
Richard Clarke on Cyber Threats: Defense is Key


Security expert Richard A. Clarke offers stark examples in arguing that the threats of cyberwar and cyberespionage are not just science-fiction hype:

  • Israeli F-15s and F-16s screamed across the Syrian border in September 2007 and bombed a nuclear reactor construction site, but Syrian radar screens showed nothing but peaceful green. The Israelis had hacked into the Syrian air defense and seized control of the software system.
  • British intelligence told the top chief executives in the country: Assume that your corporation has been hacked, and that all of your vital information, all your intellectual property, all your research and development has been stolen.
  • The Pentagon acknowledged in August that the secret American SIPRNet defense network was hacked two years earlier by a foreign intelligence service using the Internet.

Clarke has been a principal US security strategist, serving as security and counterterrorism adviser to Presidents Bill Clinton and George W. Bush before and after the 9/11 attacks. Introducing Clarke at a seminar at Harvard Kennedy School's Belfer Center for Science and International Affairs, director Graham Allison noted that Clarke was the only government official to apologize to the American people after the attacks, telling the 9/11 commission, "Your government has failed you."

Yet Allison said Clarke himself was one of the most effective players within the government in recognizing and addressing the growing threat of catastrophic terrorism. And when Clarke left government in 2003, he wrote what Allison called the best book on the war on terrorism, "Against All Enemies."

Now Clarke is working to focus attention on another threat that could pose equally grave challenges to the nation's security. Clarke has co-authored a new book, "Cyber War: the Next Threat to National Security and What to Do About It." He briefed a Directors' Seminar at the Belfer Center on Sept. 14 about the risks of cyber attacks, and suggested ways for the United States to develop a credible defensive strategy against cyber threats.

In on-the-record introductory remarks, Clarke surveyed the range of cyber risks in crime, espionage and warfare. He called cyberterrorism a comparatively minor threat, saying terrorists have shown little capacity to use the Internet for anything other than propaganda. And Clarke said that cybercrime, while costly to the economy and to financial institutions, tended to involve stealing small amounts of money from lots of people.

Cyberespionage is more serious and immediate, he said, threatening not only governments but also research institutions and corporate R&D departments:

"If you are a private research corporation, if you are a university research facility, or you're a government lab, if you have any intellectual property worth having - it's been had. And the most sophisticated of facilities, even with expertise in the area of cyber security, have been successfully hacked. And terabytes of information have been extracted."

The prospect of cyberwar, Clarke said, poses extremely serious threats that have not received the national or international focus that they deserve. Here's an extended excerpt from his opening summary:

"Cyber-war on the other hand is something that really hasn't happened yet to the United States. It has happened to small countries like Georgia, Estonia. Israel has indeed had incidents with Syria. But these have all been very primitive things, where the attackers have not, with a few exceptions, revealed sophisticated attack tactics. They have used the brute force method of deluging a site and knocking it off.

"But what could cyber-war mean? In the first few pages of the book we talk about an incident where the Israelis blew up a nuclear research facility that was under construction in Syria and was being built by the Koreans. The Israelis did it by flying a bunch of F16s and F15s into Syria, planes from the 1970s, with big radar cross sections. And the Syrians had spent billions of dollars on air defense. Yet the Syrian air defense system saw nothing. They didn't see the F15s and F16s with their big radar cross sections. All they saw was an empty screen -- because the Israelis had hacked into the Syrian air defense system. And they were showing a green screen, everything fine, when in fact if they had opened the window, they could have heard the planes flying overhead.

"That same idea can be carried forward into attacks on infrastructure. So you can hack your way into the control system for the electric power grid, and the control room will show everything is fine and normal, and yet you can cause nonetheless the system to malfunction and create blackouts, or cause the equipment to damage itself and destroy itself. That's not entirely theoretical. The US government has tried to do that and proven it can do it, and can do it from the public internet.

"So there's a case, if you will, of the hand coming out of the computer and destroying something. It's not just ones and zeros fighting each other. It's something like an electric power generator flying apart or high tension wires melting. Or, and I've been saying this in discussions around the country on the book, blowing up a big natural gas pipeline. One of those big 30-inch natural gas pipelines: if you get into the control system and you shut a valve at one end and increase the pump rate at the other end, you get something like what happened in San Francisco last week. I'm not saying that's what happened there, it probably didn't. But that's the kind of destruction you can cause. You can cause physical destruction of infrastructure from the other side of the world by hacking into the control systems.

"And that's true with electric power. It's true with natural gas. It's true with aircraft in terms of air traffic control. It's true of railroads, in terms of switching systems and derailments. And all of our infrastructure like that, railroads, aviation, power, are vulnerable to these kinds of attacks because they all run by computer networks.

"And none of them have been architected to be secure. Even our systems that have been architected to be secure, systems like SIPRNet, the Defense Department's secret level network, the deputy secretary of defense admitted last month had been hacked -- that is, air-gapped from the internet - he admitted it had been successfully hacked by a foreign intelligence service."

Clarke, a partner with Good Harbor Consulting where he leads consulting projects in the areas of security risk management, cyber security, and counterterrorism, summarized two key recommendations the book makes to start grappling with this threat.

First, he said the United States has to develop a defensive strategy to defend key elements of the nation's infrastructure. He suggests concentrating on the electric power grid and Internet service providers, which "see all the traffic, and should be able, with some assistance, to identify attacks and stop them."

Second, Clarke said, the United States needs to engage in cyber arms control, to put in place mechanisms and agreements not unlike those that have controlled nuclear and conventional arms. Initial steps could include creation of a multinational risk reduction center, and an agreement requiring signatories to prevent attacks from within their borders.


TRANSCRIPT


Richard A. Clarke
Former White House National Coordinator for Security and Counterterrorism,
Faculty affiliate, Belfer Center for Science and International Affairs

Transcript of introductory remarks to Directors' Seminar at the Belfer Center for Science and International Affairs, Harvard Kennedy School, Sept. 14, 2010

"To conceptualize is probably a good place to start. What are we talking about? What do the terms mean? You hear a lot of different terms and they get confused. You hear about cyber-terrorism, which I don't think exists. I think that's a null set. I'll come back to it. You hear about cyber-war, and cyber-crime, and cyber-espionage, and they all get sort of blended together, and I think it's important to understand the differences and the similarities.

So let me try some definitions at the top here. Cyber-crime happens every day, it's a big business. People try to estimate the revenue from it, and no one does a good job at it, it's hard to do. But it's in the billions of dollars as an industry. It's crime that doesn't get prosecuted very much, because the best people at it live in countries like Moldova, and Russia, and Belarus, and other places where the law enforcement agencies - if we're charitable about it, we say the law enforcement agencies don't cooperate with international prosecution attempts. If we're less than charitable, we say the law enforcement agencies are in on it, and in fact have a relationship with some of the cybercriminal cartels.

These are very sophisticated groups with an understanding of computer science that would make anyone at MIT proud, and they are coming at you. And they have hired all sorts of bright help for their criminal activities. Basically their criminal activities are to steal money. And they do that through a variety of scams. And while it does cost our economy something, it's hard to feel that, because ultimately the banks cover the losses. Very few people get stuck for the money they've had stolen. They steal small amounts of money from lots of people, and that adds up.

The problem there is largely one of international cooperation and law enforcement. There are lots of lessons we can learn from other things, such as money laundering activities, narcotics activities, where we establish standards for international orgs, and say to nations that don't cooperate, there are standards and if you don't cooperate, there are sanctions. We haven't done that.

So that's cyber-crime.

Cyber-espionage is espionage. It's stealing information. It's the second oldest profession. If you think of traditional espionage, and imagine yourself the KGB resident in Washington, and your job is to get somebody in the CIA or the FBI, that's a risky business. If I recruit you as an FBI agent who's going to work for the KGB, maybe you arrest me, or turn me in. So talent spotting is very difficult. And when you get that agent, Robert Hanssen in the FBI, Aldrich Ames in the CIA, they smuggled out small amounts of documents from the headquarters. And they hid these documents in a public park, and the Russians would come along and pick them up, old fashioned espionage. Very risky, very labor intensive, small amounts of documents get stolen.

Cyber-espionage - very limited risk. You sit back in Moscow or Beijing or wherever you are and you attempt to get documents remotely, by hacking in, and the same documents you would have your spies steal, you get off the server. Because all documents in government agencies are now on a server. And you don't steal a few documents a day over the course of a year the way spies do. Instead, you take down whole Libraries of Congress equivalents in a night - terabytes of information getting exfiltrated. I know this sounds like science fiction, and it's a little difficult to prove that it's going on - except that the government admits that it's going on. And other governments admit that it's going on. And some corporations admit that it's going on. The head of the British domestic security service, MI5, said in a letter to the 300 CEOs of the largest companies in the United Kingdom: 'You should assume your agency has been hacked, your corporation has been hacked, and that all of your vital information, all your intellectual property, all your research and development has been stolen.' That letter became public. There's no equivalent letter like that in the United States. Janet Napolitano hasn't written that letter. But it doesn't mean that the phenomenon of cyber-espionage only occurs in the United Kingdom. It has occurred here as well, and I think basically the same thing can be said here as well:

If you are a private research corporation, if you are a university research facility, or you're a government lab, if you have any intellectual property worth having - it's been had. And the most sophisticated of facilities, even with expertise in the area of cyber security, have been successfully hacked. And terabytes of information have been extracted. Sometimes they detect it after the fact. Occasionally they detect it during the fact. And even when they do it, there are instances of sophisticated government labs that have detected these exfiltrations of information going on, and were unable to stop it.

So that's cyber-espionage. And it's important, because we are losing our competitive edge. We are spending billions of dollars of taxpayer money, stockholder money, doing R&D, and then other countries are coming along and stealing that information for pennies on the billions, and handing it off to their corporations. So it's important.

It's also important from a national security and defense perspective, because some of the information has to do with weapons systems. Something like the F-35 fighter, which hasn't even been in service yet, we have reason to believe that information about it was successfully stolen from the manufacturer by a foreign entity. So it has implications in our military strength.

Cyber-war on the other hand is something that really hasn't happened yet to the United States. It has happened to small countries like Georgia, Estonia. Israel has indeed had incidents with Syria. But these have all been very primitive things, where the attackers have not, with a few exceptions, revealed sophisticated attack tactics. They have used the brute force method of deluging a site and knocking it off.

But what could cyber-war mean? In the first few pages of the book we talk about an incident where the Israelis blew up a nuclear research facility that was under construction in Syria and was being built by the Koreans. The Israelis did it by flying a bunch of F16s and F15s into Syria, planes from the 1970s, with big radar cross sections. And the Syrians had spent billions of dollars on air defense. Yet the Syrian air defense system saw nothing. They didn't see the F15s and F16s with their big radar cross sections. All they saw was an empty screen -- because the Israelis had hacked into the Syrian air defense system. And they were showing a green screen, everything fine, when in fact if they had opened the window, they could have heard the planes flying overhead.

That same idea can be carried forward into attacks on infrastructure. So you can hack your way into the control system for the electric power grid, and the control room will show everything is fine and normal, and yet you can cause nonetheless the system to malfunction and create blackouts, or cause the equipment to damage itself and destroy itself. That's not entirely theoretical. The US government has tried to do that and proven it can do it, and can do it from the public internet.

So there's a case, if you will, of the hand coming out of the computer and destroying something. It's not just ones and zeros fighting each other. It's something like an electric power generator flying apart or high tension wires melting. Or, and I've been saying this in discussions around the country on the book - or blowing up a big natural gas pipeline. One of those big 30-inch natural gas pipelines: if you get into the control system and you shut a valve at one end and increase the pump rate at the other end, you get something like what happened in San Francisco last week. I'm not saying that's what happened there, it probably didn't. But that's the kind of destruction you can cause. You can cause physical destruction of infrastructure from the other side of the world by hacking into the control systems.

And that's true with electric power. It's true with natural gas. It's true with aircraft in terms of air traffic control. It's true of railroads, in terms of switching systems and derailments. And all of our infrastructure like that, railroads, aviation, power, are vulnerable to these kinds of attacks because they all run by computer networks.

And none of them have been architected to be secure. Even our systems that have been architected to be secure, systems like SIPRNet, the Defense Department's secret level network, the deputy secretary of defense admitted last month had been hacked -- that is, air-gapped from the internet - he admitted it had been successfully hacked by a foreign intelligence service.

So, that's cyber-crime, cyber-espionage, and cyber-war. To coin a phrase, what is to be done?

The answer that we suggest in the book is that we need to think of two things simultaneously. One, to create a defensive strategy, defending those key elements of our infrastructure that are most important. It does us little good if we have a great offensive capability, which I'm willing to admit that we do have, and to have no defense. And right now that's where we are. It's a bit like the Patriots going out into a game and only bringing their offensive team, leaving the defensive squad at home. That's the United States today. Damn good offense, virtually no defense.

We suggest two or three ideas for addressing the defense. You can't defend everything, you can't make everything perfect. Where would you concentrate your effort? We suggest the electric power grid, not surprisingly, and the internet service providers. Internet service providers see all the traffic, and should be able, with some assistance, to identify attacks and to stop them.

The second thing we think you should be doing simultaneously, and this is a bit more ethereal, is arms control. I've heard from arms control people that this is different, this is harder. But all the objections they have raised, about verification, about multilateral cooperation, are the same objections that I heard when we started doing strategic nuclear arms control, when we did conventional arms control, when we did biological arms control, when we did chemical arms control - all the same genre of objections. And in each of those, we ultimately got agreements that I think improved our security. They are not perfect, but they improved our security. We didn't get them overnight. It took 10 years, 20 years in some cases, to negotiate the international arms control regime. You have to start somewhere. We have some suggestions in the book about starting, including an international obligation to assist when a nation is under attack. It can reach out to an international mechanism like a risk reduction center and get assistance. And an international obligation to prevent attacks from your territory. Those are baby steps, perhaps, but they are ones that we could do relatively quickly, and would be verifiable.

I know there's a problem called attribution, that is, you don't necessarily know who is attacking you in cyberspace, and it's easy to spoof the attacker. That's true. But there are ways of addressing that. And in any event, the idea of international obligation to assist and international obligation to prevent attacks from your territory addresses some of that."

Recommended citation

Smith, James. "Richard Clarke on Cyber Threats: Defense is Key." Belfer Center for Science and International Affairs, Harvard Kennedy School, September 21, 2010.