BROOKE GLADSTONE: In February of 2010, the U.S. Joint Forces Command issued a report that looked at the threat confronting us in cyberspace. It concluded, quote, “Through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime and space domains. In much the same way that air power transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce and communication.” This was hardly news to Richard Clarke. Clarke is an intelligence and counter-terrorism expert who served in the administrations of Presidents Reagan, H.W. Bush, Clinton and W. Bush. He’s the coauthor of a new book, Cyber War: The Next Threat to National Security and What to Do About It. It offers a scarifying cyber-doomsday scenario, but it’s also full of stories from the annals of real life cyber-attacks. Clarke writes that the British government had already alerted 300 of its largest companies that their computer networks had likely been hacked and their industrial secrets stolen by the Chinese. Last year, the U.S. Defense Department created an official Cyber Command that should be operational in 2010, but Clarke doesn't think the U.S. is any more secure.
RICHARD CLARKE: The head of the CIA, the head of national intelligence, the head of the U.S. military have all said that they believe China had penetrated most American companies. The truth is, it’s likely that every major U.S. corporation, every research lab and most government agencies have been successfully penetrated by China and terabytes, whole libraries of Congress have been exfiltrated. We know it happened at the Advanced Physics Lab at Johns Hopkins University last summer, which has government contracts to work on cyber security, and they couldn't stop it. They watched the data go out the door.
BROOKE GLADSTONE: It seems to hearken back to the days of the Cold War. In cyberspace, China and Russia are, again, America’s biggest adversaries.
RICHARD CLARKE: Well, that's right, but there are between 20 and 30 nations, according to a CIA witness before the Congress, that have cyber war capability. And we've seen small countries, like North Korea and Taiwan and Israel, all have pretty good capability. North Korea’s a very interesting case because it has no cyberspace, to speak of, of its own, so they deploy their attackers outside of the country. They deploy them in South Korea and they deploy them in China. And they have been experimenting with attacks of the United States. On July 4th, 2009, they staged the largest denial-of-service attack seen in history so far, which means that they flooded a variety of sites in Washington.
BROOKE GLADSTONE: Such as?
RICHARD CLARKE: The White House, the Department of Homeland Security - oddly, The Washington Post [LAUGHS] and a few others.
BROOKE GLADSTONE: What about stateless groups, like al-Qaeda, do they pose a significant threat in this space?
RICHARD CLARKE: We have not yet seen evidence that al-Qaeda or Hezbollah, Hamas and the others are actually using cyber war techniques. What we've seen is that they are using it the way Harvard uses it, to fundraise, to do outreach.
BROOKE GLADSTONE: Getting back to the big guns, I was intrigued by a Chinese maneuver that you describe early in the book involving Cisco routers. Is there a short way to tell that story?
RICHARD CLARKE: Well, we have stories about Chinese companies copying the American router Cisco produces that’s on all networks, and in one case, they sold it under the label Cisco. It was a counterfeit. The Defense Department and the National Security Agency have reason to believe that these Cisco routers may have been compromised by the Chinese government, which means that they would see all the traffic from a network like perhaps the Pentagon. And it was Pentagon components that bought the counterfeit routers.
BROOKE GLADSTONE: But you say Russia is even better armed in cyberspace than China.
RICHARD CLARKE: Well, they have a very extensive bureaucracy dedicated to cyber war and cyber espionage, and they have a very good research base. They've been doing it in a way that doesn't get noticed. China gets a lot of press by attacking Google and other people, but Russia does it and doesn't break the door down on its way in and doesn't leave breadcrumbs back to the Kremlin on its way out.
BROOKE GLADSTONE: For decades, when we were faced with a nuclear threat, America and Russia used deterrence, mutually assured destruction, to keep either nation from pushing the nuclear button. Can't a strategy like that work in cyberspace?
RICHARD CLARKE: Deterrence is based on a fear of a demonstrated capability, and we have never seen that demonstrated capability. In the nuclear scenarios there were over 2,000 nuclear weapons exploded in the atmosphere by the United States and the United Kingdom, France and Russia to demonstrate what nuclear weapons could do. No one’s ever seen a big cyber war. We've seen some small ones, some primitive ones. Moreover, it assumes that you know who’s attacking you. In nuclear war, you saw the bombers coming, you saw the missiles coming, in theory, and you could tell where they were coming from. In cyberspace it’s not always clear who the attacker is. But it appears to be the Pentagon’s doctrine and the Obama administration’s doctrine that they will anticipate the attack coming and they will then use cyber war to take out the systems of the attacker. There are lots of problems with that strategy. It requires us to respond very quickly, when we might not really know the identity of the attacker, and it assumes the attack is going to come from outside our country, when it would be very easy for an attacker to come into the United States and seize computers, even remotely. The attack, for example, that Russia did on the nation of Georgia was from a computer in Brooklyn.
BROOKE GLADSTONE: What sort of safeguards does the government employ right now? I mean, how much does our cyber security suffer from the kind of turf wars between agencies that roadblocked vital information before 9/11?
RICHARD CLARKE: Well, there’s a very similar situation right now. The government says this new Cyber Command, a military organization, will defend the Pentagon, and the Department of Homeland Security will defend the rest of the government, even though they admit they can't do that yet. But then they say, everybody else, you’re on your own. We suggest in the book that this is a bit akin to if in the Cold War the government had said to people like U.S. Steel in Pittsburgh, hey, the Russians have a lot of bombers and they may come over and bomb Pittsburgh. You, U.S. Steel, should go out and buy an air defense network.
BROOKE GLADSTONE: So what do you suggest?
RICHARD CLARKE: What we suggest is a defensive strategy. You pick two or three things which really matter and which a lot of other things are dependent upon. So, number one, do everything you can to make it impossible to attack the electric power grid. Number two, the big internet service providers, on which 80 or 90 percent of the traffic move, have those internet service providers scanning not the content of our emails but scanning to see patterns of attack malware. The technology exists to do that. So they could be looking for attacks and they could be killing attacks before they got to the targets.
BROOKE GLADSTONE: A critical review of your book in Wired Magazine suggested that that’s a slippery slope. Who’s to say that unwelcome speech won't also be intercepted?
RICHARD CLARKE: Well, I reject slippery slope arguments because they're always arguments for not doing something because of something you’re not proposing. What we're suggesting is not that the government look at what’s going across the networks, but that the big ISPs, internet service providers, scan not the content of what’s going across the networks but the ones and zeros, to see if they can recognize attack software. There’s, there’s no infringement on privacy. And, in fact, what we propose is that there be an outside privacy watchdog organization to prevent any abuses. And the third thing we suggest is that we do more of what we're doing now, which is to try to make the Pentagon systems more invulnerable. And we have to supplement it with international agreements and potentially arms control. So far we have arms control for biological war and chemical war and nuclear war, but not yet for cyber war.
BROOKE GLADSTONE: Alright, thank you very much.
RICHARD CLARKE: Thank you, Brooke.
BROOKE GLADSTONE: Richard Clarke is the coauthor, with Robert Knake, of Cyber War: The Next Threat to National Security and What to Do About It.