The Honorable Richard Clarke â former National Coordinator and Special Assistant for Counterterrorism, Security, Global Affairs and Cyber Warfare to three presidents â called for a new national cyber defense policy to reduce the likelihood of a Cyber 9/11, during a special lecture at the 51¸ŁŔű, Aug. 17.
The internationally renowned national and homeland security expert was at 51¸ŁŔű to give two fast-faced back-to-back lectures on the subject of his latest book, Cyber War: The Next Threat to National Security and What to Do 51¸ŁŔű It. The first venue was the Secretary of the Navy Guest Lecture to the assembled student body in King Hall, followed by the 51¸ŁŔű Foundation Fall Quarterly Event on the Quarterdeck in Herrmann Hall.
âWhen historians look back at this period, what are they going to say were the really important changes that were going on?â he asked rhetorically in opening. âI think theyâre going to say that this was a time when a new form of warfare â cyber warfare â came into its own. Though the U.S. leads in cyber warfare -- we invented it in terms of offense â weâre also the nation with the highest dependence on cyberspace in the world and only ten percent of our chips are from trusted fabricators. Because our critical infrastructure so heavily depends on computer networks and because of the open nature of our society, weâre highly vulnerable to cyber attack while also being relatively weak in cyber defense.â
âWould you go into a football game with just an offense and no defense?â he asked. âOf course not. But today in this country, thatâs the situation we find ourselves in. The mission of the new U.S. Cyber Command is to defend the .mil environment, and [the] Homeland Security [Department] defends the .gov domain. But all the civilian-corporate private sector .comâs that run our critical infrastructure â the Internet, the stock market, the oil and gas pipelines, our food supply â are told, âYouâre on your own.â Itâs in our clear national security interest to defend all of our critical infrastructure, but itâs our current policy not to do so. [Cyber] Offense has been given to the military, but defense is diffused.â
Clarke painted how much there is to defend against in stark terms, and took pains to distinguish cyber warfare from cyber crime and cyber espionage.
âCyber espionage is essentially new â it didnât happen 15 years ago,â he noted. âToday, cyber spies and cyber thieves donât just read or steal few pages or documents a week like Aldrich Ames or Robert Hansen. They take out terabytes â measured in entire âLibraries of Congressâ of information â all remotely at a distance, like cyber predators. Every major government department including the military and every major private enterprise in this country and the world has been hacked, and can hack each other, and theyâre sophisticated attacks. As just one example, Johns Hopkins Universityâs Applied Physics Laboratory is really good at cyber security, but nothing they could do could stop it. So their solution was to unplug the entire campus from the Internet. So, if thereâs any value to the information you have in your systems, you can bet that itâs gone. The head of MI5 did. He wrote the CEOs of the top 300 U.K. companies telling them to assume that their computers had been hacked by the Government of China and that all their intellectual property had been exfiltrated. And our own cyberwar units have done successful red team attacks on the Pentagonâs SIPRNET and other supposedly secure closed-loop networks.â
But Clarkeâs greatest warning was for âthe arm that can come out of the computerâ and wreak damage, disruption and destruction by breaching the firewalls designed to separate the cyber and real worlds.
âIn a society where computer programs automate so many of the command and control functions of our critical infrastructure systems like gas pipelines, railroads, the stock market and mass communications, the difference between cyber espionage and cyber warfare is only a few keystrokes,â he stressed. âOnce youâre there [inside an enemy system], you can issue electronic commands to open or close valves causing pipeline explosions and refinery fires; change the RPMs on huge generators causing them to fly apart; cause more power to go down high tension lines than they can safely carry; order trains to derail; and trigger chaos in the stock market, 70 to 80 percent of whose trades are now done by computerized buy-sell programs, like the afternoon recently when it went crazy and one companyâs market cap suddenly went to a trillion dollars. The Internet itself has physical aspects. It has servers and fiber optic cables, all of which reside in some real-world location that can be hacked and attacked in the same way. The U.S. government has done experiments proving that you can hack your way from the public Internet into the command and control system of our power grids, so this is very real.â
The paradigm shift is so all encompassing that, Clarke recalled, âa train company executive recently said, âIâm not a train company. Iâm a network company that has trains.â The Navyâs reconstituted Tenth Fleet, the World War II anti-submarine warfare fleet in the Atlantic, has no ships â itâs a cyber command; and the Air Forceâs reconstituted 24th Air Wing has no planes â itâs also a cyber command, both components under the new four-star U.S. Cyber Command stood up last Oct. 1 [2009] at Fort Mead. Whether we realize it or not, we live in cyberspace â all the networks on the Internet and everything connected to it. It runs everything we do. â
âSo what needs to be done?â Clarke once again asked rhetorically. âFirst, decision makers and the public need to know and face these realities, admit that weâre vulnerable, and have a serious, open public debate on what this countryâs cyber defense policy should be. And places like the 51¸ŁŔű are great places to start that national dialogue. 51¸ŁŔű is well situated to discuss and develop strategy and to bring it to Washington and the White House, so in the future we can look back at the time when we had this great [new cyber defense] capability and we didnât have to use it.â
âHowever itâs implemented, that big picture policy decision needs to be that the U.S. government will defend cyberspace, not just the .mil and .gov domains. We need to be ready so that, if there is an attack, like Captain Kirk on the Enterprise, the president can issue the âShields up!â command. To be able to do this, we need to decide â as a nation â whoâs going to defend cyberspace, and I donât think the military should be the lead agency. It should be run by the private sector in partnership with Homeland Security, with expertise and advice from NSA and Cyber Command.
âWe also need to think seriously about an arms control treaty for cyberspace,â he stressed, âbecause two, and more, can play this game. Between 20 and 30 countries now have cyber warfare commands, many of which could hack into the command and control functions of Iranâs nuclear facilities, for instance. If we or an ally did that, do you think theyâd just retaliate against our ships in the [Persian] Gulf and our military personnel in the region â in real space? Theyâd also attack us in the homeland, at a distance, through their cyber warfare unit. But we donât have to speculate about possible cyberwar attacks in the future â theyâve already happened. Before the Russians physically attacked Georgia, they initiated a cyber attack on its critical infrastructure, remotely coordinated from a server in Brooklyn.â
âIt [cyber arms control] wonât be easy â attribution [determining who is behind an attack] is immensely difficult, so the cyber world doesnât lend itself to deterrence strategies like mutually assured destruction with nuclear weapons â but we have to try, just as we did with conventional weapons and bio weapons. We succeeded with those, and the only way to get there is by starting. We need cyberwar âhotlinesâ, like the red phone to the Soviet Union during the Cold War, and most countries would agree to sign a treaty not to attack each otherâs international financial and banking system networks. They donât want to cross that Rubicon, or the entire international banking system could go down. We have an international regime for cyber crime, and we need one for cyber war â to rule out some things globally. But we have to take this seriously and move quickly. If weâre not careful â if we donât take cyber defense and cyber arms control seriously â we may find ourselves in a shooting war and wake up to find that the enemy has pulled the plug on all our shiny, trillion dollar weapons, that our chips and supply chains have already been compromised, that our pipelines have been shut down and our trains derailed, all while our computer screens are telling us that nothing is happening.â
As for cyber terrorism by non-state actors, the Presidentâs top counterterrorism advisor on Sept. 11 noted, âDonât use the two words in the same sentence. We havenât seen evidence of cyber terrorism connected with any terrorist organization, including Al Qaeda â probably because theyâre so dependent on electronic media and information technology to carry out their operations. The only exception to what Iâve seen is, prior to the 2006 Bali bombing, the Australian government said that the terrorist organization behind it raised funds, in part, through cyber crime, but even thatâs not using cyberspace to conduct actual terrorist acts.â
Regarding Sept. 11 itself, Clarke noted that part of the little known history of that day was confusion by NORADâs North East Sector, which was about to conduct an exercise on a partial hijack scenario as the actual hijackings began, as to whether the unfolding events were âreal worldâ or part of the exercise â a confusion whose cause bears an eerie similarity to the âarm reaching out of the computerâ danger Cyber War warns about. âItâs critical that exercises harden the firewalls between the computer and real worlds, but it happens more than youâd think. Yes, it happened on 9/11, and it happened with TWA Flight 800, when the Navy was doing a sea search exercise in the very area where the plane went down. And though the White House clears every major exercise, on Sept. 11th just last year, the Coast Guard ran an exercise on the Potomac River right near where the President was at the time. Iâm a firm believer in exercises, and we have to make sure that firewalls in the future are tight. I wouldnât have been able to respond the way we did on 9/11 if we hadnât exercised it five times.â
âThis is such an important topic, and students here are such a key group â the future of the career military â to engage in this critical national policy debate on cyber defense,â said National Security Affairs student and Foreign Area Officer Marine Corps Capt. Anna Noyne at the reception following the afternoonâs second presentation. âSo itâs fantastic that Mr. Clarke is doing this here 51¸ŁŔű. He can pick and choose where he goes, and it shows how important it is that the military be aware of this. He was right before [in warning of the danger of a terrorist attack before 9/11] when he said it could happen here, and we didnât pay attention. We have to pay attention now. This time, we have to take his warning seriously, and we have to act on it.â
Despite decades of national responsibility resting on his shoulders, Clarke revealed a sense of humor commensurate with that weight. Taking the podium following a lengthy introduction citing his 11 consecutive years of White House service and 19 prior years in the Pentagon, intelligence community and State Department, he quipped, âIâm glad to see you left out my service in the Grant and Lincoln administrations.â
Clarkeâs introduction included White House titles of Special Assistant to the President for Global Affairs, National Coordinator for Security and Counterterrorism and Special Advisor to the President for Cyber Security. During the Reagan Administration, he was Deputy Assistant Secretary of State for Intelligence, and in the Bush Sr. Administration served as Assistant Secretary of State for Political-Military Affairs.
Clarkeâs talks were sponsored by the 51¸ŁŔű Foundation, whose executive director, retired Rear Adm. Merrill Ruck, served with Clarke in 1990-91 when the latter was Assistant Secretary of State for Political-Military Affairs coordinating the diplomatic efforts to support the first Gulf War and subsequent security arrangements, and Ruck was Deputy Director of Political-Military Affairs for the Joint Staff in the Pentagon.
In addition to Cyber War, Clarke is the author of the New York Times No. 1 best seller Against All Enemies: Inside Americaâs War on Terror, which details his pre-, day of and post-9/11 experiences in the Bush White House, and Your Government Failed You: Breaking the Cycle of National Security Disasters.
Clarke currently teaches at Harvard Universityâs Kennedy School of Government, is an on-air consultant for ABC News, and is a partner in Good Harbor Consulting, LLC located in the Washington, D.C. area. Good Harbor advises clients on a wide range of issues including counterterrorism, corporate security risk management, information security technology, and dealing with the federal agencies on security and information technology issues.