Former counter-terrorism advisor Richard Clarke has a new book out, and it's scary stuff for all of us concerned about the national security of the United States. Scarier still, the alarms sounded by the book -- "Cyber War: The Next Threat to National Security and What to Do About It" -- aren't news to anyone who has even a minimal clue about the state of cybersecurity.Long-story short, Clarke essentially raises the kinds of warnings which have been in the air for years, including recently in the Cyber Security Institute's report. That document raised alarms about whether government systems are adequately protected from emerging threats such as cybercriminal mobs in Eastern Europe or from the Chinese military.
Clarke's assessment is much blunter. The United States is at risk of have its power grid and communications networks taken out by a foreign power. Doubly scary is that fact that a bad-actor government wouldn't have to employ the ne plus ultra of hackers to do us damage. That's because we're pretty much completely unprotected, he warns.
Clarke also notes that things could get ugly if we are so attacked, because we would have to respond, possibly with a massive conventional military strike. (Ol' fashioned infantry would be necessitated because a damaged command and control infrastructure wouldn't support more sophisticated responses such as unmanned drones.)
On the plus side, the United States is not completely a sleeping giant on this stuff. I use the Pearl Harbor analogy deliberately, in making the point that missives like that from Clarke , who's an ex-government security official, after all, constitute differential confirmation that we're not taking this stuff lying down.
Proactive U.S. efforts were hinted at publicly last fall by former National Security Agency director Mike McConnell. Appearing on 60 Minutes, he leaked the previously undisclosed news that a series of power-grid outages in Brazil in 2005 and 2007 were caused by hackers. He also characterized a 2007 breach of U.S. Defense Dept. computers as our "electronic Pearl Harbor."
The good news, as I wrote at the time is that "whatever the Chinese and Russians are doing to us, we're doing to them, too. However, Jim Lewis, director of the Center for Strategic and International Studies, did make the point that the United States is the big target, and we've got a lot more to lose from cyberattacks than do our adversaries."
Going forward, my concerns are two-fold. First off, I understand that in a free society, it's difficult to get commercial companies, which are primarily focused on shareholder value, to expend the excessive efforts and funds required for serious security. I'm thinking here of the power companies, which are undoubtedly not only averse to the high cost of real security, but probably suffer from an institutional cluelessness as far as the technology of security. Add to that the fact that creaking physical power-distribution infrastructure is the utilities' first-order problem, and you've got a prescription for security exposure.
I should add that I expect that telecom providers are far less exposed on the security front, both because they're in the mainstream of networking technology and because security is an obvious necessity to them, completely apart from putative foreign cyberattacks.
Add to that the NSA tie in (that room in San Francisco) and you gotta figure that the telecom folks may be more locked down than we think. OTOH, they pose such a juicy target that attacks might be working that angle just that much harder. (This'd be an analogy to Windows-versus-Mac virus writers. As in, the bigger the bulls eye, the more attention you attract.)
So my second point is that that's the commercial side. What about the vulnerability of government networks? There's no excuse there, though there is a reason. It relates to institutional inertia and the laws of large systems -- both causes to despair.
All of which probably means that Clarke is pitching his warnings into the wind. But that doesn't mean we shouldn't listen.
Follow me on Twitter: (@awolfe58)
What's your take? Let me know, by leaving a comment below or e-mailing me directly at [email protected].
Like this blog? Subscribe to its RSS feed: (here)
My videos on ( YouTube)
Alex Wolfe is editor-in-chief of InformationWeek.com.