Richard Clarke: Can the U.S. Win a Cyberwar?


The United States economy depends on the Internet more than any other developed country in the world. On most days that's a good thing. But according to Cyber War a new book by Richard A. Clarke, the very connectivity that gives the U.S. an edge in most markets is likely its greatest vulnerability. While this nation and others have suffered attacks against some of their largest government and private infrastructures (DOD and Google's password system), most Americans probably don't spend much time worrying about attacks on our technology systems. NEWSWEEK's Jessica Ramirez spoke with Clarke about the possibility of such an event and why we are not prepared for it. Excerpts:

Do you think cyberwar is imminent?
The question isn't what are the chances of a cyberwar. The question is what are the chances of a war. The next time there's a war between sophisticated countries, cyber will be part of it. Unless we do something about the defensive side of that equation before it happens, we are going to hurt a lot the day after the attack.

So this country isn't prepared?

There is a broad sense that the U.S. government is late to the cyberwarfare game. Is that really true?
I think on the offensive side, the U.S. government invented it. They are probably the best in the world. But on the defensive side, there has always been this ideological issue about who should defend things that are not owned by the government like the power grids, railroads, airlines, and the banks. There's a subsection in the book that's called, "No, I thought you were doing it." That's kind of the problem. The government thinks the private sector is going to defend all of that, and the private sector's attitude is, "We can do that against run-of-the-mill threats, but please don't expect us to be able to handle a nation-state attack. That's why we pay taxes. So the U.S. government will do it."

Is this what was missing from President George W. Bush's Comprehensive National Cyber Security Initiative, which is in place now?
Yes. It has all these great programs to defend the Pentagon and defend .gov and .mil. But there's nothing about defending our banks or power grids. There's nothing about defending the critical infrastructure that would logically be attacked.

If the government has created a plan to protect key government sectors, then they understand a problem exists. So why not do the same for the private sector?
There are a couple of reasons. There hasn't been a singular big event. There are little events every day where intellectual property is being lost, but there's no one big driver. There's also the issue of the role of the federal government in regulating something like the Internet. It's not what most people want.

I don't know if the average American understands why it's so important to protect private infrastructure like our power grids. Can you explain?
I think the average American would understand it if they suddenly had no electricity. The U.S. government, [National Security Administration], and military have tried to access the power grid's control systems from the public Internet. They've been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That's the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures.

Where does Obama stand on cyberstrategy?
He doesn't have one. He took a year to appoint a cyber czar. I do believe [the administration] intends to do more, but they haven't decided yet on what that is.

Do you know how the president feels about the importance of protecting private infrastructure from cyberthreats?
Well, he understood it when we talked to him about it during the campaign.

But he's said that he doesn't believe in imposing regulations on the private sector, right?
He said, in general, he believed that cybersecurity should be done without regulation. [Director of President Obama's National Economic Council] Larry Summers wrote that into the president's statement. I don't know that the president fully understood the meaning of that. I think it's still an issue that could be discussed with him, if the need arose, and he could be convinced. But I think Larry Summers is the obstacle that would have to be overcome there.

Why would Summers be opposed?
Since he was Secretary of Treasury during the Clinton administration, he has not thought that there was a big cyber problem and has said so. He has said the private sector will do whatever is necessary and the free market will cause the private sector to do whatever is necessary and the government shouldn't get involved.

What about the new cyber czar, Howard Schmidt? Do you think he'll have any pull?
Well, the person he appointed was my deputy when I was cyber czar. He's very experienced. We won't find out how much authority the position actually has until he tries to exercise it.

So what is crucial? What must be done by the cyber czar or some other part of the administration to minimize damage in case of a cyberwar with a nation-state?
I would say there are three things. We must protect the power grid, the tier-one Internet service providers, and defense.

What will it take for any administration to actually want to implement a structured plan?
Unfortunately, the day-to-day losses of intellectual property to industrial espionage have not been enough of an impetus. So, every time one of these things happens you think, "That should be enough" Losing the secrets to the new F-35, that should do it. Or the Google thing, that should do it. Or the Chinese hacking into the Secretary of Defense's personal computer, that should be the straw that breaks the camel's back. It turns out that this camel has a pretty resilient back. So I think it will take a major disaster.