Why Hackers Aren’t Afraid of Us

a group of finance ministers to simulate a similar attack that shut down financial markets and froze global transactions. By several accounts, it quickly spun into farce: No one wanted to admit how much damage could be done or how helpless they would be to deter it.

.. something has changed since 2008, when the United States and Israel mounted the most sophisticated cyberattack in history on Iran’s nuclear program, temporarily crippling it in hopes of forcing Iran to the bargaining table.

.. the sophistication of cyberweapons has so improved that many of the attacks that once shocked us — like the denial-of-service attacks Iran mounted against Bank of America, JPMorgan Chase and other banks in 2012, or North Korea’s hacking of Sony in 2014 — look like tiny skirmishes compared with the daily cybercombat of today.

.. Yet in this arms race, the United States has often been its own worst enemy. Because our government has been so incompetent at protecting its highly sophisticated cyberweapons, those weapons have been stolen out of the electronic vaults of the National Security Agency and the C.I.A. and shot right back at us.

.. the WannaCry ransomware attack by North Korea last year, which used some of the sophisticated tools the N.S.A. had developed.

.. Nuclear weapons are still the ultimate currency of national power, as the meeting between President Trump and Kim Jong-un in Singapore last week showed. But they cannot be used without causing the end of human civilization — or at least of a regime. So it’s no surprise that hackers working for North Korea, Iran’s mullahs, Vladimir V. Putin in Russia and the People’s Liberation Army of China have all learned that the great advantage of cyberweapons is that they are the opposite of a nuke: hard to detect, easy to deny and increasingly finely targeted. And therefore, extraordinarily hard to deter.

.. Cyberattacks have long been hard to stop because determining where they come from takes time — and sometimes the mystery is never solved.

.. Today cyberattackers believe there is almost no risk that the United States or any other power would retaliate with significant sanctions, much less bombs, troops or even a counter cyberattack.

.. “They don’t fear us,”

.. At the State Department, the eviction took weeks, shutting down systems during negotiations on the Iran nuclear deal. The hackers were even bolder at the White House. Instead of disappearing when they were exposed, they fought back, looking to install new malware as soon as the old versions were neutralized.

.. It appears the attackers just wanted to prove they could go, and stay, anywhere in the American government’s network.

.. the United States never called out the Russians for what they were doing.

.. If Mr. Putin thought there was no price to be paid for invading White House systems, why wouldn’t he attack the Democratic National Committee?

.. By the summer of 2016, some Obama administration officials, waking to the threat, proposed counterstrikes that included exposing Mr. Putin’s hidden bank accounts and his ties to the oligarchs and cutting off Russia’s banking system. But the potential for escalation caused Mr. Obama and his top aides to reject the plan.

“It was an enormously satisfying response,” a senior American official told me later, “until we began to think about what it would do to the Europeans.”

Mr. Obama also understandably feared that anything the United States did might provoke Mr. Putin to tinker with election systems just enough to give credence to Donald Trump’s warning that the system was “rigged.”

.. Since the election, the American retaliation has included closing some Russian consulates and recreation centers and expelling spies — actions one Obama national security official called “the perfect 19th-century solution to a 21st-century problem.”

.. The wide-open vulnerabilities in America’s networks have essentially deterred the United States from credibly threatening retaliation against the Russians, the Chinese, the North Koreans and the Iranians.

.. One way to start is to make sure no new equipment goes on the market unless it meets basic security requirements. We won’t let cars on the road without airbags, so why do we do less with the systems that connect them to the internet?

.. Second, we must decide what networks we care most about defending — and make those priorities clear. Mr. Mattis’s threat to turn to nuclear weapons hardly seems credible — unless the cyberattack would create an existential threat to America. That requires an intensive public review of what is critical to our nation’s survival.

.. President Trump forfeited the perfect opportunity when he decided against a commission to learn the larger lessons from the 2016 election.

.. the United States needs to end the reflexive secrecy surrounding its cyberoperations. We need to explain to the world why we have cyberweapons, what they are capable of and, most important, what we will not use them for.

.. it is in the nation’s interests to develop global norms clarifying that some targets are off limits: election systems, hospitals and emergency communications systems, and maybe even electric power grids and other civilian targets.

.. Microsoft’s president, Brad Smith, has proposed digital Geneva Conventions that begin to establish those norms, outside the structure of governments and treaties.

.. Intelligence agencies hate this idea: They want the most latitude possible for future operations in an uncertain world. But in any arms control negotiation, to create limits on others, you need to give up something.

The Voter Purges Are Coming

The Trump administration’s election-integrity commission will have its first meeting on Wednesday to map out how the president will strip the right to vote from millions of Americans.

.. the Justice Department’s civil rights division. It forced 44 states to provide extensive information on how they keep their voter rolls up-to-date. It cited the 1993 National Voter Registration Act, known as the Motor-Voter law, which mandates that states help voters register through motor vehicle departments.

The letter doesn’t ask whether states are complying with the parts of the law that expand opportunities to register. Instead it focuses on the sections related to maintaining the lists. That’s a prelude to voter purging.

.. Here’s how the government will use voters’ data. It will create a national database to try to find things like double-voters. But the commission won’t be able to tell two people with the same name and birthday apart. Such errors will hit communities of color the hardest. Census data shows that minorities are overrepresented in 85 of the 100 most common last names.

.. Purging voters is part of a larger malicious pattern that states have employed across the country. Georgia and Ohio are being sued for carrying out early versions of what we can expect from the Trump administration.

.. Mr. Kobach has been at the vanguard of a crusade against Motor-Voter and has been sued at least three times for making it harder for Kansans to vote. Before the 2016 election, he illegally blocked tens of thousands of voters from registering. Mr. Blackwell rejected registration forms because they were printed on paper he thought was too thin. Mr. von Spakovsky has led numerous unsuccessful legal efforts to diminish voter participation and to fight voting rights. Mr. Adams published personal information about people whom he wrongly accused of committing multiple felonies in a flawed hunt for fraud.

.. my biggest fear is that the government will issue a report with “findings” of unsupported claims of illegal voting, focused on communities of color.

.. These wild claims won’t be just hot air. Members of Congress will seize on them to turn back protections in federal law. States will enact new barriers to the ballot box. Courts will point to the commission’s work to justify their decisions.

.. The irony is that there are serious threats to our voting systems,
  1. from cyberattacks to aging machines to
  2. Russian interference to
  3. discriminatory voter ID laws at the state level.
Those are the real problems, but that’s not what the commission was created to address.