Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

Journalist Warns Cyber Attacks Present A 'Perfect Weapon' Against Global Order

DAVE DAVIES, HOST:

This is FRESH AIR. I'm Dave Davies in for Terry Gross, who's away today. The day before Christmas Eve in 2015, the lights suddenly went out for more than 200,000 citizens in Ukraine. Operators of the nation's power grid found their computer screens frozen while malware inserted in their systems prevented them from regaining control. The shutdown was the work of Russian hackers. And our guest, David Sanger, says cyberattacks are increasingly common in the modern world and that electric grids and nuclear plants in the United States have been implanted with code that may be used in such an attack.

Sanger's new book is about the growing threat and use of cyberwarfare. He says American officials were slow to recognize the threat Russia posed to the presidential election campaign of 2016 and are still trying to decide how to defend the nation against cyberattacks and under what circumstances the U.S. will wage cyberwar on other countries. David Sanger is a national security correspondent for The New York Times. He shared three Pulitzer Prizes at the paper and is the author of two previous books, "The Inheritance" and "Confront And Conceal" about the joint U.S.-Israeli cyberattack on Iran's nuclear program. His new book is "The Perfect Weapon: War, Sabotage, And Fear In The Cyber Age."

Well, David Sanger, welcome back to FRESH AIR. You write in this book that any classified Pentagon scenario about a confrontation with Russia or China or Iran or North Korea, any scenario in how that might play out, it's assumed the adversary's first strike would be a cyber barrage aimed at civilians. What are we talking about?

DAVID SANGER: Well, we're talking about an effort, either by an adversary aimed at the United States or by the United States aimed at an adversary, to try to conduct a war before the first shot is even fired. That if you can so disable the adversary's electric power grid, the cellphone system, emergency response, the communications to their defenses, in some cases even their ability to launch a nuclear weapon or just an ordinary missile, then you've kind of won before any shot was fired. And it's entirely conceivable that you could achieve your political objectives before you actually started shelling anything or dropping bombs.

DAVIES: A cyber Pearl Harbor some people would say.

SANGER: Yes, Dave, exactly. That's the concept of a cyber Pearl Harbor, which is something we don't see coming. And that's the reason that people get so unhappy when they read headlines - and I've written many of these stories - that the Russians or the Iranians or someone have placed implants in our utility grid, our other computer systems, so that they would be able to go turn off computer systems at any moment. And we know right now, for example, that the Department of Homeland Security has warned of a very extensive amount of malware, which is essentially what an implant is, that's in the American utility grid. The problem here is we don't see this the same way when someone's doing it to us than when we're doing it to someone, right?

So we hear that the Russians have put implants in our grid, and we say, oh, my goodness, somebody is getting ready to go turn off the power at any moment of conflict. When we do the same to other countries - and believe me; the National Security Agency and its military sidekick, the United States Cyber Command, does put these implants in other foreign systems and probably has tens if not hundreds of thousands of them in - we say, well, we're just preparing the battlefield. We're using them for monitoring. But the fact of the matter is it's sort of like the port that a doctor puts in your body if you're being treated for cancer or something like that. The doctor can use it to monitor what's going on, but he can also use it to inject something if they decide to treat you. And that's the problem with the cyber age. You never know what that implant is there for.

DAVIES: Right. I mean, obviously, to conduct the kind of disabling cyberattack that would shut down a lot of a country's infrastructure, you have to have done a lot of work beforehand. I want to be clear about this. Are we saying that we know that there are implants in our power grid which would enable the Russians or someone else to take it down?

SANGER: We know that there are implants in our power grid. Interesting question is, if somebody made use of it, how good would it be at taking it down? And that's why for the electric utility industry and for the financial industry, they've invested a huge amount in redundancy and resilience so that if you lose some set of power plants, you could contain it, route around it and be able to pick up and go on. And you just don't know until things happen how well your adversary has wired your system to take everything down. And as you said, this takes a lot of time. The United States spent years getting inside the Iranian centrifuges at Natanz and even then had to keep working on the software to improve it. The North Koreans, when they went into Sony Pictures in 2014 in retaliation for the release of a really terrible movie called "The Interview" that envisioned the assassination of Kim Jong Un, the same friendly Kim Jong Un we all saw in Singapore the other day - when the North Koreans went in, they went in in early September of 2014. They didn't strike until around Thanksgiving because it took all that time just to map out the interconnections of the electrical system, of the computer system, and when they did strike, it was devastating. They took out 70 percent of Sony's computer servers and hard drives.

DAVIES: OK. In this book, you say that, you know, cyberwarfare is the kind of game-changing innovation that's - you compare it to the introduction of aircraft into warfare in the early 20th century and that we are still figuring out what rules or conventions should apply to it. I want to get to some of that conversation, but let's talk a bit about some of the experience that we've had over the last 10 years. You write that in 2008, a woman at the National Security Agency, Debora Plunkett, discovers something about the classified networks in the Pentagon that's troubling. What did she find?

SANGER: Well, she was overseeing security at the NSA, and somebody came to her with evidence that the Russians - though the U.S. did not announce it was Russians at the time - were deep into something called the SIPRNet, which is basically a classified network by which the Defense Department, some of the intelligence agencies, sometimes the State Department, communicate with each other. And this was a big shock to everybody because they had seen the Russians in unclassified systems before, but here they were deep into a classified system. And the first question was, how'd they get in? And the answer was so simple that it really was a wakeup call. Somebody had distributed little USB keys, you know, the kinds you get at conventions and all those kinds of...

DAVIES: Thumb drives, yeah.

SANGER: Thumb drives, right. If somebody gives you one for free, a really good thing to do with it first is throw it out. They had distributed these around and left some in parking lots in the Middle East. And people the military had picked them up, put them in their computer and, of course, inside that thumb drive was a beacon that basically got into the system and then would broadcast back out to the Russians. And that's how come when you go to military bases these days and you see older computer systems and you look at the little ports where the thumb drives would go in, they're frequently superglued over now because these have all been banned because it's such an easy way to put malware into your system.

They're not the only way. I mean, if you can get malware inside, for example, a virus protection system, the software you buy to protect your computer, that too is great because - for the adversary because it goes right into the core of the computing system. And that's the concern about Kaspersky, the Russian firm that sells virus protection. And it looks like the Russian government did in fact put something in that picked up the secret files of an NSA employee who'd taken them home. So the bottom line here is that in 2008, this attack woke everybody up, and it actually led to the creation of what is now 10 years later U.S. Cyber Command.

DAVIES: Yeah. Well, I wanted to talk about that. This was something the U.S. military hadn't really grasped or really confronted yet. How did they respond?

SANGER: Well, the problem for the U.S. military and for the U.S. government writ large - and really, for all of us - is that computers are so ubiquitous that they couldn't figure out a comprehensive way to go protect themselves because more and more people were bringing computers into the system. And when you think about the rise of the kind of computer attacks that we are now accustomed to, it maps out pretty well with the introduction of the iPhone in 2007 because at that moment everybody had a computer in their pocket. Everybody was bringing them into work. Over time, they were insisting that they get on their work networks with them. And as mobile computing has taken off, it means that something you pick up on the outside suddenly comes in on the inside of the network. It's like people being out and catching a cold and coming to the office and spreading it to everybody.

DAVIES: One of the most extensive and most effective cyberattacks that we know of in history was Operation Olympic Games, which was the joint U.S.-Israeli effort to slow Iran's nuclear program by introducing this computer malware which caused these centrifuges in Iran, which were enriching uranium, to malfunction and blow up - really effective and took a lot of time though neither countries ever formally acknowledged it. You've written a lot about this. And one of the interesting points you make is that one of the ways that a cyberattack is effective is in a subtle psychological way. What do you mean?

SANGER: It makes you fearful that you cannot trust the system you are running. So the brilliance of Stuxnet was that it went in and replicated - it took a look at how the centrifuges underground in Iran, which were these machines that that spin at supersonic speeds - how they seemed to operate normally. And so when the code went in and started speeding them up and slowing them down to destabilize them and basically make them explode, it sent false messages back up to the control room that said everything's fine. Everything's normal. You know, it's like watching a rocket take off, and, you know, all the readings you're getting back are nominal. And then all of a sudden, the rocket explodes. Well, that's exactly what happened in Stuxnet. And so you lose confidence in the instruments you have.

Now think of this in the next phases of cyberconflict. I'm not saying cyberwarfare - just low-level conflict. If you go into vote, and you are no longer confident that the vote that you put in is the way it's going to get recorded because you don't know if the Russians or someone else have gotten into the voting system, that undercuts your trust in the democratic process. If you get into your self-driving car, and you think it's going to take you to the supermarket to get some milk and eggs, but instead you have in the back of your mind the fear that it might drive you off a cliff, that subtly undercuts your confidence in getting in to drive around. And to take this to its next extreme, if you think when the president presses that red button - although there is no red button - to go launch a nuclear weapon that maybe it won't launch, then suddenly you're very fearful about what other things you may need to be able to do to defend yourself or maybe act preemptively because you no longer have confidence in your weapon systems and your defenses.

DAVIES: David Sanger's new book is "The Perfect Weapon." We'll continue our conversation in just a moment. This is FRESH AIR.

(SOUNDBITE OF AHMAD JAMAL'S "THE LINE")

DAVIES: This is FRESH AIR. And we're speaking with New York Times national security correspondent David Sanger. His new book is "The Perfect Weapon: War, Sabotage And Fear In The Cyber Age."

You write about how active China has been in using cyberweapons to gather information about U.S. activities. And it's fascinating that our own intelligence services, the National Security Agency, has been using Chinese equipment to get into - to implant our stuff into their equipment. So when it's shipped all around the world, we can find out about people all over the world. And you have a fascinating description of meeting with a private cyber investigator, Kevin Mandia, who looked into Chinese hacking. Tell us about that.

SANGER: Well, the remarkable thing about the Chinese is that they've operated differently than the Russians, the Iranians and the North Koreans. By and large, they have not done destructive hacks. So far, they haven't tried to get in our voting system the way the Russians did. They haven't tried to go blow up computer systems the way the North Koreans did. But they have done the most extensive cyber espionage programs. And the great example here was the Office of Personnel Management. OPM could be the world's most boring federal bureaucracy. It's literally the record-keeper for all of the U.S. government.

And when people would go off to get their security clearances, they would fill out these very lengthy forms that the government wonderfully calls the SF86. And this is more, Dave, than just your name and Social Security number and a couple of credit card numbers. This is the list of every foreigner you ever knew. This is the list of your kids, your parents, your spouse. This is listing everybody with whom you've ever had a relationship - both a licit or an illicit relationship. So it's a blackmailer's dream, as you can imagine. It's all of your medical history. It's all of your financial history.

And how well was this protected by the U.S. government? The Office of Personnel Management, following a mandate from Congress not to get too many expensive cloud services if they could use unused government computer space, took most of this data and put it in the Department of the Interior's computer systems, where they had the same great protections we have on, say, bison migration in Yellowstone. And the Chinese came in. They figured out where the data was located. They discovered that it was unencrypted. I mean, when you talk to your bank over your iPhone, it's an encrypted conversation. This data was unencrypted. They sucked it all up, usually at night. They encrypted it and sent it back to China. And by the time the U.S. government figured this out - and Kevin Mandia was among those who helped everybody figure this out - the U.S. government had lost 21 million files, more than 5 million fingerprints.

Now, what could the Chinese do with this? The initial fear was, oh, it will get sold on the black market. You know, this will end up being used for credit card data. And you remember. The U.S. government gave all of its employees who lost their data, you know, free credit monitoring for a year or something. It was utterly ridiculous. That is not what the Chinese had in mind. The Chinese were using that, and other data stolen from Anthem and other medical groups, to put together a giant database using big data capability, so they could figure out who in the U.S. government works on what, who knows whom, what the nature of the relationships were.

What was remarkable was that the U.S. government never publicly named the Chinese as the aggressor here. And James Clapper, the director of national intelligence, who I spoke to extensively for the book and has written his own really interesting book in recent times, basically argued this is just plain old espionage. If we could have done it, we would have done it too. I don't think it was just plain old espionage. When you've got 7 percent of the U.S. population's data, and you can put it together that way, you can do all kinds of things that go well beyond espionage.

DAVIES: They could find out targets to blackmail and make them provide information to spies - turn people into spies.

SANGER: They could. But they could also figure out that you and I were working in the same lab, on the same project at the same time, and that we were probably working with a third person, who they've sort of sorted out by time and date, and begin to piece together who knew about each piece of technology that they were interested in and wanted to get at.

DAVIES: And tell us about this private cyber investigator Kevin Mandia. There was this building in China where a lot of this activity was going on - and the level of information he was able to get.

SANGER: So the building is near the Shanghai airport. And it's a big, bland, white office tower. And it is the home of Unit 61398, which is a PLA cyber unit.

DAVIES: People Liberation Army - the Chinese Army.

SANGER: The People's Liberation Army Cyber Unit. And the way that people began to understand what was happening was - Mr. Mandia, who ran a company called Mandiant that's since been merged up with FireEye, which he now runs, began to track the attacks that this unit was doing to steal intellectual property in the United States whether it was, you know, F-35 designs or other industrial designs and then turn them over to state-run Chinese firms. The hackers who would come in would sit at their computer terminals, and, unbeknownst to them, Mandiant would turn the cameras on those computers back on. So you could see them working.

And they would come in at like 8:30 in the morning. They would check sports scores. They would send a few notes to their girlfriends. A couple of them would look at a little bit of porn. You know, they would be reading newspaper articles. 9 o'clock would come. They'd start hacking into American sites. Lunchtime, they're back to sending notes to the girlfriends. They're back to checking their sports scores. I mean, it was such an interesting picture of the life of a young Chinese hacker.

DAVIES: David Sanger is a national security correspondent for The New York Times. His book about cyberwarfare is called "The Perfect Weapon." After a break, he'll take us inside the Russian hack of the Democratic National Committee, and we'll talk about President Trump's initiative to curb North Korea's nuclear program. Also, rock critic Ken Tucker reviews Father John Misty's new album. I'm Dave Davies. And this is FRESH AIR.

(SOUNDBITE OF JESSICA WILLIAMS' "BEMSHA SWING")

DAVIES: This is FRESH AIR. I'm Dave Davies, in for Terry Gross who's away today. We're speaking with New York Times national security correspondent David Sanger. He has a new book about the increasing threat and use of cyberwarfare. He writes that there have been about 200 state-on-state cyberattacks over the past decade. And governments are wrestling with when to engage in cyberwar and how to respond when attacked. His new book is called "The Perfect Weapon."

Well, I want to talk about the cyber and misinformation campaign the Russians waged in the 2016 election. But, you know, you write that, in the years before that election, we can see in retrospect a demonstration of what Putin and the Russian government's use of cyberwar really was all about integrated into a strategy. What did they do in Ukraine? And what did it reveal about what might be coming in 2016?

SANGER: Dave, when we went back and looked at Ukraine, it was essentially Putin's petri dish for testing out cyberactivity that he might want to use in Europe - or, as it turned out, against the United States. Everything that we saw in 2016, he tried there - misinformation, setting up websites or manipulating Facebook pages, manipulating voter numbers that they very nearly got away with a manipulation of the voter numbers in the presidential election in Ukraine where they were trying to get somebody sympathetic to Moscow elected and came within an hour or so of actually having the wrong result announced on Ukrainian television.

They also, though, went after the power grid in Ukraine. And in two separate instances, they took over the computerized systems that run parts of the power grid in Ukraine, once in Kiev, a bigger attack out in the countryside. And it really scared the U.S. government because they looked at what the Russians had just done in Ukraine and, in fact, sent teams out to go look at it and see if we would have the same vulnerabilities. And, of course, we had some of them.

What saved the Ukrainians in the end was that their system was so old they still had the big, old manual switches that you could use to disconnect the computer and then run the electric grid the way they ran it in the '50s. And that's how they got the power back on. But this was pretty scary. The failure of imagination we had, Dave, was that nobody thought that Putin would dare hop across the Atlantic and try this in the United States.

The second failure we had - and this was a policy failure, I think, of the Obama administration, and the book is pretty critical of the way the Obama administration handled this - was that when there were attacks on the State Department, on the Joint Chiefs of Staff and on the White House by the Russians, the U.S. fought the Russian groups to get them back out - in the one case, the White House, it took two weeks. But they never announced publicly it was the Russians and they never made them pay a price.

And frankly, if you're Vladimir Putin, you've got to be thinking, if they're not going to make me pay a price for going into the White House system, even the unclassified system or the State Department, why are they going to care about the Democratic National Committee, which is essentially staffed by a bunch of college kids?

DAVIES: I mean, the story that you write about the DNC is remarkable. I mean, first of all, Richard Clarke, who was the, you know, national security official in, I guess, the Clinton and Bush administrations, had a private firm. He looked at the DNC stuff. He said, you're very vulnerable. You're wide open. Do this to correct it. They said, that's too expensive. We've got an election to run. They said, we'll do it after the election, right?

(LAUGHTER)

DAVIES: But then the FBI gets word in the summer of 2015 something is going on, and they call the DNC and says, well, I need to talk to your computer security people. What happens?

SANGER: They call into the DNC and somebody connects them to the help desk.

DAVIES: (Laughter).

SANGER: I'm not kidding (laughter). So the help desk is staffed by somebody who is of no help, who was a young IT operator who really did not have any background in computer security and cybersecurity. But worse yet, he didn't believe that the guy on the other end of the phone was a special agent from the FBI. He basically thought he was pulling his leg, so he hung up, OK?

And about a month later, the FBI guy calls back. It takes months for them even to meet. And it takes until the next spring before they actually begin to persuade the DNC that they really had a problem and it was getting bigger. It was nine months between the time that the FBI first tried to contact the DNC and that the president of the United States learned that the Democratic National Committee, the place where the Watergate break-in had happened, not physically the place but the same organization - they have moved since - that they had been attacked by the Russians.

Nine months - there are babies in America who were conceived and born in the time it took for the United States to figure out that the Russians were inside one of the main parties in the election.

DAVIES: And, of course, the story of the election has been well reported. I mean, those thousands of emails from the Democratic National Committee came out. John Podesta's emails were hacked from - the Clinton campaign manager. It created a lot of havoc. And then, of course, the U.S. government began to learn that there were efforts to penetrate voter rolls in a number of states.

And one of the questions that it raised and that is still there for the government dealing with this whole issue is how do you respond to a cyberattack? Let's just explore some of the options and what their risks are. I mean, one thing is to publicly out the person that you are convinced is doing it. I mean, Obama did this in the case of the North Koreans hacking Sony Pictures after the movie.

He chose not to out the Russians in the case of the hacks of the State Department and White House computer systems. What were the considerations there?

SANGER: Well, the first consideration was they thought at the time this is just pure espionage. We do it to them. They do it to us. Shame on us for having our systems out there and be vulnerable and so forth. It didn't dawn on anybody because it really hadn't happened before that the objective here might not simply be information collection.

It might be taking that stuff and making it public, sort of the way North Korea did in the Sony case. But in this case, it was done writ large by the GRU, which is the military intelligence unit for the Russians. And they were the second of two intelligence agencies that got into the DNC and quite aggressively spread this stuff around, first through a site they set up called DCLeaks and then through WikiLeaks.

So there were two big decision points and, I think, Dave, you could say two big errors here. The first was the United States was very slow on the detection of what was going on with the Russians coming into the DNC. As one person said to me, it's not simply that we had our radar off like at Pearl Harbor. He said, we hadn't even built the right radar system to see this.

The second problem was the one that you just identified. Once the White House was aware of it, then the question came, what do you do? And I went out and interviewed everybody I could find who had gotten involved in that debate. And there are many people, including Victoria Nuland, who was the head of Russian affairs over at the State Department, who wanted to hit Putin very hard, expose his own connections to the oligarchs, where he's put his money.

Sort of basically say, you want to play this game? Two can play this game. That got overruled. There were people who came in and said, let's disconnect the Russians from the world financial system. Well, that seemed like a really good idea until someone put up their hand and said, well, you know, the moment you do that, there's no way to pay them for the gas that's going into Europe and the Europeans are going to freeze.

So they couldn't go do that one.

DAVIES: And can I just go back to the attack on Putin himself? There was this thought you could expose his secret assets, I think maybe even make some of his money disappear.

SANGER: Right.

DAVIES: What were the objections?

SANGER: Well...

DAVIES: Risks.

SANGER: ...The Federal Reserve doesn't like any idea in which you sort of legitimize going into a central bank and making money disappear because they think at that moment, you have started the war of all against all and everybody will lose confidence in the financial system - again, the fear factor that we discussed. There were concerns that you could expose Putin's connections to the oligarchs and the Russians would yawn.

Oh, that's news, Vladimir Putin's got a lot of money coming in from the oligarchs, this just in, you know? So they were worried that it might not be all that effective. But President Obama had a particular fear. And his fear was escalation. We do something to Putin - and Putin was already inside, they knew, the registration systems in Arizona and Illinois. They suspected there were attacks on...

DAVIES: The voter systems, yeah.

SANGER: The voting systems, not the systems where you actually cast your vote because those are pretty well off-line but the system where you register to vote. So that if you showed up, Dave, at your polling place on Election Day and they might say, well, thanks for coming in, Dave, but we show that you moved to New Mexico three months ago.

And you could imagine the chaos that could be played with there. And those are outward-facing systems, those are connected to the Internet. So you could cause a lot of chaos in that. And President Obama's concern, and I fully understand it, was they could come back and cause chaos in the election. Why was that a concern? Because Donald Trump was already running around saying this election has been rigged.

And they all thought in the White House, Hillary's going to win and Trump is going to turn around and say, the election was rigged for her, and that will create chaos. And they didn't want to play into that narrative. And they thought that was the most likely outcome. It never dawned on them that Hillary might lose and that it would go the other way. And so they thought they had time.

They thought that they could deal with the Russians and retaliate against the Russians after Hillary Clinton was elected and then hand the plan off to her. Well, it didn't turn out that way.

DAVIES: David Sanger is a national security correspondent for The New York Times. His new book is "The Perfect Weapon." We'll continue our conversation after a short break. This is FRESH AIR.

(SOUNDBITE OF AVISHAI COHEN'S "GBEDE TEMIN")

DAVIES: This is FRESH AIR, and we're speaking with New York Times national security correspondent David Sanger. His new book is "The Perfect Weapon: War, Sabotage, And Fear In The Cyber Age." You've written a lot about the North Korean military program. And I want to get your take on what happened in Singapore. I have to say, watching the coverage, it was frustrating to see so much speculation when there's so little real information.

I mean, it's clear we did not have a, you know, the kind of agreement that would be enforceable and specific. What's your take on whether this is a meaningful start towards something positive in North Korea?

SANGER: Well, I think that the president deserves credit for saying, look, we've tried this one way for 35 years, which is to try to build up small agreements with the North Koreans and dangle out the possibility of a meeting between the leaders. And, of course, every time, those agreements have fallen apart. So he said, I'm going to try it from the top down, very Trumpian thing to do, right?

Go out, I'm going to meet the leader, we're going to get to know each other and so forth. And so he went off and did the meeting. And I think it's good that an American president has finally met a North Korean leader. So that part, I think, was all to the good. And if they can build up a relationship, even better.

What worried me was that the president was so eager to have the meeting that his negotiators essentially agreed to an empty piece of paper that defined nothing, referred briefly to denuclearization, didn't even go into the details of previous U.S. agreements with Kim Jong Un's father and with his grandfather, the founder of the country.

I've been covering North Korea nuclear issues since I was a young reporter in the Tokyo bureau of The Times and wrote some of the first pieces about the existence of the program at Yongbyon. And we saw more detailed U.S. agreement in 1994 and 2005, again in 2007. And so then for the president to come back and say, we are no longer under any kind of nuclear threat from North Korea - they have every weapon that they had two weeks ago.

They have every production facility they had two weeks ago. They have every intercontinental and regional missile that they had two weeks ago. What we have here is a start and an improved tone, but it's entirely about what you can build on that.

DAVIES: And to be fair, the president has said, there's a lot more work to do. It has to be all ironed out in great detail. And it has to be verifiable, and that's down the road. You know, I wonder if, you know, there's a long history of frustration in dealing with this regime. But this is the first with this leader. I mean, do you think Kim Jong Un might have a different perspective and different approach than his father or grandfather?

SANGER: Well, I think he does. I think he's got a more of an understanding that he needs to build up the North Korean economy. And he's young. We think he's 34. And that means he could rule North Korea for the next 40 years, right? So if he's going to do that, he wants to make sure he does it under economic conditions that make sure that he's got a real country to run and the place doesn't rise up against him. That's in our favor. What's going against us is that in the years of neglect of the North Korean issue, and President Trump is right that past presidents have kicked this down the road, Kim Jong Un managed to speed ahead particularly in the past five years with increasing the size of his nuclear arsenal and increasing the capabilities of the missiles.

So it's now a much more complicated issue. And I suspect what Kim thinks he can get away with is not the elimination of his arsenal but basically arms control, a reduction of his arsenal. Oh, I'll give you half of what I've got in return for economic aid, opening up those markets and arms control, a reduction of his arsenal. I'll give you half of what I've got in return for economic aid, opening up those markets, and then we'll talk about the other half. Essentially, we are enshrining some level of de facto nuclear capability in North Korea the way we've done in Pakistan, for example, or in India or in Israel, three countries that are undeclared nuclear states. And the concern about this is President Trump said he would solve this problem. In other words, that we would no longer be under nuclear threat. I have my doubts that he's going to make it quite that far. In fact, I have my doubts that we'll even ever know exactly how many nuclear weapons Kim Jong Un has built in the past few years.

DAVIES: You know, I have to ask you whether you think that Trump's bellicose statements about raining fire and fury down on the North Koreans were helpful.

SANGER: They may have been. They certainly scared the Chinese, who thought that President Trump might well launch a unilateral attack. Remember, it was the Chinese President Xi Jinping who was sitting there when President Trump ordered that brief attack on a Syrian chemical weapons base. Of course, a lot lower risk there, but I think the rhetoric played something to it. And, frankly, I think that the much-improved sanctions played a significant role. And, as I've said to people in the Obama administration as I was working on the reporting for "The Perfect Weapon," part of which deals with North Korea - I'll get to that in a moment - I say to them, what was the reason that you did not focus on putting these same sanctions on against North Korea during your time in office? And they really can't come up with a good answer other than they were distracted dealing with the Iran situation. But these sanctions didn't require any new laws. They just required focused effort.

Now, one thing that President Obama did do was that he ordered up a very comprehensive effort to use cyber and electronic warfare, as we've discussed a year and a half ago, against North Korea's missile program. And it's a fascinating case because while it was effective against one type of North Korean missile, it has not been effective since. And it raises the question, did Kim Jong Un figure out what we were doing?

DAVIES: Well, David Sanger, thanks so much for speaking with us.

SANGER: Thank you. Great to be with you again, Dave.

DAVIES: David Sanger is a national security correspondent for The New York Times. His book about cyberwarfare is "The Perfect Weapon." Coming up, rock critic Ken Tucker reviews Father John Misty's new album, "God's Favorite Customer." This is FRESH AIR.

(SOUNDBITE OF MUSIC) Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Dave Davies is a guest host for NPR's Fresh Air with Terry Gross.