Our guest today is Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States. Under President George W. Bush he was appointed Special Advisor to the President on cybersecurity. He’s currently Chairman of Good Harbor Consulting. He’s the author or coauthor of several books, the latest of which is titled The Fifth Domain - Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats.
This is an extended version of an interview originally aired on the July 19, 2019 edition of the CyberWire daily podcast.
Dave Bittner: [00:00:03] Hello everyone, and welcome to this special CyberWire extended interview. I'm Dave Bittner. This special edition is made possible by our sponsor, FTI Cybersecurity. In today's increasingly connected world, all organizations are at risk from cyber related threats. FTI Cybersecurity takes an intelligence-led, expert-driven, strategic approach to global cybersecurity challenges affecting your organization, your people, your operations, and your reputation. FTI Cybersecurity builds a safer future by helping businesses understand their own environments, harden their defenses, rapidly and precisely hunt threats, holistically respond to crisis, and recover operations and reputation after an incident. Their team, capable of deploying worldwide, consists of dedicated cybersecurity experts, incident response consultants, developers, and data analysts with extensive investigative backgrounds. They're led by those with decades of experience at the highest levels of law enforcement, intelligence agencies, and global private sector institutions. As part of a multi-national, independent business advisory firm, FTI Cybersecurity can go beyond the breach, supporting the issues and challenges that come with cybersecurity. To find out more, visit FTIcybersecurity.com. That's FTIcybersecurity.com. And we thank FTI Cybersecurity for sponsoring this special edition.
Dave Bittner: [00:01:34] My guest today is Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counterterrorism for the United States under President George W. Bush. He was appointed Special Advisor to the President on cybersecurity. He's currently chairman of Good Harbor Consulting. He's the author or co-author of several books, the latest of which is titled "The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats." The book is co-authored with Robert Knake.
Richard A. Clarke: [00:02:06] So, the military talks about things as domains - land, sea, air. And over the years, they added space as the fourth domain. Now, in the last few years, the military have talked about a fifth domain, cyberspace, where they expect cyber war to take place. So, we're calling this the fifth domain because, not just because the book is about cyberwar, because it's also about other things that take place every day in cyberspace, including what happens to you as an individual, what happens to corporations. It's not just about cyber war.
Dave Bittner: [00:02:46] One of the points you make in the book, you say that the next major war will be provoked by a cyberattack. What leads you to that conclusion?
Richard A. Clarke: [00:02:55] Well, the Director of National Intelligence this year publicly testified that the Russian government has hacked into the controls of our power grid, and that the Chinese government - the Chinese military, the People's Liberation Army - is capable of controlling or affecting our controls for our natural gas pipelines. That, we suggest in the book, that creates a situation of crisis instability, where if there is tension among nations, people are going to look around for, how can we do signaling, or how can we do an initial attack that's not going to end up and killing people? And the answer is going to be cyber.
Richard A. Clarke: [00:03:40] We actually had proof of that a few weeks ago, when the Iranians shot down a drone, and the United States wanted to retaliate. The normal retaliation package was given to the president and he initially approved it. And it was the traditional way of retaliating with cruise missiles and bombers. But after a while, when they thought about it in the White House, they said, no, we don't want to go that far. Let's just start with a cyberattack, because it seems easier, less bloody, less lethal. But the problem with cyberattacks is they do destroy things, and they provoke retaliation. And when you get into a cycle of tit-for-tat retaliation, ultimately that ends up in a kinetic or conventional war. The Pentagon's policy, publicly articulated policy, is that if the United States gets hit by a cyberattack from another nation state, and if that attack is sufficiently destructive, that we reserve the right to respond with a kinetic attack. So, we've said publicly cyberattacks on us will not just be responded to with cyberattacks on you.
Dave Bittner: [00:04:52] When the Russians shut down Ukraine's power grid, do you suspect that that was a demonstration of capabilities? Was that a shot across our bow?
Richard A. Clarke: [00:05:03] I think it was a demonstration of capabilities that - the Russians have used Ukraine a lot as a testbed. They used it as a testbed for their media manipulation, their social engineering, through the use of Facebook and media placements prior to doing that to us in 2016. And I think their attack on the power grid there was an experiment. What's interesting about that attack on the power grid was that experts I've talked to in electric power systems say that, given the controls that the Russians were able to establish on that grid, they could have physically destroyed transformers and switches and generators that would have taken months to replace. They had that capability, but they didn't do it.
Richard A. Clarke: [00:05:59] So, when we think about Russian attacks on power grids, or anybody attacking a power grid, we tend to think of it, oh, well, there's a blackout, and like other blackouts we've all experienced, you get electricity back in a few hours or maybe a few days. No. A cyberattack could actually physically destroy generators and transformers that we do not have laying around in the warehouse. They have to be built on just-in-time orders, just-in-time delivery. And it would take months. And try to imagine what a society would be like without electric power for months. ATMs don't work, therefore there's no currency available. Credit card systems don't work. Food doesn't get delivered. There's a very thin veneer in our civilization that falls apart pretty quickly when a big city doesn't have power.
Dave Bittner: [00:06:55] Back in 2013, you and your team at Good Harbor published a paper that was called "Securing Cyberspace to International Norms." And I wonder, should critical infrastructure be considered off limits? Should that be a norm that's established?
Richard A. Clarke: [00:07:12] I would say yes. I would say that power grids, natural gas pipelines, public communication systems should be off limits, just as hospitals are in the existing laws of war. You're not supposed to attack a hospital. Of course, Russia has been teaming up with Syria to do exactly that, to target hospitals in Syria in the civil war. But I think international norms do have some value, and I would definitely say, get out of the power grids, get out of the natural gas pipelines.
Dave Bittner: [00:07:43] When it comes to testing traditional kinetic weapons, you know, they're unambiguous. If I do a test of a nuclear weapon, that capability is clear for everyone to see. But it's different in cyber, and we hear that nation states are hesitant to demonstrate these resources for fear of burning those resources, that revealing them will make them less effective.
Richard A. Clarke: [00:08:09] And that's why deterrence doctrine from the nuclear era doesn't port well over to the cyber era. Deterrence doctrine, MAD - mutually assured destruction - depended upon people knowing that both sides had weapons that would work, knowing that those weapons could definitely get through, knowing that those weapons could do a specific amount of damage. And that's not the case in cyber.
Richard A. Clarke: [00:08:37] Also, in deterrence doctrine from the nuclear era, attribution was not an issue. Attribution can be an issue with cyberattacks, because we now know that the Russians and the Chinese and apparently the Americans use each other's cyber weapons to obscure who is doing the attacks. And apparently we've all stolen each other's weapons. And certainly nothing like that ever happened in the nuclear era. We never had the Russians running around with a US missile submarine, or vice versa.
Richard A. Clarke: [00:09:10] So, you're right, we're reluctant to use a cyber weapon, because once you've used it, other people can figure out how it works and can build defenses against it. And therefore, we don't want to use a weapon unless we absolutely have to. We can't demonstrate it. And frankly, when we pull the trigger, we can't really be confident we know how well it will work or what the defenses are that it will have to overcome. So, cyber is a different kettle of fish than every other kind of combat, every other kind of war.
Dave Bittner: [00:09:43] Yeah, there's an interesting point you make in the book - you say that, traditionally, military strategists were looking for certainty, and that certainty was aligned with security. But in the cyber domain, uncertainty may be something that deters military action. Can you explain that difference to us?
Dave Bittner: [00:10:06] Well, no military commander wants to attack unless he knows there's a pretty good chance he's going to win. And in the case of cyber, you really don't know when you launch an attack what defenses you're going to come up against. Do they already know this attack technique? Will they allow you in and then shut you down? And the fact that we cannot be sure how effective our offensive weapons will be at any given time means that anybody advising a president or a commander should tell them, hey, boss, we don't know that this is going to do the job. That changes things.
Dave Bittner: [00:10:45] And does that run counter to how military leaders are accustomed to thinking?
Richard A. Clarke: [00:10:49] It's entirely counter to what they're used to thinking. They have in the past always been able to exercise, simulate, have high probabilities of success, know what the outcome will be. In the cyber war, they're not that sure.
Dave Bittner: [00:11:09] I want to dig into some of the activities around the 2016 elections, and then where we're headed when it comes to Russia and the 2020 elections. But first, I think when President Trump took office, there was some optimism that cybersecurity was going to be a focus. One of his first executive orders was centered on cybersecurity. How has that played out?
Richard A. Clarke: [00:11:33] Not well. He initially had a very good guy running cybersecurity policy from the White House - the old job I had - and that was Rob Joyce from NSA, a very respected nonpartisan guy, an expert. And John Bolton, when he came in as National Security Advisor, got rid of him and didn't replace him with anybody. So, the old sort of cyber czar job doesn't exist. There's no one really making policy or implementing policy across the board out of the White House. The same thing happened in the State Department, where Rex Tillerson came in and wondered why there were people working on international cyber norms and got rid of that office. They did, I will admit, the Trump administration did write a really good national security policy, national security strategy for cyber. I say it's really good because it looks a lot like the one I wrote for Bush...
Dave Bittner: [00:12:36] (Laughs)
Richard A. Clarke: [00:12:36] ...But they haven't implemented it.
Dave Bittner: [00:12:41] An interesting point you make in the book is how, heading into the 2020 elections, the playbook that the Russians used - this was not new for them, that they have a history of of this sort of propaganda, and these new cyber capabilities really played right into their hands.
Richard A. Clarke: [00:12:59] Well, the Russians have a history going back even before the communist revolution, Russian governments have been doing things with information manipulation. And they have words for it - maskirovka, kompromat, dezinformatsiya. For example, they spread the rumor in the 1980s throughout Africa that the HIV AIDS virus was created on the campus of the University of Pennsylvania by a CIA-funded program. Absolutely not a shred of truth to that, but everybody in Africa ended up believing it, because they would they would bribe reporters and editors to put it in newspapers and to put it on radio and TV all over Africa. And the US never was able to catch up and convince people that it wasn't true. So, when the Internet comes along and social media comes along, they are empowered by the Internet to do this on steroids.
Dave Bittner: [00:13:59] It seems to me like there's a disproportionality there as well, in terms of the investment it takes in these weapons, even - if you want to say disinformation is a weapon - is very low compared to investing in military tools and techniques.
Richard A. Clarke: [00:14:15] Oh, absolutely. There's a great asymmetry here that allows them to have an enormous impact with very little cost.
Dave Bittner: [00:14:24] I must admit, I'm puzzled that given what we saw in the 2016 election, what I would have thought would have been a non-controversial notion that defending our electoral system would have bipartisan support. That's not what we're seeing. We're seeing, you know, Mitch McConnell blocking efforts to strengthen our security when it comes to elections.
Richard A. Clarke: [00:14:49] Well, Mitch McConnell is - there are Republican senators that are interested in making progress on election security - Senator Lankford, Senator Rubio - but Mitch McConnell is blocking it. And his argument is pretty transparently false. His argument is, well, we don't want to federalize the Federal elections. That's nonsense. I think Mitch McConnell is once again pimping for Donald Trump and the White House. They don't want to improve our election security because they want the Russians to interfere again in the next presidential election. You saw Trump joking about it with Putin. The two of them sitting next to each other laughing and Trump wagging his finger at him and say, oh, you don't interfere in our election, and then laugh. You know, that's almost a treasonous act, I think. They want the same outcome as they had in 2016, which is the Russians being able to manipulate social media and perhaps even the election machinery to get this guy re-elected. They got him elected the last time, they want to get him elected the next time. McConnell knows that, and McConnell wants that outcome.
Dave Bittner: [00:16:01] Is there a case for optimism then? I think it's easy to be cynical with this, particularly given the conditions we find ourselves in, the news we hear every day. But the book is not just one of doom and gloom. There is optimism throughout.
Richard A. Clarke: [00:16:18] There is, in two respects. First of all, we say something's happened since we wrote Cyber War ten years ago. Ten years ago, we said no corporation could defend itself. This book says, no, wait a minute, there are a lot of corporations that are getting it right and a lot of corporations that are successful. They are the dog that does not bark. You don't get news stories about, oh, XYZ Corporation hasn't been hacked. That's not a news story. But there are corporations like that, and we go in some detail in the book about how they're different and how they achieve this level of security. That is a source for optimism.
Richard A. Clarke: [00:16:57] The second source for optimism is that we have, throughout the book, eighty, I think, specific proposals for addressing cybersecurity, improving it both at home and internationally, in government and in the private sector. And so we end out the book with a chapter entitled "It's All Done But the Coding," which is, as you know, something that said frequently in the IT business.
Dave Bittner: [00:17:22] (Laughs)
Richard A. Clarke: [00:17:22] You know, we've architected, we know we want to do, we know it can be done - now just give it to the guys to do the coding. We think that if you had a president and a Congress and other players who really wanted to solve this problem, it can be solved. We've had lots of studies, task forces, blue ribbon committees, industry consortia. We know what to do. This is no longer the problem from hell. It just takes people of goodwill acting on a bipartisan basis. That is really hard to achieve in Washington.
Dave Bittner: [00:18:04] A point you make in the book is sort of pushing back against this notion that we may find ourselves up against a cyber Pearl Harbor or a cyber 9/11. One of my colleagues here at the CyberWire makes the point that we could just as likely find ourselves in a sort of a cyber Tonkin Gulf. I'm wondering what your take is on that.
Richard A. Clarke: [00:18:28] Well, I assume what he's talking about is the attribution problem.
Dave Bittner: [00:18:32] Right.
Richard A. Clarke: [00:18:32] Well, the attribution problem - again, what we said ten years ago is the attribution problem wasn't bad, because ten years ago, NSA was pretty damn good at figuring out who was doing the attacks. They still are. You know, we talk about in the book, the specific names of Russians, North Koreans, Iranians, and Chinese - specific names of hackers. And if you go to the DOJ, the Justice Department website, you can see their pictures. These are individuals who have been indicted in the US for hacking. Ask yourself, how do we know that it was them, those individuals, and how did we get their pictures? I'm not going answer that question, but you can guess. So, attribution is not impossible, but when other nations are stealing each other's weapons, then attribution gets a little bit more difficult. And we know that our tools - NSA tools, CIA tools - have appeared on the dark web. We can argue about how they got out, but they did. I've also noticed that there are some Chinese tools available on the dark web. And I suspect nation states are using each other's weapons to confuse forensics.
Dave Bittner: [00:19:56] You know, personally, I find it helpful in my own mind to use public health as a metaphor for cybersecurity. If you look at the past hundred years of the progress we've made, where we've made tremendous strides in public health. And it's not perfect - you can you can wash your hands and, you know, do the basics, and still every now and then, you're going to get a cold. Do you find that that's a useful comparison?
Richard A. Clarke: [00:20:24] No.
Dave Bittner: [00:20:24] (Laughs)
Richard A. Clarke: [00:20:24] (Laughs) I'm sorry.
Dave Bittner: [00:20:27] Go on. (Laughs)
Richard A. Clarke: [00:20:29] Well, I know people are always struggling to explain cybersecurity in terms of something else that people already understand.
Dave Bittner: [00:20:36] Right.
Richard A. Clarke: [00:20:37] And, you know, one of the things that you hear a lot from people is well, if you just have good cyber hygiene, then you wouldn't get hacked. And I don't know what the hell that means.
Dave Bittner: [00:20:46] Hmm.
Richard A. Clarke: [00:20:46] I don't think anybody really knows what that means. It's not a matter of good cyber hygiene. It's a matter of spending money. The companies that are spending three and four percent of their IT budget get hacked. The companies that are spending eight to ten percent of their IT budget on cybersecurity do not get hacked. That's nothing about hygiene - it's about money.
Dave Bittner: [00:21:10] So what's the take-home for the reader? The average person who's going about their life, their day-to-day here in the US and elsewhere - what's the message you want to send home with them?
Richard A. Clarke: [00:21:20] Well, cybersecurity affects everybody and everything we do, from whether or not it's safe to go to a hospital and being strapped up to an IV drip machine or a heart-lung machine. It affects who gets elected, how the election processes work. It could, if we had a bad day, bring down an airline or bring down the power grid. And it can certainly mess your own personal life up, in terms of credit card theft and other records theft. So, we have a chapter in the book about what this means to the individual, and how - what are the things an individual can do to increase their own cybersecurity. So, individuals should do those many things that can improve their own security, but then they should be involved in the public debate, to urge corporations they deal with and governments they deal with to remove the threats, because we know how to do it.
Dave Bittner: [00:22:23] Well, the book is "The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats." Richard Clarke, thanks so much for joining us.
Richard A. Clarke: [00:22:31] Great to be with you.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
FTI Cybersecurity takes an intelligence-led, expert-driven strategic approach to the global cybersecurity challenges affecting your organization. We are a leading provider of proactive, independent cyber and risk management advisory services, cybersecurity incident response programs, and investigation solutions. Learn more.