07.24.2019

Richard Clarke Discusses Cyber Security

Hari Sreenivasan sits down with Richard Clarke, who advised several administrations on intelligence and counterterrorism, to discuss how we can defend ourselves online in an era of increased cyber threats — lessons he captured in his book, “The Fifth Domain.”


CHRISTIANE AMANPOUR: Now, as we know from the Mueller report, Russia absolutely did interfere in the 2016 election, and before Congress today Mueller said they’re still at it and that they will try to interfere in 2020. So how do we defend our democracies against cyber warriors? Richard Clarke served as the National Coordinator for Security and Counterterrorism in both the Clinton and George W. Bush administrations. Alongside Robert Knake, he’s penned “The Fifth Domain.” It’s an urgent warning, an inside look at the threats that lurk in dark online corners. Speaking to our Hari Sreenivasan, Clarke gave his take on whether cyber peace is possible.

(BEGIN VIDEO TAPE)

HARI SREENIVASAN: So we know about land, sea, air, space — what is this fifth domain?

RICHARD CLARKE, CO-AUTHOR, “THE FIFTH DOMAIN”: So the Pentagon uses this phrase, “the fifth domain,” to talk about cyber space. And talk about it as an area of warfare. Because when the Pentagon talks about domains — land, air, sea, and space they’re talking about places where they may have to fight. And what they’re saying is we are going to fight combat in that domain. We’re going to destroy things in the other domains by fighting in cyber space.

SREENIVASAN: Yeah, so give us an example of — what kind of threat level are we at, or what are the threats that the fifth domain poses to us in real life because we know that when we’re in a war, a plane drops a bomb, a building disintegrates — we kind of have an ability to visualize that.

CLARKE: Right. Well, so we have something called U.S. Cyber Command. It’s a joint military organization — the Army, Air Force, Navy, Marines. They have either leaked officially, or admitted that they attacked the Russian troll factory in St. Petersburg just before our Congressional election in 2018, they destroyed computers there. The president has announced that U.S. Cyber Command attacked air defense facilities in Iran a few weeks ago after the Iranians shot down one of our drones. We also, apparently — according to a White House leak, we are now in the Command and Control system of parts of the Russian power grid. This comes months after the head of U.S. Intelligence Dan Coats said publicly that the Russians were in the control plane of our power grid, and the Chinese had access controls of our natural gas pipeline system. So 10 years ago when Rob Knake and I wrote the book “Cyber War,” we said this would happen but it was theoretical. Now, shots have been fired this year, it’s happening.

SREENIVASAN: So you know, when you talk about the fact that these ideas — these countries have access to our power grid, our natural gas pipelines, what can they do with it, or what could we do — or anybody that has control of somebody else’s infrastructure?

CLARKE: Well we already know what the Russians did when they got in to the Ukrainian power grid, they didn’t shut it down. And post hoc analysis showed that they could have blown up the transformers — and blown up the generators. We know that the U.S. cyber attack on centrifuges, nuclear enrichment devices, in Iran caused those devices to blow up. So here’s the breakthrough thought involved here. You can cause physical things, real things in the real world to damage themselves and to blow up by giving them the wrong software. That’s the bad news, that this is now actually happening. The good news we try to point out in the book is that unlike 10 years ago, now there are American companies that are demonstrating that they can fight off cyber attacks. And that’s new.

SREENIVASAN: You actually have this scenario that you lay out in the book, Israel and Iran getting into a fight. Play that out. What is the scenario that could happen that goes from a cyber war to a real war?

CLARKE: In the book, we have a scenario where Iran attacks American infrastructure to prevent the United States from being able to resupply Israel in a crisis. And unable to do anything, because of a cyber attack, the president decides, in our fictional scenario, “Well, to heck with this. Let’s fight a conventional war. Let’s bomb Iran.”

SREENIVASAN: And the U.S. Pentagon reserves that right.

CLARKE: The Pentagon’s declaratory policy, written during the Obama administration, public policy is that if the United States, not just military, but if the United States as a whole is hit by a cyber attack by a nation, and we consider the damage to be bad enough, and that’s undefined, the United States military reserves the right to respond to a cyber attack with a conventional response, meaning bombs and missiles.

SREENIVASAN: I mean in the idea of a nuclear war, we have this notion of mutually assured destruction, we have deterrents. What’s keeping a full-scale attack from happening?

CLARKE: I think any weapon, whether it’s a cyber weapon or a nuclear weapon or a conventional weapon, nations don’t use them simply because they have them. They wait until they are in a situation where they were going to go to war anyway. And so, any time a nation like Iran or China or Russia or North Korea decides to go to war in the future, they’re going to use cyber attacks in the fifth domain, either just before or during their conventional war.

SREENIVASAN: And the attack on companies; in the past couple of years, we’ve seen these malicious pieces of software run amok on corporate networks and cost billions of dollars.

CLARKE: Yes.

SREENIVASAN: I mean some of these companies are forthright enough to tell their shareholders, “Hey, guess what? That $180 million line item is something pretty important and we want to explain it to you.” Other companies aren’t telling you.

CLARKE: And the companies that aren’t telling us are violating the law. The Securities and Exchange Commission says if you’re a U.S. publicly traded company, and you have a cyber event, you’re supposed to report it. Now the way they get around that is they have lawyers who say, “Oh, it’s not a material breach.” I think there’re a bunch of lawyers in Washington who will never see a material breach, no matter how bad. But you say billions of dollars; we had one attack on companies in the Ukraine by the Russian military, going after companies in the Ukraine, that got out of control, that was collateral damage, and the insured losses around the world are estimated at $10 billion.

SREENIVASAN: And that’s just one piece of software.

CLARKE: That’s one software, one attack, collateral damage. It stopped shipping containers around the world. It stopped the production of cancer drugs. It stopped the production of food substances. It wiped out, wiped out all the software on laptops, servers, printers, everything on the network.

SREENIVASAN: If shipping containers are stopped, it has huge ripple effects down the entire supply chain.

CLARKE: It did, for weeks. There was 70 ports around the world where containers didn’t move because they didn’t know what was in them. They didn’t know where they were supposed to go, and the actual cranes to move them had no software.

SREENIVASAN: Yes, it’s not like the old clipboard. Here it is; here’s the sheet. We’re checking off the boxes. It’s all virtual.

CLARKE: Increasingly, it’s all robotic and semi-robotic. And so, if there’s no software on the device –

SREENIVASAN: Yes.

CLARKE: The other thing we’re seeing similar to this, instead of wiping out software, we’re seeing encrypting software – this is called ransomware – and it’s been going on across the country, and really around the world, for the last couple of years. This year, we’ve seen it hit big American municipal governments, Atlanta, Baltimore, where all the municipal functions stop, because the software has been encrypted by bad guys who say, “Well, we’ll give you the key to the encryption but you have to pay us.” And places like Atlanta and Baltimore are refusing to pay. Most companies, I think, quietly pay.

SREENIVASAN: Yes.

CLARKE: And that’s money going to criminal groups, and it’s a lot of money.

SREENIVASAN: Is this the modus operandi of what organized crime looks like today? I mean basically, why go get messy in the streets with a big gang brawl when I can just release a piece of software and have people pay me ransom?

CLARKE: We don’t know how much money the criminals are making, but I’ve seen one estimate that criminals are making more money around the world in cyber attacks every year than they are through selling narcotics.

SREENIVASAN: Wow. I mean is it – are we not having those conversations more openly? Is it because of an ego thing, that you don’t want to admit that your system was bad, and if I tell everybody in a local news, that, well, our city’s been held hostage, and it’s just cheaper to just give them the $50,000?

CLARKE: Well, some cities have done that, some little cities have done that. The large cities, they refuse to do it because they can’t do it secretly –

SREENIVASAN: Yes.

CLARKE: – if you’re a big municipal government. But another way, and this is going to sound a little cruel, another way, the cities that are being hit are the weak members of the herd. They have poor cybersecurity. They don’t invest in modernizing their IT. They don’t invest in cyber protection. That’s why they’re being picked off. One thing that ransomware tells you is who had bad security.

SREENIVASAN: So tell me, what does it take to have good security? What are the companies that are surviving this, are resilient through this? What do they have in common?

CLARKE: They have three things in common. First of all, they have leadership at the CEO level and at the board level that understands this is a reputational issue, this is an existential issue, potentially. So leadership, committed and understanding the issue. Secondly, flowing from that, is a culture of security where they educate the workforce about why we have to worry about this and the reason to be aware of cybersecurity and put up with some inconvenience, frankly.

SREENIVASAN: Yes.

CLARKE: But the third and probably most important thing that also flows from the governance model is money, money to buy the state-of-the-art cybersecurity products. Basically, if you’re spending 3 or 4 percent of your IT budget on security, you’re going to be hacked, and you’re going to suffer. If you’re spending double that or more in the 8 to 10 percent of your IT budget, then you can achieve security. You constantly have to update it. You constantly have to change as the threat evolves, but you can achieve security if you spend enough money.

SREENIVASAN: So given that this is the kind of investment that a company needs to make, almost at the 10 percent level, is the United States government anywhere close to making that kind of investment right now?

CLARKE: No, it’s not. And the problem is the United States government, even though it’s spending about $7 billion a year, asks every little government agency to protect itself, asks every agency to stop the People’s Liberation Army of China, the Russian GRU. They can’t do it.

SREENIVASAN: So you mean the Department of Education, on a cabinet level, everyone’s on their own?

CLARKE: Agriculture, interior, veterans, they all have to achieve a certain level of security. None of them do. Year after year, they fail their tests, but year after year, we keep up with that model. Now states, the laboratories of Democracy, all right (ph), the states are doing something different. The states are saying, we’re going to have IT department, and that will provide IT as a utility, and it will layer in security and security as a utility to all departments and agencies. That’s what we suggest in the book; we need to do it at the federal level, not for the Pentagon, not for the big departments that are competent, but frankly, if you’re selected to be the secretary of agriculture, probably that’s not because of your IT experience.

SREENIVASAN: Right.

CLARKE: And you shouldn’t really have to worry about that, just as small- and medium-sized companies shouldn’t have to worry about it. They should outsource it.

SREENIVASAN: Is there a sense of security and confidence going forward for the 2020 elections?

CLARKE: No. Everything the Russians did to manipulate our 2016 election, they can do again. Now we know that Facebook and Twitter and some of the social media platforms have hired thousands of people to try to identify fake news, try to identify bots and trolls, but we don’t (inaudible) because there are no federal standards, there’s no regulation. What’s interesting is some of the social media platforms are saying regulate us, because we don’t want a situation where we’re supposed to guess what the government wants and we don’t want to be criticized after the fact for not doing something if you didn’t tell us in advance that we’re supposed to do it. So there should be, for the social media part, some minimum standards that we all agree on. For the safety of the election machinery, the states and the counties, 4,000 counties, they’re all running the election around the nation. Again, there are no federal standards for security of their machinery. No standards, no third party auditing.

SREENIVASAN: Part of that is also our reluctance to give up any of that authority to the federal government versus the states. Right? The counties say hey, look, these are our purview, the states say, we’re supposed to run our election, not you from D.C.

CLARKE: And Hari, that’s fine if they’re electing the dog catcher. If they’re electing the United States president or the United States Congress, then it’s a federal election, there ought to be federal standards. And if the federal government has higher security standards than the counties have, the federal government should pay for it. And there are bills in the Congress to give money to the states to improve security. Right now they’re being held up by the senate majority leader, Republican Senator Mitch McConnell is blocking aid to the states and the counties. But you know, the states and the counties say, well, we didn’t detect any Russian attacks last time. They don’t have the equipment to detect them. That’s the key point here. When a — when a major U.S. company is attacked by the Russians or the Chinese, they normally, in most cases, they do not detect the attack. They’re told later on by somebody that there was an attack. But most companies cannot detect the attack.

SREENIVASAN: And that’s with sophisticated I.T. departments in-house.

CLARKE: Much more sophisticated than any state government or any county government has monitoring elections. So I love all the local people who say, we’re doing a good job, we haven’t been attacked. But the truth of the matter is they wouldn’t know if they were attacked.

SREENIVASAN: You have called 2016 kind of our Pearl Harbor in this cyber arena. I mean, if that was the Pearl Harbor and we did not react, what’s it going to take for us to care about it?

CLARKE: Well, I think if we cannot get a coordinated whole of government approach to stopping it again, we’ll have the same outcome. The Russians will choose candidates that they like, maybe the same ones they supposed last time, maybe someone differently. The Russian goal is not necessarily to support one candidate or the other, the Russian goal is to divide us as a nation and keep us divided as a nation, keep us at each others’ throats, keep us inwardly focused and in chaos. And so far, they’re achieving that.

SREENIVASAN: How do you get a bunch of nations to agree on any kind of the rules of the road, a Geneva Convention for the cyber world? How does that happen?

CLARKE: We don’t have a Geneva Convention, we have a Budapest Convention.

SREENIVASAN: OK.

CLARKE: There is a Budapest Convention that identifies what’s a cyber crime and what’s the obligation of a nation to prevent cyber crime from their country attacking another. So the Budapest Convention is limited, it doesn’t have enforcement, doesn’t have any teeth, but it’s a beginning. And what we ought to be doing is cyber arms control building on the Budapest Convention to get confidence building measures, risk reduction measures, international norms agreed among nations, or at least agreed among a group of like-minded nations. America ought to be leading that effort. But Donald Trump and his administration are not. They reduced the rank of the people in the State Department doing this, fired some of them, they eliminated my old job of cyber czar, coordinating all of this. This administration’s not pushing cyber peace. It does appear to be pushing cyber war.

SREENIVASAN: Are you generally optimistic about where this is headed?

CLARKE: I think unlike when we wrote “Cyber War” 10 years ago, we are optimistic. That had (ph) lots of studies and commissions look at how to fix this problem, and we don’t need another one. The way to fix the problem is known. It’s a lot of different decisions that have to be make — made, the Congress has to be involved, the president has to be involved, we have to be willing to spend the money, we have to involve other nations, but we could achieve cyber peace rather than cyber war.

SREENIVASAN: Richard Clarke, thanks so much for joining us.

About This Episode

Christiane Amanpour speaks with Jim Baker, Mark Mazzetti and Susan Glasser about Robert Mueller’s testimony. Hari Sreenivasan speaks with Richard Clarke about how we can defend ourselves online in an era of increased cyber threats.
