On a September night in 2007, a swarm of Israeli jets swooped across Syrian airspace and destroyed a nuclear facility under construction. Despite Syria’s sophisticated radar, their approach went unnoticed. The Israelis had hacked the Syrian equipment so all it showed was vast, empty sky. It is technology that cuts all ways: In the United States, hackers have breached the Pentagon, while spies from China have gained access to 1,300 computers in embassies around the globe. Richard A. Clarke, a counterterrorism czar to three administrations and the first special adviser to the president on cyber security, calls the Internet a “cyber battlefield.” In his recent book, Cyber War, he discusses the vulnerability of the electrical grid, banking systems, air-travel networks, and national defense. Clarke recently visited the DISCOVER offices to discuss this emerging type of warfare.
You say the threat of cyber war begins with computer manufacturing. How so?
Take any piece of computer hardware—your laptop, your desktop, a router in the network. It has probably been assembled in one country, but the components have probably been made in two dozen: Taiwan, India, China, the United States, Germany. And the software has probably been written by thousands of people in many countries. You can’t have high security when there are that many people involved. It’s so easy to slip a trap door into 50 million lines of code for a piece of software. It’s so easy to have a microscopic element on a motherboard that allows people to get in without authorization.
How could this sort of invasion happen?
In cyber war or cyber espionage, the person who’s doing it can achieve access in dozens of different ways. Once they are in your computer or your local area network, they can see everything that goes on, they can copy information and exfiltrate that information, they can issue commands. If they’ve accessed a network that’s controlling something, such as an electrical power grid or a railroad system, they can cause things to happen not in cyberspace but in physical space. They can control a rail switch or a valve on a pipeline.
How are we responding to the threat?
Last October the United States created a unit just like Strategic Command or Central Command; this one’s called Cyber Command. Under Cyber Command is a Navy unit called the 10th Fleet that has no ships and an Air Force unit, the 24th Air Force, that has no planes. These units are designed to fight both offensively and defensively in cyberspace.
Has the United States ever experienced a serious case of cyber espionage?
The United States and several of its allies are building a new, fifth-generation fighter plane, the F-35 Lightning II, cutting-edge technology. There’s good reason to believe that a foreign government, probably China, hacked into the manufacturing company for the aircraft and downloaded all the plans. So for this plane that hasn’t even flown yet, a potential enemy knows its strengths and weaknesses. The really scary part is, if they got in, do you think they just copied information? Or do you think perhaps they inserted something in the software? Imagine the future where a U.S. F-35 is flying into combat and another nation sends up a much less capable airplane, but that other airplane can send out a signal that opens up a trapdoor in the software that’s running the F-35 and causes it to crash. Airplanes these days, whether it’s the F-35 or the 787, they’re all software. The plane is just one big computer network with all sorts of things being run by software applications.
What do we need to do to keep the country secure from digital attack?
The United States is pretty good at offense; the government can probably hack its way into most anything. But we don’t have a good defense. Right now the U.S. government is defending only itself, and that’s largely the military defending the military. The Obama administration’s attitude seems to be that if you’re a bank or a railroad or a pipeline company or a power company, you should defend yourself. Imagine in the 1960s if our government had said to U.S. Steel in Pittsburgh or General Motors in Detroit, “The Soviet Union has a lot of bombers and those bombers could reach Pittsburgh or Detroit, so you, private company GM, private company U.S. Steel, should go out and buy some air-defense missiles.”
What are the private companies saying in response?
They want it both ways. They want to minimize government involvement; they certainly don’t want the government telling them how to structure their information technology systems. But at the same time, when you tell them the government of China could be hacking into their company, they say, “Well, why isn’t the federal government stopping that? I pay my taxes.” In the end, there’s going to have to be a federal role larger than there is now. The fact that we have virtually no defense right now, that’s largely a matter of policy—not so much of technology—and it would seem to be a rather obvious wrong choice, I think.
It sounds like we’re the big, tough boxer with a glass jaw.
The line that I like to use is “People who live in glass houses shouldn’t throw attack code.” We should be taking the lead in arms control.
The fight against cyber attacks is a form of arms control?
I think if you do limits on cyber war, that’s arms control. I worked in arms control for over 20 years. I did biological, nuclear, and conventional arms control. I know how hard it is. I negotiated a lot of agreements, and cyber war would be very difficult to negotiate. But some of those arms control agreements may actually have stopped nuclear war. So let’s not throw up our hands and say, “We can’t do it in cyberspace with cyber war.” Instead, let’s get the arms control experts and the cyber experts together and see what we can do to reduce the chances of a damaging cyber war.
What is the biggest threat: national governments, terror groups, or individual hackers?
Individual hackers can make a lot of trouble, but they can’t bring down a power grid. They can’t do the really destabilizing infrastructure attacks that we’re worrying about. Criminal gangs are getting better at it, and we’re seeing cyber criminal gangs doing things that in the past only nations could do. So that is a worry. But for the most part our concern is cyber war directed nation to nation, because in addition to having lots of technology at your fingertips, nation-states have intelligence agencies. And intelligence agencies can provide the collateral information to figure out how to do an attack. Sometimes you need physical involvement, social engineering, information gathering before you do an attack.
What will it take for us to acknowledge the true magnitude of the threat?
When Russia cyber-attacked Estonia in 2007 and then a year later attacked Georgia, people said, “That’s the wake-up call.” When the Chinese attacks on Google occurred last year, people said, “Oh, that’s the wake-up call.” I think people would have to know that some great discomfort or some great violence had occurred because of deliberate malicious activity in a network.