The Elections in 2020 Will Take Place on a Cyber-battleground That Puts the U.S. At a Disadvantage, Says Expert Richard Clarke

Illustration by Alex Fine

Richard Clarke has never been shy about highlighting the security vulnerabilities of the United States. He came to national prominence by attacking the Bush Administration for its failure to stop the 9-11 attacks. His new book The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats (Penguin, July 2019), written with Robert Knake, is a deep dive into how digital technologies might be used against the U.S. and what we can do to protect against them.

Clarke has decades of experience to back up his opinions. He worked in the U.S. State Department during President Ronald Reagan's administration and was Bill Clinton's chief counter-terrorism adviser on the National Security Council. He also served as a special advisor on cybersecurity to George W. Bush. Newsweek's Adam Piore caught up with him recently to discuss how nation-states are weaponizing cyberspace and what it means for national security.

You've said that the U.S. has low-grade simmering cyber conflicts with Russia, China, and Iran. What do you mean by that?
We've attacked Iran as recently as last month with cyber attacks. That's a straightforward example of simmering war. With Russia, we have more or less admitted that we've recently penetrated their power grid. That's what I mean by simmering cyber war.

Will the next major shooting war be provoked by a cyber attack?
It could very well be. When Hamas, a terrorist movement in Gaza, was doing cyber attacks on Israel earlier this year, the Israelis responded by dropping a bomb on the Hamas cyber facility. The Pentagon's policy for the last four years has been, if there's a significant cyber attack in the US, we hold the right to respond to that with a missile or a bomb. If North Korea did a major attack, again, in the United States, our public policy is we might bomb you.

How might we lessen tensions?
In Europe with arms control in the 70s and 80s and strategically between the Soviet Union and the US during the Cold War, we did two things. First, we did risk reduction measures, where if you see something that bothers you, some unusual activity, you've got someone you can immediately call to get an answer. Once, we had a missile launch that kind of went crazy and I thought the Russians might've misinterpreted where it was going. I called them and said, 'Hey guys, want you to know we had a little problem with our missile.' We also did confidence building measures—transparency activities and ways that you can be part of or observe the activities on the other side.

No one's developed risk reduction measures or confidence building measures for cyber war yet, but I think they're doable. The more we create crisis instability by getting into each other's power grids and things like that, the more we need risk reduction measures and confidence building measures.

Russia doesn't seem to have much incentive to have confidence building and risk reduction measures.

You may be right, I don't know. But we should at least try.

What should the U.S. be doing to protect itself against these threats?
We're not doing enough on the defensive side—we're sitting in a glass house. It makes it really difficult to go to the president and say, 'Hey, we want to retaliate on the cyber attack' when we know that the Chinese can affect our natural gas pipelines and the Russians can affect our electric power grid—and you can imagine that other critical systems are also vulnerable.

How does the 2020 election look from the standpoint of cybersecurity?
It's easier and cheaper to be the attacker than it is to be the defender. The attacker can choose where to attack; the defender has to defend everywhere. The attacker can probably spend a couple hundred bucks to buy malware on the dark web. To defend against that, you're going to have to spend hundreds of thousands of dollars. Hackers can be a relatively small team in another country and defenders have to be present in counties around the United States. So there really is an offense preference.

How optimistic are you that our democracy can survive threats from Russia?
We have been, for the last 250 years, a fairly resilient country, not brittle. We've gone through some terrible situations and bounced back. But that doesn't mean that will always happen.

So are you optimistic or pessimistic?
I'm concerned.


_______________________________

Illustration by Alex Fine

The two-year probe by special prosecutor Robert Mueller uncovered many instances in which Russia attempted to interfere with the 2016 presidential elections. The threats fall into four broad categories—social media, election infrastructure, campaign security and dark money. Security experts are anticipating a similarly broad campaign of attacks between now and November 2020.

Social Media

→ Starting in 2014, Russia's Internet Research Agency spent millions of dollars and tasked scores of people to create fake online personas on Facebook, YouTube, Instagram and Twitter. They posed as activists and operated social media pages designed to attract a U.S. audience. The stated goal was to "spread distrust towards the candidates and the political system in general."

→ The organization sought to sow divisiveness by controlling pages on immigration, with names like "secured borders;" the Black Lives Matter movement, with names like "Blactivist;" religion, with "Army of Jesus" and "United Muslims of America;" and regions, with groups like "South United" and "Heart of Texas."

→ By 2016, many IRA-controlled pages had grown to have hundreds of thousands of online followers.

→ Political ads and social-media pages urged black followers to vote for Green party candidate Jill Stein, or not to vote at all.

→ Posing as grassroots US entities and persons, the IRA also staged political rallies and solicited and compensated US citizens to promote or disparage candidates.

Infrastructure

→ Hackers connected to Russian intelligence services targeted at least 21 state computer networks (and possibly many more) and at least one manufacturer of voting machines.

→ Spear-phishing emails sent to local election officials resulted in a breach of at least one Florida county government.

→ Hackers stole voter data from the Illinois election board.

Campaign Security

→ 29 computers at the Democratic Congressional Campaign Committee were hacked and data from more than 70 gigabytes of files were stolen, setting the stage for the subsequent hack of the Democratic National Committee.

→ More than 50,000 emails from Hillary Clinton campaign chairman John Podesta were stolen and eventually released through Wikileaks.

→ In August 2016, after the DCCC and DNC hacks became public, according to Mueller, an unnamed candidate for U.S. Congress reached out to Guccifer 2.0, an online persona created by members of Russian intelligence, requesting stolen documents. The Russians responded by sending the candidate stolen documents related to the candidate's opponent.

Dark Money

→ The Citizens United ruling opened up a gaping hole in campaign finance reporting. Intelligence officials worry that Russia, with help from a domestic partner, could funnel money to US campaigns.
