Cyber Armies Are on the March

staged cyber-attack, Joint Base San Antonio-Lackland
Capt. Sarah Miller and Tech. Sgt. Carrol Brewster discuss options in response to a staged cyber attack during filming of a scene for an Air Force Reserve Command mission video at Joint Base San Antonio-Lackland, Texas, on June 1, 2019. Photo credit: US Air Force
Reading Time: 15 minutes

It is often said that the American military is fighting every war based on the lessons learned from the last one. Today, that’s not an option because its past conflicts will not prepare the US for the battlefield of cyberspace.

A billion-dollar aircraft carrier and its companion attack group can be destroyed with a handful of missiles. A cyberattack from Russia or China may know no limits and no antidote. This is the world that Richard Clarke looks at in this week’s WhoWhatWhy podcast.

Clarke served as White House counterterrorism coordinator in the administrations of Bill Clinton and George W. Bush, and he was the first White House official placed in charge of US cybersecurity policy.

He points out that — notwithstanding the data breaches at Capital One, Target, and Equifax — it is the corporate world that is spending the requisite dollars and learning the lessons of how to fight a cyberwar. Clarke says there used to be two types of companies: those that knew they had been attacked, and those that hadn’t yet discovered it. Today, they all now — and are defending themselves far better than the US government.

Clarke talks about how, as technology continues to evolve, ever larger sums of money will need to be spent to keep up our defenses. But even with higher budgets, he says, the US will never really know the capabilities of its enemies — or even whether it is able to properly defend itself.

It’s no exaggeration to say that both Russia and China have full-fledged cyber armies and that they are constantly on the march. In the future, things like machine learning, quantum computing, and 5G will make countries both more secure and more vulnerable as the ability to hack reaches into every aspect of the internet of things, from hospital IV drips to self-driving cars.

At least, Clarke notes, the capabilities of nuclear weapons were well known. With cyber warfare and cyberterrorism, the US has no idea what the outer limits of the attack might be. It changes by the day, and defenses must therefore keep adapting. It’s a constant game of cat and mouse, one where the old idea from the nuclear era, of mutually assured destruction, is simply not enough.

googleplaylogo200px download rss-35468_640

Click HERE to Download Mp3


Full Text Transcript:

As a service to our readers, we provide transcripts with our podcasts. We try to ensure that these transcripts do not include errors. However, due to time constraints, we are not always able to proofread them as closely as we would like. Should you spot any errors, we’d be grateful if you would notify us

Jeff Schechtman: Welcome to the WhoWhatWhy Podcast. I’m your host, Jeff Schechtman.
Jeff Schechtman: This past month, we marked 50 years since man first landed on the moon. It was the culmination of a space race with the former Soviet Union that always had as its subtext the potential weaponization of space. From the very first Sputnik to Neil Armstrong, the idea that space was a new domain for warfare was always part of the discussion.
Jeff Schechtman: Today, that global battle has moved to cyberspace. The battle of ones and zeros being played out by the US, by Russia, and by China has potential consequences far beyond what we may think. It’s a danger that affects us personally, that affects our corporations, and that affects the very bedrock and functioning of the nation itself. Its tentacles and consequences are still not understood by the vast majority of Americans and even by the government and the military. We’re going to talk about this today with my guest, Richard A. Clarke.
Jeff Schechtman: Richard A. Clarke is one of the world’s leading experts on security, cyberspace, and terrorism. He served in the US government for 30 years, including as White House counter-terrorism coordinator under Presidents Bill Clinton and George W. Bush. He became the first White House official placed in charge of US cybersecurity policy. He is currently chairman of Good Harbor Consulting and is the author of The Fifth Domain, Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats.
Jeff Schechtman: Richard Clarke, thanks so much for joining us here on WhoWhatWhy.
Richard Clarke: It’s good to be with you.
Jeff Schechtman: It’s always an axiom that we’re fighting the next war with the lessons that we’ve learned from the last one. That certainly is a problem particularly with battles in cyberspace. Talk about that general concept first.
Richard Clarke: You’re absolutely right. We are investing huge amounts of money in things like aircraft carriers, which cost a couple of billion dollars each just to buy, another billion for the aircraft, another billion for the escort ships, and, as we now know, China, and probably Russia, can sink aircraft carriers pretty quickly if they get within range.
Richard Clarke: We should be spending more money on the things that, frankly, they’re spending money on, which is cyber war. Every day, China is engaged in cyber war with the United States, stealing secrets from our companies, stealing the research and development of new products that our taxpayers and our shareholders are spending billions of dollars on. The Chinese get that information for free, and then they go out and make the products and turn around and sell them to us.
Richard Clarke: That’s the ongoing daily cyber war, but then we actually also are engaged in a cyber war pretty often where we’re attempting to destroy each other’s military. President Trump just this month launched a cyber attack against Iranian air defense systems after they shot down one of our drones.
Jeff Schechtman: In fact, there’s more being done right now by our corporations to counter potential cyber warfare than is being done by the government, it seems.
Richard Clarke: I think the corporations are certainly in aggregate spending more money from the government, and they’re also having, some of them, good results.
Richard Clarke: One of the things we say in the book that’s different from when we wrote the book Cyber War ten years ago. Ten years ago, we said, “No company can defend itself successfully.” Now, we’re saying, “Wait a minute. There are a lot of companies that are defending themselves successfully even against the Chinese and the Russians.” The technology has evolved and, if you know how to do it and if you’re willing to spend the money, you as a corporation can defend yourself. You don’t hear about them. You hear about Equifax and Yahoo and Marriott and the ones that get hacked, but then there are other dogs that did not bark. The companies that you never hear about are the ones that are secure.
Jeff Schechtman: In fact, right now, we don’t have anyone, as I understand, that is doing the job that you used to do, that is really a kind of cyber czar for the US government right now.
Richard Clarke: We did at the beginning of the administration. We had a good fellow named Rob Joyce, but the national security advisor asked him to leave and he has not replaced him, and so there really is no one pulling it all together. There are good people out in the departments, career people trying to defend the country and defend the departments, but they don’t have enough money and they don’t have a coordinated effort led by someone in the White House.
Jeff Schechtman: How effective is our intelligence right now with respect to what the Russians and the Chinese are doing in the area of cyber warfare?
Richard Clarke: It’s pretty good, and if you go to the US Justice Department website, you can see indicted individuals and you can see their names, true names, and their pictures, and these are Russian military officers, Chinese military officers, North Korean, Iranian. Not only do we know what nation state is doing the hack of an individual company, we know what organization, we know the individual’s name, who’s doing the hack, and we even have their picture.
Jeff Schechtman: Talk a little bit about what the Russians are doing now, which is sort of an extension of what they did with respect to disinformation even before the full blossoming of potential cyber attacks.
Richard Clarke: What the Russians have been doing over the last several years according to the public testimony of the head of US Intelligence is that they’ve been trying to get into the control system for our electric power grid, and apparently they have, but the White House has leaked the story recently that we’re now also in the control of the Russian power grid, so maybe that creates some kind of mutual assured destruction. If the Russians try anything, they know that the power might go out in Moscow, too.
Jeff Schechtman: To what extent can things like mutually assured destruction and some of the ideas that really functioned during the days of the Cold War, to what extent are they valid in an age of cyber warfare?
Richard Clarke: We used to be able during the old Cold War to prevent attacks on each other using nuclear weapons by having this idea of mutual assured destruction. No matter what you do to me, I’ll still survive and I’ll throw nuclear weapons back at you. That worked, as crazy as the idea was. It was called MAD, by the way, Mutual Assured Destruction, mad in more than one sense, but we don’t quite have that now because you don’t know the other guy’s strength. You don’t know what cyber weapons they have, how good they are and how good they will be against your defenses. You don’t even know how good your own defenses are, so there’s a lot of uncertainty, and that breeds instability.
Jeff Schechtman: Talk about that, this sense of the unknown. We don’t really know the full extent of the consequences of some of these potential cyber attacks.
Richard Clarke: In the nuclear era, we had blown up, we, the Russians, the British, the French, had blown up over 2,000 nuclear weapons in the atmosphere. We kind of knew what the effects would be of a nuclear bomb going off. It will be horrific. And if they launched a missile from Siberia toward the United States, there was no way to stop it, so, although President Reagan tried, that never worked, and so we were sure about what would happen. We were sure about the weapons capabilities. We were sure that we really didn’t have any defenses.
Richard Clarke: In cyber war, you could think that you have a good weapon, and you might one day, but, the next day, the other side might learn about it and be able to counter it, and you really can’t tell how good the other side’s defenses are unless you try. The technologies are always changing. It’s a cat-and-mouse game where the offense gets a new weapon, the defense gets a new way to stop it. You cannot rest on your laurels in this game. You always have to be one step ahead of the other guy.
Jeff Schechtman: Talk about it with respect to what we saw in 2016, arguably, just the tip of the iceberg with respect to elections, and what the potential dangers are into 2020 and beyond.
Richard Clarke: We didn’t know in 2016 the extent to which the Russian Intelligence Service had assumed the personalities, created personalities by the thousands on Facebook and Twitter pretending to be Americans and were micro-targeting American voters, sending messages designed to get supporters of the environment to vote for the Green Party, micro-targeting, pretending to be African-Americans, trying to get African-Americans not to vote or not to vote for Hillary Clinton, very sophisticated, and most of the statistical analyses that we’ve seen tend to indicate that they had an effect, and you can never be sure, you can never prove a negative, you can never roll the clock back, but I think they had a big effect.
Richard Clarke: Now, did they hack their way into voting machines or electoral rolls, registration rolls? We don’t know, because we didn’t have and we still don’t have a sophisticated detection equipment on the machines or on the networks. Most election officials, if you ask them, will say, “We were not hacked.” They had no way of knowing. Even corporations that spend huge amounts of money every year don’t know sometimes when they have been attacked, so we can hardly expect the state and tell the election officials to know when they don’t have the equipment to detect an attack.
Jeff Schechtman: Is a subset of that problem the fact that unlike the nuclear issue where those that were engaged in it worked for the government, that because this is such a widespread problem, particularly for the private sector as well, that the best and the brightest that we have are working in the private sector and not necessarily working with the government?
Richard Clarke: That’s partially true. Very big corporations are spending huge amounts of money defending themselves. Bank of America, for example, we believe is spending over a billion dollars a year, with a B, just defending its own network. When you’re spending that kind of money, you could afford big salaries and you could afford to get the very best, so, if you look for example at the leadership of the banks, most of the big Wall Street banks, there are people who are trained in the US government, people who used to work in the US government and now are getting paid four and five times as much money defending the banks.
Jeff Schechtman: How is the government dealing with this across a wide spectrum of different agencies that have to deal with this, the Defense Department, the CIA, et cetera?
Richard Clarke: There are probably 50 US government departments at the federal level, departments and agencies, and the way it’s set up now, they all have to defend themselves, and, frankly, that’s too much. It’s asking too much. You can’t defend yourself when you’re against the People’s Liberation Army of China, when you’re the US Agriculture Department or the Interior Department or the Commerce Department, and, believe it or not, all of those departments and agencies have something valuable. For example, the HR department, which was called the office of personnel management, had all the secret and top secret records of people’s security investigation, and they were attacked by the Chinese, and the Chinese stole all those top secret documents.
Richard Clarke: Now, how could we expect some little organization like the office of personnel management to defend itself against the Chinese army? It’s crazy, but yet that’s the model that we’re pursuing, and, in the book, The Fifth Domain, we make proposals for changing all of that and having one federal department run the networks and provide it as a utility, as a service to all the other departments.
Jeff Schechtman: Was that originally supposed to be part of the mandate for the director of National Intelligence?
Richard Clarke: The director of National Intelligence is in charge of standards for the intelligence community, but not for the other agencies, not for commerce, interior, education, energy, veterans affairs.
Jeff Schechtman: We talk about this in terms of the threat to the US with respect to both China and Russia. What about the danger between countries, between China and Russia themselves and what’s going on in that area?
Richard Clarke: I think what we’re finding is all countries are engaged in this, and they’re all hacking each other, with the few exceptions of what we call the Five Eyes, the US, Canada, Australia, the UK, and New Zealand. The Five Eyes promised each other they won’t hack each other, and they cooperate instead, but everything else seems to be fair game, and everybody now has a cyber army.
Jeff Schechtman: To what extent are we spending enough or not spending enough in terms of dealing with this? How much more do we need to spend?
Richard Clarke: We spend a lot of time in the book talking about the right amount of money to be spent if you’re a corporation. We tell the story that, it used to be a joke in this business, there were two kinds of companies, those that have been hacked and know it, and those that have been hacked and don’t know it, but now we say the technology’s changed and there’s a third kind of company, and that third kind of company is the company that has not been hacked and probably won’t be, and the reason, there are many reasons, but the most determining reason we think is the amount of money that those companies spend. If they’re spending 10% of their IT budget defending their IT network, they probably can succeed, and they won’t be named all over the newspapers like Equifax and Marriott and Yahoo and Target.
Jeff Schechtman: To what extent will technology make us more vulnerable to hacking or technology really provide the antidote to this, things like the blockchain and future technologies?
Richard Clarke: We spend three chapters in the book, The Fifth Domain, looking at the technologies that are hitting us right now, just beginning, things like machine learning for cybersecurity, things like quantum computing, which is just about to start I think, and 5G supporting the Internet of Things. All those new technologies could make us more secure, but they could also make us less secure, depending upon how they’re configured.
Richard Clarke: Unfortunately, in many cases, security is not being designed in from the beginning, and that’s really the only way to make something secure is when you sit down and create it and start designing it. You have security designed in. Unfortunately, the Internet of Things is not that way, and so there are lots of devices, from IV drip machines and heart, lung machines in hospitals, to cars, potentially autonomous cars that are not yet secure.
Jeff Schechtman: Do we need a public policy fix, a legislative fix in order to begin to force those things to be designed in to the technology of the future?
Richard Clarke: I think we do. The state of California passed a state law saying, “All Internet of Things devices must be secure by design before they’re put on the Internet.” Now, that’s a very lofty ambition. It’s also a very big law. It didn’t say how to do it. It didn’t enumerate what devices it was talking about, but it set a goal, and maybe that is okay. Maybe that’s what we need to do at a national level is to have some goals and tell corporations, “If you’re going to deploy something on the Internet of Things, it should be secure. You figure it out, and if you haven’t figured it out, then maybe we’ll pass some regulations and we’ll get more specific.”
Richard Clarke: The problem is regulations in this business are difficult because the technology is always changing, and so you can’t say with a regulation though, “The screw must be this size, and you must turn it five times to the left.” Rather, we need regulations that are goal-oriented and that require third parties to audit, to see how you’re doing, see if you’re achieving the goal, and then there has to be real punishment if you haven’t done the goal.
Richard Clarke: Facebook, for example, just received a $5-billion fine for violations of privacy rights. That sounds like a lot of money, $5 billion, but to Facebook, it’s probably not.
Jeff Schechtman: You mentioned 5G before and the dangers inherent in that. Talk a little bit about what we’re facing in that regard and how quickly it’s coming at us.
Richard Clarke: 5G is already going in in some cities around the country, and you may not have noticed when we moved from 3G cell phones to 4G because, frankly, it wasn’t a big change, but when we move to 5G, you will notice it. It is much faster, and you’ll be able to stream movies from almost anywhere if you have 5G without buffering. A million individual devices every square kilometer, that’s what the 5G standard is, all operating simultaneously, all operating at very high bandwidth.
Richard Clarke: Now, that will allow things like autonomous cars where the cars can talk to each other. You get to an intersection, and one car says to the other, “I’m going to turn right,” and the other car says, “Okay, fine, you go first.” All of that happens seamlessly without you knowing it in the background. That’s the goal, but, unfortunately, the Federal Communications Commission, which regulates things like the 5G network, hasn’t created security standards for the new technology, hasn’t created really tough, secure regulations, so it could be that we get all these devices, these Internet of Things devices hooked up, running at high speed, and all that means is it’s easier to hack them.
Jeff Schechtman: What about the fact that the Chinese are so far ahead in this area and what we’re seeing now playing out with companies like Huawei, for example?
Richard Clarke: The Chinese are ahead in the deployment of 5G. They have a company called Huawei which makes 5G equipment, routers and switches and that sort of thing. There’s no American company that does. There are some European companies that do, but no American company, and so the Trump administration is concerned, and I am, too, frankly, others are, that if Huawei were putting in the 5G network around the country, that someday the Chinese could hit a button and shut it all off or have a backdoor, a software backdoor, and get into the network so that they could listen and do spying on anybody using the network. I think that’s a legitimate concern not because the company Huawei necessarily would want to do it, but they’d have no choice. They’re a Chinese company. If China told them to do it, they’d have to do it.
Jeff Schechtman: If you were back in your old job, what would be your number one priority at this point?
Richard Clarke: I’d be looking to get money to the states and counties so they could defend themselves in the 2020 election. We have a very short window of time to get the money appropriated by Congress and then get out to the states and counties with advice about how they should spend it and rules about how they should spend it to secure the voter registration databases, to secure the voting machines and to, in general, help defend our democracy against another Russian attack.
Jeff Schechtman: Is the Pentagon appropriately aware of what these dangers are?
Richard Clarke: Oh, I think they’re very aware. The heads of the various intelligence agencies testify publicly every year on all of the threats that we face as a country, and for the last several years, they’ve said cybersecurity is the biggest threat. The Pentagon knows that, and it’s trying hard to defend itself, but weapon systems nowadays are nothing but software. The F35 is just an airplane that’s filled with software, the new Freedom-class Navy ships, all software. If a software doesn’t work, the weapon doesn’t work. It just sits there, and so there’s a risk. If the enemy can interfere with the software, they can shut the system down or cause it to malfunction, and according to the Pentagon itself, a lot of our weapon systems are not secure or not adequately or sufficiently secure against a sophisticated attack. So you could trot those weapons out when you need them and they might not work.
Jeff Schechtman: It certainly doesn’t fill anybody with confidence when you talk about how modern weapon systems are all about software to see that a company like Boeing, which is one of the leading weapons manufacturers, are facing these problems they’re facing with software just in a commercial aircraft.
Richard Clarke: It’s a real shock because Boeing is known as having a history of good cybersecurity, good aviation security, of really setting the gold standard, and for this aberration to occur, these mistakes to occur at Boeing is a big disappointment.
Jeff Schechtman: Richard A. Clarke, his new book is The Fifth Domain, Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats.
Jeff Schechtman: Richard, I thank you much for spending time with us here on the WhoWhatWhy Podcast.
Richard Clarke: It’s good to be with you.
Jeff Schechtman: Thank you, and thank you for listening and for joining us here on Radio WhoWhatWhy. I hope you join us next week for another Radio WhoWhatWhy Podcast. I’m Jeff Schechtman.
Jeff Schechtman: If you like this podcast, please feel free to share and help others find it by rating and reviewing it on iTunes. You can also support this podcast and all the work we do by going to whowhatwhy.org/donate.

Related front page panorama photo credit: Adapted by WhoWhatWhy from DoD, DoD, and Aude / Wikimedia (CC BY-SA 3.0).

Where else do you see journalism of this quality and value?

Please help us do more. Make a tax-deductible contribution now.

Our Comment Policy

Keep it civilized, keep it relevant, keep it clear, keep it short. Please do not post links or promotional material. We reserve the right to edit and to delete comments where necessary.

print

Comments are closed.