Book Review — The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age By David Sanger
Author: Lukas Mejia, May 2020.
“In The Perfect Weapon, David Sanger presupposes that the onset of modern cyber technology is changing how state-to-state conflict is approached today. In a world where we progressively see a reduction of human input on devices through the increased digitization and connectivity of things…new avenues of exploitation continuously emerge for cyber threat actors. Just over a decade ago cyber technology did not make an appearance on the list of threats within the annual US Worldwide Threat Assessment. Now, it assumes the highest and most pressing position (Coats, 5).”
Cover page of David Sanger’s The Perfect Weapon: War, Sabotage and Fear in the Cyber Age from Penguin Random House.
The concept of a stranded asset is often applied in economics to describe a situation where the value of a particular good becomes a liability. This change in value is oftentimes a result of emerging or shifting circumstances that render the asset’s further ownership burdensome. One would find it hard to believe, then, that the paramount weapon in conventional warfare —the nuclear bomb— veers close to becoming a stranded asset itself. Yet, this is the exact scenario that the US nuclear arsenal finds itself in against the advent of modern cyber technology. Indeed, how should the country respond to an attack that some within its senior leadership perceives as being grounds for war, while others relegate it as a minor irritation?
In The Perfect Weapon, David Sanger presupposes that the onset of modern cyber technology is changing how state-to-state conflict is approached today. In a world where we progressively see a reduction of human input on devices through the increased digitization and connectivity of things —from power grid controls and banking systems to the interfaces of refrigerators and automobiles— new avenues of exploitation continuously emerge for cyber threat actors. Just over a decade ago cyber technology did not make an appearance on the list of threats within the annual US Worldwide Threat Assessment. Now, it assumes the highest and most pressing position (Coats, 5).
Sanger employs a considerable amount of government insider accounts —in some cases to the detriment of their careers, as was the case with General Cartwright and his resulting conviction— to chronicle the shifting paradigm occurring within state-to-state conflicts. He begins not with an examination of the usual state suspects, such as Russia and China, which monopolize the cyber technology debate today, but with an analysis of the US. In particular, the country’s dispatching of the Stuxnet malware and its parent operation, Olympic Games, to curtail Iranian nuclear proliferation. Through this example, Sanger provides ample evidence that the US has taken a novel approach to resolve geopolitical conflicts. When details regarding such operations are intentionally or unintentionally exposed to the rest of the world, courtesy of leaks (as in the case of Snowden) or security breaches (as in the case of GRU and Chinese hacking); rivals wisely find that it is possible to employ similar tactics to further their interests. Notably, they are able to do this without sacrificing much of their reputation or political capital, while challenging the rules of engagement, deterrence, retaliation, if not warfare itself.
In a post-cyber world, conventional deterrence faces the issue of attribution. After all, how can an attack merit an appropriate retaliatory response if its instigators cannot be properly identified, let alone, its damage fully assessed? This dilemma first paralyzed the Iranians in 2010 as they wondered what plagued their nuclear centrifuges in Natanz. It is a problem that scholars and insiders have examined as grounds upon which to depart from traditional deterrence strategies that belonged to the Cold War. With this predicament known to the US for some time, the subsequent empowerment of officials like General Paul Nakasone, and his relatively young CYBERCOM, have slowly risen to produce strategies aimed at cyberspace innovation.
Initially, the US was hindered by adamant senior military leadership that favored scenario building based on recent wars. More recently, the US has come to arm its offensive cyber arsenal with more pioneering methods and technology — oftentimes to a fault. Increased powers have been bestowed upon the likes of the National Security Agency (NSA) and its Office of Tailored Access Operations to mount a so-called “active defense” that would monitor and preemptively tackle any perceived threat before it emanates. This has come at a serious price. The secrecy that surrounds and protects these cyber capabilities negatively impacts their deployment due to the incentivizing of mistrust among the domestic and international communities alike. For instance, how do allies know whether they are targets of such technologies? The resulting lack of public and international debate thus prevents the establishment of a rule set akin to that of a global consensus on nuclear weapons.
Due to US rivals’ familiarity with the concept of nuclear deterrence, they have correctly assumed that the only circumstance under which these weapons could come into use would be if they challenged the US national security. With the subtlety, accessibility, and deniability afforded by cyber, these rival actors have found avenues of engagement that fall short of conventional war. The US has become vulnerable at home, where it once thought itself safe, due to the dissemination of technology and technical expertise among its enemies. It has been the subject of successful penetrations of its banking infrastructure and electoral systems by peer and non-peer competitors alike. The US’ strategy of ‘defending forward’ and its overemphasis on its capabilities abroad have hampered its ability to create deniability, which is what Joseph Nye Jr. alluded to when urging for a new kind of deterrence (Nye, 56). It is a kind of deterrence that champions deniability through resilience, deflection, and overall defensive cyber-mettle.
Affordability and attribution are what make cyber threats so effective, accessible, and destructive, and are what elevates them to near ‘perfection’, as Sanger ascribes. In face of more devices coming online in the ensuing years, more avenues of attack are likely to emanate, allowing the technological turnover rate of this domain to far outpace our ability to grasp it. This will lead to a scenario where warfare itself becomes increasingly unpredictable and out of reach.
In summary, the book used the case of cyber vis-a-vis Nitro Zeus to further our understanding of modern warfare. Nitro Zeus, was a US strategy to disable the critical infrastructure of Iran through the use of cyber in a possible war scenario instigated by Israel. The goal of the operation rested on “grooming” the battlefield before the actual battle, enabling the likelihood of the US and Israel’s victory with a reduced chance of retaliation by Iran. It was assumed that, with a swing of a single sword, cyber could act as the first line of attack that could sway the outcome of a battle, if not war, before it actually began.
Sanger’s prose and research may come off as overly journalistic to some; forcing the reader to eschew deep sourcing and fact-checking to validate his interviewees’ narratives. But where the book lacks empiricism and data analysis, it still serves as a thought experiment regarding cyber technology and its role in shaping the nature of warfare. And while nuclear weapons may remain the most destructive devices ever engineered — their destructiveness depends on their owner’s ability to bring them online, in the air, and on target. If the technology that allowed the US to render North Korean missiles futile becomes widespread, as was the fate of the Stuxnet malware before it, then soon nations may not need the weapons themselves, but merely the ability to strand them.
Coats, Daniel R. “Worldwide Threat Assessment of the US Intelligence Community.” Office of the Director of National Intelligence, Senate Select Committee on Intelligence, 29 Jan. 2019, p. 5., www.dni.gov/files/ODNI/documents/2019-ATA-SFR—SSCI.pdf.
Nye, Joseph S. “Deterrence and Dissuasion in Cyberspace.” International Security, vol. 41, no. 3, 1 Feb. 2017, p. 56., doi:10.1162/isec_a_00266.