[Infowarrior] - Richard Clarke on the Next Cyber Pearl Harbor

[Richard Forno]

Seven Questions: Richard Clarke on the Next Cyber Pearl Harbor

http://www.foreignpolicy.com/story/cms.php?story_id=4241


Posted April 2008

Former U.S. counterterrorism chief Richard A. Clarke reveals his fears about
the ³massive espionage² being conducted against the Pentagon by Chinese
hackers.

Cyberwarrior: The real cyberthreat, Richard A. Clarke warns, is that ³all of
our information is being stolen.²

Foreign Policy: Last year, a Pentagon computer network serving Defense
Secretary Robert M. Gates was hacked into, allegedly by the Chinese
military. Do you think the Chinese military was behind the attacks, and if
so, what was it trying to accomplish with these attacks?

Richard A. Clarke: I think the Chinese government has been behind many, many
attacks‹penetrations. ³Attacks² sounds like they¹re destroying something.
They¹re penetrations; they¹re unauthorized penetrations. And what they are
trying to do is espionage. They¹re engaged in massive espionage, not only in
the U.S. government, in the U.S. private sector as well, but also around the
world. The British security service, MI5, sent a note to the 300 largest
corporations in England a few months ago, telling them that the Chinese
government had probably penetrated their networks.

FP: How vulnerable do you think the U.S. government is to a cyberattack or
cyberpenetration? How seriously should this threat be taken?

RC: Well, I think it¹s being taken very seriously. President Bush signed a
National Security Presidential Directive on the 8th of January redirecting
billions of dollars into protection against it. I think it should be taken
very seriously. The United States government and private corporations are
quite vulnerable even though they think they¹re not.

FP: What¹s the worst-case scenario from a cyberpenetration of the U.S.
government¹s computer network? Are we talking about things like remotely
attacking nuclear power plants and things on that scale?

RC: Well, people tend to think about, sort of, attacks that change
things‹turn off power grids, or whatever. And while that¹s possible, what is
happening every day is quite devastating, even though it doesn¹t have a
kinetic impact and there are no body bags. What¹s happening every day is
that all of our information is being stolen. So, we pay billions of dollars
for research and development, both in the government and the private sector,
for engineering, for pharmaceuticals, for bioengineering, genetic stuff‹all
sorts of proprietary, valuable information that is the result of spending a
lot of money on R&D‹and all that information gets stolen for one
one-thousandth of the cost that it took to develop it.

FP: Both China and Russia have received attention as cyberthreats. Which
country do you think is more of a threat, and are there other countries, or
nonstate actors, to be worried about also?

RC: I think nonstate actors could develop capabilities rivaling that of
nation-states because this is the classic case of asymmetrical warfare where
small numbers of highly skilled people could have the same effect as could a
nation-state.

FP: What do you expect the capabilities of the new Air Force Cyber Command
to be?

RC: I think they¹re probably both offensive and defensive. But on the
defensive side, all they can do is defend the Air Force or perhaps other DOD
[U.S. Department of Defense], or maybe even other federal government,
entities. And the problem is that much of what we need to protect is not in
the U.S. government; it¹s in our private companies and our private networks.

There should be a White House senior person who has oversight of all
government programs in the area of cyberdefense. There hasn¹t really been
someone since I left, and I think they need to re-create that position.

FP: You mentioned both the defensive and offensive capabilities of the Air
Force Cyber Command. What kind of offensive cybercapabilities should the
United States ideally have?

RC: Highly classified ones.

FP: You mentioned earlier in discussing the Air Force Cyber Command that
it¹s not just cyberpenetrations of government computers that we should be
concerned about, but also private industry. So, are you concerned about
cyberpenetrations by foreign governments against U.S.-based defense
contractors?

RC: Well, yeah. I¹m also concerned about penetrations of U.S.
research-and-development firms, everything from pharmaceuticals to genetics
to aerospace engineering‹all the things we have to sell in our
knowledge-based economy. We are a post-industrial, knowledge-based society.
That¹s what we sell to the world. If other people can steal it readily, then
we won¹t have much of a margin.

There¹s been a lot of talk about a cyber Pearl Harbor. People say that I
coined the phrase, and I¹m afraid I actually didn¹t. But, if we wait for
that‹just as we waited for 9/11 to do something about al Qaeda‹if we wait
for a cyber Pearl Harbor to do something about cyber[security], it may never
come. But we will, nonetheless, be losing huge amounts of valuable
information to our competitors and to cybercriminals who cost our society
billions of dollars a year. Just because we haven¹t had the big attack
doesn¹t mean that we should wait to act.

Richard Clarke is chairman of Good Harbor Consulting. He was formerly the
principal counterterrorism advisor on the U.S. National Security Council
under presidents Bill Clinton and George W. Bush.