CyberWire Daily - The Fifth Domain coauthor Richard A. Clarke. [Special Editions]

Episode Date: July 21, 2019

Our guest today is Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States. Under President George W. Bush he was appointed Special Advisor to the President on cybersecurity. He’s currently Chairman of Good Harbor Consulting. He’s the author or coauthor of several books, the latest of which is titled The Fifth Domain - Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. This is an extended version of an interview originally aired on the July 19, 2019 edition of the CyberWire daily podcast.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:00:42 Hello, everyone, and welcome to this special CyberWire extended interview. I'm Dave Bittner. My guest today is Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection and Counterterrorism for the United States. Under President George W. Bush, he was appointed Special Advisor to the President on Cyber Security. He's currently Chairman of Good Harbor Consulting. He's the author or co-author of several books, the latest of which is titled The Fifth Domain,
Starting point is 00:01:11 Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. The book is co-authored with Robert Knake. So the military talks about things as domains. Land, sea, air. And over the years, they added space as the fourth domain. Now, in the last few years, the military have talked about a fifth domain, cyberspace, where they expect cyber war to take place. So we're calling this the fifth domain because not just because the
Starting point is 00:01:46 book is about cyber war, because it's also about other things that take place every day in cyber space, including what happens to you as an individual, what happens to corporations. It's not just about cyber war. One of the points you make in the book, you say that the next major war will be provoked by a cyber attack. What leads you to that conclusion? Well, the director of national intelligence this year publicly testified that the Russian government has hacked into the controls of our power grid. And that the Chinese government, the Chinese military, the People's Liberation Army, is capable of controlling or affecting our controls for our natural gas pipelines.
Starting point is 00:02:29 That, we suggest in the book, that creates a situation of crisis instability, where if there is tension among nations, people are going to look around for, well, how can we do signaling? Or how can we do an initial attack that's not going to end up in killing people? And the answer is going to be cyber. We actually had proof of that a few weeks ago when the Iranians shot down a drone and the United States wanted to retaliate. The normal retaliation package was given to the president, and he initially approved it, and it was the traditional way of retaliating with cruise missiles and bombers.
Starting point is 00:03:13 But after a while, when they thought about it in the White House, they said, no, we don't want to go that far. Let's just start with a cyber attack, because it seems easier, less bloody, less lethal. But the problem with cyber attacks is they do destroy things and they provoke retaliation. And when you get into a cycle of tit-for-tat retaliation, ultimately that ends up in a kinetic or conventional war. The Pentagon's policy, publicly articulated policy, is that if the United States gets hit by a cyber attack from another nation state, and if that attack is sufficiently destructive,
Starting point is 00:03:54 that we reserve the right to respond with a kinetic attack. So we've said publicly, cyber attacks on us will not just be responded to with cyber attacks on you. When the Russians shut down Ukraine's power grid, do you suspect that was a demonstration of capabilities? Was that a shot across our bow? I think it was a demonstration of capabilities. The Russians have used Ukraine a lot as a testbed. They used it as a testbed for their media manipulation, their social engineering,
Starting point is 00:04:39 through the use of Facebook and media placements prior to doing that to us in 2016. And I think their attack on the power grid there was an experiment. What's interesting about that attack on the power grid was that experts I've talked to in electric power systems say that given the controls that the Russians were able to establish on that grid, they could have physically destroyed transformers and switches and generators that would have taken months to replace. They had that capability, but they didn't do it. So when we think about Russian attacks on power grids or anybody attacking a power grid, we tend to think of it, well, there's a blackout, and like other blackouts we've all experienced, you get electricity back in a few hours or maybe a few days. No, a cyber attack could actually physically destroy generators and transformers that we do not have laying around in the warehouse. They have to be built on just-in-time orders, just-in-time delivery, and it would take months.
Starting point is 00:05:43 Try to imagine what a society would be like without electric power for months. ATMs don't work, therefore there's no currency available. Credit card systems don't work. Food doesn't get delivered. There's a very thin veneer in our civilization that falls apart pretty quickly when a big city doesn't have power. Back in 2013, you and your team at Good Harbor published a paper that was called Securing Cyberspace Through International Norms. And I wonder, should critical infrastructure be considered off-limits? Should that be a norm that's established?
Starting point is 00:06:25 I would say yes. I would say that power grids, natural gas pipelines, public communication systems should be off-limits, just as hospitals are. In the existing laws of war, you're not supposed to attack a hospital. Of course, Russia has been teaming up with Syria to do exactly that, to target hospitals in Syria in the civil war. But I think international norms do have some value, and I would definitely say get out of the power grids, get out of the natural gas pipelines. When it comes to testing traditional kinetic weapons, you know, they're unambiguous. If I do a test of a nuclear weapon, that capability is
Starting point is 00:07:07 clear for everyone to see. But it's different in cyber, and we hear that nation states are hesitant to demonstrate these resources for fear of burning those resources, that revealing them will make them less effective. And that's why deterrence doctrine from the nuclear era doesn't port well over to the cyber era. Deterrence doctrine, MAD, Mutual Assured Destruction, depended upon people knowing that both sides had weapons that would work, knowing that those weapons could definitely get through, knowing that those weapons could do a specific amount of damage.
Starting point is 00:07:48 And that's not the case in cyber. Also, in deterrence doctrine from the nuclear era, attribution was not an issue. Attribution can be an issue with cyber attacks because we now know that the Russians and the Chinese and apparently the Americans use each other's cyber weapons to obscure who's doing the attacks. And apparently we've all stolen each other's weapons. But certainly nothing like that ever happened in the nuclear era. We never had the Russians running around with the U.S. missile submarine or vice versa. So you're right.
Starting point is 00:08:25 We're reluctant to use a cyber weapon because once you've used it, other people can figure out how it works and can build defenses against it. And therefore, we don't want to use a weapon unless we absolutely have to. We can't demonstrate it. And frankly, when we pull the trigger, we can't really be confident we know how well it will work or what the defenses are that it'll have to overcome. So cyber is a different kettle of fish than every other kind of combat, every other kind of war. Yeah, there's an interesting
Starting point is 00:08:57 point you make in the book. And you say that traditionally military strategists were looking for certainty and that certainty was aligned with security. But in the cyber domain, uncertainty may be something that deters military action. Can you explain that difference to us? Well, no military commander wants to attack unless he knows there's a pretty good chance he's going to win. And in the case of cyber, you really don't know when you launch an attack what defenses you're going to come up against. Do they already know this attack technique? Will they allow you in and then shut you down? And the fact that we cannot be sure how effective our offensive weapons will be at any given time means that anybody advising a president or a commander should tell them, hey, boss, we don't know that this is going to do the job.
Starting point is 00:09:56 That changes things. And does that run counter to how military leaders are accustomed to thinking? It's entirely counter to what they're used to thinking. They have, in the past, always been able to exercise, simulate, have high probabilities of success, know what the outcome will be. With cyber war, they're not that sure.
Starting point is 00:10:31 I want to dig into some of the activities around the 2016 elections and then where we're headed when it comes to Russia and the 2020 elections. But first, I think when President Trump took office, there was some optimism that cybersecurity was going to be a focus.
Starting point is 00:11:24 One of his first executive orders was centered on cybersecurity. How has that played out? Not well. He initially had a very good guy running cybersecurity policy from the White House, the old job I had. And that was Rob Joyce from NSA, a very respected nonpartisan guy, expert. And John Bolton, when he came in as National Security Advisor, got rid of him and didn't replace him with anybody. So the old sort of cyber czar job doesn't exist. There's no one really making policy or implementing policy across the board out of the White House.
Starting point is 00:12:06 The same thing happened in the State Department, where Rex Tillerson came in and wondered why there were people working on international cyber norms and got rid of that office. They did, I will admit, the Trump administration did write a really good national security policy, national security strategy for cyber. I say it's really good because it looks a lot like the one I wrote for Bush. But they haven't implemented it. An interesting point you make in the book is how heading into the 2020 elections, the playbook that the Russians used, this was not new for them, that they have a history of this sort of propaganda, and these new cyber capabilities really played right into their hands. Well, the Russians have a history going back even before the communist revolution. Russian governments have been doing things with information manipulation.
Starting point is 00:13:04 And they have words for it. Maskirovka, kompromat, dezinformatsiya. For example, they spread the rumor in the 1980s throughout Africa that the HIV/AIDS virus was created on the campus of the University of Pennsylvania by a CIA-funded program. Absolutely not a shred of truth to that. But everybody in Africa ended up believing it because they would bribe reporters and editors to put it in newspapers and to put it on radio and TV all over Africa. And the U.S. never was able to catch up and convince people that it wasn't true.
Starting point is 00:13:44 So when the Internet comes along and social media comes along, they are empowered by the Internet to do this on steroids. It seems to me like there's a disproportionality there as well in terms of the investment it takes in these weapons, even if you want to say disinformation is a weapon, is very low compared to investing in military tools and techniques. Oh, absolutely. There's a great asymmetry here that allows them to have an enormous impact with very little cost. I must admit I'm puzzled that given what we saw in the 2016 election, what I would have thought would have been a non-controversial notion that defending our electoral system would have bipartisan support. That's not what we're seeing. We're seeing Mitch McConnell blocking efforts to strengthen our security when it comes to elections?
Starting point is 00:14:46 Well, Mitch McConnell is. There are Republican senators that are interested in making progress on election security, Senator Lankford, Senator Rubio, but Mitch McConnell is blocking it. And his argument is pretty transparently false. His argument is, well, we don't want to federalize the federal elections. That's nonsense. I think Mitch McConnell is once again pimping for Donald Trump and the White House. They don't want to improve our election security because they want the Russians to interfere again in the next presidential election.
Starting point is 00:15:22 You saw Trump joking about it with Putin, the two of them sitting next to each other laughing, and Trump wagging his finger at him and saying, oh, you don't interfere in our election, and then laugh. That's almost a treasonous act, I think. They want the same outcome as they had in 2016, which is the Russians being able to manipulate social media and perhaps even the election machinery to get this guy reelected. They got him elected the last time. They want to get him elected the next time. McConnell knows that, and McConnell wants that outcome. Is there a case for
Starting point is 00:15:58 optimism then? I think it's easy to be cynical with this, particularly given the conditions we find ourselves in, the news we hear every day. But the book is not just one of doom and gloom. There is optimism throughout. There is in two respects. First of all, we say something's happened since we wrote Cyber War 10 years ago. 10 years ago, we said no corporation could defend itself. This book says, no, wait a minute. There are a lot of corporations that are getting it right,
Starting point is 00:16:30 a lot of corporations that are successful. They are the dog that does not bark. You don't get news stories about, oh, XYZ Corporation hasn't been hacked. That's not a news story. But there are corporations like that, and we go in some detail in the book about how they're different and how they achieve this level of security. That is a source for optimism. The second source for optimism is that we have throughout the book, I don't know, 80, I think, specific proposals for addressing cyber security, improving it, both at home and internationally,
Starting point is 00:17:05 in government and in the private sector. And so we end up the book with a chapter entitled It's All Done But The Coding, which is, as you know, something that's said frequently in the IT business. You know, we've architected, we know what we want to do, we know it can be done, and I just give it to the guys to do the coding.
Starting point is 00:17:26 We think that if you had a president and a congress and other players who really wanted to solve this problem, it can be solved. We've had lots of studies, task forces, blue ribbon committees, industry consortium. We know what to do. This is no longer the problem from hell. It just takes people of goodwill acting on a bipartisan basis. That is really hard to achieve in Washington. A point you make in the book is sort of pushing back against this notion that we may find ourselves up against a cyber Pearl Harbor or a cyber 9-11. One of my colleagues here at the CyberWire makes the point that we could just as likely find ourselves in sort of a cyber Tonkin Gulf.
Starting point is 00:18:24 I'm wondering what your take is on that. Well, I assume what he's talking about is the attribution problem. Right. Well, the attribution problem, again, what we said 10 years ago was the attribution problem wasn't bad because 10 years ago, NSA was pretty damn good at figuring out who was doing the attacks. They still are.
Starting point is 00:18:50 You know, we talk about in the book the specific names of Russians, North Koreans, Iranians, and Chinese, the specific names of hackers. And if you go to the DOJ, the Justice Department website, you can see their pictures. These are individuals who have been indicted in the U.S. for hacking. Ask yourself, how do we know that it was them, those individuals, and how do we get their pictures? I'm not going to answer that question, but you can guess. So attribution is not impossible, but when other nations are stealing each other's weapons, then attribution gets a little bit more difficult. And we know that our tools, NSA tools, CIA tools, have appeared on the
Starting point is 00:19:36 dark web. We can argue about how they got out, but they did. I've also noticed that there are some Chinese tools available on the dark web, and I suspect nation states are using each other's weapons to confuse forensics. You know, personally, I find it helpful in my own mind to use public health as a metaphor for cybersecurity. If you look at the past hundred years of the progress we've made, where we've made tremendous strides in public health, and it's not perfect. You can wash your hands and, you know, do the basics, and still every now and then you're going to get a cold. Do you find that that's a useful comparison? No. I'm sorry.
Starting point is 00:20:22 Fair enough. No. Go on. Well, I know people are always struggling to explain cybersecurity in terms of something else that people already understand. Right. And one of the things that you hear a lot from people is, well, if you just have good cyber hygiene, then you wouldn't get hacked. And I don't know what the hell that means. I don't think anybody really knows what that means. It's not a matter of good cyber hygiene. It's a matter of spending money.
Starting point is 00:20:52 The companies that are spending 3% and 4% of their IT budget get hacked. The companies that are spending 8% to 10% of their IT budget on cybersecurity do not get hacked. That's nothing about hygiene. It's about money. So what's the take-home for the reader, the average person who's going about their life, their day-to-day here in the U.S. and elsewhere? What's the message you want to send home with them?
Starting point is 00:21:17 Well, cybersecurity affects everybody and everything we do, from whether or not it's safe to go to a hospital and being strapped up to an IV drip machine or a heart-lung machine. It affects who gets elected, how the election processes work. It could, if we had a bad day, bring down an airline or bring down a power grid. And it can certainly mess your own personal life up in terms of credit card theft and other records theft. So we have a chapter in the book about what this means to the individual and what are the things an individual can do to increase their own cybersecurity.
Starting point is 00:22:02 So individuals should do those many things that can improve their own security, but then they should be involved in the public debate to urge corporations they deal with and governments they deal with to remove the threats because we know how to do it. Well, the book is The Fifth Domain, Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. Richard Clarke, thanks so much for joining us. Great to be with you.
