[Infowarrior] - Clarke’s Cyberwar: File Under Fiction

Richard Forno rforno at infowarrior.org
Fri Apr 23 01:37:58 UTC 2010


Richard Clarke’s Cyberwar: File Under Fiction

By Ryan Singel | April 22, 2010 | 4:17 pm

http://www.wired.com/threatlevel/2010/04/cyberwar-richard-clarke

Readers of Richard Clarke’s new book Cyberwar who want to jump to the steamy parts should start at page 64 in the chapter “Cyber Warriors.” It’s there you’ll find the Book of Revelation re-written for the internet age, with the end-times heralded by the Four Trojan Horses of the Apocalypse.

Chinese hackers take down the Pentagon’s classified and unclassified networks, trigger explosions at oil refineries, release chlorine gas from chemical plants, disable air traffic control, cause trains to crash into each other, delete all data — including offsite backups — held by the Federal Reserve and major banks, then plunge the country into darkness by taking down the power grid from coast-to-coast. Thousands die immediately. Cities run out of food, ATMs shut down, looters take to the streets.

That electronic Judgment Day is not the stuff of bad movies or sci-fi novels, according to Clarke, who writes, “A sophisticated cyber war attack by one of several nation-states could do that today, in fifteen minutes.”

That’s right. In less time than it takes to download Live Free or Die Hard, foreign hackers could make it real.

A former top counter-terrorism advisor under President Clinton, who later served as President Bush’s cybersecurity czar, Richard Clarke has been sounding the alarm on cyberwar for more than a decade, rarely letting up, even through two real wars and one massive domestic terrorist attack. Now Chairman of Good Harbor Consulting, Clarke is going full-out Jerry Bruckheimer in an effort to get America to take seriously what he clearly sees as a (perennially) looming existential threat to the nation.

And it turns out that in Cyberwar, like in real war, truth is the first casualty.

It’s not just Clarke’s 15-minutes-to-doomsday scenario that stretches credulity. Like most cyberwar pundits, Clarke puts a shine on his fear mongering by regurgitating long-ago debunked hacker horror stories. In his world, the Slammer worm was partially responsible for the Northeast blackout of 2003 — the Energy Department concluded otherwise. A power outage in Brazil is similarly attributed to a hacker, when the real-life evidence points to sooty insulators. Clarke describes the Russian denial-of-service attacks against Estonian servers in 2007 as the “largest ever seen” (not even close). He claims that foreign hackers stole the plans to the F-35 Joint Strike Fighter, when they actually nabbed unclassified information on the plane’s self-diagnostic system.

So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither is included — Revelation doesn’t need sources.

Clarke returns over and over to the security of the power grid, focusing on the systems known as SCADA that allow utilities to remotely monitor and control electric generation and transmission equipment. Here, he starts reasonably enough: Good security practices dictate that these systems should be unreachable from the public net, and, unfortunately, that’s not always the case. But from there, he quickly moves back to fantasy. He suggests darkly throughout the book that the nation’s power and chemical plants are all shot through with secret backdoors implanted by the Russian, North Korean and Chinese governments, even though there’s never been a single publicly documented case, outside of a vague and anonymously sourced article in the Wall Street Journal.

Clarke’s prescriptions are manifold. First, the nation’s backbone carriers — the ones with fiber optic networks crisscrossing the country — should be required to inspect all packets, and delete the ones that match known signatures of viruses and other malware. While that might seem like a fine idea, the security industry is already moving away from signature-based strategies, since malware-makers have taken to testing their payloads against anti-virus software before deploying it.

ISPs already have the ability, and the legal right, to filter out known bad packets, but requiring it — as Clarke would do — would not only be ineffective, but it would inevitably lead to other demands to filter content, first child pornography, then perceived copyright violations, and finally unwanted speech of all sorts. Clarke fails to consider the contents of the Pandora’s box he seeks to open.

More persuasively, Clarke argues the feds need to set some real, auditable and binding rules for companies that run critical infrastructure, such as the electrical grid. The current policy is driven by the rationale that private-sector companies have enough financial incentive to protect their network, and the government’s role should be limited to helping share information about threats among the stakeholders. That policy works well when it comes to companies like Google and Chase, which could lose customers if their networks are routinely hacked, but isn’t as effective for your energy company, which likely has no real competition.

So, even if you don’t accept Clarke’s doomsday predictions, there’s a good case to be made that the feds ought to have strong rules governing these systems, and, as he suggests, a crew of white hat hackers tasked with trying to bust into the grid on a daily basis.

And there’s something to be gained by thinking about the consequences and morality of militaries infiltrating other countries’ power grids, or whether the government ought to be able to take down Al Qaeda websites, or whether the military should ever hack into the financial system. These are fun and not unimportant debates to have.

But the Chinese can’t blunt the power of 15 carrier groups with some fancypants, unheard-of ninja cybercoding tricks. Live Free or Die Hard was a bad movie, not a prescient one (it’s one of many Hollywood references Clarke makes to bolster his case). The Chinese and Russians don’t have secret backdoors into the transformer outside your house, and if it blows up, it’s more likely a rodent chewing through the casing than a cyberwarrior sitting in an internet cafe in Shanghai.

The cyberwar rhetoric is dangerous. Its practitioners are artists of exaggeration, who seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling “Cyberwar” in a crowded internet is not without consequence. Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism — undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy.

And, let’s be honest, your photocopier will never, ever catch on fire due to a hacker, like it does in Cyberwar.

Except, of course, in the movie version of this book, which, undoubtedly, will star Bruce Willis or Kiefer Sutherland.

