Monday, April 26, 2010

Richard Clarke: "Cyber War: The Next Threat to National Security"

Authors: Richard A. Clarke and Robert K. Knake

Title: "Cyber War: The Next Threat to National Security and What to Do About It"

Publication: ECC, Harper; 2010; ISBN 978-0-06-196223-3; Introduction and 8 long chapter, glossary; 290 pages, hardcover.  Amazon link.

When I was working on my first “do ask do tell” book in the 1990s and justifying the idea that the military gay ban really was a national security issue, I still thought that Communism (especially North Korea) or hyper-nationalism (as in Russia) was still the big threat; I didn’t yet grasp how dangerous radical Islam had become. If you had talked to a lot of “good Democrats” in the 1990s, including President Bill Clinton, you probably would have found agreement.

And as far cybersecurity, the biggest threat to a total meltdown probably does come from hostile governments remaining from the Communist world. That is one theme of Richard Clarke’s book. After all, jihadists need a functioning Internet to spread their propaganda and recruit. And teenage hackers probably don’t have the skills or connections to do the kind of damage that Clarke is talking about. But hostile governments do, and some of them might well become tempted to do so, even as you compare “pre-emption” doctrine with respect to cyber issues to older Cold War issues of nuclear deterrence and MAD.

A critical part of Clarke’s thesis is that there really are a lot of “back door” connections between our critical infrastructure, especially the electric power grid, and the public Internet, even if the “average” pesky programmer would have no idea how to find or exploit them.

In general, a defense strategy is more important in cyber security policy than it was in the Cold War. The United States does probably lead the world in the ability to cyber-spy or corrupt enemies, but our own infrastructure is much more dependent on cyber capability and much more easily attacked by a enemy that knows what it is doing (probably a government).

The centerpiece of the book outlines a “triadic” or three-prong approach. First, ISP’s (especially the Six Sisters among the telecomm providers) should be required to let end users know when their computers are compromised (and used for DDOS botnets), and end users probably should demonstrate some competence in Internet security and using security products (that sounds like the “Internet driver’s license). Second, much more attention should be focused on the systems that run critical infrastructures, and they really should be separated completely into “intranet-like” objects. Third, the military needs to be reformed. I could chuckle here that the old “don’t ask don’t tell” policy starts to look silly in a military world where so much warfare is conducted on computer screens. On the other hand, the whole IT world starts to migrate toward a military environment.

Clarke mentions, at one point, the Applied Physics Laboratory of Johns Hopkins, as having NSA contracts, in the details of just how to make these complete separations to protect the power grid and military infrastructures. In late 2008, at least one technician there took a “hit” at her apartment in suburban Maryland, and if you put all the pieces together it sounds rather alarming. (The story by Aaron C. Davis is still on the Washington Post, Sept. 4, 2008, here.)

Clarke sketches some really chilling hypothetical scenarios of escalating attacks on US infrastructure, leading to months-long power outages in some parts of the country and many deaths, along with total economic collapse and the demise of individual liberty as we know it. Our “just in time” focus in maintaining our infrastructure could become our total undoing. He mentions several movies predicated on cyber attacks, including Oceans 11, not mentioning that a blackout in that movie is precipitated by a ground EMP (electromagnetic pulse) microwave device, nor that the power would not come back on immediately after such an event. In fact, that hardware possibility is one sinister scenario that he should have taken up.

Richard Clarke served under presidents Reagan, both Bush presidents, and under Bill Clinton he was National Coordinator for Security, Infrastructure and Counterterrorism.

From PBS: "Richard Clarke: The man who saw it coming."

No comments: