Few today would argue that the threat surface in cyberspace has expanded significantly in the past decade. Just ask your fridge. From the new risks we’ve brought into our own kitchens, to the increased capabilities of nation states to disrupt everything from electricity to elections, there is an even greater (panic) questioning of what to do about it.
In The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats (released on Tuesday), authors Richard Clarke, who served as the first U.S. official in charge of U.S. cybersecurity policy, and Rob Knake, who served from 2011-2015 in the White House as director for cybersecurity policy at the National Security Council, try to tackle some of those questions.
While the authors also chillingly predict that “America’s next major war is likely to be provoked by a cyber attack,” they argue that we also know much more than we did a decade ago about defending the nation, our businesses, and ourselves.
The Cipher Brief’s State Secrets podcast caught up with Clarke to talk about today’s cyberthreats posed by nation states, and what we need to be doing about them right now.
The conversation has been slightly edited for length and clarity.
The Cipher Brief: Help us make sense of how you assess today’s cyber threats in your new book, The Fifth Domain.
Clarke: When Rob Knake and I wrote the book, Cyber War, ten years ago, we said then that the threat would move from individual hackers and criminal gangs to nation states and their armies and that they would then move from stealing information to attacking infrastructure and to causing destruction. All of that, I think, has happened so now we’re in a situation of heightened tensions among the four or five major players in cyberspace: the United States, Russia, China, Iran and North Korea. The U.S. has more or less admitted that Cyber Command has attacked the Russian Internet Research Agency, the [Russian] intelligence front that was so involved in our 2016 election. Apparently, they did that back in October of last year and now the U.S. government has intentionally leaked that Cyber Command is somehow in the control plane for the Russian power grid. Of course, this comes after DNI Dan Coats said the Russians were in the control plane of our electric power grid.
And then after the recent downing of the U.S. drone by Iran, the President decided not to bomb Iran with kinetic and conventional weapons, but to retaliate with a cyberattack. So, there have been a lot of U.S. cyberattacks lately. There have been a lot of attacks by the other four players as well, and that creates a period of crisis and instability in cyberspace.
The Cipher Brief: It's so interesting to look at your predictions a decade ago and then see the landscape that you just described and how things have progressed and now it's almost as if people are being held cyber hostage. It's really advanced from spying and stealing information to having destructive capabilities. I'm almost afraid to ask this question but where do you think this is going to lead us ten more years down the road?
Clarke: The problem is people. When Trump decided not to use bombs against Iran, but to use cyber weapons instead, I think he, in some way, validated the way I think many leaders regard cyberspace, which is “Well, you know it's not so bad, it doesn't kill people.” "I don't want to kill people," he said. But it's a way of showing that we're mad or that we're concerned. The problem is, eventually, a second level of cyber damage will cause nations to slip over into conventional warfare. The Israelis, for example, recently decided that they had had enough of cyberattacks by Hamas and so they flew an F16 and dropped a bomb and blew up Hamas' cyber headquarters. So, it can easily move from one sphere to the other. The Pentagon's public policy is that if there is a cyberattack on the United States by a nation state, and it's sufficiently painful to us - whatever that means - that we reserve the right to respond with kinetic and conventional weapons so saying, "I'll just do a cyberattack," sounds easy but it could be a slippery slope that could lead to a greater war.
The Cipher Brief: You have a really interesting perspective on this and you're also a novelist so you think creatively about what could happen. You've said that you believe it's safe to conclude that the next major war will begin with a cyberattack. Walk me through how you see that most likely happening.
Clarke: The cyberattack could either be the trigger or it would be part of the initial volley of a conventional war. No nation that has cyber capability now is going to start a conventional war without the simultaneous - or just before the conventional attack - cyberattack to destroy the other guy's defenses.
What concerns me is that if you look at what the Pentagon's own Defense Science Board has said, what the Government Accountability Office has said over and over again is that our weapons are very vulnerable to cyberattack and so if we were about to go to war - with Russia or China, maybe even Iran - I would think that the first thing they would do in a period of crisis leading up to hostilities, would be to conduct cyberattacks to take out our weapons systems, to make them not work, to jam them, to wipe them of software, and to go after the civilian infrastructure that supports our military.
In the book, The Fifth Domain, we have a fictional scenario where Iran and Israel get into a fight and the President decides to help Israel. We resupply them like Richard Nixon did in 1973 and when he orders that, it doesn't happen because the civilian infrastructure that supports our navy bases, our ports, our air bases, our defense industrial base, they're all attacked and things happen. Derailments happen, wiper attacks on ports happen, power systems go down and we're not able to conduct the military mission of resupply and support for Israel.
The Cipher Brief: Do you think the U.S. is or is not prepared for a scenario like this?
Clarke: I do not think we're prepared. I think our weapons systems, according to all the experts that looked at them, are way too vulnerable to cyberattack. The infrastructure on which we rely, both civilian and military, is way too susceptible to attack, and in our last book, Cyber War, I think we coined the phrase, "People in glass houses shouldn't throw code."
We have a great offensive capability in Cyber Command and CIA, supported by NSA, but we still do not have defensive capability for critical things, like the gas pipeline system. DNI Coats also said earlier this year, that the Chinese could attack and disrupt the gas pipeline system. Well, we've moved most of our electric power generation over to gas-fired plants. If you disrupt the very few major gas pipelines in this country, we won't have electricity.
The Cipher Brief: You also have pointed out in the past that you don't think the government really, as a whole, has a clear strategy on how to address these issues, yet you also say that there is some hope. I'm very interested to get your take on this Administration's new, more aggressive policy when it comes to cyber. Is it something that's good or problematic?
Clarke: I did say in the past that the Administration had no policy or strategy, but it does now; it's published a document called The National Cyber Security Strategy. It looks a lot like the one I wrote for George Bush, so many years ago. The document's not bad. I don't think they're doing it, though. There's certainly no one in the White House who's in charge of implementing it, because they eliminated the Cyber Czar job in the White House, the job that I had.
In terms of their Defend Forward strategy, I think that can be good, but the problem is, as always in Washington, the pendulum is on one side or the other, it's never in the middle where you want it. Obama, toward the end, had wrapped up the cyber offense decision making process in so many lawyers that nothing could happen. Trump has gone to the other extreme and pushed decision making power down into the Pentagon and below the Secretary of Defense, to a cyber committee. I think that's too extreme in the opposite direction. But the real missing piece here is cyber arms control. It's okay to have an attempt at deterrence, an attempt at mutually assured destruction if you will, but only if at the same time, you have rules of the road and international norms and risk reduction measures and confidence building measures. And the people who were doing that, who were trying to get all that started over in the State Department were either fired or demoted and reassigned by Rex Tillerson, during his great purge of State Department capability.
So, we don't have an initiative to conduct arms control in cyberspace. And what I'd like to see is the U.S. get together with like-minded nations. What we propose in the book is an alliance of like-minded nations that would set the rules of the road as norms and figure out how we're going to deal with the rogue nations like Russia, China, Iran, and North Korea.
The Cipher Brief: Even if that were to happen, how concerned would you then be about the rogue threat of cyber? Because these tools it seems today are becoming so easy to use that it's not difficult for a rogue terrorist organization to get its hands on cyber tools that could wreak enough havoc to bring significant destruction to systems, or critical infrastructure.
Clarke: People have been concerned about that possibility for over 20 years and it hasn't happened. I've followed closely the possibility of Al Qaeda or ISIS or some other terrorist group doing that, and they never have. I'm told by some of my hacker friends that perhaps there were attempts by Middle East terrorist groups to recruit people out of Europe and pay them a handsome fee, and those people refused to do it because they don't support the kind of state that Al Qaeda or ISIS wants to create.
So, I don't think we have that threat present today. It's always possible that it will emerge in the future. But right now, we have a really major threat, ongoing threat, from the four rogue nations.
The Cipher Brief: Let's talk about the private sector. The Cipher Brief spoke with General Michael Hayden last fall about the cyber cavalry, and he said if you're a private sector entity and you're waiting for the government to save you, you're going to be very disappointed. He said when it comes to cyber, “The cavalry ain’t coming.” You said something very similar, that the private sector needs to understand how to protect itself. How do you do that if you're not a major corporation with the money to invest in a significant and robust cyber defense system?
Clarke: Let me first say that Mike was right. The government's not going to do it, but moreover, the government shouldn't do it. We don't want the government defending our companies at the granular level. The government can't even defend itself. Civilian agencies of the government are woefully poorly defended, and I certainly wouldn't want JP Morgan or Citibank defended by the government. They do a much better job defending themselves. You asked what if you're a small company? If you're a small company, outsource it. There are MSSPs, Managed Security Solutions Providers, that do a really good job. And oh, by the way, if you're using cloud services from AWS or Azure, you're also getting a certain level of security that you couldn't create yourself. And then you layer on top of that a Managed Security Provider and you have good defenses.
I think everybody can do it, but a point we make in the book is that one major difference between now and 10 years ago when we wrote Cyber War is that we said no company can defend itself against a nation state attacker. Now what we say, is there are companies that are defending themselves. You know the old joke that there are only two kinds of companies, those that have been hacked and know it and those that have been hacked and don't know it.
We've added to that. Now we say there are three kinds of companies, and that third kind that exists today are the companies that can either prevent intrusions or be quickly resilient when it happens. You hear about Marriott and Equifax, and Target, and Yahoo, and all of the famous hacks, but there's a long list of companies you've never heard of being hacked. In some cases, that's because they won't admit it, and in some cases, it's because it hasn't happened. And we ask in the book, what's the difference between those companies that are regularly hacked, whether they know it or not, and those that are good at defending themselves?
The Cipher Brief: And what’s the answer?
Clarke: Well, the book asks that question in some detail and we come to a couple of conclusions. Whether or not it's cause and effect, there are at least two indicators that seem to correlate. One is the governance structure of the companies. To whom does the CISO report? If she reports to the CIO, that's not going to work too well. Companies that do well at defending themselves have a CISO reporting in a different reporting chain, and they have an active member of the board who understands cybersecurity and is involved with developing the program and is looking for regular metrics and updates.
The second thing, and it actually flows from the governance piece, is the money. How much are they spending? There's a crude metric, which is, what percent of your IT budget are you spending on cybersecurity? I know it's crude, I know there's an issue of definition here, but I can tell you, if I look at a company in my consulting practice that has eight or 10% or higher of its IT budget, however you define that and however you define cybersecurity within it, if it's eight to 10% running for security, that company is probably immune to attack.
The reason for it dates back to the 1990s and the early 2000s when there wasn't a lot you could do, or buy to protect yourself. You could have AV, Firewall, Intrusion Detection Systems. Now, when we interviewed people who are running major networks and banks, they told us they've got 50, 60, 70 different software security, cybersecurity applications and pieces of hardware running. If you're going to have that many solutions and integrate them well, you're going to have to spend a lot of money.
The Cipher Brief: Since you do have significant experience in the private sector, I assume that you've gone into board rooms and met with CEOs who have, I'm sure, a lot of questions for you. Have you seen the nature of those questions changing or are you seeing new ones pop up?
Clarke: The truth is that when I talk to a CEO for the first time, the questions are much more basic. They ask, "How am I doing? How do we compare to others in our sector?" And, "What are the metrics that can assure me that I am doing well?" Those are the first questions. The second questions are always, "What could happen?" I think most of the CEOs want to know, is there some relationship between spend and outcome? Are there metrics? Because boards, in particular, as well as CEOs, love metrics. Are there metrics that we can look at on an ongoing basis so we can know how well we're doing and when we're running into risk?
And of course, they're concerned about compliance, as well. One of the things they ask me a lot is what would happen in a crisis? How could we react in a crisis? Are we prepared for a crisis? And what I do for them, very often, is help them develop a crisis game plan and then exercise that game plan. I've gone into big companies who had nice plans, but they were unprepared because they had never exercised it.
Our slogan is never let your first crisis be a real one. Have a crisis simulation, make it as real as possible, and test the team and test the plan.
The Cipher Brief: Solid advice. What other messages are you hoping to get across in your new book?
Clarke: That cybersecurity today is achievable in an enterprise. It's not hopeless. The technology has evolved, on the defensive side, finally, so that you can defend yourself if you spend the amount of money that's required to do that. But on the public policy side, things have not gotten any better. We have about 80 recommendations in the book and most of them come down on the public policy side, because the government hasn't made the necessary decisions to create the atmosphere. Even if you're a good enterprise and you spend money and you defend yourself, you're still vulnerable to the whole system collapsing outside of your company. And the government really hasn't done the work needed to create the right public policy.
The Cipher Brief: You were the first White House official who was tasked with taking charge of U.S. cybersecurity policy. So obviously, you worked for the President, who felt like it was important. How much did the President understand about the threat back then, do you think? And are we kind of tackling it with a bit more education and creativity in approach?
Clarke: When I started in '96, '97, President Clinton didn't have an idea about it, but neither did I, you know? We were blessed to have a commission run by General Robert Marsh, the Commission on Critical Infrastructure Protection, that came back and told us we had a problem.
In the mid-1990s, everybody, even in the private sector and in government, was moving functionality into the internet, into cyberspace. And they were doing that without any thought for security. Clinton, after we told him about it, and after he read the Commission report, really got it. And so he opened up the spigots for the government to start spending money on this. He asked for the first national plan to protect cyberspace. And he created organizations within the government and within the private sector, things like the Information Sharing and Assessment Centers. So, Clinton was great on this stuff. He still talks about cybersecurity a lot. George W. Bush, not so much. In part, I suppose you could say because 9/11 happened and he also had a great desire to go to war with Iraq. And that occupied him for at least the first four or five years. I think toward the end of his administration, he did some of the right things on cybersecurity. And President Obama, I would like to have seen him do more. He had very good people working on it, but I don't think he was personally committed. And it probably does take a President being personally committed. The only thing I've seen on President Trump, aside from firing and eliminating the jobs, was his intent to make Rudy Giuliani some sort of an informal cyber czar.
The Cipher Brief: But there have been developments, like the creation of the Cybersecurity and Infrastructure Security Agency within DHS (CISA), yet when we talk with CISOs from organizations of all sizes, which we did just recently, so many of them still say "We don't know who to call."
Clarke: I know. I hear the same things. There is now a cyber security agency within Homeland Security. And it's at the same level as FEMA and the Coast Guard and the Secret Service. But the administration required, as part of the deal for the creation of that unit, that it get no new resources. So, the Cyber Security Agency at Homeland is just renaming the bits that were already there. We call in the book for that new agency to be given a lot more resources and a lot more power. We have a senior executive service in the government, we have a senior foreign service, a senior intelligence service. We'd like to see a senior cyber service, based out of the Cyber Agency in Homeland. But give them the authority to do security for all of the civilian agencies and departments. I think it's ridiculous that we ask all the civilian agencies, like OPM, to name one, to do their own security. They're not up to it. Agriculture, Interior, Labor; they're not up to running networks against the Chinese People's Liberation Army. Let's create cyber security as a service. Let's create IT as a service, and take it away from the departments and have it done centrally.
The Cipher Brief: I think that's something that probably, while I won't speak for him officially, Director Christopher Krebs would fully endorse and would appreciate the additional resources. So, what is it that we’re still missing when it comes to today’s cyber landscape?
Clarke: Well, it's ever changing. Right? You can say, "Oh, it's good news," when you think, now, that companies can be secure, let's rest on our laurels. No. We can't rest on our laurels, because technology keeps changing. And so we have three chapters in the book on the new technologies and their implications: a chapter on machine learning, a chapter on quantum computing and finally, a chapter on 5G and the Internet of Things, and the relationship between the two. Because as those three technologies evolve over the course of the next three years, we will either become safer as a result, or the security that we've already achieved could be eroded. So, you've always got to be on top of the new technologies and ask what implications they have for cybersecurity.
The Cipher Brief: Thank you so much for talking with us today. I just have to end with one more question. What's your next novel going to be about?
Clarke: My next novel's about AI.
The Cipher Brief: Any teasers?
Clarke: Well, the novel takes place in China and our hero is a Chinese police officer from the cyber squad, and he is trying to find out who is behind a lot of AI activity in China. And then, maybe, it goes global.
The Cipher Brief: Will you come back and talk to us about that when it's released?
Clarke: Absolutely.
The Cipher Brief: Excellent. Thank you so much for being with us.
LAUNCHING THIS MONTH: The Cyber Initiatives Group, powered by The Cipher Brief. The CIG is a public-private sector group of cyber professionals who share high-level thought and expert perspective on cyber issues impacting today’s businesses.
With a team of principals including Former CIA and NSA Director, General Mike Hayden (Ret.), former NSA Director, General Keith Alexander (Ret.), former Deputy NSA Director Rick Ledgett, former NCTC Director Matt Olsen, former Vice Chairman of the Joint Chiefs of Staff, Adm. Sandy Winnefeld and former DHS Deputy Undersecretary for Cybersecurity, Mark Weatherford, the new Cyber Initiatives Group will focus on connecting experts in ways that share best practices on cybersecurity.
If you’re interested in becoming an inaugural member or sponsor of this thought leadership group, please send an email to CIG@thecipherbrief.com.
‘I’m excited to facilitate this critical cyber conversation and to be working with leaders from across the private sector as they tackle the very difficult cyber issues that impact every company doing business today.’ – Michael V. Hayden