michael barbaro

From The New York Times, I’m Michael Barbaro. This is “The Daily.” Today: A Times investigation reveals that the United States is actively infiltrating Russia’s electric power grid. David Sanger on what that means for the future of cyber warfare. It’s Tuesday, June 18.

david sanger

So what happened in 2008 was the Russians did something pretty brilliant. They dropped a bunch of USB keys — you know, the kind you might get at a convention or maybe that’s given to you at a hotel — in parking lots around American bases in the Middle East. People would pick these things up, bring them into work, and, believe it or not, put them in their computers at work.

michael barbaro

Jeez.

archived recording Somebody got away with the most serious breach of Defense Department computer networks ever.

david sanger

And what happened was those keys essentially put some malware into computers that got the Russians inside something called SIPRNet.

archived recording The drive contained malicious coding that spread through classified files and stole information.

david sanger

The official name is the Secret Internet Protocol Router Network, but the main thing to know is it’s the Pentagon’s secret network.

archived recording We didn’t think that was possible because it’s completely separate from the internet.

david sanger

And suddenly, they were able to drain out of the Pentagon some of its most secret communications, all because somebody picked up a USB and stuck it in their machines. And one day, a woman named Debbie Plunkett came into the office at the N.S.A. Remember, this was just ahead of President Obama’s election. And she discovered this breach, and basically she said, we’ve got to get them out. And this started a massive effort secretly inside the N.S.A. to clean out the Department of Defense’s systems. In fact, after a while, people began using superglue to seal the USB ports on Pentagon computers —

michael barbaro

Wow.

david sanger

— so that no idiot would go pick up a USB from someplace and put it in. It was a low-tech solution, Michael, but it worked.

michael barbaro

So beyond supergluing the USB ports on computers inside the Defense Department, what is the response from the U.S. to this incursion?

david sanger

The response was near-panic. I mean, think about what had happened just in that year or two. The Chinese had gotten inside Lockheed Martin and stolen many of the designs for the F-35, the most expensive fighter jet that you’ve ever paid for. And that’s why the Chinese today are producing what looks like an F-35, although it’s a lot cheaper than ours. The United States was launching its own big, sophisticated cyber operation against Iran’s nuclear enrichment plant at Natanz. And the Russians, of course, were coming inside the Pentagon. And everybody realized, this is now not just a big intelligence problem. This is a big military problem, and we don’t have a military unit of size and sophistication to deal with it. And that was the birth of what is now United States Cyber Command.

michael barbaro

So what does this newly established Cyber Command do about Russia, the culprit of this really damaging attack on the Pentagon?

david sanger

Initially, Michael, not much. U.S. Cyber Command was just getting organized. It didn’t have many troops. It didn’t have much expertise. It was based at Fort Meade, but it was highly dependent on its next-door neighbor, the National Security Agency, for most of its capability to look inside networks, much less attack back. So they spent years sort of watching the Russians and building their forces, building cyber sort of expeditionary teams that they could put out with American Army units and Navy units and the Air Force and others. But the big concern was what do you do in time of warfare when the Russians or the Chinese or some other adversary might do more than just get into your communications networks? They might go in to try to change data, like supposing they altered the targeting on a missile. Supposing they just got into the medical database and changed the blood type of every soldier and sailor, you can imagine the havoc that they would bring about. So the question was how would you find them, how would you counter them, and then, what’s the right retaliation? What’s the deterrent to keep them from doing that? Of course while the U.S. was having this debate, there were some real attacks happening.

archived recording 1 The White House is considering a response to the crippling cyberattack on Sony Pictures.

archived recording 2 Federal officials are pointing right at the source. They say the attack was launched from inside North Korea.

david sanger

The North Koreans went into Sony because they didn’t like a bad movie called “The Interview,” and they took out 70 percent of Sony Pictures Entertainment’s computer systems.

archived recording 1 It raises huge questions about vulnerability and national security.

archived recording 2 They call this new kind of attack cyber extortion.

david sanger

And suddenly the Obama administration had a debate. What do we do in retaliation? Well, the answer was they put a few sanctions on the North Koreans, and they cut off their internet access through China for a day or two, but not much. And then, of course, the Chinese came in, and they stole 22 million security files from the Office of Personnel Management. That’s the office that does security reviews for everybody applying for a clearance.

archived recording O.P.M. did not specifically say what information the hackers got their hands on, but it could include everything from names to Social Security numbers.

david sanger

So suddenly the Chinese had all this information about 7 percent of the U.S. population, a very elite 7 percent.

archived recording 1 We’ve learned the breach goes back 30 years to 1985 and affects nearly every government agency.

archived recording 2 One of the largest thefts of U.S. government data ever.

david sanger

And no one knew what to go do in response other than try to negotiate some agreement about not stealing intellectual property with the Chinese. But all this was very frustrating inside Cyber Command and inside the N.S.A., because the number of attacks on the United States was expanding like mad. It reached its high point, really, in 2016, when the election attacks happened from Russia. And it wasn’t just the election system they were into, because at the same time that the Obama White House was beginning to understand what was happening as the Russians got into the registration systems in Illinois and Arizona and all that, they were getting this other stream of intelligence about much more aggressive attacks on nuclear power plants, on regular power plants. The Russians got into a communications system in a nuclear power plant that’s in Kansas that caused all kinds of disruption. And suddenly we were beginning to see warnings coming out of the Department of Homeland Security and the F.B.I., saying, hey, every utility in America — not just the power companies, but people who ran gas pipelines and water systems and all that, had to be on the lookout for malware, and that could cripple you. It’s not that the Russians had used that to go turn off the lights yet. They hadn’t, at least in the United States, but that they were prepared to do so.

michael barbaro

So David, you’ve described a series of cyberattacks against the U.S. by its adversaries that are escalating in their brazenness. So why does it seem that this Cyber Command, which was created specifically to defend the U.S. against these kinds of attacks, isn’t doing very much about it?

david sanger

Well, for a couple of reasons. First, the primary defense for the United States is supposed to come from the Department of Homeland Security. The Pentagon was only supposed to get into this game when the attacks became so severe that they threatened the viability of the United States. The second reason is that Cyber Command didn’t really have the authorities to do much more than defend the Pentagon. That’s what its legal authority was. And there was this great frustration, because everybody inside Cyber Command and the N.S.A. and many others realized that no foreign adversary was paying much of a price for attacking the United States. But then this remarkable moment came, because President Trump ended up nominating —

archived recording The meeting will come to order. The committee meets today to —

david sanger

— Lieutenant General Paul Nakasone.

archived recording — consider the nomination of Lieutenant General Paul Nakasone to be commander of the U.S. Cyber Command and director —

david sanger

He was nominated as the new head of the United States Cyber Command and the director of the N.S.A. One person holds both jobs.

archived recording That’s quite a bit of stuff there.

david sanger

And he came up in March of 2018 for his confirmation hearing, and he is asked by Senator Dan Sullivan from Alaska —

archived recording (dan sullivan) What do you think our adversaries think right now? If you do a cyberattack on America, what’s going to happen to them?

david sanger

So what do you think our adversaries think about us right now?

archived recording (paul nakasone) They do not think that much will happen to them.

archived recording (dan sullivan) They don’t fear us.

archived recording (paul nakasone) They don’t fear us.

archived recording (dan sullivan) So is that good?

david sanger

And his answer was essentially not much.

archived recording (paul nakasone) It is not good, Senator.

archived recording (dan sullivan) So will you —

michael barbaro

And what did he propose to do about that?

david sanger

Well, he didn’t say this in public, but what he had been proposing for years was a concept really drawn from American Special Forces, which is defend forward. Don’t wait to get attacked. You know, the Special Forces has learned in the war on terror that if you’re going to stop a terror attack in Times Square, you better go hit the living room in Pakistan where it’s being planned. And Nakasone sort of had the same concept, which is the United States has to have what he called persistent presence in foreign computer networks around the world, because if you aren’t already buried inside that network, you were never going to see an attack coming, and you wouldn’t have any way to retaliate.

michael barbaro

In other words, you have to go on the offense to really be on the defense.

david sanger

And you have to live in your adversaries’ networks. You have to be inside their computers before they attack you, not after. And he was confirmed, and that began a real new era for how Cyber Command went on the offense.

michael barbaro

We’ll be right back. So David, you’ve spent the past few months trying to understand what it means for the Trump administration to go on the offense when it comes to cyber. What exactly have you found?

david sanger

Well, the first thing I found was that the Trump administration and Congress enabled Cyber Command to go on the offense much more aggressively than they had been before. In August of 2018, President Trump signed a long-awaited executive order. It was called National Security Presidential Memorandum 13. Its contents are still classified, but essentially it allows the Cyber Command to go ahead and conduct all kinds of operations inside foreign networks without going back to the president for prior approval. Our computer networks around the country were under such a constant barrage of attacks that Cyber Command needed much more freedom to be able to get inside those foreign networks and begin to combat it and that it couldn’t be going to the White House every time it wanted to do this, just the way the Navy doesn’t go to the White House every time it wants to go run a group of destroyers down through the South China Sea or go do patrolling along the DMZ in South Korea.

michael barbaro

In other words, it’s an acknowledgment that cyber is such an active place that the president could spend his entire day signing off on every decision that needed to be made.

david sanger

That’s right, and Congress authorized Cyber Command to do even more. It basically said these kind of operations in cyberspace are part of traditional military activity, and you’re authorized to go ahead and do them the same way that you would do ordinary patrols.

michael barbaro

And so what does this newly empowered Cyber Command do with this authority?

david sanger

Well, the first thing it did was go after those units in Russia that were responsible for a lot of the election-hacking. They shut down the Internet Research Agency in St. Petersburg, which, of course, had designed many of those Facebook ads and other social media ads, for a couple of days right around the midterm elections. They went after the G.R.U., the Russian military intelligence unit that had been responsible for breaking into the D.N.C. and then making public much of that data. They sent text messages to individual Russian officers and hackers saying, we know who you are. We know where you live. We know your phone number, and if you mess with us, you’re going to pay a price. So a lot of that action to counter the election malfeasance was made public. What wasn’t made public was a parallel effort to go inside the Russian power grid, to put some code in places where the Russians would see it as a warning, but put other code in places where the Russians wouldn’t see it, in case the U.S. ever needed to act against Russia’s utilities as the Russians were putting malware in our systems.

michael barbaro

So the U.S. now has the ability to interfere with the Russian power grid in the same way that Russia can already interfere with the U.S. power grid.

david sanger

That’s right. The U.S. wanted to get deep inside the Russian systems, this time not just for surveillance but to be able to place malware there, basically ticking time bombs or what you might think of as digital landmines that they could set off if we got into a broader conflict with the Russians.

michael barbaro

David, how significant is it that the U.S. took this step of basically infiltrating Russia’s electric grid?

david sanger

Oh, I think it’s a big step, Michael, but it’s also a pretty risky one. So classic deterrence theory would tell you, do like in the nuclear age, right? If they can hit you, show them you can hit them back. But I think the Russians have some doubts that we’d really be willing to pull the plug. They know that we’re limited by all kinds of legal and ethical considerations and that unplugging a country, except in the midst of a war, would cause a lot of civilian deaths. The people who are most vulnerable if you unplug the grid are people in hospitals or nursing homes. So there’d be a great reluctance to cause civilian casualties.

michael barbaro

But wouldn’t that presumption be true on both sides?

david sanger

It might be, but one of the remarkable things about cyber is how well you can go hide the causes of a cyberattack. Most cyber is used in short-of-war conflicts, not full-scale war, but instead this quiet war of attrition where countries are trying to seek advantage or gain power by manipulating the data in your financial systems or making A.T.M.s unavailable or turning off the power in certain parts of the city, but maybe not in others. So it’s pretty subtle. And the Russians are really smart. They do not want to trigger a general military conflict between the U.S. and Russia. Most other countries don’t either. So they want to use their cyber capability in the most subtle way possible.

michael barbaro

David, given that, as you just said, the battlefield is much more subtle when it comes to cyber than traditional warfare, but the consequences just as significant, at what point does Cyber Command, do all these officials with these new powers granted by the Trump administration, at what point do they need to seek the approval of the president and of Congress to conduct these operations, like entering the Russian electrical grid, in the way that they would for traditional warfare?

david sanger

It’s a fascinating question, because if you look at the law, and from what we’ve heard about the presidential order, they have the authority to do this themselves. Now the law does require them every quarter to bring their congressional overseers up to date with what they’re doing. So they’d have to report what they’re doing in the grid maybe after the fact, but they’d have to report it. The big question that we were trying to answer is did anybody go to the president to tell them that we were conducting this traditional military activity inside the Russian grid?

michael barbaro

And what did you find?

david sanger

What we found was a lot of people saying to us, we don’t think the president knows very much about it. He may have been told generally that of course we’re doing cyber operations, but there’s a great reluctance inside the intelligence community and certainly inside the U.S. military about what they tell the president about operations against Russia. And that’s because every time the president hears the words Russia and cyber, his mind immediately goes to the charge that the Russians put him in office or somehow were responsible for his election because of what they did in 2016, and that sets him off. So we’ve seen time and time again that people sort of avoid the topic.

michael barbaro

So it’s quite possible that the president learned about this operation to get inside the Russian electrical grid from your reporting.

david sanger

We think that’s possible. He issued two tweets the night that it came out, on Saturday night. The first suggested that publishing it was perhaps an act of treason.

michael barbaro

He called you a traitor, basically.

david sanger

Yes. And then in the second tweet he said, and it’s all wrong.

michael barbaro

David, the treason charge seems worth asking you about. Did the people you talked to inside the U.S. military, Cyber Command, the intelligence community, did they discourage you from reporting on any of this?

david sanger

They didn’t. They refused to comment on the specifics that we had found about the U.S. operation. But you know, we’ve been doing this for a long time, and we’re accustomed to going to the government and saying, here are the facts we’re going to lay out. And if you have any national security objections to our publishing this, let us know now before we print, and we’ll make some judgments about whether to hold back some details. And over the years I have held back details, including about some American cyber operations, when the government made the case that the adversary didn’t know about it. But in this case, they came back and said, we have no national security objections.

michael barbaro

In fact, it may be that people in the Trump administration, perhaps not the president himself but those around him, may have wanted you to report this.

david sanger

Or certainly they didn’t see a downside to it. There’s this great scene at the end of “Dr. Strangelove” when they’ve been building this huge nuclear gadget and they’re keeping it a deep secret, and the whole premise of the end of the movie is if you don’t tell them about the gadget, what good is it? So we have sort of the same problem in cyber.

michael barbaro

David, from everything you’ve explained, the U.S. goal here is deterrence, and it reluctantly entered a more aggressive phase in its approach to cyber with the goal of preventing our adversaries from attacking us. But at what point does a strategy of deterrence inevitably lead to an arms race, where you have to keep up with your enemies and their approach to cyber, and on and on it goes, until eventually, we’re in a deeper phase of cyber conflict?

david sanger

Michael, we’re deeply into that arms race already. We’re building up new weapons. Everybody else is building up new weapons, but there’s a lot of discussion these days about whether you should have something akin to a digital Geneva Convention. The real Geneva Conventions protect civilians from being gassed, tortured or starved. In the digital Geneva Convention, you might say there are some systems that are so critical to civilian life that we have to protect them — power grids because they power hospitals and nursing homes. You might say that election systems should be off limits. You might say that emergency communication systems, communications to ambulances or the police or the fire department, are off limits. And these all seem like pretty attractive ideas, and a lot of countries have signed on to them, although not the United States so far. And one reason, I think, is that many in the U.S., inside the government, believe we have a big advantage and that we don’t want to give that advantage up and deprive a future president of the United States of the ability to use one of these weapons that we’ve spent billions of dollars developing. They might want to be able to go to a president and say, you know, it would be better to manipulate the results in this election than end up with another Nicolás Maduro, the dictator in Venezuela, or it might be better to be able to go into the central bank of this country and drain a dictator’s bank account or keep a terrorist organization from being able to spend any money. So if we’re going to be able to do those things, we probably wouldn’t want to sign up to an agreement that prohibits them. And that’s the big argument we need to have as a country, which is what cyber capability are we willing to give up in order to begin to set some norms of behavior that we’re hoping other countries will adhere to as well?

michael barbaro

David, thank you very much. We appreciate it.

david sanger

Thank you, Michael.

michael barbaro

On Monday afternoon, a spokesman for Russian president Vladimir Putin said that Russia was confident it could repel U.S. attempts to hack into its electrical grid but warned that such attacks could eventually escalate into a cyberwar with the U.S. We’ll be right back. Here’s what else you need to know today.

[chanting]

michael barbaro

On Monday, the Chinese government expressed strong support for Hong Kong’s chief executive, Carrie Lam, after days of massive protests against her by hundreds of thousands of Hong Kong residents. But the support from China could ultimately backfire by reinforcing protesters’ fears that Lam is acting on China’s behalf. The protests began after Lam pushed for a law that would allow Hong Kong residents to be prosecuted in China, a plan she has since suspended in response to the protests. And —

archived recording [SPEAKING FARSI]

michael barbaro