David E. Sanger’s riveting work, The Perfect Weapon: War, Sabotage and Fear in the Cyber Age, explores the quandary of how to use and defend against cyber-attacks. He describes the perfection of cyber weapons as their almost limitless ability to steal money, pilfer secrets, sabotage critical infrastructure, undermine democracies, and tear societies apart at the seams. Cyber weapons are available to large and small powers, democracies and dictators and they have altered the geopolitical landscape forever. The panoply of questions that this fact raises makes Sanger’s book fascinating. How does a nation respond to, deter, or defend against a stealthy, effective, deniable cyberattack? Is it better to threaten an overwhelming cyber counterattack? Or should it be a non-cyber response, ranging from economic sanctions, a conventional military response or even going nuclear? Does a nation “bunker-in” and harden its defenses? (Sanger alleges this is a 10-year task for the United States.) The author takes on all of these questions and more. Organized into thirteen nearly stand-alone chapters, four important threads run throughout the book: (1) A strategic partnership between government and private sector technology companies is vital; (2) Cyber transparency is a required; (3) A good cyber offense requires a good cyber defense; and (4) There is an underlying risk of escalation into conventional war.
David Sanger is a senior national security correspondent for The New York Times and has been on three Pulitzer Prize-winning teams. As part of his journalistic career, Sanger served as the paper’s White House correspondent during both the Clinton and Bush administrations. This book is sourced almost exclusively from the author’s firsthand interactions with world leaders and cyber experts. His direct access to presidents, politicians, technology CEOs, and security leaders around the world is unparalleled. The foreshadowing of things to come is chilling. The insights into the threat are eye-opening for a cyber neophyte. For instance, what cyber threat could possibly cause a steady hand, like former US Secretary of Defense James Mattis, to recommend a policy of nuclear deterrence in this arena?
The book is easy to read for anyone interested in geopolitics and the conundrums of offensive and defensive cyberwar. The author does not delve deeply into the technical issues underpinning cyberwar but provides enough details for the tech savvy reader to appreciate and explore further. In addition to the four pervasive themes, this book focuses on the “7 sisters of cyber conflicts” – US, Russia, China, Britain, Iran, Israel, and North Korea. The United States is portrayed as surprisingly aggressive and predictably vulnerable in this arena.
The role of private companies is interwoven throughout the book. Sanger illuminates the complex debates concerning personal privacy and electronic device security. Who is right when law enforcement demands access to a ‘secure’ iPhone? Do the ends justify the means when law enforcement pays one private company to break a security system designed by another company,
intended to ensure a US citizen’s privacy?
Sanger provides an insightful history of a time when government collaboration with industry was easier and explains why it is dysfunctional today. An example of why there is a bad public-private relationship is Snowden’s leak of a secret NSA briefing revealing (with a smiley face graphic) where the NSA will tap into the Google Cloud. Consequently, it is not surprising that Google’s head of security told Sanger “No hard feelings, but my job is to make their job hard,” referring to the NSA. Sanger juxtaposes such areas of public-private friction
with historical illustrations of close cooperation, such as the “proud” American company, AT&T’s Bell Laboratories, enthusiastically supporting successful Cold War efforts in the 1980s.
Sanger advocates for greater cyber transparency on several fronts. How does a nation begin to discuss setting international rules about the use of weapons whose existence and use are not acknowledged? Additionally, how do institutions defend against threats if the intelligence community will not share information of a known threat, its details, and reliability, for fear of
compromising sources? A perfect example is the FBI’s anemic attempts to warn the Democratic National Committee (DNC) of Russian cyber intrusion into their network well before the 2016 election. The warning went unheeded, and the DNC fumbled the response. The timeline was such that “babies were conceived and born” before the DNC looked into the warning, and the US
presidential election was directly impacted.
The reader becomes well informed regarding the United States’ frequently used and effective offensive capabilities. Despite eras of timidity, especially under President Obama, the US has set many cyberattack precedents. The descriptions of Stuxnet and Olympic Games are riveting and the results satisfying to an American reader. Sanger also explains how the US has seen its cyber weapons stolen and turned back on it (not so satisfying).
Sanger states that ten years will be required for the United States to develop a defense that is adequate for cyber deterrence. But this argument is underdeveloped compared to other issues in the book and needed greater detail to make such a long timeline convincing. A comparison to “The Great Firewall” of China might have been a good place to start. Perhaps the public sector – private sector relationship in the United States could be expanded to encompass
national cyber security standards such as regulations, incentives, and penalties for non- compliance. This might be a natural extension of Sanger’s “defend forward” and “deterrence through transparency” of offensive capability argument.
The author provides recommendations, mostly relating to cyber transparency. In particular, establishing a cyber “red-line” requires a credible deterrent that the United States presently lacks. Sanger does not advocate for Mattis’ nuclear deterrence concept but recommends that the United States’ powerful offensive cyber capability be clearly revealed and publicly employed to establish strong deterrence. Weaker states such a North Korea currently do not fear a US response to egregious cyber-attacks. Public attribution and responses to attacks are also required for an effective cyber policy. Faster technologies and the use of artificial intelligence will increase the destructive power of cyber-attacks. The author believes that cyberwar arms control agreements must come out of the shadows and that the days where only nations with conventional weapons could threaten the United States are gone.
About the Author:
Steve Bruner is a recently retired Lieutenant Colonel in the United States Army with tours in Bosnia, Kosovo, Iraq and Afghanistan. His career culminated with a four year stint coordinating strategic level crisis response exercises at NATO's Joint Warfare Centre in Stavanger, Norway. He is currently completing a MA in International Affairs: Comparative and Regional Studies for Eurasia focused on security issues at American University's School of International Service. His primary research interests are the geopolitical challenges and security threats around the Black Sea. He hopes to rejoin NATOs efforts to predict and prepare for emerging threats upon his graduation from American University.