David Sanger is the chief Washington correspondent of The New York Times. During his 30-year career with the paper, he has written about everything from the investigation into the causes of the space shuttle Challenger disaster to North Korea’s nuclear program, and has twice been a member of teams that won the Pulitzer Prize. He is a Senior Fellow at the Belfer Center for Science and International Affairs at the John F. Kennedy School of Government, and the author of two books, most recently “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.”
David spoke at the Hewlett Foundation earlier this month about his work covering cybersecurity issues in Washington as part of our ongoing “shop talk” series, where we invite outside speakers to share their knowledge and expertise with our staff. I had a chance to ask him a few questions after his talk, which he called “Short of War: How Cyber is Changing American Statecraft.” The following is a lightly edited transcript of our conversation.
Eli Sugarman: You’ve reported extensively about the Sony Pictures hack and Office of Personnel Management breach and written about how the U.S. government is struggling to deter cyber-attacks and respond to them once they occur. You argue that despite sustained high-level attention, it lacks a real cybersecurity policy playbook. What is it about cybersecurity that makes developing a policy playbook so difficult?
David Sanger: Developing a playbook is hard because cyber-attacks come from so many different groups, so many different geographies, and because they are so hard to attribute to specific actors. As a result, you don’t know who you’re deterring. That is a big change from the nuclear world, where you could identify a limited number of missiles coming from a small number of places, and you knew who exactly had control over them. In the cyber world, none of that is true. The attackers can be state actors, terrorists, criminal groups, or teenagers. They can come from any place.
What’s more, the cost of entry to cyber is so low that even broke countries like North Korea can launch a highly effective attack—as Sony learned to its regret. And large countries, like China, can steal the data on 22 million Americans from the Office of Personnel Management secure in the knowledge that U.S. interests with China are so intertwined and complex that serious retaliation is pretty much off the table. So policymakers appear frozen; often they don’t know how to respond.
Eli Sugarman: One of the key challenges to developing effective cybersecurity policies is the wide gulf between government and the tech industry. As someone who spends a lot of time talking with people who make policy in Washington, how do you think government views the tech industry? How does the tech industry view government? Do you see any prospects for bridging the trust gap between the two sides?
David Sanger: During the Cold War, the interests of the American tech industry and government were very closely aligned. The products that the big defense contractors were producing were sold largely to the U.S. government and its allies. But now, the U.S. is one of many markets, and often not the most important one for the leaders in the tech industry. Since the Snowden disclosures, many of those companies are going out of their way to demonstrate that they are not creating backdoors for American investigators, even those armed with legal court orders. Apple is a prime example: It designed the latest iPhone operating system to create secure conversations between iPhone users in a way that assures Apple itself does not possess the de-encryption “key.” So if it gets a court order, it usually can turn over only gibberish.
The result is that the government now views much of Silicon Valley the way it would view a foreign ally who has some interests in common with Washington, but that was always hedging its bets. In return, the tech industry views the government as hopelessly behind the technology curve, striving to put together regulations that simply don’t fit the current technological moment. The debate over the encryption of data is a classic example where the government is taking years to come up with a policy while Apple, Google, and a host of startups produce new, more secure products every few months.
Eli Sugarman: Your reporting also highlights the fundamentally international dimensions of cybersecurity policy. How does the public conversation on cybersecurity in the U.S. differ from the conversation in the UK, Germany, or China, for example? Are U.S. policymakers aware of and responsive to international views and different dynamics in play in those conversations?
David Sanger: American policymakers are discovering somewhat late that whatever rules they set for cyber within the U.S. may be twisted to very different purposes overseas. Encryption is once again a good example. If the U.S. required Apple to put a backdoor in the iPhone or Google to put one in Gmail, the Chinese would instantly demand the same if those companies wanted to operate in that market. In fact, the Chinese have been contemplating making those demands without the U.S. going that far. So it would be fairly easy to imagine a situation in which an American citizen would find that their communications were being intercepted by Chinese authorities under Chinese law for purposes that the U.S. government would find offensive to individual civil liberties and privacy.
This greatly complicates the Obama administration’s efforts to solve the “going dark” problem. Every time the FBI demands a certain level of access to a range of new devices and technologies, someone in the White House needs to ask the question, “Do we really want the Chinese or Russians to have the same rights?” And as soon as the U.S. government demands access, even our closest allies will shun American products. Look at Germany: there is a continuing reaction to the Snowden disclosures and a somewhat dubious movement to demand that data remains local rather than pass through American servers on American territory.
Eli Sugarman: A huge amount of money is being spent on cybersecurity each year—but that money is siloed, earmarked for addressing needs identified by governments, or to safeguard individual companies’ networks, to a large degree. Obviously, the funding we are doing through our Cyber Initiative is tiny in comparison, but we hope to make a difference by fostering more cooperation among government, industry, civil society, and academia to better serve the public interest. For us and other interested funders, what role can philanthropy play in improving policy responses to cybersecurity challenges? How would you advise us to invest our resources?
David Sanger: There is plenty of private investment already going into traditional questions of cybersecurity—how to lock down your systems, how to make your bank account safer, how to secure the utility grid, and how to make defense systems more resilient. But there is very little investment going into understanding the kind of strategy or institutions that are needed to develop a lasting framework for how we might use offensive cyber weapons, how we would deter attacks from state sponsors of cyber activity and non-state actors, and how we would set up some rules of the road for the biggest players. President Obama and President Xi Jinping took a few steps down that road when they met recently in Washington, D.C. But there is a long way to go and sometimes I think that our policy development for cyber is currently where our strategic understanding of air power was when the Wright brothers demonstrated their biplane to a group of Army officers outside of Washington more than a century ago. We’ve only begun to think about the strategic implications of how a connected world changes the balance of power among states and we need to put a lot more thought into how to manage that, just as we did after the invention of chemical weapons, nuclear weapons, and drones.