TERRY GROSS, HOST:
This is FRESH AIR. I'm Terry Gross. The U.S. government has long complained about Chinese hacking and cyber attacks, but leaked documents show that the U.S. National Security Agency managed to penetrate the networks of a large Chinese telecommunications firm and gather information about its operations. In addition, the NSA planned to exploit the equipment the Chinese firm sells to other countries so that the U.S. could penetrate those countries' computer and telephone networks as well.
That's what our guest, New York Times national security correspondent David Sanger, has reported, based in part on material leaked by former NSA contractor Edward Snowden. Sanger's earlier reporting revealed the origins of the Stuxnet cyber worm, designed to sabotage Iran's nuclear centrifuges. His latest book, "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power," is now out in paperback. He spoke with FRESH AIR contributor Dave Davies.
DAVE DAVIES, HOST:
Well, David Sanger, welcome back to FRESH AIR. Let's begin by explaining just - tell us just exactly what Huawei is, this Chinese company, what it does.
DAVID SANGER: Huawei is a Chinese Internet and communications company. It was founded by a man named Ren Zhengfei, who is a former People's Liberation Army engineer, though he didn't work in Internet work at the time. Mr. Ren has been very successful at building up a company that is now the third largest provider of smartphones in the world after Samsung and Apple, but is better known in the industry for the large servers that they build that compete with companies like Cisco Systems here in the United States that make up the backbone of the Internet.
These are the equipment that a company would put in place, or a government would put in place, to run their Internet connectivity. The one place where they've really had a very difficult time is the United States because U.S. authorities have blocked their efforts to purchase companies in the U.S. over nearly a decade now, and as a result they've been able to develop very little major business in the U.S., largely out of the American concern that their equipment would be filled with what's called back doors that would enable the Chinese government or other Chinese firms to go into that equipment and burrow their way into American networks.
DAVIES: Now, you've reported recently on what some of the documents that were released by Edward Snowden tell us about American efforts to penetrate this company, Huawei, this giant Chinese telecommunications firm. What were they up to?
SANGER: David, what we knew in public was that the U.S. government and the intelligence agencies were very concerned about Huawei and concerned about whether or not they could be a way in for the Chinese military or Chinese intelligence agencies to burrow into American networks. What we didn't know until these documents, which we published along with Der Spiegel, the German news magazine, is that while the U.S. government was expressing its concerns about Huawei, it was also burrowing into Huawei's own networks.
It had gotten into their main servers in Shenzhen, the industrial city that is just north of Hong Kong, and managed to get into the communications of all of Huawei's top leadership. But they did more than that. The program which we wrote about, which was called Operation Shotgiant, based on documents that seem to date from around 2010, describe an effort to both learn whether or not Huawei is a front for the Chinese government but also learn their way through the Huawei servers so that when Huawei sold its equipment to Kenya or to Cuba or to any of a number of other countries, some of which are listed in the documents, the NSA would have a way to get into those countries' communications through the Huawei equipment.
Now, this has all sorts of levels of fascination. First of all, it means the NSA was doing to Huawei exactly what the American government, the U.S. government, was warning Huawei and the Chinese could do to the U.S. But it also tells you that the NSA was highly aware of the fact that many countries will not buy American-made equipment, say from Cisco, or cloud services from Google or from Microsoft, and they were increasingly concerned that they needed a way into the networks of countries that buy Chinese.
And so what it meant was the NSA was learning how to get into these systems, whether or not the Chinese were also in these systems.
DAVIES: Now, this is remarkable. If I understand this, what you're saying is this was an effort to get into this big, giant telecommunications firm in China, Huawei, and then through it to essentially plant software and equipment it would sell around the world so that American intelligence officials would then in effect have their own spyware surreptitiously planted all over the world.
SANGER: That's right, or at least the capability to do that. Now, we know something from previous documents that we have seen both in the Snowden trove and other reporting that we have done and written about even earlier this year about the NSA's capability to put what are called implants in networks around the world. And we reported back in January that that effort has now reached somewhere between 80,000 and 100,000 implants on networks and computers globally, and that number could actually be significantly higher now.
Now, let's remember what implants are and are not. An implant does not necessarily mean that you are spying on that network currently, but it does mean that you have put some software in that if undiscovered would enable the NSA to go in and monitor those networks at a minimum and in some cases be able to go in and introduce malware, some kind of offensive cyber operation against those networks in the future if they needed to.
That's what's so fascinating about this current cyber-Cold War underway between the U.S. and the rest of the world, because the U.S. wants to make sure that even if it does not make use of offensive cyber weapons now, something you could only do with authorization by the president, that it's ready to go do it in these networks in the future.
So to the NSA, this is the equivalent of what the Air Force does when they map out potential targets all around the world using satellite photographs or GPS. It's understanding what the battlefield looks like, preparing to target your adversary but not necessarily acting unless you receive specific orders to do so.
DAVIES: So what did the U.S. hope to learn with this operation?
SANGER: The main priorities were laid out in the document itself. And the document which dates from 2010, said, and here I'm quoting: If we can determine the company's plans and intentions, we hope that this will lead us back to the plans and intentions of the PRC, using the initials for the People's Republic of China.
But the NSA document makes it clear that they saw one more opportunity, that as Huawei invested in this technology, as it laid its underground cables for what's now a $40 billion company, that they hoped that the NSA would gain access to what the document called key Chinese customers and targets, including, and here I'm quoting, high-priority targets: Iran, Afghanistan, Pakistan, Kenya and Cuba.
And if you go into Huawei's annual reports and their press releases, you'll see that all five of those countries are Huawei customers.
DAVIES: What kind of information would the United States actually be getting or seek to get from those countries if they were successful?
SANGER: Well, if those countries actually buy the Huawei equipment and put them onto their most sensitive networks, you'd get all their communications. You would get what government leaders are emailing to each other. You might get military plans. When you think about those countries, Iran obviously a major adversary, a major target, one of the great mysteries that the U.S. intelligence agencies are trying to pursue as they conduct the negotiations with Iran, to make sure that there are no additional nuclear sites that they don't know about, that haven't been declared, you would think that would be a high priority.
In Afghanistan, you know, it's an ally where we deeply mistrust the current government of President Karzai. Pakistan, I mean here's a country with 100 to 200 nuclear weapons and the largest insurgency around and an intelligence service in the ISI that we are concerned frequently is supporting the Taliban, even while working with the U.S. All of these are Huawei customers. So it would be very understandable that the NSA would want to be into their networks.
DAVIES: Right, now just to be clear about this, I mean what the Snowden documents tell us is that there was this effort on the part of the American intelligence, Operation Shotgiant, to penetrate this Chinese firm and potentially, you know, infuse software into equipment it was selling abroad. Do we know that that actually happened, that people have bought stuff from this Chinese firm that has American spyware in it?
SANGER: We don't know that that happened, and that's both the fascination and the frustration of dealing with these Snowden documents. You know, I think people think that if you look at the Snowden documents, they will tell all, but that's not the case. The Snowden documents are by and large PowerPoints about programs that are underway. They tell you about plans, intentions and priorities. They don't tell you very much about successes and failures unless one was cited as an example in one of these PowerPoints.
So he didn't seem to have much access to live intelligence, at least in the documents that have so far been made public or that we've seen, but he did have a lot of access to the innermost programs, including ones like Shotgiant.
DAVIES: What does the Obama administration have to say about these revelations?
SANGER: They say very little about these revelations, as they say very little about almost all such revelations that come out of the Snowden documents. They do say this, though. They try to distinguish between the kind of cyber espionage that we're worried about in the daily attacks on the United States from China and elsewhere and the kind of work that the NSA does.
So they say the following. They say the United States only spies for national security purposes. It does not go in and steal trade secrets the way they accuse the Chinese of doing, so that they can then give those trade secrets to American companies. So they charge that what makes the Chinese activities in the U.S. illegitimate is that the Chinese go into American corporations or into government sites, try to steal information and then give it to state-owned or state-affiliated companies.
The U.S. says if it goes into a foreign site, it goes into them with the intention of gaining national security information for the United States but not with the intention of commercial advantage. This is a big deal to the U.S., and it's a very American way of thinking about this. It somewhat puzzles the Chinese and many other countries for whom their state-owned industries are part of their national security structure.
And they sort of look and don't really understand what it is that the United States is trying to accomplish by making this distinction.
DAVIES: You note that an American official of Huawei, this Chinese telecommunications firm, said that if in fact the Americans have penetrated, you know, Huawei's internal communications and communications of its leaders, that should show them that the company is an independent commercial enterprise, has no unusual connections to the Chinese government and is not a military asset. Are you in a position to evaluate that claim?
SANGER: Well, that was the claim made by Bill Plummer, who is a Huawei executive here in the United States, an American, who has been in the forefront of defending the company against these many investigations. But we don't know enough from what the results of Shotgiant were or other collection activities to know whether the United States has real evidence that the Chinese government, the People's Liberation Army, are actually using Huawei as a front, as the U.S. government has warned, or whether in fact it is a truly independent company, as Huawei executives like Mr. Plummer insist.
DAVIES: We're speaking with New York Times national security correspondent David Sanger, and we'll talk some more after a break. This is FRESH AIR.
(SOUNDBITE OF MUSIC)
DAVIES: This is FRESH AIR, and we're speaking with the New York Times national security correspondent David Sanger. He's been writing about cyber warfare and in particular about activities involving the Chinese telecommunications firm Huawei. His most recent book is "Confront and Conceal."
How have the Chinese reacted to your story about Huawei?
SANGER: They've reacted with outrage and what some might regard as false outrage. They have accused the United States of doing exactly what the U.S. accuses China of doing. What's interesting is the story came out by coincidence just two days before President Obama met with Xi Jinping, China's president, in The Hague last week. And we were told by the White House briefers that this case, the Huawei case, was specifically raised by President Xi in his meeting with President Obama, and we didn't get many details about what took place in that conversation other than that President Obama simply said that if the United States ever conducts cyber or other attacks or espionage, it does so purely in the national security interests of the U.S. and does not try to use that information for competitive advantage.
I'm not sure that Mr. Xi was necessarily impressed with that answer, but it's completely consistent with what the U.S. says in public.
DAVIES: What other Chinese institutions do U.S. intelligence authorities believe have been involved in hacking and cyber attacks?
SANGER: Well, last year we wrote about Unit 61398, which is a unit of the People's Liberation Army, it's based outside of Shanghai, near the Shanghai airport, and it's one of many Chinese military units that there is plenty of evidence to suggest are actually fronts for hacking groups. Unit 61398 has frequently been considered a front for a group called Comment Crew, that has been very active in breaking into American corporations, into government sites and so forth.
Now, we wrote that initial story that described Unit 61398 and showed photographs of the building in which they're located, in February of 2013. And we thought that with the revelation of the group and their links to the Chinese PLA that that would probably force the group to go underground for a while. We were wrong. We now know that about a dozen PLA units aside from Unit 61398 do their hacking from various eavesdropping posts around China and that while their targets were initially government agencies and foreign ministries around the world, they've actually expanded to the private sector as well.
So one group that we looked at hacked into the Pentagon's network, but now that group now targets telecom and technology companies that specialize in networking and encryption equipment, including some of Huawei's competitors. So this is very much a two-way battle that's underway, hidden, but it really tells you where the focus and the efforts of both American and Chinese intelligence agencies and their militaries are these days.
DAVIES: You wrote, I think, that there was a recent attack on some Navy computers. There was this attack you just referred to on Pentagon computers. What's been the impact of these hacking and cyber efforts on the part of the Chinese?
SANGER: Well, the Chinese get the bulk of the attention, although they are not the only operator in this sphere. In fact, if you ask cyber-professionals who do you worry about the most in the cyber realm, attacks on the United States, they'll probably start by saying the Russians because they're very careful and very sophisticated, that the Chinese are omnipresent but not quite as sophisticated, at least so far, and not as careful, so you're more likely to discover them.
And then right behind them, Iran and North Korea. And it's Iran that is believed responsible for a very major attack about a year and a half ago on the computer systems of Saudi Aramco, a major refiner in Saudi Arabia, and on some American banks. And North Korea is believed responsible for a number of attacks on South Korean media companies and banks last year.
So it's not just the Chinese. But what is so fascinating here is the pervasiveness of it. Now, one of I think the notable things we were able to do in the story that appeared last week about Huawei is make the point that while the United States frequently portrays itself as the victim of this kind of hacking, and it is, it's also conducting a fair bit of espionage and in some cases putting these implants in place itself.
And so it raises the question, if the U.S. and China were ever to come up with some norms of behavior, would we be able to adhere to whatever norms we agreed to?
GROSS: David Sanger will continue his interview with FRESH AIR contributor Dave Davies in the second half of the show. Sanger is a national security correspondent for the New York Times. I'm Terry Gross, and this is FRESH AIR.
(SOUNDBITE OF MUSIC)
GROSS: This is FRESH AIR. I'm Terry Gross. Let's get back to Dave Davies' interview with David Sanger, the national security correspondent for the New York Times. He's reported extensively on cyber espionage. His recent article, based in part on documents leaked by Edward Snowden, revealed that the U.S. National Security Agency penetrated one of China's largest telecommunications companies. Sanger has also reported on Chinese cyber attacks against the U.S.
DAVIES: There was a fascinating example that you described involving an attack on Coca-Cola, and the circumstances were interesting why they were penetrated at that moment. Do you want to tell us that story?
SANGER: Sure. There was a case a while back now, we wrote about it last year when we wrote about Unit 61398, in which Coca-Cola was trying to acquire - as I recall - a Chinese company. And all of a sudden, they were the recipient of a number of attacks that appeared to be based out of China to figure out their true intentions. Now that could have been just for negotiating advantage. Maybe the attackers were hoping to get documents that would indicate just how much Coca-Cola was willing to pay or on what terms. What's fascinating there is it gets to the American point, which is true, that the Chinese frequently spy on behalf of their companies for commercial advantage. Now the U.S. does not do that.
DAVIES: And in this case, it was a Chinese military unit...
SANGER: That's right.
DAVIES: ...getting information from Coca-Cola about their negotiating strategy.
SANGER: At least it appeared to be from a Chinese military unit. You know, one of the big problems of the cyber Cold War is that attribution - figuring out where an attack came from - is a very difficult thing. So you can trace an attack back to a neighborhood or a set of servers, but figuring out whether or not it was Unit 61398 sitting up in that big, white tower with hundreds or thousands of hackers working in it is difficult. It could be that the hackers were in the noodle shops around the neighborhood, but that would seem unlikely. But you can't get back to pinpoint things directly. On top of this, the Chinese are very good at making sure that attacks appear to be coming from someplace different from them where they're actually coming from.
So let me give you an example that struck close to home. When there was a Chinese attack on The New York Times computer systems about a year and a half ago, after my colleague, David Barboza, wrote a series of stories about how the family of the then Chinese premier had gotten so filthy rich, the attacks appeared to be coming from a university in the American South. Well, it just turned out that that university system had been taken over by the actual attacker so that they could use their broadband capability to launch the final stage of the attack. I'm sure no one in the university even knew it was happening. So this is not like the nuclear age where you can go into a big cave somewhere in Colorado and flip on a giant screen and see where the missiles are coming from, because in a cyber attack you may never know where the actual attack was launched.
DAVIES: And in that case, where there was this attack on The New York Times, what did it accomplish?
SANGER: It was an effort - it appeared to us - to go through The Times systems and determine who Mr. Barboza's sources were. Now most reporters I know don't keep source information in our computer system, but they did a very good job of grabbing the passwords of many Times correspondents and then making their way through the system. And I've worked for The New York Times for a long time. I don't think I've ever figured out my way around The Times computer system...
SANGER: ...as well as the Chinese did in a few months.
DAVIES: You reported in your book and in The Times about the attack on the Iranian centrifuges as part of their nuclear program that the cyber attack by the United States and Israel. And he also reported recently that the NSA and the Pentagon develop plans for a cyber attack against the Assad regime in Syria - which is, of course, a very thorny policy dilemma for the United States. What do we know about these plans for a cyber - offensive cyber attack?
SANGER: Well, what we know in the case of Iran is what happened in Operation Olympic Games. That was the attack on the centrifuges that enrich uranium at the Natanz nuclear site in Iran. That program began under the Bush administration and proceeded through the Obama administration, was ramped up by President Obama, until an accident occurred in 2010, in which a new piece of software was introduced, either by the United States or Israel - they were developing software together for this program. And it escaped from the plant and suddenly was copied around the Internet, around the world. And this program that the United States had held deeply secret was suddenly evident to much of the world. Now it took a lot of reporting to go figure out what the origins of the program were, that it was in fact the NSA and its Israeli equivalent. But the basis of the story was the actual software that escaped.
Now Syria is a more complex case. The idea in Syria was to see whether or not you could do a version of what was done in Iran and actually attack some of Assad's military systems, some of their communication systems, maybe, if necessary, even parts of the electric power grid that supplies the military and bring those systems down without ever firing a shot. But it turns out that targets like Syria, which are a lot less wired than many societies we know around the world, are extremely difficult targets. They're difficult because their computer systems are not fully networked because our access to them is poor. And so we discovered in the Syria case that it wouldn't be as easy to launch a cyber attack on Syria partly because of the government's backwardness as it was in a place like Iran.
DAVIES: When you talk about launching an offensive cyber attack in a circumstance like this as an instrument of policy, it raises a lot of, you know, I guess moral and policy questions, as do some of the United States' efforts in China. You know, we've seen this trade-off between civil liberties and security internally as, you know, we look at U.S. surveillance within the United States and there's sort of a similar question about how we behave internationally. Do these activities correspond to, you know, our principles and our image of ourselves in the world? How do you consider those questions?
SANGER: Well, David, it's a fascinating question and it's exactly the reason that we write about offensive American cyber activities. We're not just writing up these stories because they're cool technological stories - although they are - or because they give you some insight into the American competition with Iran or with China - although they do. But we write them, in part, because this is an entirely new field of conflict. I wouldn't say warfare, but conflict between nation states, and it's one that we have barely debated as a country. They do raise all kinds of issues.
President Obama wanted to be very careful when he was ordering the attacks on Iran that these attacks did not hit the power plants that run hospitals or would affect ordinary Iranians. He wanted something highly targeted at the Iranian nuclear program. He did that because he was concerned that the United States not get a reputation of just going out and turning out the lights on an entire country. But he was also concerned because he didn't want to establish a precedent that one day could be used against us because which country in the world is most vulnerable to cyber attack? Clearly, the United States. It's our power plants. It's our cell phone networks. It's our emergency responder systems that are all vulnerable to similar attacks. And if the U.S. doesn't lay out some very strict rules about how we would use cyber weapons, you could hardly expect that anybody else would.
But the difficulty here is that the U.S. barely acknowledges even possessing cyber weapons. It has never acknowledged its role in the Iran attacks. It has never acknowledged Olympic Games, which was the code word for the U.S. program that the NSA ran against Iran. And only in recent times and congressional testimony have there even been extensive discussion of the fact that the U.S. now takes cyber units that it has created and puts them out with other military units - the Marines, the Air Force, the Navy - in support of their traditional military capabilities. So we're at the point right now where we're deploying cyber units before we've had much debate in this country about whether or not we really want to be using cyber weapons.
DAVIES: We're speaking with New York Times national security correspondent David Sanger. We'll continue our conversation after a short break. This is FRESH AIR.
(SOUNDBITE OF MUSIC)
DAVIES: This is FRESH AIR. And if you're just joining us, we're speaking with New York Times national security correspondent David Sanger. We are talking about some of the pieces he's written recently about cyber warfare. He's also the author of the book "Confront and Conceal."
Defense Secretary Chuck Hagel recently had some things to say about U.S. cyber warfare policy. What did he say?
SANGER: Well, the main thing that he said was that if the United States uses a cyber weapon, it will use it sparingly and in the most limited way. And what that was codeword for is a decision that President Obama codified in a document called Presidential Decision Directive 20, which came out in an unclassified form when it was signed about a year and a half ago, and then came out in classified form thanks to Mr. Snowden. It was included in the trove. And one of the things that that tells you is that the president has reserved for himself the decision about when to conduct an offensive cyber attack. So basically, just as the president must sign off on any use of nuclear weapons and I'm sure chemical and biological and so forth, just as he keeps a very close eye on drone attacks, he is reserving to himself the power to use cyber weapons and wants to use them in a limited way. But the U.S. has never described what that limited way is.
And the reason you hear for that is well, this is all classified and so forth and so on, but partly I think it's because this is still a raging debate in the U.S. about when you would use cyber. So, if there is a cyber attack on the United States, would we do a cyber attack in return against another country? Well, that depends on how big it was. And clearly we didn't respond to many of the attacks on American banks or other companies in the past, but we might if, say, the entire East Coast was shut down with an attack on the power grid.
So the U.S. is trying to leave some ambiguity in what its response would be and how broad that response would be in hopes of building some deterrent capability. You'd think though, the deterrent would be stronger if there was a little more transparency about what our cyber capability was.
DAVIES: You mean in the way that, you know, mutually assured deterrence doesn't work unless people know what kind of weapons you have?
SANGER: That's right. So, you know, in the nuclear age, as you referred to, MAD, or mutually assured destruction, was a policy that came out in part to try to make sure that nuclear war never happened. And it was rooted in the fact that there was no such thing really, as a limited nuclear war - though some argued in their favor. Once this started it could escalate in a large way. And there are a lot of people who argue that we need the same thing in the cyber arena. But, of course, all analogies are imperfect and nuclear analogies are usually imperfect.
And so in cyber there are two problems. One is you can imagine a limited cyber war, one in which American companies are attacked but, say, the utilities or the stock market or the cell phone network is not. And secondly, you have the difficulty that in the nuclear age, we knew exactly who had their finger on the button, you know, we could identify individual Soviet units or Chinese units that were in command of their nuclear arsenal. But in cyber, it's not just governments that own the weapons. There are criminal groups - think of the Eastern European criminal group that attacked Target and stole those credit card numbers late last year. There are patriotic groups - think of the pro-Russian groups that attack Estonia and Georgia back in 2007 and 2008 and may be responsible for some of the more limited attacks we've seen in Ukraine. And then, of course, there are teenagers. And the thing about criminal groups and teenagers and others is they don't sign treaties. So the analogy to the old days of nuclear may be limited.
DAVIES: You know, there have been reports recently of the Obama administration obtaining information about phone calls and emails of news organizations without notifying them and a lot of cases of aggressive government questioning and investigations of officials and former officials about their contact with the reporters. Has this changed the kind of reporting you can do? Do you find it different when you call government officials these days?
SANGER: Oh, yes. It certainly is. This is a much tougher environment to conduct reporting in than any time I can remember in my time in Washington or as a foreign correspondent for The Times. The Obama administration has pressed more leak investigations, conducted more leak investigations, launched formal inquiries or in some cases criminal cases than all previous presidents combined.
And it was only recently after the revelation last year of some of the monitoring of some reporters and the Associated Press that Attorney General Eric Holder issued some new guidelines within the Justice Department that are meant to limit to some degree the way they can intrude on the communications of reporters and so forth. And that came after a number of meetings with different news organizations.
But the fundamental fact remains that the atmosphere right now is so difficult, particularly for those of us who have written things that have become the focus of investigations and the story about the Olympic Games - the attacks on Iran has been the subject of one such investigation.
DAVIES: Did you ever have any indication the government was after you?
SANGER: After the publication of "Confront and Conceal" and the excerpts in The Times, the government announced a significant investigation into the disclosures there and in other stories that they announced at the same time The Times had run coincidentally earlier that week - a major story on drones and the president's - what became known as the president's kill list.
There were stories that the AP had run about Yemen. So they all became the subject of investigations. And these investigations all have a chilling effect on later stories that you do, even if the later stories are on completely different subjects. I think there's a lot more concern inside the U.S. government right now about being found to be talking to reporters even if you are talking about something that is unclassified or something that's a policy question.
And so as I indicated before, it's understandably difficult to get American officials to talk about their plans for potential cyber attacks or cyber defenses. I understand that, but it's also been very difficult to get government officials to talk about our policy about using these cyber weapons as a tool of American power. And that's what worries me, because in a healthy democracy I think the American citizens have to be at least informed of, and maybe participate in, the debate about how we want to use these weapons since we are vulnerable to them ourselves.
DAVIES: Well, David Sanger, it's been good to have you back. Thanks so much.
SANGER: Thank you, David. Great to be with you and thanks for spending the time to explore these issues.
GROSS: David Sanger is the national security correspondent for the New York Times. He spoke with FRESH AIR contributor Dave Davies. Coming up, rock critic Ken Tucker reviews a new folk rock album by Jon Langford of the punk band The Mekons. This is FRESH AIR.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.