'Cyber War' author: U.S. needs radical changes to protect against attacks

Ex-Presidential advisor Richard Clarke writes: "U.S. military is no more capable of operating without the Internet than Amazon.com would be."

In his new book, Cyber War, Richard Clarke says nations are building up their online armies and weapons largely far from public view, increasing the danger of a deliberate or accidental cyberwar, which in turn could trigger violent conflicts across the globe.

"Cyber war has already begun," Clarke writes. "In anticipation of hostilities, nations are already 'preparing the battlefield.' They are hacking into each other's networks and infrastructures, laying in trapdoors and logic bombs -- now, in peacetime. This ongoing nature of cyberwar, the blurring of peace and war, adds a dangerous new dimension of instability."

The United States, he says, has a weak cyber-defense posture and should make radical changes, such as regulating ISPs to be able to play a role, under government supervision, in defending the country should a serious cyberattack strike.

Is the U.S. the nation most vulnerable to cyberattack?

Clarke, turning 60 this year, served as special advisor to the president for cyber security in 2001 and now teaches at Harvard's Kennedy School for Government and works at Good Harbor Consulting. He tapped Robert Knake, international affairs fellow at the Council on Foreign Relations, with a specialty studying cyberwar, as co-author of the new book, expected out April 20.

But Cyber War at heart is Clarke's passionate view on the dangers lurking just below the surface and what steps might be taken to prevent cyberwar. With a background decades ago in nuclear arms control and espionage in the Cold War, he compares that era with today's secretive world of military cyber commands operating over the Internet where attacks, such as disruptive denial-of-service attacks, break-ins and dangerous Trojans that could steal or alter data, are extremely difficult to trace back to their source.

"The force that prevented nuclear war -- deterrence -- does not work well in cyber war," Clarke says. "The entire phenomenon of cyber war is shrouded in such government secrecy that it makes the Cold War look like a time of openness and transparency."

With considerable detail, Clarke and Knake render vivid accounts of how significant waves of cyberattacks in the past few years have hit Estonia, Georgia, South Korea and the United States, among other places, and why some in particular bear the hallmarks of state-sponsored efforts to disrupt an adversary's Internet-based banking, media and government resources.

It's known that the United States, China, Russia, North Korea, Israel, France and others have established cyber military structures to serve as both offense and defense in any cyber conflict. But though the United States likely has the best cyberwar capabilities in the world, "that offensive prowess cannot make up for the weaknesses in our defensive position," Clarke contends.

Because the United States is the most Internet-dependent and automated in terms of supply chain, banking, transportation-control systems and other modern facilities, it's also the most vulnerable to cyberattack, Clarke argues. And the military's dependence on the Internet also means it would be vulnerable to disruptions of it.

"The U.S. military is no more capable of operating without the Internet than Amazon.com would be," Clarke says. "Logistics, command and control, fleet positioning -- everything down to targeting -- all rely on software and other Internet-related technologies."

On the other hand, he sees China with an advantage because its military aims to guard both enterprise and government resources, plus the Chinese government basically controls the Chinese Internet outright in many ways. "The Chinese government has both the power and the means to disconnect China's slice of the Internet from the rest of the world, which they may very well do in the event of a conflict with the United States," he writes.

"Cyber gap" in protecting businesses

The United States has made the U.S. Cyber Command responsible for defending Department of Defense systems and the Department of Homeland Security responsible for defending civilian government agencies in any cyberattack. But Clarke sees a "cyber gap" in protecting business networks, including banking systems and the electric grid.

Electric power grids are a central source of concern for Clarke because he believes that countries are secretly placing logic bombs -- malicious software hidden away that could be activated to cause power failures -- in each other's power grids. These logic bombs (Clarke's book fails to provide us with concrete examples) might be activated as an act of cyberwar, but might just as easily go off in different scenarios, such as by mistake or by a hacker discovering them and triggering them.

Logic bombs bringing down power grids could inordinately harm civilians through massive loss of electrical supply, and this is a topic that needs to be publicly addressed, Clarke says. He also argues it's time the United States consider establishing international treaties aimed at banning cyberwar against civilian infrastructures.

Clarke writes: "The main reason for a ban on cyber war against civilian infrastructures is to defuse the current (silent but dangerous) situation in which nations are but a few keystrokes away from launching crippling attacks that could quickly escalate into a large-scale cyber war, or even a shooting war. The logic bombs in our grid, placed there in all likelihood by the Chinese military, and similar weapons the U.S. may have or may be about to place in other nations' networks, are as destabilizing as if secret agents had strapped explosives to transmission towers, transformers and generators.

"America's national security agencies are now getting worried about logic bombs, since they seem to have found them all over our electric grid. There is a certain irony here, in that the U.S. military invented this form of warfare." 

Clarke suggests that in the United States, it should be up to the U.S. president to approve use of logic bombs against an adversary.

"When U.S. cyber warriors talk about the 'big one,' they usually have in mind a conflict in cyberspace with Russia or China, the two nations with the most sophisticated offensive capability other than the U.S.," Clarke says. "No one wants hostilities with these countries to happen."

Russia -- which has stated it would view a massive cyberattack as an act that would warrant retaliation with traditional weapons -- has been the main advocate of starting talks that could lead to international treaties related to cyber arms. While Clarke acknowledges he has previously rejected Russia's ideas on this score, he now says he's warming up to them because he thinks it's likely in the best interests of the United States and the rest of the world. He says the United States should consider a "no first use" pledge related to cyber weapons. But currently, he notes, the official U.S. position effectively blocks arms control in cyberspace.

Clarke would also like to see a new regulatory structure put in place in which larger ISPs, under government supervision and perhaps what would be a new agency called the Cyber Defense Administration, would play a formal monitoring and protection role for the nation. The United States would likely have to pay for these types of new services.

Indeed, there would be treaties that would require ISPs around the globe to proactively "be able to detect and 'black-hole' major worms, botnets, DDoS attacks and other obvious malicious activity." The goal would be to trace back attacks that might appear to violate treaties.

Amazing cyber espionage

Clarke does not, however, appear to support the notion of banning cyber espionage among nations. In fact, he seems to like it.

"The idea of limiting cyber espionage requires us to question what is wrong with doing it, to ask what problem is such a ban intended to solve?" Clarke asks in his book, with his answer being, "espionage is about getting knowledge."

And he marvels at modern cyber-espionage.

"Cyber espionage is in many ways easier, cheaper, more successful and has lower consequences than traditional espionage. That may mean that more countries will spy on each other, and do more of it than they otherwise would," he writes. But elsewhere, he also acknowledges "cyber espionage does have the potential to be damaging to diplomacy, to be provocative, and possibly even destabilizing."

Clarke doesn't hold back in the book from airing a few grievances.

Though a supporter of President Obama, Clarke is a fierce critic of some of the president's policies such as the electric-power "smart grid," which he thinks will be "a Less Secure Grid."

That's largely because a modernized U.S. power grid, for which billions of dollars have been allocated, will be more highly networked and automated with more points of attack, but as yet no clear defenses, such as encryption requirements, he points out.

Clarke also takes more than a few swipes at Microsoft, whose software is widely used by federal agencies, "even though Linux is free." Clarke is angry because Windows-based software over the years has had so many vulnerabilities that have been exploited in attacks against the government. And he perceives Microsoft as largely unwilling to change.

"Microsoft is a terribly successful empire built on the premise of market dominance and low-quality goods," he states. "For years, Microsoft's operating system and applications, like its ubiquitous Internet browser, have been pre-packaged on the computers we buy."

He says that although Microsoft "did not originally intend for its software to be running critical systems," the problem is that has happened "from military weapons platforms to core banking and finance networks. They were, after all, much cheaper than custom-built applications."

The Pentagon buying commercial-off-the-shelf software brought in "all the same bugs and vulnerabilities that exist on your own computer." Clarke adds, "Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems."

He resents that Microsoft refused to "share a copy of its secret operating code to its largest U.S. commercial customers," but was so compliant with demands from the Chinese government.

"By threatening to ban Chinese government procurement from Microsoft, Beijing persuaded Bill Gates to provide China with a copy of its secret operating code," he says, and as part of the deal, "China modified the version sold in their country to introduce a secure component using their own encryption." He says China has also developed its own operating system, Kylin, modeled on open source FreeBSD, which has been approved by the People's Liberation Army for use on their systems.

Clarke also finds it alarming that Chinese companies have been selling counterfeit Cisco routers at cut-rate discounts around the world. One firm, Syren Technology, was indicted by the FBI and Justice Department as having a customer list that included the Marine Corps, Air Force and multiple defense contractors.

Clarke concludes that the United States, despite whatever advantages it thinks the military may have, has to act now to come up with a viable and comprehensive cyber strategy.

"While it may appear to give America some sort of advantage, in fact cyberwar places this country at greater jeopardy than it does other nations," Clarke says. "Nor is this new kind of war a figment of our imaginations. Far from being an alternative to conventional war, cyber war may actually increase the likelihood of the more traditional combat with explosives, bullets and missiles. If we could put the genie back in the bottle, we should -- but we can't."

Copyright © 2010 IDG Communications, Inc.