The Jordan Harbinger Show - 240: Richard Clarke | Defending Ourselves in the Age of Cyber Threats

Episode Date: August 20, 2019

Richard Clarke (@richardclarke) served for 30 years in national security policy roles in the US government and worked directly for three presidents. He is the host of the Future State Podcast... and co-author of The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. What We Discuss with Richard Clarke: How we're in constant low-grade cyber conflict with Russia, China, Iran, and other adversarial nation states -- and the forms this can take. Cyber crime was a $600 billion industry (one percent of global GDP) in 2018, much of it perpetrated by rogue nations like North Korea. How cyberattacks can be (and have been) used to wreak physical damage on infrastructure, and why we should take them as seriously as traditional weaponry. Is it the government's job to protect private companies against cyberattacks from foreign powers, or is it up to private companies to be responsible for their own safety? Why there's a crisis-level shortage of cybersecurity expertise coming out of our country's most serious tech schools, and where it's being found instead. And much more... Full show notes and resources can be found here: https://jordanharbinger.com/240

Transcript
Starting point is 00:00:00 This episode is sponsored in part by Conspirituality Podcast. You know how I'm always talking about critical thinking and spotting manipulation? Well, there's a podcast that's all about dismantling new age cults, wellness grifters, and conspiracy med yogis, basically the wild overlap of spirituality and misinformation. It's called the Conspirituality Podcast. The hosts, a journalist, cult researcher, and a philosophical skeptic, dive deep into how this stuff spreads, from Project 2025 and the Heritage Foundation's dystopian vision of the future to how former leftists get pulled into far-right conspiracies.
Starting point is 00:00:31 An interesting episode to check out is called Speaking Truth to Goop, where Jen Gunter breaks down the pseudoscience behind the wellness industry in a way that is super entertaining and eye-opening. It's sharp, funny, and makes you a lot harder to fool, which, if you listen to this show, you know I'm all about that. From exploring cults to analyzing our cultural and political landscape, the Conspirituality Podcast will help you stay informed against misinformation and resist fear tactics.
Starting point is 00:00:54 Find Conspirituality on Apple Podcasts, Spotify, and wherever you get your podcasts. Welcome to the show. I'm Jordan Harbinger. As always, I'm here with my producer, Jason DeFilippo. On the Jordan Harbinger show, we decode the stories, secrets, and skills of the world's most brilliant and interesting people.
Starting point is 00:01:13 We turn their wisdom into practical advice that you can use to impact your own life and those around you. A lot of people think cyber war is just stolen information or inconveniences like the internet slowing down for a few hours. But these systems can impact our economy and our lives much more deeply and result in absolutely catastrophic failure of our infrastructure,
Starting point is 00:01:35 or worse. Today on the show, Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counterterrorism for the United States under both Bush and Clinton, by the way, explains how we're in constant low-grade cyber conflict with Russia, China, and Iran, and how vulnerable our systems, infrastructure, and country are to these attacks. We'll also discuss why protecting ourselves isn't as simple as installing better software, or enhancing our own capabilities. It's not just our data.
Starting point is 00:02:03 It's not just our elections. In a terrifying twist, we'll also uncover why cyber war is very likely to lead to conventional war and loss of life, potentially even large-scale conflict. If you want to know how we get this guest roster, well, it's not just about my business relationships. I've got killer personal relationships that I manage with hundreds, thousands of people. I use systems and tiny habits, and I want to show you how to do this. This has been very impactful for my life,
Starting point is 00:02:29 for my business, for the show. Check out our course, Six-Minute Networking. It's free. Not enter your credit card free, just free, free. Go to jordanharbinger.com slash course. And by the way, most of the guests that you hear on the show, they also subscribe to the course and the newsletter. So you're going to be in great company. Lots of smart people in there. I'd love to have you join us. All right, here's Richard Clarke. What surprised me about the book when I first picked it up was that we're in low-grade cyber conflict with Russia, China, and Iran. And I guess that wasn't a shock, because you hear about cyber attacks, I didn't really realize that this was kind of an ongoing thing.
Starting point is 00:03:05 And my friend showed me this, I'm sure you've seen this, this live kind of map of the little lines that look like little missiles lobbing over and these are supposed to be cyber attack maps. I'm pretty sure it's not quite how it works. I think that's a PR map. Yeah. No, but I think we are in a low-grade cyber war with Iran and Russia.
Starting point is 00:03:26 I mean, shots are being fired. Just let's go over Russia and Iran. Sure. And what we know publicly, and we can assume there's a lot we don't know. Sure. So just before the congressional election in the U.S., U.S. Cyber Command did some sort of cyber attack against the Internet Research Agency in St. Petersburg. I've heard that we sent messages to intelligence officers working there by name saying, we know who you are. You know, don't mess up our election.
Starting point is 00:04:00 We'll come after you. I've heard that we screwed up their network as well. I don't know the truth. We did something. But the U.S. Army or the U.S. military, U.S. Cyber Command, attacked something in St. Petersburg. Then you go forward in, I think, March of this year, the head of U.S. intelligence, Dan Coats, the director of national intelligence, in his annual threat briefing to the Congress, says the Russians are in the controls of our power grid.
Starting point is 00:04:34 Yeah, we'll get to that. That's mildly terrifying. And then a few months later, the White House has an official leak that, oh, we're in the control of their power grid. Yeah, yeah. So we hit their intelligence front organization in St. Petersburg. We've apparently gotten into their power grid. With the Iranians, we know the U.S. admits, more or less, that we did an attack on their nuclear facility at Natanz and blew up their centrifuges using software. Now, after they shot down our drone, Trump tweeted that he launched a cyber attack by way of retaliation against their missiles and intelligence along the Straits of Hormuz.
Starting point is 00:05:22 I don't know exactly what he hit, but he hit something. Yeah, they made a statement today. I read this on the way here that, of course, Iran, as most countries would do, say, oh, it didn't do anything. Right. Which is the only answer you can really give to a cyber attack. And it's very hard to have a satellite fly overhead and look at the damage and say, oh, no, look, it was serious. Right. But, you know, for years we had Cyber Command.
Starting point is 00:05:44 I think it's 11 years old as an organization. And it didn't seem to be on the offensive very much. We knew that the Secretary of Defense, Ash Carter, and the Obama administration, ordered Cyber Command to go after the terrorist group ISIS. And we know now from his book that just came out, Inside the Five-Sided Box, he was terribly disappointed at the results. Sure. That Cyber Command didn't do very much to ISIS. Well, you can understand that. They're not a nation state.
Starting point is 00:06:18 They don't have a lot of interest. But Cyber Command has apparently attacked Russia. It's apparently attacked Iran. And we know what the Russians have been doing to our election and to other nations' democratic processes. We know that Iran has attacked in the U.S. They've gone after Sheldon Adelson's casinos in Las Vegas, oddly. They've gone after the major banks in New York with a denial of service attack.
Starting point is 00:06:46 They went after the Saudi oil company, Aramco, and wiped all the software off their network. So, you know, when we wrote the book Cyber War 10 years ago and said all this stuff was going to happen, people said, oh, that's fanciful. You've been reading too many Clancy novels. But it wasn't even back then. No.
Starting point is 00:07:05 Because I remember when I was probably, man, 13 or 14, and I was messing around on the Internet with hackers and stuff like that, MCI used to be a telecom company that you probably have heard of. Yeah. And they had a bunch of phone lines in Iraq. And me and a large group of guys, I should say a large group of guys and I, we shut down a lot of their international telecoms capabilities by, and I, again, I'm 13, I'm not a genius with computers. It was actually just not that hard. Yeah. It was like dial into their modems,
Starting point is 00:07:39 flip a couple things around, you needed to know the country code for Iraq, and then other, some other things that were social engineering in nature, which is where my skills were lying at the time was more like, oh, hey, we're going to need to do something with this fiber pipe, and they're like, okay, no problem, you're going to run a test? Yeah, okay, it's going to last five hours. Okay, well, we'll, you know, throttle traffic for five hours. And then you just jam it all up to the point where they're going, what the hell happened there? And it takes some three weeks to undo the damage or three days. And that's exactly what we did. And that was basically how you could shut down a whole country's phone system.
Starting point is 00:08:11 So, see, this is exactly the change that's happened. Ten years ago, 15 years ago, it was 13-year-old boys. Yeah. And I remember we had an attack on a whole series of U.S. Air Force bases when I was in the White House. And the Air Force got all upset. This is in the early days of this kind of thing happening. And we're trying to figure out who did it.
Starting point is 00:08:36 Was it Russia? Was it Iraq? It was a big debate about that. And I said, well, you know, let's not try to guess. You know, let's wait for the forensics to come back. And the forensics came back and there were two 13-year-old boys. They were in Israel. Sure.
Starting point is 00:08:53 But so what's new 10 years on from our first book, Cyber War, is that the things that we worry about now are not 13-year-old boys. Right. They're nation states and their armies. So if you look at the major attacks that are occurring now, it's Russia's GRU, which is military intelligence. It's a numbered unit of the People's Liberation Army of China, unit 5218-9. They're into numbers, not names. But of course, U.S. cyber companies can't stand that. They can't stand the enemy is 59812 or whatever the number is. And so they make up funny names for them. Like Russia had, what was it like the bears? They're bears. So the
Starting point is 00:09:45 company CrowdStrike, great company, just went public, now worth $13 billion, they broke down the various Russian threat actors. And instead of calling them Advanced Persistent Threat Group 1, 2, 3, which is what another U.S. company called FireEye had done, they started giving them names. So there's Fancy Bear, yeah, and various other bears. And then they started calling the Iranian threat actors, the various forms of kitten, this kitten, that kitten.
Starting point is 00:10:22 But they're all military organizations. Now, you can give them sweet little, you know, kitty names. We're talking about the Russian military, the Iranian Revolutionary Guards, the North Korean military, the Chinese People's Liberation Army. That's who's attacking, not only us, but other nations around the world. And a lot of what happens overseas is the U.S. military, Cyber Command, NSA, and CIA.
Starting point is 00:10:58 It's changed. It's now the big boys. It's now big military organizations that are doing most of the serious damage. They're well funded now, I assume, because two 13-year-old boys in Israel, not super well-funded. Usually their allowance only goes so far. They're using their parents' computers. I mean, even me at that age, working with these other guys,
Starting point is 00:11:20 we're using Internet Relay Chat to talk. Most of those guys, I think, I mean, we didn't really know each other, were in college. Some were probably beyond college, system administrator at Hewlett-Packard, something like that, but nobody was working for, there was no Cyber Command,
Starting point is 00:11:36 nobody was in the Army. Definitely none of them were in law enforcement. I mean, we were just a bunch of nerds on computers that thought, like, wouldn't it be helpful if we shut this down? Probably. Well, it sounds fun, and we're probably going to get away with it, so let's do it. That was the consensus. And we see crime going up in this area, too, not just the attacks from China and Russia, but cybercrime. I was telling you before the show that on the way here, cybercrime is something like a $600 billion industry.
Starting point is 00:12:05 And that might count solving cybercrime, but it looks like we're taking a dent to the tune of 1% of global GDP as of 2018. So that's interesting. Part of the cybercrime is nation-state related. And in two different ways. The North Korean Army, when it goes out and does cyber activity, is stealing money for the state. That's how they support the North Korean government. How the North Korean government pays the bills is they steal.
Starting point is 00:12:37 This has always been true. They were using the diplomatic pouch for years to carry counterfeit money. They made an almost perfect U.S. $100 bill. It's called the Super Dollar, right? A super note. They also used the diplomatic pouch for years to carry narcotics. So now they're making money in a criminal way through cyber tech. So that's one way the states are involved in crime.
Starting point is 00:13:05 The other way is there's pretty good reason to believe that in Russia and in China, people go home after an eight-hour shift working five days a week in the military cyber unit and do a little work at night on their own or with cartels, criminal cartels, do a little work on the weekends. It also looks like China and Russia seem to be following the U.S. model that the military is supported by contractors. So now there are Russian contractors and Chinese contractors
Starting point is 00:13:44 and they're, you know, private companies owned by individuals, not owned by the state, and they get contracts from the government to go hack something. So there's like a Chinese version of what might look like
Starting point is 00:13:59 CrowdStrike here? Or Booz Allen. Booz Allen, yeah. Booz Allen's the one I always think of because whenever someone is arrested for stealing NSA's material, it seems to me. It's often a Booz Allen employee. Or if they escape to Moscow.
Starting point is 00:14:17 Or if they escape to Moscow, they're a Booz Allen employee rather than an NSA employee. NSA is always quick to say. It's not us. Right, right. It's our contractor. Right. Edward Snowden worked for Booz Allen for people who don't know. And a few other guys who've been charged.
Starting point is 00:14:32 I didn't mean to pick on Booz Allen. But anyway, the point is there's now a Russian equivalent of that. There's a Chinese equivalent of that. And it's pretty clear that they're using attack tools in their day job to do intelligence collection. And then they go home and work with some other friends and make a little money on the side. It seems like countries are, according to your work, they're more likely to go cyber, they're more likely to go unconventional first in conflict. Why is that? Why do people start off with the hacking and the cyber attacks? I think we have a good example of that just
Starting point is 00:15:15 recently with Trump. So Trump wants to retaliate because our unmanned vehicle got shot down. I always thought the point of having an unmanned vehicle was that it could be shot down. Right. But frankly, I'm serious about that. When we started using drones, I was a big advocate. and one of the reasons was there's never going to be a U.S. pilot taken hostage. No U.S. pilot's ever going to be
Starting point is 00:15:44 tortured and killed again. No John McCain is ever going to spend six years in a cell because his plane was shot down. We're going to use drones. And if they, you know, if they shoot a drone down, the pilot's going to go home to her
Starting point is 00:16:00 husband. Right. You know? Right. That night. Say, I lost a really expensive piece of equipment, I might get in trouble. Yeah, let's have dinner. So I thought that was compelling. But anyway, a drone got shot down, Trump got mad.
Starting point is 00:16:15 And apparently John Bolton, the National Security Advisor, gave him plans to launch missiles and bombers and go after Iran. And then that great national security expert, Tucker Carlson, apparently said, gee, that's not a good idea. And the president wondered why and was informed, oh, 150 Iranian military people will probably die if we do this. And he thought, well, gee, they didn't kill any of our guys. Maybe we should do something neater and cleaner with no body bags involved. Let's do a cyber attack. People, and I think that's typical, people think cyber attacks are not dirty. They're not lethal. There are no body bags. It's somehow exercising state power
Starting point is 00:17:11 for some purpose or other, but in some sort of sanitized way. And I think that's dangerous thinking. Yeah. You mentioned that, and I've seen this at DefCon and other hacker conferences, people game this stuff out. And there are a lot of real world issues that can happen here. Let me scroll down on my notes here because I know that especially when you're attacking power systems or people think it's just going to be, oh, well, a bunch of people lost their iCloud accounts. What a bummer. Or, oh, man, I hope you had that Word document backed up because your server's down. But when you're looking at SCADA systems, which are these, what does that stand for, some sort of command system for power? Supervisory control and data acquisition.
Starting point is 00:17:54 Okay. Yeah, you pass that quiz, I guess. I couldn't remember. But these are systems that are used to control power grids, I think water treatment plants, stuff like that. So, when you think of IT as computer networks, the SCADA systems are called OT, operational technology, operations technology. It's a different software environment. Yeah. And what I didn't realize until I got into this a little deeper was there are two different worlds who don't like each other.
Starting point is 00:18:23 Of course. Two different people, two different sets of conferences, you know? That's how you really know. It's like, did you go to the OT conference in Miami? No, I was at the IT conference in Boston. There's two different worlds. And that's a problem, it turns out, that the OT world of the SCADA control system
Starting point is 00:18:44 for the power grid, for manufacturing, for pipelines, all those sort of operational software, it doesn't interact well with regular old IT. Yeah. And nonetheless, people are running around connecting networks all the time because they want data from one to get to the other. And that creates a huge vulnerability. Yeah, but I get it, though, right? Like, if I work at this wastewater treatment plant and I go, you know, if I just plug this Windows machine into this, I can log in from home.
Starting point is 00:19:19 And I don't have to show up on Sunday. You got it. Yeah. That's exactly right. I have an old war story about that. I went to Houston when I was just learning this stuff, I'd go around the country and say, hey, I'm from the White House. Can you brief me? And they'd always say yes.
Starting point is 00:19:36 And so I went down to Houston. I went to a pipeline company who will be nameless. And they said, oh, man, we're glad to brief you because we got security. We got it knocked down. And we drove to a golf course. I'm like, okay, why are we at a golf course? and we went to a bunker, not a golf bunker, but a bunker bunker bunker. And there was staircase down.
Starting point is 00:20:01 And underneath the golf course, they had built a command center to run their national pipeline network. And they had done this during the Cold War because they thought there might be a nuclear war. Sure. And so the command center was designed to survive a nuclear war. And they could run all the pipeline pumps all over the country from there. and then I said, well, whatever, I mean, what if there's like a weather event and you can't get here? Oh, that happened.
Starting point is 00:20:30 You know, we had that hurricane two years ago. Not a problem. We worked from home. How'd you work from home? Well, we take our laptops and we just get a VPN line. We plug right into the controls. Yeah. In fact, we do that all the time now.
Starting point is 00:20:46 Yeah. Nobody comes down here anymore. Yeah. Yeah. Yeah, we just log in from home. Right. Exactly. And we use the same password that we use on AOL and Gmail for all of our accounts. And everybody, we have six employees over the last six months that don't work here anymore. Their accounts are all still active. Right. And we write the passwords on Post-it notes in the room just in case somebody new goes. What could possibly go wrong? Right. Yeah. I can imagine.
Starting point is 00:21:12 You're listening to the Jordan Harbinger show with our guest, Richard Clarke. We'll be right back. Thanks for listening and supporting the show. And to learn more and get links to all the great discounts you just heard from our amazing sponsors, visit jordanharbinger.com slash deals. Don't forget, we have a worksheet for today's episode so you can make sure you solidify your understanding of the key takeaways from Richard Clarke. That link is in the show notes at jordanharbinger.com slash podcast. If you like some tips on how to subscribe to the show, just go to jordanharbinger.com slash subscribe. Subscribing to the show is absolutely free. It just means you get all the latest episodes downloaded automatically to your podcast player so you don't miss a single thing. Now, back to our show with Richard Clarke.
Starting point is 00:21:53 It's crazy to me because when I see these Russia and Ukraine conflict and you see the power grid being taken down in Ukraine or you see ransomware attacks and looking at things like SCADA systems or SCADA systems, you've got this whole system that can't really be fixed without a total redesign from the ground up. I think that was one of your points. But what really freaked me out was the sensors and things like Stuxnet. And I want to hear about that in a second. but I was going over the scenarios in my head here, and I thought, all right, power going down, that's a problem, especially if it's really hot or really cold. People need heat and things like that.
Starting point is 00:22:29 Gas plants, water filtration systems. I mean, once you start thinking, what happens if I tweak this in a malicious way, imagine sensors telling us that water's clean when it's dirty and hasn't been treated at all, or they just dump a ton of a chemical in instead of a little bit, and then they dump that out into the water system. I mean, people drink this.
Starting point is 00:22:50 Well, and there are systematic dependencies that most of us don't know about. So in 2003, a tree fell over in Ohio. Trees fall over all the time. That does happen, yeah. Particularly in my yard for some reason. But a tree fell in Ohio that knocked down an electrical line. And it was a hot day, and the power grid was at peak production. and a series of trips, cascading failures occurred.
Starting point is 00:23:25 And pretty soon a quarter of the country had no electricity, including New York, Boston, Philadelphia. Oh, is it a cascade? Cleveland, yeah. Brownout or whatever it's called? Blackout. Blackout. And up into Canada.
Starting point is 00:23:38 It happened like that. And, you know, all right, they blamed it on a tree. Maybe it was a tree. But things happened that people didn't know. So I think it was Cleveland or it may have been Detroit. Some Midwestern city discovered that without electricity, it didn't have water. Oh, wow. That's not true in most cities, but it was true in this one city.
Starting point is 00:24:05 And a number of cities discovered without electricity, they don't treat sewage. Oh. It gets discharged into lakes and rivers. So exactly what you're talking about. There are not only cascading failures within an electrical system, but then because of these dependencies, cascading failures of other kinds of systems. And until recently, people weren't planning for that kind of thing. Now they are.
Starting point is 00:24:38 You know, people now take seriously because, as you said, the Russians have attacked another country and turned off the power grid. Ukraine, twice. Twice, yeah. People now have, I think they're out of the denial they were in for the first part of the century. And they're actually planning. FEMA, the emergency management agency, held a test in the exercise recently where the scenario was, power's going to be out for three months.
Starting point is 00:25:10 Because the cyber attack in the exercise destroyed transformers, destroyed generators, didn't just shut them off. Yeah, let's talk about that a little, because one of the most famous cyber attacks of all time, I think, is Stuxnet. And you mentioned this before when we destroyed or when whoever was, I don't know, Israel, U.S., some combination, destroyed these centrifuges in Iran. And I watched a documentary about this, which is on Netflix, by the way. I don't know if you've seen it's really interesting. Zero Day. It might be that.
Starting point is 00:25:45 Yeah, they kind of outline how all of this went down. And what I didn't realize was for almost every computer in the world has the Stuxnet virus on it. That's how they got it there. I thought, wow, how did they target this computer system? And the answer is give it to everyone. It's like herpes.
Starting point is 00:26:02 It's going to find you. You know, it's going to get in there somehow. And so they got it onto their, and the viruses, it might be on your computer right now, your phone, but it only attacks Siemens-made centrifuges that have this certain combination of parts that just happen to be and of course this was very deliberate,
Starting point is 00:26:23 the exact configuration that they were using at the one place. It has to be, apparently, it has to be the Siemens SCADA system tied to a program logic controller from Finland or Iran.
Starting point is 00:26:40 And pretty much the only place in the world where those precise things occur was the Natanz Nuclear Enrichment Facility. So, yeah, as a piece of software, it's over 50,000 lines of code, it's a really, really complex piece of software. It used four different zero days, the types that had never been used before in the wild. If one didn't work, it used the other, it was going to get into the network. And once it got into the network, it spread, then it checked, you know,
Starting point is 00:27:15 I'm essentially asking, am I in Natanz? And if I'm not, it shuts down. So, yeah, it is on a lot of people's computers around the world, in part because after the attack, it somehow got out from Natanz, even though Natanz wasn't connected to the Internet. Right.
Starting point is 00:27:33 There's only so much you can discuss publicly about how that might have happened. Yeah, I mean, my theory, based on no real information, is if you target enough people and they'll put something in an air-gapped machine at some point and find it or it gets transmitted in some way that
Starting point is 00:27:49 isn't really that well known. But the thing that struck people after the fact was most people hadn't accepted that this could happen or hadn't thought that this could happen. Software destroys hardware.
Starting point is 00:28:06 Software can make a machine kill itself. Right. So I always talked before Stuxnet for a decade before Stuxnet. I talked about a cyber attack is a virtual arm reaching out of cyberspace into physical space and blowing something up as sure as it was a missile or a bomb blowing it up. And my metaphor just never, no one ever got it or they thought I was crazy or had read too much science fiction. After Stuxnet, people went, oh, I see, you can really cause things to blow up. Yeah, people don't really get it, and I understand why.
Starting point is 00:28:48 But when you, the way you wrote about it in the book made perfect sense, which is it's largely about the sensors, right? So if you're running something at a red line speed and you tell that sensor to say, hey, we're only at half the speed, and people keep turning it up where the hardware control keeps turning it up way past what it safely can operate at, because it's causing itself to lie, it's causing your speedometer to lie to you, you don't know that you're going 140 miles at half.
Starting point is 00:29:14 Exactly. If you can get in between the device itself and the signal, the sensor control panel. So, yeah, think about it as a car. And the car is reading 60 and it's doing 100. Well, all that results in is you're getting a ticket. Sure. From the state police.
Starting point is 00:29:36 But if that's a gas pipeline, then the gas pipeline blows up. Right. And, you know, we talk in the book about a town in Massachusetts called Lawrence, Massachusetts. And one night in Lawrence and in three other towns surrounding it, suddenly houses were blowing up. And the three little fire departments in these three little towns were getting flooded with calls. The house next door just blew up. The house next door just blew up.
Starting point is 00:30:06 And suddenly they had more fires than they had fire trucks. And it looked like the German Air Force, the Luftwaffe, had flown over and dropped incendiary bombs or something. It looked like London in 1941. What was going on? What was going on was that the gas pipelines going into these houses, the houses were all heated with gas, the pipelines had a massive overpressure, 10 times the amount of gas that should have been going into the houses was being pumped into the houses. And what happens in that case is the pump breaks. Sure.
Starting point is 00:30:44 The basement fills up with gas and any little source of friction will cause it to explode. Like a pilot light from a furnace. Exactly. And so bang, bang, bang, bang, houses somewhat randomly it looked like. It wasn't random. It was the houses that had gas were blowing up. Now, the reason for that was a maintenance company working for the gas company was doing some work on the power line, the gas line, and had the wrong setting. Oh, wow.
Starting point is 00:31:16 It was off by a factor of 10. There's no reason to believe that was a cyber attack, but we talk about that in the book to demonstrate what can happen if you can get control. And you can, online, digitally, you can get control of something that regulates how much pressure goes into a line. Things explode. It is wild to see how vulnerable these things are. And of course, the problem is companies go, well, I'm not going to protect against Russia. That's the government's job.
Starting point is 00:31:49 And the government says, why are we going to go in and custom design a solution for your particular cell phone company's IT software that we have to update every time you have a system upgrade? So we make any sense. We talk about this argument a lot in the book, and we begin by saying what General Keith Alexander, the former head of Cyber Command, likes to say publicly.
Starting point is 00:32:12 And it's a very appealing argument. He says, if a Russian bomber flies overhead and drops a bomb on your plant, you expect the United States Air Force, because you pay taxes and we got a big Air Force. You expect the United States Air Force to go out and shoot
Starting point is 00:32:28 down that bomber and deal with the Russian threat. But if the same damage to your plant is done by a Russian cyber unit, Russian military, they're both Russian military. One's a bomber or one's a cyber unit. They both have the same effect. Your plant doesn't work anymore. It's destroyed. What's the difference? Why should the government save you when it's a bomber and the government doesn't do anything to save you when it's a cyber attack? Right. I'm a taxpayer. I expect the Pentagon to save me from the Russian military. That's a very appealing argument.
Starting point is 00:33:04 Right. And it's wrong. It's just wrong. Because if you try to think about, all right, let's agree with that. Let's be able to stop these attacks. You can't do it. You know, what are we going to do?
Starting point is 00:33:21 Ask Cyber Command to figure out how bank networks run, how gas pipeline networks run, how electric power, they don't know. Cyber Command is having a hard time defending itself and the U.S. military. And they're not doing a very good job defending themselves or the U.S. military. Why do we think they would be able to defend a bank network?
Starting point is 00:33:46 And then who do you defend, who's more important, Chase Bank or the water company in New York? Or, you know, J.P. Morgan, because it's a big, wealthy bank, or the, you know, neighborhood bank down the state, Street. Yeah. J.P. Morgan did tell us what they spent for the book.
Starting point is 00:34:06 And it was $700 million every year defending their network. Bank of America did not tell us. We have subsequently learned from an inside source that it's more like a billion three at Bank of America. Every year, they're spending a billion three. They're employing thousands of people. Why do we think that the U.S. military could do that any better? Yeah.
Starting point is 00:34:34 It can't. They don't have the legal authority. They don't have the expertise. They don't have the number of people necessary. Basically, you know, the government can do something. And we enumerate in the book what the government should do. But it can't defend your network for you. No.
Starting point is 00:34:50 As appealing as that analogy with the bomber is, it's not a true analogy. Also, though, companies, if I'm graduating from the University of Michigan or MIT, and I'm a computer genius, the odds of me going, I'm going to take a government paycheck versus going to work for CrowdStrike. It's pretty low.
Starting point is 00:35:10 Well, it's even worse than that. So you're right. But if I'm a computer genius, which I'm not, by the way, and graduating from MIT, chances are, I'm getting an undergraduate degree, let's say. Chances are I've never taken
Starting point is 00:35:26 a single semester course in cybersecurity. Because at MIT, and I went to MIT, it's still true. It was true when I went there. It's true now. You can get a computer science degree
Starting point is 00:35:40 without any, any course in cybersecurity. Oh, I believe that. I remember a lot of my friends who, I studied econ and commerce, and a lot of my friends who were in computer engineering
Starting point is 00:35:53 at Michigan, they would walk into my dorm room and they'd go, whoa, what kind of computer is that? And I go, oh, I just, I made it, I built it, which is actually not hard. It's like putting together Legos made out of circuit boards.
Starting point is 00:36:04 And they would go, wow, I'm a senior in computer engineering. And there's no way I could build my own computer. And I guarantee you could figure this out in one Saturday afternoon. And one of my friends actually switched to French as a major because he just went, okay, if you can do this and I can't, I'm done, I'm done. But it reminded me like, wait a minute, these guys, they don't even know how I'm opening up their CD-ROM tray remotely on the local network, which is like, using a simple Trojan, back then was called NetBus.
Starting point is 00:36:32 I mean, these are really, really basic, like click on this dancing bear email attachment and I control your whole machine. And they had no clue how this stuff works. So let's come back to the Computer Genius Kid. Computer Genius kids are taught by their computer science department to look down their nose at cybersecurity,
Starting point is 00:36:51 like it's carpentry or taking out the garbage or something. Whereas if you're a computer genius, You have to be working on advanced neural network machine learning or quantum computing or something, you know, state of the art. There's a real kind of, so Stanford isn't a place where we get computer security people. MIT is not. There's a real kind of society thing here, kind of tiering. So where do I look for the best cybersecurity people? Idaho State, Tulsa University, places that, all right, Carnegie Mellon.
Starting point is 00:37:37 Yeah, that makes sense. But a lot of them are from places that you would not think of. They're not household names. You know, Tulsa University is not a household name. They produce some of the best cybersecurity people in the country. Yeah, if I didn't know, you could have just made that up right now, the name of that university, and I would have no idea. Right. Yeah.
Starting point is 00:37:58 Yeah. Quantum computing is an interesting phenomenon. You just kind of mentioned this. And I want to get to that in a second, but the idea that this domain moves so fast is a little scary and surprising. I mean, when I look at things like war planes, we, every decade or two, there's an advancement where you go, wow, that's our new plane. That's amazing.
Starting point is 00:38:21 But when you look at cyber attacks, you come up with things like zero days, that we call them zero days, as you mentioned, the exploits that are not public yet. And these are weapons that as soon as you find out what it is, you can block it. You can patch it. You can fix it. So it's kind of like, what was the analogy you gave in the book? It's like being able to go in and change the atmosphere so that bombs no longer fall downward when they're dropped out of a plane. Right. And you can just fix that in a couple of days or if you've got a real crack team on it and it's a really obvious zero-day exploit.
Starting point is 00:38:49 You can patch it in a few hours. You can. So there's a use-it-once kind of phenomenon against a hard target, because a hard target is going to have all sorts of sensors, and eventually they'll figure out what happened, and they'll, as you say, patch it, block it. But there'll be somebody five years later who still hasn't patched it.
Starting point is 00:39:14 And, you know, this is what happened with the famous NotPetya attack of the Russian attack on Ukraine. They were going after a vulnerability in Microsoft that had been reported publicly by Microsoft and Microsoft has said this is how you fix it months before,
Starting point is 00:39:36 months before. And you would think everybody would say, oh, that's a critical patch. Let's run out and stop the zero day. Let's apply that patch. Hundreds of companies didn't. Well, we've all been to a place like an office and you go,
Starting point is 00:39:53 man, this is the computer you work on? This is at Windows 98? And they're laughing and they're like, well, actually, this is Windows XP professional edition, but this is a computer that controls our lighting system. We don't really care. We don't worry about this. And hospitals were until recently, and still are in many places,
Starting point is 00:40:10 the worst defender beat. And there was a reason. You joke about Windows 98. There were lots of medical devices in this country. Probably some still are. As late as last year, when we were looking into this for the book, lots of medical devices running Windows XP and Windows 98. Why? Because the government forced them to. The Food and Drug Administration,
Starting point is 00:40:35 in its old incarnation, it's changed in the last year. But FDA used to say, we certified that software for that machine. You cannot change anything. And people would say, but Microsoft is no longer servicing that operating system. There are known vulnerabilities. in that operating system. There are millions of exploits. Nope, can't change anything. Right, because you'd have to submit the medical device for recertification,
Starting point is 00:41:07 which would take a lot of money and a long time. Now the FDA has come around, but for years they didn't. And so you had heart-lung machines and IV drip machines and all sorts of life-sustaining machines in hospitals that were filled, riddled with vulnerabilities.
Starting point is 00:41:27 You're listening to the Jordan Harbinger show with our guest, Richard Clarke. We'll be right back after this. Thank you for listening and supporting the show. Your support of our advertisers keeps us on the air. To learn more and get links to all the great discounts you just heard so you can check out those amazing sponsors, visit jordanharbinger.com slash deals. And don't forget the worksheet for today's episode. That link is in the show notes at jordanharbinger.com slash podcast.
Starting point is 00:41:51 And if you're listening to us on the Overcast player, please click those little stars next to the episode. They really help us out. Now for the conclusion of our episode with Richard Clarke. Quantum computing seems like that this is something we, that's a whole show, but it's a whole phenomenon that we don't know when it's coming. A lot of people don't even know exactly what it is. And I would love, are you able to explain it in sort of a simplified way? I tried.
Starting point is 00:42:19 I tried really hard in the book. Yeah. I did a chapter on it. And I'll tell you, when I first heard about it, I was, quantum computing, quite a long time ago. I mean, people have been trying to get this for a long time. And I called out to NSA and said, send me some experts on quantum computing, because I don't know anything about this.
Starting point is 00:42:41 And again, when you were in the White House and asked people, send me experts. They always did. It was great. Well, the only perk of being in the White House. Can't be the only perk, but okay. There weren't many. They've got good ice cream, I've heard. They do.
Starting point is 00:42:55 They do have good ice cream. So they sent these guys down and they began by talking about a German physicist from the early 20th century named Schrodinger and his analogy of his cat. Schrodinger's cat, yeah. And for those of you who haven't heard this, this is the explanation that everybody uses for quantum computing. The cat is alive. It's in a box. It is alive. it is also dead at the same time
Starting point is 00:43:26 and it is also alive and dead and it is the worst possible way of explaining quantum computing. Right, because people don't understand Schrodinger's cat in the first place. Now you're adding a variable. And cats and boxes and it's alive and it's dead at the same,
Starting point is 00:43:43 but then it's alive and dead. It's just a Schrodinger guy, you know, stop it. He was not good at teachers. He may have been a great physicist. This is a really bad analogy, and that we perpetuated it for a century. I can't stand it. So let's put all that aside. Sure.
Starting point is 00:44:04 What quantum computing is about is using the phenomena that occur at the subatomic level. We can't physically see at the subatomic level. All of the rules of physics that we observe and that we learned about in high school physics. None of those rules seem to apply at the subatomic level. It's a different world down there. And we don't fully understand why things happen the way they do down there. But we're beginning to understand what they, if not why, is certainly what they do.
Starting point is 00:44:44 And some people in computer science learning about this said, oh, wow, we could use the phenomenon, the strangeness of what goes on at the subatomic level to run a different kind of computer. And there would be a real advantage to that in terms of if we could make it work
Starting point is 00:45:06 dealing with really hard number crunching exercises. So there are some problems that you can run a computer, the best computer or supercomputer we have. You can run it for months and it
Starting point is 00:45:22 may solve the equation, but it may not. And encryption is one of these problems. You can get an enemy's code and put it into a supercomputer and literally walk away for months and have that supercomputer trying to break the encryption, and it usually doesn't. That's the secret story. It usually doesn't. The secret is it doesn't work. The secret is it doesn't work. So what's the magic that occurs at the subatomic level. So the subatomic particle, we call a qubit, not a bit, but a qubit, and it does simultaneously have ones and zeros. Right, so binary is like one or zero. Binary, which is conventional computing is one or zero. At the subatomic level, it's both at the same time and states in between.
Starting point is 00:46:21 Right. Okay. Now, if you can manipulate those qubits and use them in a computer instead of regular bits, you have an exponential power of calculation. So you can have 8, 16, 56 qubits are able to do increasingly exponentially higher amounts of calculations because they have this ability, not just to be a one or a zero, but to be a lot of different values. Right.
Starting point is 00:46:57 So something that might take a supercomputer, a month of time could take a few seconds. A few seconds. And the question is, you know, when are we going to have supercomputing? When are we going to have quantum computing? We kind of already do. And everybody is saying, well, here's the definition of when we have it. Well, under some of the definitions that were around 10 years ago, we already have it. There are quantum computers operating.
Starting point is 00:47:27 I went to write the book. I went over here to Rigetti Computing across the bay in Berkeley. And they've got one. Cool. It works. Is it huge? No. No?
Starting point is 00:47:38 It looks like somebody's bizarre combination of an espresso machine and a pot roaster. Is it radioactive? Like, what's going on? Whether there's like steam coming out of it. The reason, literally, the reason for all of those pipes and wires is that you can really best manipulate these subatomic particles at absolute zero.
Starting point is 00:48:03 Okay. They're more stable at absolute zero. Right. Now, even at more stable, they only exist for a second or two. In fact, if you can get them to exist for a second, that's pretty good. So these are like elements that were created.
Starting point is 00:48:18 in some sort of high pressure super cold chamber or something. They're super cold chambers, yeah, absolute zero. So this is not a quantum computer, is not going to be a laptop. Not yet. Not yet, not in the long time. But you might be able to VPN into a quantum computer from your laptop. So they use this term, and it's another terrible term, quantum supremacy. and it sounds like, oh, is China going to get quantum supremacy before us?
Starting point is 00:48:51 That's kind of where I was going. And then will they be quantum supreme? What quantum supremacy means is something very different from what it sounds like. What it means is the first time a quantum computer can successfully do a calculation that has never been successfully done before. So there are algorithms, there are equations. We've never been able to solve, but we think in theory they should be ones that can be solved. With a supercomputer, it takes infinite time.
Starting point is 00:49:29 With a quantum computer, we think they can be solved. And when one of these is solved for the first time, an equation that's never been solved before, a problem that's never been solved before by a computer, when a quantum computer does that. That is quantum supremacy. It's supremacy not over China than supremacy over a regular computer. A regular computer, right. And there's a debate about when that'll happen. And I think you can get odds. I think it's going to happen a lot faster than the general public believes. Sure. Yeah. And there's a whole community out there writing machine learning algorithms on the assumption that we're going to get a quantum computer to work.
Starting point is 00:50:18 So there's people writing code for something like, this is going, this program would take infinite time to run, so that's not super useful right now. But eventually I'll be able to plug this into some Rigetti computer, and it will run, and what it will do is simulate the weather pattern on the entire planet over the earth for the next. Or, you know, something that now is done in a biotech lab, a wet lab, that costs millions of dollars to build the PL4 wet lab
Starting point is 00:50:48 and repeatedly do these experiments until you get a combination that works. Just simulate it on the quantum computer and in a matter of minutes get a result that would otherwise take years in a wet lab. Like I said, this is probably a whole show because I'm imagining drug trials and things being simulated on this. That's exactly right.
Starting point is 00:51:09 Is it? Now, where does this affect security? Well, a lot of people believe that these quantum computers will be able to break the encryption that we use today. Sure. Yeah, they probably will. Yeah. Is that the end of the world? No, because we've seen this coming.
Starting point is 00:51:27 And the encryption whizzes of the world have started writing quantum resistant computing algorithms. Some people are already using quantum resistant algorithms. The government, through the National Institute of Standards, has a public, unclassified open program where they're asking people from all over the world to participate in creating standards for quantum resistant algorithms for encryption. Now, they want, NIST wants to, the standards people, wants to have this done by 2024. I think 2024 may be too late. Yeah, yeah.
Starting point is 00:52:08 You probably walk that deadline back a little because I think the work that's going on at IBM and Google and Rigetti and elsewhere is a lot further along than people tend to think it is. We hear of these treaties between, let's say China and the United States that are like, all right, let's agree not to hack each other left and right. But you said there's two types of companies. Those have been hacked and know it and those that have been hacked and don't know it. I mean, even my small company back, I don't know, three, four years ago, we got hacked and people put malware on our whole website. And so whenever anyone logged in, it asked them to download something and install it under their machine. And a lot of people did because it was our learning software and thought, oh, it's an update for my learning software. And so a ton of people got infected.
Starting point is 00:52:52 It was really embarrassing for us. But what's the point of these treaties if everyone's just going to violate it? I mean, I guess I don't understand. Is it like we're sort of following this? I mean, what do people, why bother? Before I answer your question on treaties, I've got to give credit where credit is due. So, Dmitri Alperovitch from CrowdStrike was the guy who invented that line. There are two kinds of companies.
Starting point is 00:53:14 Those have been hacked and know it and those have been hacked and don't know it. And what we say in the book, and we asked Dmitri this, whether he agreed and he said he does now agree, there are three kinds of companies. And the third kind of company is the company that cannot be hacked or that is resilient from hacking. That third kind of company didn't exist 10 years ago. It exists now. We can all list companies that have been hacked. Equifax, Marriott, Sony, Target,
Starting point is 00:53:47 that we could go on all day. One of the ones that didn't get hacked. Can you list them? There's a list. You can come up with it. You can derive it. Now, some of them actually were hacked and didn't tell anybody, even though you're supposed to under the law
Starting point is 00:54:05 or if you're a publicly traded company. Some of them skirt that law. That's a different subject. Talk about that all day. But there are companies, and we've talked to them, that in the last five years, haven't been hacked.
Starting point is 00:54:22 Or the hack got in and was quickly isolated and did little damage to the network, and the network was quickly restored. So we called those companies resilient companies. And they don't
Starting point is 00:54:37 want us saying who they are. Right, because they don't want to dare, I mean, right. Yeah.
Starting point is 00:54:41 I know for a fact that these companies are safe. Maybe tomorrow they'll be hacked. Sure. But they've had like a five or more
Starting point is 00:54:50 year record. And they're targets. They are attempts all the time. Sure. I'm imagining like Palantir probably in the front. And the interesting thing about this is
Starting point is 00:55:00 it's because of the technology that's come out in the last few years, like endpoint detection and response, EDR, like some cloud computing applications. But it's not any one technology. It's stringing together dozens, dozens of applications and technologies
Starting point is 00:55:20 to make this work. That's the big surprise for us writing the book, that this is the dog that doesn't bark. This is the news story. Nothing happened today. You don't hear it. But it's more important in some respects than all the little stories about who got hacked because it means that there's been a big shift in the offense-defense relationship.
Starting point is 00:55:44 And that for this moment in time, at least, if you know what you're doing and you have a nice checkbook, you can defend yourself. There's a lot of companies now have these sort of hacking back policies. I don't know if this is still a thing, but there's a lot of companies that go, oh, well, we're going to find the source of this and go back after them. What do you think of that? Because that sounds like that sounds like somebody's little brother
Starting point is 00:56:09 gets picked on and they punch the guy in the nose and then what happens when they go back and they hack Iran, then what? Then they have to tap on the shoulder of their big brother of the U.S. Army and say, hey, we pissed off Iran because they came and shut down our ATM thing and then we went and screwed with them.
Starting point is 00:56:25 It's a really bad idea. Yeah, it seems like a bad idea. And I'll tell you, there's a couple of reasons why I think it's a bad idea. One is, what the hell difference does it make who hacked you? If you're a company, you're a corporation, you really care whether it was the Iranian Revolutionary Guards or the North Korean Army. I mean, you got hacked. Fix it.
Starting point is 00:56:45 And make sure it can't happen again. Figure out how it happened. That's what you should be doing. Figure out how it happened. Make sure it can't happen again. You cannot legally attack the guy who hacked you. It's a class A felony. So it may feel good to say, oh, the Iranians hacked me and I went back and I fried the Iranian computer.
Starting point is 00:57:11 You can be arrested for that. Right. It's not self-defense, right? You're not stopping someone from punching in the face. You're burning down their house because they burnt your house down. And that's illegal under the Computer Fraud and Abuse Act. So that's one reason. But that's an appeal to law.
Starting point is 00:57:30 How about an appeal to reason? Why shouldn't you do it? Well, one of the jobs we had in the government, Rob and I, was to talk to all the agencies who might be hacking and to do something called de-confliction. So, FBI might be hacking, CIA might be hacking, NSA might be hacking, Cyber Command might be hacking. Maybe the British are, maybe the Australians are.
Starting point is 00:58:02 If everybody goes after the same target, there's going to be a lot too much noise. And somebody is going to be picked up by a detection system and the attack, the hacking won't work. So you want to be very, very careful to only have people who know what they're doing with the most sophisticated capabilities around doing the hack, doing the hacking, and you don't want a lot of other people in the network making noise or you do sometimes you know want to make noise
Starting point is 00:58:37 intentionally over here to distract people while you attack over here but having the random American company decide to be a vigilante and get into this mess and not be deconflicted all that's going to do is put in jeopardy U.S. intelligence and military and law enforcement activities that are probably
Starting point is 00:59:02 occurring on that target network. In other words, let the pros go after the bad guys. You know, if somebody's done something, don't get your gun and go after them. Call the SWAT team. Yeah. Yeah, that makes sense. That makes sense. Is there any sort of, is there, I hate using hyperbole like this, but forgive me, is are we expecting any sort of like cyber 9-11 type scenario? I mean, what would that look like? Is there a scenario in which damages are so bad that insurance companies can't cover it? Insurance companies are worried about that, and that is why insurance companies are writing relatively small coverage policies.
Starting point is 00:59:46 And I've talked to state insurance regulators because insurance, for some reason, is not regulated at the federal level. health care is, but property, casualty, insurance, continuity, business continuity insurance, all that kind of stuff is regulated at the state level. And I've talked to the state regulators about this. And their concern, their chief concern, is that the companies are going to write cyber policies that are too big. And then there's some big, huge attack that comes in and wipes everybody out, and that'll
Starting point is 01:00:21 wipe out the insurance companies. So given that concern, that regulatory concern, the insurance companies are writing small policies. What would a big 9-11 attack look like? I guess it's a matter of definition. I say in the book that in some ways the Russian attack on our democracy in 2016 was kind of like a 9-11. It was a big attack that caught us flat-footed. It succeeded. And we didn't even know it was coming.
Starting point is 01:00:55 And we did nothing to stop it. And it had a pretty profound effect. It was attacking the very substance of the center of who we are as a country, our electoral process, our democracy. A lot of the attacks right now are kind of relegated to the ones we hear about are relegated to ransomware. Right? We see police departments, hospitals, and businesses getting their computers locked up or encrypted and they have to pay Bitcoin to somebody to unlock it, ransomware and things like that coming from North Korea, some of which was, I guess, meant for Ukraine.
Starting point is 01:01:32 But it does seem dangerous if we're not prepared for this. And you made this point in your book, and I had never thought about this, if we can't really fend for ourselves in the cyber domain, this is problematic not just because we're a little bit defenseless, but because then our next option is not, oh, we'll call the pros and they'll really handle this. It's, well, I guess we can go blow up something because that's what we're really good at. So you don't have this kind of incremental escalation. You have, well, shoot, we can't respond in kind, so now we've got to sink a boat or destroy an airport. No, I think that's right.
Starting point is 01:02:05 I think people, coming back to our earlier point about how people think cyber is safe and not lethal and therefore it's okay to use. You get to some level of damage with a cyber attack and somebody's going to say, I'm not just going to respond in kind, I'm going to go bomb them. And in fact, that somebody is the Pentagon. The Pentagon's public policy is if there's a level of damage,
Starting point is 01:02:35 they won't define it, but we'll know it when we see it. Right. If there's some level of damage to the U.S. by a cyber attack, We feel that we have the right to respond not just with another cyber attack against you, but by bombing and sending missiles against you. That's our policy. So a war in cyberspace ain't going to stay in cyberspace. And everybody who thinks, well, we can fight a neat, clean, antiseptic war.
Starting point is 01:03:02 No, you can't. No, it doesn't make sense, especially because if we can't get them to stop attacking, what you do is you take out the office building where they all work, right? So Israel just did this. Oh, really? Yeah. So there was an office building in Gaza where all the Hamas cyber unit was. And they were doing whatever they could to make Israel's life miserable.
Starting point is 01:03:25 Israel's pretty good about their cyber defense. But nonetheless, and the Israelis thought about it for a while. Like, these people are a pain in the ass. We have to spend a lot of time defending against this Hamas cyber unit. Get an F-16. and they blew it up. They called in an F-16. They dropped a bomb on the cyber unit in Gaza.
Starting point is 01:03:50 I think that's a metaphor. Sure. For a much larger kind of operation that could occur. This all is a little surprising if you're not used to it. Because, of course, you do think, oh, well, if somebody hacks us and we're going to hack back. And good, I'm glad we're in low-level cyber conflict with Russia and Iran and China instead of in conventional conflict.
Starting point is 01:04:11 but it's kind of just a matter of time at that rate. Why is it, this might be a silly question, but why are countries like Russia, Iran, so heavily involved in cyber war against the USA? Is it because they can't match us conventionally? I mean, what's going on? Yeah, in the case of Russia and Iran, I think it is. They can't match us conventionally.
Starting point is 01:04:32 And there's a low barrier to entry. It's not zero, but there is a low barrier to entry. Even North Korea, heaven's sake. North Korea can barely, you know. I mean, they can't even keep the lights on literally in the capital city. Yeah, they can't do anything. They can't feed their people, but they have a cyber unit. Yeah, that country is a whole mystery.
Starting point is 01:04:52 I wonder how people attribute attacks to them, because don't they have to use proxies in China? They do. They use facilities in China. At one point, I knew a particular floor, a particular hotel in a particular city. And if I knew that the North Koreans were attacking from the third floor of a hotel in Dalian, China, the Chinese must have known that, too. Oh, I'm sure.
Starting point is 01:05:16 I mean, you can't even have, if you're going to run that kind of attack. I mean, it doesn't necessarily have to be a lot of traffic, but you can, if you know what you're looking for, you can find people signaling bot networks or running a distributed denial of service attack. And speaking of that, 5G, the Internet of Things, this is going to change the way cyber attacks are, it's going to change the whole world, of course. But can you tell us what 5G is and why the Internet? this is going to magnify this problem even further?
Starting point is 01:05:43 So 5G is the fifth generation of cellular phone service. And recently, we went from 3G to 4G. Right. You probably didn't know this. No, it just seems like faster Internet on your phone. Well, maybe it seemed like faster to you. I didn't notice. The only thing I noticed was somewhere on my phone that said 4G instead of saying 3G.
Starting point is 01:06:01 I couldn't tell the difference in terms of speed. 5G, you'll know this. This is going to be like 100 times faster. We have fake 5G now. I don't know if you know. It is fair. Your phone says 5GE and it's like that might as well be 5G asterisk and that it says not 5G. Right.
Starting point is 01:06:17 But when it happens, which will be next year probably in most places, the international standard for 5G is the ability to do 100 times faster bandwidth over the air with a million devices per square kilometer connecting simultaneously. That's, it's a hard number to wrap your head around. Right? Yeah. So the notion is that everything could be talking on the Internet at the same time and doing it at high bandwidth and high speed with 5G. 5G is not going to be everywhere. It doesn't work well through walls. You're going to be a lot of repeaters, a lot of transmitters.
Starting point is 01:06:59 You're not going to have rural 5G. But in cities, you're going to have it. And it will allow things like autonomous cars, because autonomous cars really, the cars each have to talk to each other. And so one car may have to be talking to six other cars at the same time so that they can keep pace, keep separation.
Starting point is 01:07:20 One guy knows that the other guy is going to brake and the other one's going to go, that sort of like. So you need high speed and you need high capacity. 5G will provide that. Great. It will also allow all sorts of devices in the house in the office space to go straight to the internet without going through a router or a
Starting point is 01:07:40 firewall. Oh, okay. See, I didn't know that. I thought, I've got Nest, I've got a Ring doorbell, what's the big deal? Is it just going to be a bunch of those types of things? I didn't realize it doesn't then have to go through a router. It doesn't have to. Now, you'd be wise to put it through a router. Yeah, that seems wise. You'd be wise to put it through a firewall, but it won't have to. And so I think it'll be much easier for people. There'll be more devices to hack. The more devices you have to hack, the more likely you are to succeed in hacking one of them.
Starting point is 01:08:11 And let me guess the cheapest ones will be the ones that have no security built in. They're not protected and they go straight to the Internet. Right. And there will be millions of them. Yeah. So the attack surface will develop. And people say, oh, well, who cares? Well, we already saw a case where a Chinese surveillance camera, nanny cams,
Starting point is 01:08:31 a little cheapy Chinese cameras that you can put up anywhere, where hundreds of thousands of them got hacked because they were so easy to hack. And then they were used as jumping off points for a denial of service attack. So all the little Chinese cameras lit up and simultaneously went after one site, bang, and took that site down. So the more devices there are out there connected to the Internet and unsecure, the more there will be denial of service attacks that take down things that we care about. And these will be, in large part, unfortunately, it seems like China, Huawei,
Starting point is 01:09:12 they've got a lot of contracts for 5G internationally, and we already get worried about little chips and little firmware in there that's spying on sniffing the traffic, sending data and metadata back to China or wherever for use or misuse. So that's a little scary. And it's funny to hear all of this
Starting point is 01:09:33 and think how far, I mean, you've studied this for a long time. Do you ever think, wow, how far cyber has really come? Because I think the biggest worry that I had a few years ago, aside from denial of service attacks against my web servers and things like that was, oh, I need to put some tape over my webcam on my computer because I went to DefCon and I saw my hacker friends
Starting point is 01:09:54 turned the camera on in about three minutes, you know, without me installing anything. And I thought, okay, if that's easy, you know, I got to put, I still put stickers and tape over the cameras on mine. And when I went to North Korea, they took our phones at the airport and you get it back later.
Starting point is 01:10:10 You go to China in a business delegation. They take your phone, and scarily they bring it back to you 20 minutes later, which you know. I mean, at North Korea, I thought they just didn't want me to use the phone. In China, they give it back to you, so it's not that.
Starting point is 01:10:22 Clearly, they just wanted to dump the contents of my phone onto a server somewhere. When they do. And so it's just amazing how far all of this has come, and it seems almost hopelessly complicated and yet 95% of cyber attacks are very preventable by just installing the damn Windows update.
Starting point is 01:10:40 A lot of cyber attacks are preventable. And that's why we do now have companies that are succeeding in preventing them. Was there anything else that you want to leave us with that I haven't asked? Well, the one thing I'm concerned with is the 2020 election. And we know the Russians penetrated 39 states'
Starting point is 01:11:03 voter databases. We don't know what they did because they weren't automated. They weren't instrumented. So they're going to do that again. They're going to have fake personas and social media, micro-targeting voters very skillfully, telling people who are concerned about the environment to vote for the Green Party,
Starting point is 01:11:27 drawing votes away from the Democrats, telling African-Americans that the, the white candidate, Hillary Clinton, doesn't really like blacks, doing that in a convincing way with convincing text that draws just enough of the blacks away so they didn't vote in rather specific places like Philadelphia. They're going to do all this again. They're going to determine the outcome of the next election
Starting point is 01:11:55 unless we do something about it. We need to improve the security of the election infrastructure. We need to help the states and the counties with cybersecurity. The money to do that has passed the House and is being held up in the Senate by the Republicans. Now, the cynic will say the Republicans don't want that money spent because they like the Russians getting involved in our elections because the last time they did that, they were pro-Republican. Well, I got news for you. You can't be sure
Starting point is 01:12:33 that next time it'll be pro-Republican again. They may be pro-Democrat. Or the Republicans may get Russian support. Maybe the Chinese will get involved this time and on the side of the Democrats. I don't want foreigners picking our president or our senators or our congressmen. I don't think any American does.
Starting point is 01:12:55 And so what we really need to do is bang the drum here to pass the bill in the Senate over Mitch McConnell's objections to get aid to the states and counties so that they can defend their networks and have some cybersecurity for the election system. Yeah, that type of thing should keep everyone up at night because no matter who you favor the idea that this could happen so easily. And a lot of people say it never happened. This is not something that ever happened. Even if that's the case, and I think it's all pretty convincing that there's something happened regardless, even if that's the case, it's so easy when you see someone. If you are not interested, or if you're not able to wrap your head around this, but you are interested in this, I should say. Go to DefCon in Vegas and just go look at the guys doing demonstrations on voting machines.
Starting point is 01:13:48 Well, they had a 13-year-old girl hack one, a voting machine, in three minutes. Yeah. It's incredible. I was working there at the social engineering village a long, long time ago, and Keith Alexander, the former head, I think at the time of the NSA, he stopped by with his Secret Service agents. It was really cool. And you will see. You'll see a guy that a couple talks, the voting machine one that was really interesting.
Starting point is 01:14:10 There was a guy who showed us the SCADA system. It was a simulation because, of course, you can't really hack into Detroit power and energy or whatever and not get into trouble. He also did a demonstration where he showed air traffic control and the way that you say that you're a plane flying is you just tell air traffic control that you're a plane flying and he said so I just put fake planes in flight patterns and other planes have to move out of the way and he goes what would happen if I put 70 or 80 fake planes right over Washington, D.C. and put them in restricted airspace. They don't have to be there. They just have to say that they're there. People will go absolutely crazy. And this is really easy. And these are like unencrypted, publicly open systems that a 20-year-old with an antenna and a computer can start messing with. I learned a long time ago, you have to go to hacker conferences like Black Hat and DefCon. And you have to believe what you see because there are a lot of big companies out there and big government agencies that will tell you, oh, that could never be done.
Starting point is 01:15:16 Sure. You go there, you see it being done, and then a year later, unfortunately, it gets done in the real world. Dick, thank you so much. This has been a great. Great, great conversation. Great big thank you to Richard Clarke. The book is called The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. There's a video of this interview on our YouTube channel as well at jordanharbinger.com slash YouTube.
Starting point is 01:15:44 I'm teaching you how to connect with great people like Richard Clarke and manage relationships. I manage hundreds, if not thousands of relationships. Of course, via email, text. I'm teaching you how to do this in a course in a very scalable way. Our course is called Six-Minute Networking and it's free. Not enter your credit card free, just free, free. I think I said that earlier on the show. That's at jordanharbinger.com slash course.
Starting point is 01:16:05 You've got to start now. Procrastination leads to stagnation when it comes to personal and business relationships. In other words, you cannot make up for lost time when it comes to relationships and networking. You have to dig the well before you get thirsty. need relationships. Now you're coming out of left field. Hey, old buddy, old pal, I need something. Not going to work. The drills take a few minutes a day. That's why we call it six-minute networking. It's probably even less than that. I wish I knew this stuff 20 years ago. This has just been crucial and a deciding factor in my success of the show here and in my personal life as well.
Starting point is 01:16:36 Again, all for free at jordanharbinger.com slash course. By the way, most of the guests on the show, they subscribe to the course and the newsletter. So come join us. Join a bunch of smart people in improving themselves, yourself included. I would love to have you in there, and I take questions, of course. Speaking of building relationships, you can always reach out and/or follow me on social. I'm at Jordan Harbinger on both Twitter and Instagram. This show is produced in association with PodcastOne, and this episode was co-produced by Jason DeFilippo and Jen Harbinger. Show notes and worksheets by Robert Fogarty.
Starting point is 01:17:07 Music by Evan Viola, and I'm your host, Jordan Harbinger. Our advice and opinions and those of our guests are their own, and yes, I am a lawyer, but I am not your lawyer. So do your research before implementing anything you hear on the show. And remember, we rise by lifting others. The fee for the show is that you share it with friends when you find something useful, which should be in every episode. So please share the show with those you love and even those you don't. In the meantime, do your best to apply what you hear on the show
Starting point is 01:17:34 so you can live what you listen. And we'll see you next time.