Reckoning with the Cyber Revolution: A Journalist's Take on Cyber Weapons

Woe to the journalists who take on a technical revolution, as they face a two-part challenge: understanding the technical details themselves and presenting those details to non-expert readers. David Sanger's The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age mostly manages to overcome this challenge. Sanger, after all, has been on the cyber beat for a long time. As a national security reporter for the New York Times he covered important cyber-related stories, most notably the 2011 exposé on the "Stuxnet" attacks on uranium centrifuges at Iran's Natanz nuclear facility. He later incorporated his reporting on the Stuxnet attack and other covert operations into the 2012 book on President Obama's foreign policy Confront and Conceal.

Sanger's latest work follows a similar model, expanding on his newspaper reporting and incorporating more top-level policy analysis. The Perfect Weapon is a solid introduction to high-profile cyberattacks from Stuxnet to the present day, including the "Shamoon" attack on Saudi Arabian Aramco, North Korea's hacking of Sony, and Russia's 2016 US election hacking. In contrast to his newspaper articles, Sanger also switches into first person to give a reporter's-eye view of the action as it unfolds. In short, even a quick reading of The Perfect Weapon will get a reader reasonably up to speed on the big-picture cyberwar narrative.

The technical details of the attacks Sanger profiles are a bit more muddled, perhaps by necessity. For instance, Sanger repeatedly refers to distributed denial of service (DDOS) attacks, such as those launched by Iran against US banks in 2012, as "hacking." There are some semantics at play here, but many technical experts would probably agree that the firehose of data from a DDOS attack is distinct from the active digital infiltration and exfiltration connoted by "hacking." There are other recurring technical misfires, including Sanger's discussion of encryption, which he mentions fifty-four times without ever attempting to define encryption in detail.

The bigger problems with The Perfect Weapon are unfortunately endemic to public discourse about, for lack of a better term, "cyberwarfare." In his discussion of the strategic applications of cyber weapons, Sanger repeatedly designates cyber weapons a disruption akin to the invention of nuclear bombs. Indeed, his primary thesis is that cyber weapons occupy a gray space that allows constant harassment and low-level destruction without prompting a military response. But there is a breathlessness to his descriptions of various nations' cyber exploits that distorts the more quotidian reality of information operations.

It is an approach that can sometimes elicit a genuine chuckle. In recounting the early days of the US-North Korean cyber duel, Sanger writes, "only in retrospect is it clear that in 2014 Obama and Kim were using cyber weapons to go after each other. Obama's target was North Korea's missiles; Kim's was a movie studio intent on humiliating him." That is quite a juxtaposition. Though North Korea's attacks on Sony were sophisticated in their execution, they seemed to largely use derivatives of commonly available malware. Nor was the attack targeted at the core national security infrastructure of the United States. In Sanger's account, however, it too is a "cyber weapon" on equal footing with US digital sabotage of North Korea's missile program. Noting the clumsiness of the comparison is not an attempt to belittle Sanger, who is a well-informed journalist making a good-faith effort to educate his readers. It is a good example, however, of how he falls into the trap of letting a broad category (cyber weapons) push him to create a single thesis that cyber weapons have ushered in a new age of low-level constant war and created the unlikely—but consequential—possibility of low-cost massive societal disruption. The less exciting truth is that cyber weapons, like conventional weapons, cause different types of damage with varying degrees of severity. Wiping the hard drives of computers...