A Look At The Vulnerabilities And Capabilities Of American Cybersecurity

Jul 16, 2019
Originally published on July 16, 2019 9:01 pm
Copyright 2019 NPR. To see more, visit https://www.npr.org.

MARY LOUISE KELLY, HOST:

In military speak, the fifth domain of warfare is cyberspace. Unlike the others - land, air, sea and outer space - it is made by humans and can be altered by them, too.

ARI SHAPIRO, HOST:

Former White House counterterrorism adviser Richard Clarke's new book is called "The Fifth Domain." It raises a lot of terrifying scenarios. Some of them have already happened in the U.S. and other countries. There's election hacking, taking down the power grid, holding a city hostage with ransomware. I asked Richard Clarke to describe the scenario that keeps him awake at night.

RICHARD CLARKE: Well, what I fear is that somehow, the U.S. is dragged into a war - and perhaps again in the Middle East. But we're up against somebody who has a cyber army, and they're able to attack our conventional weapons. So we spend all of this money on the fancy F-35 or the fancy new Freedom class Navy ships, and they're hackable. So we go to war, and the enemy pushes the button, and none of our weapons work.

SHAPIRO: You're saying the U.S., which has the biggest and most expensive military in the world, might have piles of worthless metal if a war starts because there is malware embedded in these high-tech machines.

CLARKE: I'm not saying that. The Pentagon's own Defense Science Board is saying that. The Government Accountability Office is saying that. Year after year, they report a long list of weapons systems that have not been built with security in mind.

SHAPIRO: And there could already be, lurking inside of these high-tech military machines, the thing that will disable them if the U.S. tries to deploy them.

CLARKE: Just as there are already, according to the director of national intelligence, such things in our power grid and our gas pipelines.

SHAPIRO: Already there.

CLARKE: The director of national intelligence testified publicly this year that the Russians could affect the controls of our electric power grid, that the Chinese could affect the controls of our natural gas pipelines. And then, a few months later, the White House leaked a story that we're also in the Russians' electric power grid.

SHAPIRO: So everyone has the power to disable everyone.

CLARKE: Well, so that creates what we call in the book crisis instability risks. Who goes first? - because there's a first-mover advantage. And so if you're in a crisis and it pays to go first, that's a very unstable situation.

SHAPIRO: Is the U.S. already engaged in cyber war with Russia or Iran or China or North Korea?

CLARKE: The United States has attacked Russia twice that we know of. The most recent attack was against the Internet Research Agency. We feared that they would be interfering with our congressional election last November.

SHAPIRO: The Internet Research Agency was the Russian sort of troll farm.

CLARKE: It's a Russian front organization for their intelligence agencies. So Cyber Command attacked it recently when the Iranians shot down one of our drones. The president decided not to bomb them, but to engage in the cyberattack against them. So U.S. Cyber Command is engaged in offensive activity against places like Russia and Iran, and they admit it.

SHAPIRO: Why is it so hard to say whether we are then engaged in cyber war with these countries?

CLARKE: Well, what's the definition of cyber war? That gets into a very interesting legal question involving insurance companies because insurance companies are now saying, well, if you were attacked by the Russian military and your entire network was destroyed and your company lost hundreds of millions of dollars, we're not going to pay up on your cyber insurance policy because we don't pay for war coverage.

SHAPIRO: So according to the insurance companies, there is already a cyber war raging.

CLARKE: According to some of them, there is.

SHAPIRO: But according to the U.S. military, the Russian military, the Chinese military...

CLARKE: They don't call it war. In fact, in the recent National Defense Authorization Act, they used the phrase typical military activities in the preparation of the battlefield.

SHAPIRO: Is this typical now?

CLARKE: Apparently, it is.

SHAPIRO: One line in the book stood out to me from somebody who was talking about election security but could just as easily have been talking about other aspects of cybersecurity. And the line is, our house was robbed, so let's at least lock the door. The problem is there are so many doors in the United States - 50 states, thousands of counties, who knows how many private businesses. Each one of them is a target. So is it naive to think that anyone could prevent the house from being robbed again?

CLARKE: There are major American corporations that have achieved security - cybersecurity. They don't like to attract attention to themselves. They don't like me using their names, so I won't. But there are big American companies that have done it. Ten years ago, when we wrote the book "Cyber War," we said no company is safe. If the Russians or the Chinese want to get into your network, they can. Now we're saying that's no longer true.

SHAPIRO: That's interesting 'cause all we ever hear about on the news is the companies that get hacked. You're saying there's a much quieter phenomenon of companies that don't get hacked.

CLARKE: There are the dogs that don't bark. The largest attack in history, which was something called NotPetya, which was done by the Russian military - and we have a long list of companies that were destroyed by that. Their - all of their software was wiped. They stopped operating as companies for weeks on end.

SHAPIRO: It started in Ukraine and spread across Europe.

CLARKE: Yeah, as collateral damage across Europe and the United States. But there's also a long list of American companies that were hit by that attack and nothing happened.

SHAPIRO: What do the companies that have not been successfully hacked have in common? What are they doing right?

CLARKE: The companies that are resilient spend more money on it and have a better governance model so that the guy in charge or the gal in charge reports to a much higher-level official. They're not buried in the bureaucracy of the company. And in terms of just a raw metric, the good companies - the companies that are successful at this - are spending 8% to 10% of their IT budget securing their networks. There are banks in New York that are employing thousands of people and spending hundreds of millions of dollars each year.

SHAPIRO: But could Palm Beach County in Florida...

CLARKE: No.

SHAPIRO: ...Ever mount the kind of defense that Goldman Sachs can mount?

CLARKE: No, not by itself. There are 4,000 counties in the United States, all of whom insist on running their own election machinery. No, they can't. That's why the federal elections should be federalized. And Mitch McConnell, the Senate Republican majority leader, is standing in the way of a bill that has passed the House to give hundreds of millions of dollars' assistance to the counties and to the states so that we can improve their cybersecurity. Right now, it's impossible to have all of these counties and all these state governments even know when they're under attack. Many of them say they've never been attacked. Well, they have no capability of knowing.

SHAPIRO: You've said the government has acknowledged that it is hackable and that companies have figured out how to get the upper hand and prevent themselves from being hacked. Why can't the government learn the lessons that these companies have learned?

CLARKE: Well, I think part of the problem is the federal government, which has maybe 40 or 50 major departments and agencies, insists that they all defend themselves. I don't think that should be the job of every federal agency. What we propose in the book is that the government create one single cybersecurity office for all the little agencies and departments that can't do it. This is what's done in the private sector. A lot of companies don't do it themselves.

SHAPIRO: They outsource it. They hire a contractor.

CLARKE: They outsource it, and you pay them by the month. And you get the - you get them handling all of your security. That's the way the federal government should do it.

SHAPIRO: Right now, the U.S. is at a time of heightened tension with Iran. We know that Russia is trying to hack U.S. systems. Are you more or less optimistic today about the risk of cyber war than you were when you wrote "Cyber War" 10 years ago?

CLARKE: I'm more optimistic about the ability of major American companies to defend themselves. I am less optimistic about the ability of the United States and the other major cyber powers to avoid a cyber war. We have had shots fired. We've had shots fired several times, including by the United States. We have lowered the barrier. It is easier to imagine cyber war initiating and, once it initiates, getting out of control.

SHAPIRO: Richard Clarke's new book with Robert Knake is "The Fifth Domain: Defending Our Country, Our Companies, And Ourselves In The Age Of Cyber Threats."

Thank you very much.

CLARKE: Thank you, Ari.