David Sanger, cybermenace

The ace NYT reporter needs an upgrade

This is a free edition of the Nonzero Newsletter. If you like this issue, I hope you’ll consider a paid subscription.

If you’re going to write a book called the Apocalypse Aversion Project—which, as you may have heard, I’m trying to do—it would help to have a plan to avert the apocalypse.

And there’s a sense in which I do. Unfortunately, one sense is not enough. There need to be two senses in which I have a plan. Maybe you can help me with the second sense.

The first sense is about policy. If you perused my draft introduction to the book last week, you know that I have a general idea of the kinds of policies needed to avert global calamity. Many fall under the heading of international cooperation: In realms ranging from nuclear arms to genetic engineering to fossil fuel consumption, nations should agree to restrain their behavior for the common good.  

Sounds great! But how do you convince politicians to support this kind of international cooperation in all the areas where it’s needed? Especially when they can often profit by whipping up international antagonism? And when other actors—like media outlets, for example—help them do the whipping up? What are some ways you might change the conduct of politicians or the quality of journalism or anything else that needs changing if the planet is to flourish? A true plan to avert the apocalypse needs to include ideas about points of intervention.

A good example of what I mean came last week in the form of a New York Times article. Like some other Times pieces (and pieces in other outlets), it has apocalypse-hastening tendencies.

The piece was about recently publicized intrusions into US computers by (allegedly) the Russian and Chinese governments—the famous “SolarWinds” hack and a hack of Microsoft Exchange servers, respectively. This realm—cyberspace—is another area where I think we need more in the way of binding international agreements if we’re going to get serious about saving the planet.

The main bit of real news broken by the Times piece was that the Biden administration plans to retaliate for the Russian hack—SolarWinds—through a combination of sanctions and hacking. However, that’s not exactly the angle around which the piece was organized. The article’s lead author is alpha NYT national security reporter David Sanger, who has a tendency to frame stories grandly, sometimes in ways that have a subtly hawkish undercurrent. Here are the first two paragraphs:

WASHINGTON — Just as it plans to begin retaliating against Russia for the large-scale hacking of American government agencies and corporations discovered late last year, the Biden administration faces a new cyberattack that raises the question of whether it will have to strike back at another major adversary: China.

Taken together, the responses will start to define how President Biden fashions his new administration’s response to escalating cyberconflict and whether he can find a way to impose a steeper penalty on rivals who regularly exploit vulnerabilities in government and corporate defenses to spy, steal information and potentially damage critical components of the nation’s infrastructure.

Note, first of all, how—even though this is supposedly a news story, not an editorial—the second paragraph tells us how we should judge Biden’s performance in the realm of cybersecurity. The big question is: “whether he can find a way to impose a steeper penalty on rivals” who hack us.

Now, I might have suggested an alternative way of framing the big question. Like: whether Biden can coax rival nations into establishing robust international rules of cyberconduct that would reduce the risk of things getting out of control. You know—like a treaty or something. But that’s just me.  

The Times piece does mention the possibility of “new rules of the road for cyberspace.” But that phrase comes in the 30th paragraph. And there’s no explanation of what the new rules might be or of how they might change things.  

Which is convenient, because elaboration on this subject might have undermined the editorializing in that second paragraph. The fact is that there already are some “rules of the road”—in the sense of international norms, not laws. And, though these norms aren’t as fully articulated as I’d like, they’re clear enough to warrant saying the following, which any first-rate piece of journalism on this subject would have said: The Russian hack that we’re about to punish Russia for was in compliance with existing norms and indeed was, broadly speaking, the kind of thing the US does to Russia and many other countries all the time.

Here is the fundamental norm of hacking among nations: Computer intrusion per se—sneaking into a country’s computers—is business as usual; but it’s another thing altogether if you go beyond espionage—if you don’t just take information but wreak some sort of havoc, ranging from destroying the information to destroying physical things to taking down power grids. Moving across this line between cyberespionage and cyberattack violates the fundamental norm.

Now, the US violated this norm during the Obama administration with its infamous Stuxnet attack on Iran, done in coordination with Israel. So there’s a limit to how indignant America could justifiably get if Russia violated the norm—but, again, Russia didn’t violate the norm with the SolarWinds hack.

Don’t take my word for it. A piece on the generally pretty hawkish blog Lawfare says the SolarWinds hack is something “the U.S. government would be extremely proud of, if executed by its own intelligence agencies. In fact, U.S. intelligence agencies have conducted functionally identical campaigns in the past.”

The Lawfare piece—written by well-known cybersecurity expert and past Pentagon consultant Dmitri Alperovitch—goes on to say that, “strange as it may seem,” the SolarWinds hack is “the sort of cyberespionage campaign that the U.S. should be willing to acknowledge as acceptable under existing international norms: limited in scope, carefully executed, and not designed to destroy, manipulate, or otherwise disrupt data. If the U.S. responds too forcefully to this campaign, it risks removing any incentive for adversaries to adopt such a measured approach in the future.”

Yet to read the Sanger piece, you’d think the Russia hack was some kind of throwing down of the cybergauntlet—and that, if we don’t respond forcefully, America’s and Joe Biden’s masculinity will forever be suspect. Sanger and his co-authors write, “For the president, who promised that the Russian attack would not ‘go unanswered,’ the administration’s reactions in the coming weeks will be a test of his ability to assert American power in an often unseen but increasingly high-stakes battle among major powers in cyberspace.” Godspeed, Joe Biden.

Sanger can’t plead ignorance. He’s aware of the fundamental normative distinction between cyberespionage and cyberattack; I’ve heard him mention it on a podcast. But making that distinction here would have forced him to write a less melodramatic piece—a heavy price to pay for clear and responsible reporting.

To begin with, he’d have had to amend—or at least qualify via elaboration—the piece’s high-voltage second paragraph, the one that informs us that the test of Biden will be whether he “can find a way to impose a steeper penalty on rivals who regularly exploit vulnerabilities in government and corporate defenses to spy, steal information and potentially damage critical components of the nation’s infrastructure.” It’s only the last of these—damaging a nation’s infrastructure—that violates international norms, and neither the SolarWinds hack nor the Microsoft hack, the one attributed to China, damaged our nation’s infrastructure. (But the Microsoft hack may have left lots of computers vulnerable to future trouble in ways the SolarWinds hack didn’t. The Times piece rightly devotes space to this, though the Lawfare piece gives a crisper, clearer overview of the problem; see my postscript below for elaboration.)

So, all told, the New York Times, which is in a position to do influentially illuminating work on this subject at an important moment, made a mess of the subject instead. And I’m afraid I can’t say I’m shocked, given Sanger’s reputation (among some close watchers of MSM national security coverage, at least) for dramatic, nationalistic framings that have the potential to heighten international antagonisms.

These framings also have a tendency to get Sanger’s pieces prominent play in the New York Times and lots of traffic online. Whether or not that’s his motivation, the drive for prominence and traffic is definitely a corrupting force in journalism more broadly. It’s easy to get clicks by warning of imminent peril at the hands of evil foreigners. It’s harder to get clicks (believe me!) by explaining that the peril afflicts many nations, that America shares in the responsibility for creating and sustaining it, and that a durable solution to the problem will require the further evolution of international norms and/or laws.

So this is what I meant when I said the Apocalypse Aversion Project needs, in addition to ideas about policy, ideas about points of intervention—about parts of the system that need to change if the policies are to become politically realistic. One of those parts is American journalism.

Specifically, American journalists need to exhibit more cognitive empathy—they need to do a better job of looking at things from the perspectives of nations other than America. If Sanger had said to himself, “Hmmm, I wonder what Vladimir Putin would say about the article I’m writing,” he might have realized that one obvious answer is, “Hey David, don’t forget to mention that cyberespionage is widely accepted as a fact of life and America does it all the time!” And that would have led to better journalism—journalism that’s better for the world and is literally more objective: more like what you’d write if you were a journalist from Mars, observing earthlings from no national vantage point.

But once you realize that journalism—or any other point of intervention—needs to change, there’s still the hard question of how you bring change, the question of what kind of intervention might work. I guess one thing you could try is circulating critiques of counterproductive, nationalistic journalism, such as Sanger’s. (Entirely unrelated thought: There’s a share button at the bottom of this newsletter.) It would take a lot of such circulating to shame reporters and their employers into doing a better job, especially when doing a bad job wins them traffic and glory. But you gotta start somewhere. Other ideas about places to start are welcome in the comments section below.

Postscript: The Microsoft Hack

The Microsoft hack, attributed by Microsoft to China, arguably violates an international norm, though not the fundamental norm, the one that distinguishes between espionage and attack. At least, the aforementioned Dmitri Alperovitch argues as much.

What happened here is that when Microsoft detected the hack and was poised to neutralize it, the hackers countered with a shotgun approach to pre-emption that left Exchange servers at thousands of organizations, including lots of small ones, vulnerable to future hacking—even though the Chinese government has no interest in ever hacking most of these places. So there’s now a chance that thousands of American companies could be hit with ransomware attacks run by enterprising criminals around the world. (Interestingly, the SolarWinds attack, the one attributed to Russia, also involved gaining access to servers at thousands of American companies that weren’t the targets of the hack—but, according to Alperovitch, in that case the hackers quickly patched the holes, denying future access even to themselves.)

The norm Alperovitch says the Microsoft hack violates is vaguer than the fundamental norm (though the fundamental norm itself gets a bit fuzzy when you realize that garden variety espionage hacks leave the hacker with the ability to destroy data or do other kinds of norm-violating damage). As I understand the norm Alperovitch has in mind, it has to do with the sheer breadth and sloppiness and open-endedness of the second wave of the Microsoft hack. Any hack that leaves that many organizations vulnerable to future exploitation violates the norm.

Alperovitch thinks heavy retaliation may be in order in the case of the Microsoft hack. But he also thinks we should first tell the Chinese government that it can avoid extreme retaliation by plugging the holes it created in those thousands of servers. And he thinks we should convey that message privately, so that China can comply without paying the political price of seeming to bow to US demands.

By the way, I’m happy to say that the Biden administration, like Alperovitch, seems at least somewhat aware of the perils of public confrontation. The Times piece reports that the administration plans to make the cyber-retaliation directed at Russia “evident to President Vladimir V. Putin and his intelligence services and military but not to the wider world.”

I should add that Alperovitch thinks some retaliation for the Russia hack is also in order—but that it’s more of the limited and pro-forma kind you see when a country discovers an adversarial country’s spy in its midst. The country expels the spy and maybe exacts some other token penalty; but there’s no real sense of affront—it’s all part of the spying game.