Cyber War: The Next Threat to National Security and What to Do About It
Richard Clarke served in the White House for four presidents and was appointed National Coordinator for Security, Infrastructure Protection, and Counterterrorism under Bill Clinton, and the first Special Advisor to the President for Cybersecurity under George W. Bush. Clarke teaches at Harvard University’s Kennedy School of Government. Robert Knake is an international affairs fellow at the Council on Foreign Relations. (Knake, whose name is printed in a significantly smaller font on the front cover, appears to have written one chapter in this book, “Cyber Peace.” For simplicity’s sake, this reviewer will refer to both authors as Clarke.)

The take-away a reader will get from this book is that cyber war is real, a global menace that has already begun, and that the main difficulty preventing a good defense is the absence of clear policy. “We do not have an authoritative articulated policy today about how we would regard a cyber attack and what we would do in response.” “The biggest secret in the world about cyber war may be that at the very same time the U.S. prepares for offensive cyber war, it is continuing policies that make it impossible to defend the nation effectively from cyber attack.”

The author gives the reader a breathless description of significant events in cyber warfare interspersed with hyperventilating hypotheses and disaster scenarios. The narrative jumps backward and forward in time and place, making it difficult to separate the past from the present, and to tell what event may have led to what response, if any. The style makes it difficult to distinguish facts from conjecture. As such, this book might be read as intending to inflame the public, like CNN’s broadcast of the fictional news network GNN’s report of a cyber attack, or in the style of Orson Welles’ broadcast of War of the Worlds. But there is some real meat beneath the hyperbole.
The purposes of cyber warfare appear to be many: to disable an enemy’s defenses, to gain information, to disrupt infrastructure, to reduce the will to fight. The advantage of cyber warfare is that an attack may be performed from a great distance, at the speed of light, at the click of a button. An attack that prevents attribution hides the source of the attack. Hiding the source hides the responsibility, preventing legal recourse or targeting for counterattack. The kinds of attack noted to date are:

1. Data downloads
2. Subversion of systems
3. Distributed Denial of Service attacks

The author starts his story with actual events in cyber warfare, details of reported cyber attacks sourced from Russia and China on other nations, which serve as examples of what could happen if the U.S. were to be a target. And the U.S. has been a target. In 2003, China created a cyber warfare unit that downloaded terabytes of unclassified data off of DoD servers. This activity got its own codename, “Titan Rain.” China also took data off of a laptop brought in by a visiting U.S. Secretary of Commerce (whom Clarke names). China also copied and sold counterfeit Cisco routers, which showed up in the U.S. market in 2004. A distinction that Clarke doesn’t draw is this: what should be considered cyber attack, and what should be considered opportunism? It doesn’t appear easy to get clear information on U.S. policy or action toward China, and this book doesn’t provide any answers on national policy, only questions. In describing Israel’s jet attack on Syria’s nascent nuclear facility in 2007, Clarke mixes romance with facts, interspersing real events with imagined scenarios and confusing cyber warfare with its more traditional kin, electronic warfare. In describing a Russian cyber attack on Estonia in 2007, Clarke describes the method of cyber attack with much less hyperbole.
The method was a distributed denial of service (DDoS) attack on Estonia’s servers, targeting the telephone network, credit card verification system, and Internet directory. The cyber attack lasted for weeks, and Estonia asked for international assistance in repulsing it. In 2009 Google reported an attack on itself, one that installed malware on researchers’ computers, sourced from China. Clarke identifies Canadian researchers who published a paper investigating a compromise of more than a thousand computers across several countries’ embassies around the world. In this attack, which the researchers called “GhostNet,” the cyber controllers were able to turn on victims’ computer cameras and microphones and send the data back to servers in China. Again in 2009, starting on July 4th, the U.S. government was cyber attacked, most likely from North Korea. The attack brought down dhs.gov as well as servers in the U.S. Treasury, the FTC, and the DOT. The cyber attribution trail, however, dead-ended in the U.K.

A cyber attack on civilian infrastructure may leave no physical damage and, with no attribution, provide no justification for escalation to a shooting war. A cyber attack in peacetime might, however, justifiably lead to a tit-for-tat cyber counterattack. In this instance, note that a cyber attack from North Korea would be as asymmetric as asymmetric can be: there is no computer network in North Korea to counter-attack.

Clarke provides details on the political infighting in the DoD and the civilian spy agencies that occurred in determining who should be responsible for what in providing for a civilian cyber defense. Responsibility for civilian defense gained a home in the Department of Homeland Security (DHS). As for the DoD, in 1997, when Clarke worked with NSA to test the Pentagon’s cyber security, he noted that within two days a cyber attack team was able to penetrate a classified network, and the exercise had to be halted.
DoD classified networks are separated from the Internet by an “air gap,” and data crossing this gap must be transferred by manually attaching physical media, for example a thumb drive. There is no open information as to whether DoD classified networks have ever been subverted to the point of causing damage, but the opportunity for such subversion, by a virus carried in on a thumb drive, continues to exist. Clarke claims that a Russian virus was detected on a classified network, presumably via this method, in 1998.

There is a significant difference between commercial and government unclassified networks. The U.S. Government effort to date has been to secure only its own computers: .mil today and .gov sites in the future. There are no plans for the government to secure private sector computers. Clarke quotes President Obama as clearly defining this policy: “So let me be very clear: My administration will not dictate security standards for private companies.” As U.S. government websites batten down their computer networks in response to cyber attack, commercial providers, unaware or unconcerned, continue to add Internet services over public networks. One risk is in providing remote services to control and monitor embedded devices. This trend moves the potential for cyber warfare from the server and desktop to any device that can be connected to the Internet. The concern here is not just that personal devices, such as Internet-enabled cell phones, automobiles, and televisions, may be attacked, but that devices within the U.S. critical infrastructure, such as those controlling the U.S. power grid, may be attacked. One can imagine the scenario of a single press of a button shutting down the U.S. power grid. (Of course, this could happen by accident or by a home-grown hacker, too.)

Why the Internet is so vulnerable comes down to:

1. Flaws in the design of the Internet
2. Flaws in the hardware and software comprising the Internet
3. Critical infrastructure accessing the Internet

Clarke gathers several sets of solutions from different sources and refines them into a list of the areas where vulnerabilities need to be reduced:

1. The Domain Name System (DNS)
2. Hardware and software routing control and data between ISPs
3. Governance (no one “owns” the Internet)
4. Network control (which should be encrypted)
5. Internet architecture: a decentralized design with no central authority has disadvantages in combating attack, and the current design permits easy propagation of malicious traffic

Clarke proposes a three-part solution for defense of U.S. infrastructure that he calls the Cyber Triad:

1. Smart regulation of the Tier I ISPs that includes “deep packet” inspection. Smart regulation is defined here as regulation that doesn’t violate privacy or slow down the Internet. (Clarke admits that the U.S. government has a credibility gap in adherence to its own laws on privacy.)
2. Secure the power grid by disconnecting critical infrastructure control from the Internet.
3. Improve the DoD unclassified network by greater use of firewalls, encryption, and network monitoring, even for networks not attached to the Internet.

Clarke notes that there are vested interests in not changing things, pointing out that regulating industries that fund political parties is a difficult thing to do (which may be obvious from recent disasters in financial institutions, coal mining, and offshore oil drilling, with corresponding reports of lax regulation). In regard to the software industry, Clarke makes such extreme claims about Microsoft’s intransigence that one might hazard a guess that Ecco’s lawyers were involved in keeping the libelous word treason out of the text. Clarke claims that Microsoft:

1. Prevents regulation of security in the software industry
2. Prevents the DoD from abandoning flawed security software
3. Prevents discussion about software production overseas and deals with China

In another chapter Clarke covers cyber war games and provides the details of the lessons learned in these games. Clarke notes that the greatest difficulty in extracting usefulness from war gaming is that knowledge gained in practice is limited and self-defeating: once an attacker uses an exploit, the defender soon figures out how to block it, rendering that exploit useless. Exploits must be kept in reserve, and with the best hackers, you’ll never know you were a victim.

The chapter titled “Cyber Peace” addresses the proposition of having international laws of cyberspace. This chapter is written in less purple, more coherent prose, leaving a trail pointing perhaps to the minority partner in authorship, Robert Knake. It provides a balanced look at international law and the potential of a treaty to ban cyber war and cyber espionage, or at least to attempt to ban cyber war on civilians. Because there is always dependence on civilian infrastructure, that infrastructure will be a tempting target. If you can hack the banks, power, communication, and supply logistics, i.e. the infrastructure, the enemy’s troops won’t be paid and won’t have food, fuel, spare parts, bullets, or even the ability to call for outside help. Pointing out that the U.S. has greater dependence on the Internet and so is more vulnerable to the destructive effects of cyber warfare, Clarke indicates that a cyber arms limitation treaty would be in the U.S.’s best interests. Alas, the U.S. government has been surprisingly consistent in its opposition to cyber arms control. The rationale provided is that without a national policy in place there is no official stand to take, so the policy remains the status quo: no stand at all. One likely reason for not having an open national cyber policy is the preexisting DoD policy of secrecy about cyber capabilities. As the book puts it, “[s]ecrecy surrounding U.S. cyber offense means we have no demonstrated capabilities.” The U.S. refuses to show what it can do, and without a demonstrated capability, cannot induce an adversary into self-restraint. As cyber warfare is “conventional” (at least until the nuclear power plant infrastructure goes online), there can be no fear of mutually assured destruction to induce self-restraint.

That a cyber war limitation proposal is both a complex issue and one that won’t be addressed by the U.S. government doesn’t mean that things can’t be made better. The first step is an open discussion of the issues, and this book provides that first step. The difficulty in proposing a cyber arms limitation treaty lies in the nature of cyber attack. As the lifeblood of law depends on clear-cut distinctions as to what can be shown, proven, and disproven, so the definition of what cyber war is and is not hangs on cyber warfare’s measurable effects. The author states that a limitation proposal should include these understandings (reordered by this reviewer):

1. International agreements that prohibit certain acts, such as attacks on civilian infrastructure, will be to our advantage.
2. There is a need to cease development of capability for civilian attack.
3. Cyber arms control cannot eliminate capability, but can only prohibit acts.
4. Broad definitions of cyber warfare that include cyber espionage are not verifiable.
5. High-confidence verification of compliance will not be possible, due to the inability to attribute attacks.

The understandings listed above were reordered from the order presented in the book to highlight the circular logic of the need for, but also the impossibility of, reducing capability, verifying attribution, and limiting espionage. “Determining whether a nation is engaging in cyber espionage may be close to impossible.” And certainly, more work needs to be done in this area.
Note that the need for measurement in treaty verification basically eliminates legal limits on spying from consideration. Clarke claims that Americans are not good at the human aspects of spying because of what he calls “deeply rooted cultural issues” (which, if true, would be a worthy study in itself), but that Americans are superior to the rest of the world in electronic spying. As to how the U.S. truly rates in cyber espionage, without a demonstration of capability, we’ll never know.

This is the Catch-22: before public dialog can begin on civilian protection there needs to be greater openness on offensive capabilities. There cannot be openness on capabilities because whatever we are capable of, one may assume the enemy is also capable of. And in order to have an effective defense, one has to know what to defend against. Having a dialog therefore gives the advantage to the enemy. Ceasing development of capability for civilian attack, when the military is dependent on civilian infrastructure, also remains problematic. The author claims that, to date, 1) civilian targets are not off-limits to U.S. cyber attack, and 2) the U.S. is capable of hacking into banking institutions.

Clarke concludes his book with a summing up in which he offers an agenda for going forward consisting of the following steps:

1. Initiate a broad public dialog about cyber war
2. Enact the cyber war triad
3. Beef up efforts to reduce cyber crime
4. Start international talks on a cyber warfare limitation treaty
5. Provide more research on secure network design
6. Get the U.S. President involved in cyber war policy

This book, as an object for review, is in itself problematic. On the one hand, the book is written in simple English and provides the lay reader with clear explanations of technical terms, including a glossary. On the other hand, Clarke’s arguments on cyber war are spoiled by hyperbole and inconsistent editing.
Claims are unreferenced, and mutually supporting claims are diluted by changes of topic that separate them in the text. Events described have dates, but the events are not time-ordered in the text. The book would be improved by providing the reader with references, an index, and an ordered timeline of significant events. But, as an opening shot on the subject matter, this book currently stands alone.

Reviewer Robert Schaefer is a Research Engineer at MIT Haystack Observatory.