ARI SHAPIRO, HOST:
This week, we've heard a lot about what was discussed at the summit between President Trump and North Korean leader Kim Jong Un - nuclear weapons, military exercises, returning the remains of U.S. troops killed in the Korean War. As David Sanger filed his stories from Singapore, he noticed something very big missing. Sanger is a national security correspondent for The New York Times whose new book is all about cyberweapons.
DAVID SANGER: Cyber is not included in any of these discussions with North Korea. They want to do nuclear, bio, chem. And yet cyber is the only weapon that they've actually used against us and used effectively.
SHAPIRO: North Korea used cyberweapons against the U.S. in the 2014 hack of Sony Pictures to catastrophic effect. And Sanger's book describes a raging cyber war happening just below the surface of public perception. The U.S. and Israel attack Iran. Russia and China attack the U.S. Sanger's new book is called "The Perfect Weapon." One story he tells in detail is about the Sony hack, which began with North Korea getting upset over a movie called "The Interview" about two journalists who plot to kill Kim Jong Un.
SANGER: The North Koreans wanted to stop it. The first thing they did was the very logical thing you'd want to do whenever you wanted to stop a movie. They wrote a letter to the secretary general of the United Nations and asked him to stop it.
SHAPIRO: Sure.
SANGER: When that failed, they put some code into the Sony Pictures Entertainment computer system. And what was fascinating about this was that they put it in, and then they were patient - very patient. They put it in in September of 2014. And they used a few months to map the entire computer system at Sony Pictures Entertainment. Now, the code was designed to melt down Sony's computer systems, melt down the hard drives.
And right around Thanksgiving of that year, months after they had first gone in, that's exactly what they did. The only people whose hard drives really got saved that morning were those who were smart enough to reach behind their computers and unplug them, literally pull the plug so the hard drive stopped spinning. Everybody else lost their data. We didn't know at that time the North Koreans could do this.
SHAPIRO: So this North Korea-U.S. dynamic points to something that you make clear throughout the book, which is that cyberweapons are a great equalizer.
SANGER: They're an equalizer, Ari, because while they are not as powerful as nuclear weapons - at least so far they're not - they have a bunch of attributes that nuclear weapons do not. A cyberweapon is the ultimate short-of-war weapon. You can target it to a specific group of computers. You can dial it up to be more powerful. You can dial it down. You can make sure that your tracks are hidden, or you can be incredibly obvious about it as the Russians were, by and large, in their hacks during the election season. So it's a much more usable weapon.
SHAPIRO: I want to ask you about that phrase short-of-war weapon because you describe a lot of instances in this book where if the perpetrator had used traditional weapons to carry out what they did with cyberweapons, it would have been an act of war. You know, if the U.S. sent a missile to hit Iranian centrifuges instead of sending a Stuxnet virus to do it - I should say the U.S. and Israel because it was a joint effort - that would have been an act of war. So why do we consider these cyberattacks something short of war?
SANGER: It's a fascinating question. And I've spent a lot of time sort of wrestling with this. Why is it - if the effect is the same as hitting something with a missile or sending in a saboteur and blowing something up, why is it we don't react that way? You know, the Sony hack's a really good example. What happened to the North Koreans for this? President Obama issued a weak series of sanctions that I'm sure the North Koreans never noticed amid all the other sanctions...
SHAPIRO: Right.
SANGER: ...That are on North Korea. So we have not internalized the thought that it can be an attack even if you don't see the smoking, charred remains of the building on TV.
SHAPIRO: Which teaches hostile countries that they can get away with it.
SANGER: It's why it's the perfect weapon.
SHAPIRO: Knowing that North Korea has attacked the United States using cyberweapons, knowing how powerful a weapon this can be, how did you feel watching the Singapore summit with all this talk about nuclear weapons that have never been used against the U.S. and no talk whatsoever about the cyberweapons that are a very real and present danger?
SANGER: Well, look; I've been covering nuclear weapons and the North Korean nuclear program since the late-'80s when I was a reporter posted in Tokyo. So I deeply believe we've got to deal with the North Korean nuclear program. But we have completely failed to recreate in the cyber world the kind of deterrence that got created in the nuclear world. Now, the nuclear analogies do not work for cyber.
They don't work because you don't know entirely where the attack is coming from and because there are so many players and because there are so many different targets. And many cyberattacks are going to be below the threshold at which you're going to go respond. So we need a different kind of deterrence put together. And we need it first for places like North Korea.
SHAPIRO: President Trump's biggest public action on cybersecurity was to eliminate the position of national cybersecurity coordinator, which he did last month. Now those responsibilities go to John Bolton, his national security adviser who has many other responsibilities, too. How big of a deal is this change?
SANGER: Well, we don't know yet, but I suspect it's a pretty big deal. I mean, think about this. Every year for the past four or five years when the national intelligence threat assessment comes out, the biggest single threat that they identify to the United States are cyberthreats.
SHAPIRO: Bigger than terrorism.
SANGER: Bigger than terrorism, bigger than the possibility of nuclear war breaking out. Cyber has been No. 1. And the White House response to this is to take the cyber coordinator's job and eliminate it.
SHAPIRO: And they haven't given a good explanation for why they eliminated the job.
SANGER: They have - they certainly have not. And, you know, certainly it could not be that we're over-coordinated because if you talk to anybody in the U.S. government, they will tell you that even the basic responsibilities of who's responsible for defending certain parts of the United States are all over the map.
SHAPIRO: It is really clear from your book that the U.S. is totally unprepared for a major cyberattack. What would it take for the U.S. to get there?
SANGER: Well, what worries me the most out of my reporting is that in some ways we're better prepared for the big attack, the cyber Pearl Harbor...
SHAPIRO: Yeah.
SANGER: ...Than we are for the everyday attacks.
SHAPIRO: Yeah.
SANGER: What worries me the most is time and time again we get taken by surprise because something that is of vital importance to the way America operates is left unprotected. It probably would take that cyber Pearl Harbor - and I'm sad to say that, but there are a lot of people who believe that you don't actually get the United States to kick into gear politically behind something until there is something so big that you can't ignore it.
SHAPIRO: That leaves a lot of room for countries to do a lot of mischief in the meantime.
SANGER: That's right. And they're going to figure out ways to do it without triggering that cyber Pearl Harbor.
SHAPIRO: David Sanger, thanks so much for talking with us today.
SANGER: Thank you.
SHAPIRO: He's national security correspondent for The New York Times. And his new book is "The Perfect Weapon: War, Sabotage, And Fear In The Cyber Age." It comes out next week.
(SOUNDBITE OF PINDARIC FLIGHT'S "LIMON") Transcript provided by NPR, Copyright NPR.