Richard Clarke, coauthor of the book The Fifth Domain.
Dave Bittner: My guest today is Richard A. Clarke, former national coordinator for security, infrastructure protection and counterterrorism for the United States. Under President George W. Bush, he was appointed special adviser to the president on cybersecurity. He's currently chairman of Good Harbor Consulting. He's the author or co-author of several books, the latest of which is titled "The Fifth Domain: Defending Our Country, Our Companies, And Ourselves In The Age Of Cyber Threats." The book is coauthored with Robert Knake.
Richard A. Clarke: So the military talks about things as domains - land, sea, air. And over the years, they added space as the fourth domain. Now, in the last few years, the military have talked about a fifth domain - cyberspace - where they expect cyberwar to take place. So we're calling this the fifth domain because - not just because the book is about cyberwar - because it's also about other things that take place every day in cyberspace, including what happens to you as an individual, what happens to corporations. It's not just about cyberwar.
Dave Bittner: You know, one of the points you make in the book - you say that the next major war will be provoked by a cyberattack. What leads you to that conclusion?
Richard A. Clarke: Well, the director of national intelligence, this year, publicly testified that the Russian government has hacked into the controls of our power grid and that the Chinese government - Chinese military - the People's Liberation Army - is capable of controlling or affecting our controls for our natural gas pipelines. That - we suggest, in the book, that creates a situation of crisis instability, where if there is tension among nations, people are going to look around for, well, what - how can we do signaling? Or how can we do an initial attack that's not going to end up in killing people? And the answer is going to be cyber.
Richard A. Clarke: We actually had proof of that a few weeks ago when the Iranians shot down a drone, and the United States wanted to retaliate. The normal retaliation package was given to the president, and he initially approved it. And it was the traditional way of retaliating with cruise missiles and bombers. But after a while, when they thought about it in the White House, they said, no, we don't want to go that far. Let's just start with a cyberattack because it seems easier, less bloody, less lethal.
Richard A. Clarke: But the problem with cyberattacks is they do destroy things, and they provoke retaliation. And when you get into a cycle of tit-for-tat retaliation, ultimately that ends up in kinetic or conventional war. The Pentagon's policy, publicly articulated policy, is that if the United States gets hit by a cyberattack from another nation-state, and if that attack is sufficiently destructive, that we reserve the right to respond with a kinetic attack. So we've said publicly cyberattacks on us will not just be responded to with cyberattacks on you.
Dave Bittner: When it comes to testing traditional kinetic weapons, you know, there's - they're unambiguous. If I do a test of a nuclear weapon, that capability is clear for everyone to see. But it's different in cyber. And we hear that nation-states are hesitant to demonstrate these resources for fear of burning those resources - that revealing them will make them less effective.
Richard A. Clarke: And that's why deterrence doctrine from the nuclear era doesn't port well over to the cyber era. Deterrence doctrine - MAD - mutually assured destruction - depended upon people knowing that both side had weapons that would work, knowing that those weapons could definitely get through, knowing that those weapons could do a specific amount of damage. And that's not the case in cyber.
Richard A. Clarke: Also, in deterrence doctrine from the nuclear, attribution was not an issue. Attribution can be an issue with cyberattacks because we now know that the Russians and the Chinese and apparently the Americans use each other's cyberweapons to obscure who's doing the attacks. And apparently, we've all stolen each other's weapons. But certainly nothing like that ever happened in the nuclear era. We never had the Russians running around with a U.S. missile submarine or vice versa.
Richard A. Clarke: So you're right, we're reluctant to use a cyberweapon because once you've used it, other people can figure out how it works and can build defenses against it. And therefore, we don't want to use a weapon unless we absolutely have to. We can't demonstrate it. And frankly, when we pull the trigger, we can't really be confident we know how well it will work or what the defenses are like that it'll have to overcome. So cyber is a different kettle of fish than every other kind of combat, every other kind of war.
Dave Bittner: Yeah, there's an interesting point you make in the book. And you say that, traditionally, military strategists were looking for certainty and that certainty was aligned with security. But on - in the cyber domain, uncertainty may be something that deters military action. Can explain that difference to us?
Richard A. Clarke: Well, no military commander wants to attack unless he knows there's a pretty good chance he's going to win. And in the case of cyber, you really don't know, when you launch an attack, what defenses you're going to come up against. Do they already know this attack technique? Will they allow you in and then shut you down? And the fact that we cannot be sure how effective our offensive weapons will be at any given time means that anybody advising a president or a commander should tell them, hey, Boss, we don't know that this is going to do the job. That changes things.
Dave Bittner: Does that run counter to how military leaders are accustomed to thinking?
Richard A. Clarke: It's entirely counter to what they're used to thinking. They have, in the past, always been able to exercise, simulate, have high probabilities of success, know what the outcome will be. In the cyberwar, they're not that sure.
Dave Bittner: When President Trump took office, there was some optimism that cybersecurity was going to be a focus. You know, one of his first executive orders was centered on cybersecurity. How has that played out?
Richard A. Clarke: Not well. He initially had a very good guy running cybersecurity policy from the White House - the old job I had. And that was Rob Joyce from NSA, a very respected, nonpartisan guy - expert. And John Bolton, when he came in as national security adviser, got rid of him and didn't replace him with anybody. So the old sort of cyber czar job doesn't exist. There's no one really making policy or implementing policy across the board out of the White House.
Richard A. Clarke: The same thing happened in the State Department where Rex Tillerson came in and wondered why there were people working on international cyber norms and got rid of that office. They did, I will admit - the Trump administration did write a really good national security policy, national security strategy for cyber. I say it's really good because it looks a lot like the one I wrote for Bush.
Dave Bittner: (Laughter).
Richard A. Clarke: But they haven't implemented it.
Dave Bittner: Personally, I find it helpful in my own mind to use public health as a metaphor for cybersecurity. And if you look at the past hundred years of the progress we've made where - we made tremendous strides in public health. And it's not perfect. You can wash your hands and, you know, do the basics. And still, every now and then, you're going to get a cold. Do you find that that's a useful comparison?
Richard A. Clarke: No.
Dave Bittner: (Laughter).
Richard A. Clarke: I'm sorry.
Dave Bittner: That's fair enough.
Dave Bittner: (Laughter).
Richard A. Clarke: No.
Dave Bittner: Go on. (Laughter).
Richard A. Clarke: Well, you know, I know people are always struggling to explain cybersecurity in terms of something else that people already understand.
Dave Bittner: Right.
Richard A. Clarke: And, you know, one of the things that you hear a lot from people is, well, if you'd just have good cyber hygiene, then you wouldn't get hacked. And I don't know what the hell that means. I don't think anybody really knows what that means. It's not a matter of good cyber hygiene. It's a matter of spending money. The companies that are spending 3 and 4% of their IT budget get hacked. The companies that are spending 8 to 10% of their IT budget on cybersecurity do not get hacked. That's nothing about hygiene. It's about money.
Dave Bittner: So what's the take-home for the reader - the average person who's going about their life, their day to day here in the U.S. and elsewhere? What's the message you want to send home with them?
Richard A. Clarke: Well, cybersecurity affects everybody and everything we do, from whether or not it's safe to go to a hospital and being strapped up to a IV drip machine or a heart-lung machine. It affects who gets elected, how the election processes work. It could, if it - we had a bad day, bring down an airline or bring down the power grid. And it can certainly mess your own personal life up in terms of credit card theft and other records theft.
Richard A. Clarke: So we have a chapter in the book about what this means to the individual and how - what are the things an individual can do to increase their own cybersecurity? So individuals should do those many things that can improve their own security, but then they should be involved in the public debate to urge corporations they deal with and governments they deal with to remove the threats because we know how to do it.
Dave Bittner: Well, the book is "The Fifth Domain: Defending Our Country, Our Companies, And Ourselves In The Age Of Cyber Threats." Richard Clarke, thanks so much for joining us.
Richard A. Clarke: Great to be with you.