News - Belfer Center for Science and International Affairs, Harvard Kennedy School

Richard Clarke on Cyber Threats: Defense is Key

Sep. 21, 2010


Security expert Richard A. Clarke offers stark examples in arguing that the threats of cyberwar and cyberespionage are not just science-fiction hype:

  • Israeli F15 and F16s screamed across the Syrian border in September 2007 and bombed a nuclear reactor construction site, but Syrian radar screens showed nothing but peaceful green. The Israelis had hacked into the Syrian air defense and seized control of the software system.
  • British intelligence told the top chief executives in the country: Assume that your corporation has been hacked, and that all of your vital information, all your intellectual property, all your research and development has been stolen.
  • The Pentagon acknowledged in August that the secret American SIPRNet defense network was hacked two years earlier by a foreign intelligence service using the Internet.

Clarke has been a principal US security strategist, serving as security and counterterrorism adviser to Presidents Bill Clinton and George W. Bush before and after the 9/11 attacks. Introducing Clarke at a seminar at Harvard Kennedy School's Belfer Center for Science and International Affairs, director Graham Allison noted that Clarke was the only government official to apologize to the American people after the attacks, telling the 9/11 commission, "Your government has failed you."

Yet Allison said Clarke himself was one of the most effective players within the government in recognizing and addressing the growing threat of catastrophic terrorism. And when Clarke left government in 2003, he wrote what Allison called the best book on the war on terrorism, "Against All Enemies."

Now Clarke is working to focus attention on another threat that could pose equally grave challenges to the nation's security. Clarke has co-authored a new book, "Cyber War: the Next Threat to National Security and What to Do About It." He briefed a Directors' Seminar at the Belfer Center on Sept. 14 about the risks of cyber attacks, and suggested ways for the United States to develop a credible defensive strategy against cyber threats.

In on-the-record introductory remarks, Clarke surveyed the range of cyber risks in crime, espionage and warfare. He called cyberterrorism a comparatively minor threat, saying terrorists have shown little capacity to use the Internet for anything other than propaganda. And Clarke said that cybercrime, while costly to the economy and to financial institutions, tended to involve stealing small amounts of money from lots of people.

Cyberespionage is more serious and immediate, he said, threatening not only governments but also research institutions and corporate R&D departments:

"If you are a private research corporation, if you are a university research facility, or you're a government lab, if you have any intellectual property worth having - it's been had. And the most sophisticated of facilities, even with expertise in the area of cyber security, have been successfully hacked. And terabytes of information have been extracted."

The prospect of cyberwar, Clarke said, poses extremely serious threats that have not received the national or international focus that they deserve. Here's an extended excerpt from his opening summary:

"Cyber-war on the other hand is something that really hasn't happened yet to the United States. It has happened to small countries like Georgia, Estonia. Israel has indeed had incidents with Syria. But these have all been very primitive things, where the attackers have not, with a few exceptions, revealed sophisticated attack tactics. They have used the brute force method of deluging a site and knocking it off.

"But what could cyber-war mean? In the first few pages of the book we talk about an incident where the Israelis blew up a nuclear research facility that was under construction in Syria and was being built by the Koreans. The Israelis did it by flying a bunch of F16s and F15s into Syria, planes from the 1970s, with big radar cross sections. And the Syrians had spent billions of dollars on air defense. Yet the Syrian air defense system saw nothing. They didn't see the F15s and F16s with their big radar cross sections. All they saw was an empty screen -- because the Israelis had hacked into the Syrian air defense system. And they were showing a green screen, everything fine, when in fact if they had opened the window, they could have heard the planes flying overhead.

"That same idea can be carried forward into attacks on infrastructure. So you can hack your way into the control system for the electric power grid, and the control room will show everything is fine and normal, and yet you can cause nonetheless the system to malfunction and create blackouts, or cause the equipment to damage itself and destroy itself. That's not entirely theoretical. The US government has tried to do that and proven it can do it, and can do it from the public internet.

"So there's a case, if you will, of the hand coming out of the computer and destroying something. It's not just ones and zeros fighting each other. It's something like an electric power generator flying apart or high tension wires melting. Or, and I've been saying this in discussions around the country on the book, blowing up a big natural gas pipeline. One of those big 30-inch natural gas pipelines: if you get into the control system and you shut a valve at one end and increase the pump rate at the other end, you get something like what happened in San Francisco last week. I'm not saying that's what happened there, it probably didn't. But that's the kind of destruction you can cause. You can cause physical destruction of infrastructure from the other side of the world by hacking into the control systems.

"And that's true with electric power. It's true with natural gas. It's true with aircraft in terms of air traffic control. It's true of railroads, in terms of switching systems and derailments. And all of our infrastructure like that, railroads, aviation, power, are vulnerable to these kinds of attacks because they all run by computer networks.

"And none of them have been architected to be secure. Even our systems that have been architected to be secure, systems like SIPRNet, the Defense Department's secret level network, the deputy secretary of defense admitted last month had been hacked -- that is, air-gapped from the internet - he admitted it had been successfully hacked by a foreign intelligence service."

Clarke, a partner with Good Harbor Consulting where he leads consulting projects in the areas of security risk management, cyber security, and counterterrorism, summarized two key recommendations the book makes to start grappling with this threat.

First, he said the United States has to develop a defensive strategy to defend key elements of the nation's infrastructure. He suggests concentrating on the electric power grid and Internet service providers, which "see all the traffic, and should be able, with some assistance, to identify attacks and stop them."

Second, Clarke said, the United States needs to engage in cyber arms control, to put in place mechanisms and agreements not unlike those that have controlled nuclear and conventional arms. Initial steps could include creation of a multinational risk reduction center, and an agreement requiring signatories to prevent attacks from within their borders.

For Academic Citation: Smith, James F. “Richard Clarke on Cyber Threats: Defense is Key.” News, Belfer Center for Science and International Affairs, Harvard Kennedy School, September 21, 2010.
