In 2004, as he sat before the commission investigating the 9/11 attacks, Richard Clarke famously declared, “Your government failed you, those entrusted with protecting you failed you, and I failed you,” before asking for understanding and forgiveness. Clarke, a former senior government counterterrorism official, told the world that before the terrorist attacks, President George W. Bush’s team had ignored his efforts to get the administration to address the threat posed by Al Qaeda. (White House officials vehemently denied this charge.)
These days, Clarke is focused on another threat that the US government has been slow to confront: the vulnerability of the country’s computer networks. It’s an issue he’s worked on for years. In 2010, he teamed up with Robert Knake to write, Cyber War: The Next Threat to National Security and What to do About It, outlining the country’s exposure to cyber attacks. The threat landscape has changed since that book was published, as nations including the US have increasingly folded cyber operations into their diplomatic and military arsenals. Clarke and Knake have just published a new book—The Fifth Domain: Defending our Country, our Companies, and Ourselves in the Age of Cyber Threat—arguing that the nation’s susceptibility to computer warfare is no longer a failure of technology but instead a failure of political will. Cyber defense, they write, once bordered on the impossible, but now it’s much more achievable—if only our leaders take the right approach.
I caught up with Clarke to talk about the new book, out today, and to get his thoughts about what the US government is doing on issue. “Very little has been done to protect our own military weapons systems,” he said. “And almost nothing has been done to secure the government.”
The conversation has been edited for length and clarity.
Mother Jones: One of the main messages of the book is that in many ways cybersecurity is improving. How is a general audience to square that message with constant news of massive data breaches, foreign governments hacking each other, and the like?
Richard Clarke: What we’re saying is, over the course of at least the last five years, major US corporations have proven that you can achieve cyber security. Ten years ago, when we wrote the book Cyber War, we said no one can defend themselves, that defense was impossible. Now, we say there have been changes in the defensive technology that allow major corporations to fight back—if they spend enough money and if they have enough skilled people to achieve cyber resilience—and that there are a large number of those companies. That’s, that’s good news.
But if we survey where the government has come, and where military activity and intelligence activity have come during those 10 years, it’s not good news. Now the major threat actors are governments and military organizations. The major cyber attacks now are being done by the Chinese People’s Liberation Army cyber unit, by the Russian GRU cyber unit, by North Korea’s army, by Iran’s army.
Very little has been done in the last 10 years to protect major systems in the United States, like our electric power grid, our gas pipelines, and other sorts of critical infrastructure. Very little has been done to protect our own military weapons systems. And almost nothing has been done to secure the government.
MJ: That’s a striking statement, considering that security experts have been howling about these problems for many years. Why do you think it’s taking so long for necessary changes and hardening of systems to happen?
RC: People are reluctant to spend the money. The companies that have achieved high levels of cyber resilience spend something like 8-to-10 percent of their IT budget on security. And that’s not true at most companies. It’s not certainly not true of the government. A lot of companies are at 3-to-4 percent. And there’s a reason for this, I understand that. When people first learned about cyber security in the late 1990s, there weren’t a lot of defensive weapons they could buy. Now, when we talked to the major banks in New York, they’re deploying 50, 60, 70 different kinds of cyber defense software, and some hardware, on their networks.
So if you’re in Baltimore or Atlanta and you don’t spend money on the cyber security of the municipal network, then you’re going to get hit with ransomware, and all your systems are going to be locked up. That wouldn’t be true if they were resourcing the problem appropriately. [In both cases, attackers infected municipal networks with malware that locked the cities’ computer files and demanded a ransom; neither city paid the ransom, but they spent millions to repair the damage.]
MJ: In the book, you argue that in a crisis situation of possible conventional warfare, the initial attack is likely to be a cyber attack. Just a few weeks ago, amid increasing tensions between the US and Iran, we saw reports of the US cyber attack on Iranian infrastructure. Why is this the way things will kick off?
RC: Just like using drones was easier for a decision-maker than sending over planes with pilots in them, I think it’s easier for a decision-maker to do a cyber attack than to do a bombing attack, and we have the proof of that two weeks ago. But the problem is, once you do a cyber attack there’s going to be retaliation. Sometimes that retaliation is a cyber attack back at you. The United States has to worry about that because we are so vulnerable to cyber attacks. The director of national intelligence says the Russians are in our power grid controls and the Chinese are in the controls of the natural gas pipeline system.
Which means it’s easy to get in. The Iranians in the past have attacked, successfully, in the United States. Iranians attacked leading banks several years ago and knocked all their online banking offline. The Iranians attacked Sheldon Adelson’s hotels and casinos and did a lot of damage. So there is a tendency to say, “Yeah, OK, so I’m going to carry out a cyber attack on them,” because it’s quick, and it’s easy, and it’s bloodless, and there are no US troops involved. But it does invite retaliation, and people in glass houses shouldn’t throw stones. We’re in a glass house.
MJ: You bring up an interesting point regarding the decision-making process when using tools like this. In that respect, what is your sense of Trump’s national security adviser, John Bolton, and his approach in this regard?
RC: Well, in the Obama administration, there was a rule called [Presidential Policy Directive] 20 which pretty much said the president has to approve everything when it comes to the cyber attack. What Bolton has done is something called article [National Security Presidential Memorandum] 13, which devolves the power to the pentagon, and then the pentagon can devolve it further within the commands so that the president is not necessarily involved anymore, and Bolton’s not necessarily involved anymore.
I think that’s a mistake.
I think, as always in Washington, the pendulum is at one side or the other and never in the middle. Obama probably overly restricted activity after the Stuxnet fiasco. [The US and Israel reportedly teamed up in 2009 to hobble part of Iran’s offline nuclear infrastructure with Stuxnet, the world’s first destructive cyber weapon. The attack worked, but the malware made its way into the wider world, causing the US to be identified as the attacker. Parts of the code were subsequently folded into tools that criminals and other governments exploited.] But I think without White House supervision by experienced, qualified people, you run the risk that something will get screwed up.
MJ: Bolton is obviously a very ideological person. How do you think that’s playing out in his role right now?
RC: Bolton’s always had an itchy trigger finger. He was always more willing to use military force than other people. We’ve seen that play out with the president apparently getting advice from him that we should do more aggressive activity, and the president saying, “No”— which, you know you have a problem when Trump is the inhibitor.
MJ: Do you think Trump will be able to hold Bolton at bay, especially when we’re talking about issues such as Iran and North Korea?
RC: We have a fictional story in the book. So in the real world Israel is bombing Iranian facilities in Syria with some regularity. And in the book we have that happen, and Iran says, alright, enough of this, and they let loose with missiles and rockets from their militias in Syria, in Lebanon, in the Gaza Strip, and then with missiles from Iran. And it does serious damage to Israel, and Israel says to Trump, “Help. Send resupplies.”
Trump orders a resupply effort, but Iran attacks our logistics system. It doesn’t just attack the military, it attacks the civilian things that support key bases. To do a logistics resupply, we have to use certain ports. Those ports get attacked. We have to use certain airports; the electric power systems that are going to those Air Force bases gets attacked. And after several days when Trump is expecting us to turn the tide with our resupply, our resupply essentially hasn’t gotten there. And some of our weapons systems that we wanted to use have been attacked as well, because our weapons systems are vulnerable to hacking. And so at the end of several days, Trump turns to Bolton and says, “What do we do now?” And Bolton says in this fictional scenario in our book, “Well, gee, I guess we just have to bomb them.”
Several points on that scenario: One is how vulnerable our civilian infrastructure is, how vulnerable our own weapons systems are. And the key point: A cyber war can eventually lead to a regular conventional war.
MJ: What is the likelihood of that scenario happening in the real world, a cyber attack leading to a war as we would think of it in the traditional sense?
RC: I don’t want to put a probability on it. When I was in the intelligence community I always hated that give policymakers probabilities. We really have no statistical basis. What I used to do is say, “Well, what is standing in the way of that happening?” And in the case of that scenario, there’s nothing standing in the way of that.
MJ: How does China fit into all of this? Is the US behind China in ways people should worry about?
RC: China has an advantage that other nations don’t have, and I’m glad we don’t have it. Because they’re a police state, they can put up the Great Firewall of China, they can restrict activity on their networks, they can scan what comes into the country. We really can’t, and I wouldn’t want us to control what’s on our internet. But it gives them an advantage when it comes to defending that we don’t have.
I think the offensive playing field has gotten kind of level. We used to have a huge advantage. I think China and Russia caught up to us offensively. Defensively, aside from the Chinese inherent structural advantage, no nation has done a very good job of defending itself.
MJ: You wrote about election security in the new book. As you know, Senate Majority Leader Mitch McConnell (R-Ky.) has been blocking every piece of election security legislation under the premise that the proposals overstep traditional federal roles in what are supposed to be state-run elections. What is your assessment of what he’s doing?
RC: I think it’s awful. They say the Constitution requires the states to be in charge in these elections. Actually, it doesn’t. That clause of the Constitution has a word you don’t see very often the Constitution, and that word is “but.” It says, “but the Congress may at any time by law make or alter such regulations.” Congress may set the rules.
So Congress could federalize federal elections. We could say, “Fine, if you want to have an insecure system the Russians can manipulate when you’re electing the dog catcher of Mayberry, that’s fine. But when you’re electing a United States senator, United States congressman, you have to have a secure system. And these are the rules. These are the minimum guidelines for having a secure system.”
We haven’t done that, and I think we need to. The thousands of counties and the 50 states, for the most part, they say, “We were never attacked, we were never successfully penetrated.” And the question I have for them is: How the hell would you know? You have no systems in place to adequately detect a sophisticated Russian GRU attack. Major corporations in this country that spend hundreds of millions of dollars a year on cyber security don’t detect Russian GRU attacks. What makes you think you would?
Back in 1997, I was part of an effort to make the armed services put in intrusion detection devices on their networks. Intrusion detection devices were new, and so we forced them to put them on very quickly. And then we had meetings to see how they were going. Some general representing the Army at the meeting said, “I hate these devices.” Why? “Well, before we put them on, we were never being attacked. And now we’re being attacked all the time.” I think that’s the story of the states and the counties that say they’ve never been attacked.
MJ: McConnell recently told Laura Ingraham on Fox News that current election security legislative proposals amount to socialism and that none of it is going anywhere on his watch. What’s the path forward with that type of obstruction?
RC: I think the answer is Amy McGrath. The only plausible reason McConnell is opposing protecting our election system is that he believes the Russians, when they get involved, again, will be supporting the Republican Party.
MJ: Some might say that’s a cynical view of Mitch McConnell.
RC: It’s not cynical. There’s nothing cynical about it. There is no other explanation. We know that the Republican Party was supported in the last election by the Russians. And now you don’t want to stop that from happening again? What other conclusion can you come to? I think it’s as obvious as the nose on my face why this is happening.
I asked Clarke to share his thoughts on the ongoing debate over encryption, specifically the federal government’s repeated efforts to weaken data encryption by giving law enforcement a “back door” to access secure information. The last major flareup of this fight occurred in the wake of the 2015 San Bernadino shootings, when the FBI wanted Apple to update its software to allow agents to bypass the encryption on the iPhone belonging to one of the perpetrators. Apple refused, and a legal battle ensued. But the FBI eventually paid $1 million to a third-party entity to exploit a flaw in Apple’s design and get into the phone without the tech giant’s help.
MJ: You wrote about the encryption debate. I’m looking at a headline from just a couple weeks ago, “Trump officials weigh encryption crackdown.”
RC: I know, they’re back with this stupid idea that’s been defeated so many times. The last time it came back, it was Jim Comey, as FBI director. And he used the awful terrorist incident in San Bernardino to try to justify forcing Apple to make its software less secure, so that he could get into it. And what was fascinating to me about that was two things. One, the FBI already had the capability of getting in, and Comey, I think, knew that and pretended not to. The Justice Department IG investigation more or less said that.
But the other thing, the more important thing, is that former directors of CIA, former directors of NSA, homeland security officials, came out of the woodwork, came out of of retirement, to say, “No, Jim Comey is wrong. It’s more important that we have encryption than it is for the government to have the ability to crack it.” And when you’ve got a bunch of former intel guys saying that, I think you need to listen carefully, because they know how to weigh the two concerns.
Look, I used to run counterterrorism for the country. I know how much you want to be listening to terrorists and to be able to crack their message traffic. But even knowing that, and knowing those risks, I would be in favor of making encryption better, not weaker.
More damage can be done to our national security and our economy, if our encryption doesn’t work, than any amount that terrorists ever could do.
MJ: How do you bring that message to a general, non-technical audience when you have powerful government agencies trying to turn the debate into a question of patriotism?
RC: It’s difficult. And that’s why it was so insidious of Jim Comey to use the terrible incident in San Bernadino to whip up support for this crazy idea. Because when you see a bunch of dead people, and somebody says, “Oh, but we could have stopped this if only we had decrypted their phones, or we can stop the next one,” naturally, your hearts go out to the victims and their families. It’s a little hard under those circumstances to step back and say, “But what he’s proposing would hurt us more as a nation.” It’s been difficult to look at dead people and say, “Well, but the harm to our economy, the harm to our national security with weakening encryption, outweighs that.” But it does.