If the first war was fought with sticks and stones, the next one likely will be fought with data. Cyber threats both big and small are increasing around the world, and they come with serious implications for governments and businesses that struggle to stay a step ahead of digital criminals. Cyberspace has become what the Pentagon calls the fifth domain, and a new book by Richard A. Clarke and Robert K. Knake looks at how to protect it. Clarke spent 30 years working in the U.S. government, including as a White House counterterrorism coordinator under Presidents Bill Clinton and George W. Bush. He was the first White House official to be in charge of cybersecurity. Clarke, a Penn graduate, visited with the Knowledge at Wharton radio show on Sirius XM to discuss the book, The Fifth Domain: Defending Our Country, Our Companies and Ourselves in the Age of Cyber Threats. (Listen to the podcast at the top of this page.)
An edited transcript of the conversation follows.
Knowledge at Wharton: We’ve seen congressional hearings where it seems like policymakers don’t have a deep understanding of these cyber threats. How do you feel about that?
Clarke: I think it varies. There are congressmen that get this very, very well. Rep. Jim Langevin from Rhode Island. Rep. Mike McCaul from Texas. There are people who understand it. There’s just not a consensus to spend at the level that we need to secure the government itself. What we learned by writing the book and talking to people around the country is that there are corporations that are doing a very good job of securing their networks. What makes them different is that they’re spending to do it. Congress won’t spend appropriately to secure government networks, and it also tries to make every government agency run its own network and secure its own network. We have these ridiculous situations like the personnel office defending itself against the Chinese People’s Liberation Army and losing 2 million top-secret clearance records, including all the details of my life since the time I was born. They probably know more about me now in Beijing than I do.
Knowledge at Wharton: What about on the military side? If the government is not spending the way that it should to protect cyberspace, should we be concerned about the military?
Clarke: Yes and no. The military likes to spend money on the offense, and Congress likes to give them money for the offense. So, we have a very good offensive capability, building on the work of the intelligence community, building on the work of the National Security Agency in particular. We now have something called the U.S. Cyber Command. It’s 10 years old. It’s a military organization. It has recently been authorized to do offensive operations, and it’s been doing them against Russia and Iran, that we know of.
They’re not very good at defense, nor are the big corporations that make our weapons systems. We have lots of very expensive, overpriced weapons systems that may not work when the time comes because they are hackable. That’s not me saying this. It’s the Defense Science Board, the Pentagon’s own agency. It’s the Government Accountability Office. There are long lists of weapons systems, from ships to airplanes to missiles, where they just didn’t do a good job of designing security in. The likely enemy next time we go to war, whether it’s Iran, North Korea, China, or Russia, they all have very good offensive capability. And they’re all thinking very hard about how to get into our weapons systems.
Knowledge at Wharton: Is that part of the reason why there is concern about bringing in third-party government contractors? They’re supplying material, but they’re another link that can be hacked in the process.
Clarke: The Pentagon has recently begun focusing seriously on their supply chain. Their supply chain consists not only of the big companies like Lockheed and Boeing and Raytheon that integrate the weapon systems and turn the weapon systems over for use, but hundreds if not thousands of companies in the supply chain for every weapon system. Second-order, third-order. Some of the third-order stuff ends up having been made in China.
“Congress won’t spend appropriately to secure government networks.”
Then they’ve got all the civilian infrastructure on which they depend. They depend on the electrical power grid, on the gas pipelines, on the commercial seaports, just as we do in the civilian economy. All of that stuff, according to the government, is hackable. The [outgoing] head of U.S. National Intelligence, Dan Coats, said in public testimony to Congress that the Russians can hack into the controls of our power grid, the Chinese can hack into the controls of our gas pipeline system. The Pentagon, as well as our civilian economy, depends on those things.
Knowledge at Wharton: But how much capability do we have to do the same things against those entities?
Clarke: Well, as we say in the book, we probably do. But let’s imagine the future scenario where an enemy state has turned out the electricity and destroyed the transformers and the generators, so you can’t just flip the power back on. It’s the middle of winter. The food shelves in your local supermarket are empty, the ATMs aren’t working, you’ve run out of paper currency, and the credit card machines aren’t working, so there’s no way you can buy food even if there were food. But there is no food because everything is not working because the power is out. And the president comes on the radio and says, “Don’t worry, we just did that to Moscow.” What we say in the book is, “I don’t know how that’s going to make you feel, but at least in Moscow they have a lot of vodka.”
Knowledge at Wharton: With the advent of 5G technology, do these issues surrounding cyber threats become even more ramped up?
Clarke: We have reached a moment where existing technology allows a lot of American corporations to defend themselves successfully. They are the dogs that don’t bark. You hear about the Yahoos, the Targets, the Equifaxes, the Marriotts. But then there’s a long list of companies you don’t hear about, and the reason is they’re being successful. But that’s a moment in time. At this moment in time, there is technology that you can use to defend yourself. But technology is always moving, and the moment in time is fleeting. We have three chapters in the book: one about 5G and the Internet of Things; one about machine learning; and one about quantum computing. We’re looking at where the technology is going to be in three years.
To answer your specific question, we think 5G was rushed to market without adequate concern about security. The professional staff at the Federal Communications Commission asked 134 questions about 5G security. The answers weren’t too encouraging from the vendors, but the commissioners themselves refused to regulate 5G for security. The commissioners also refused to regulate the internet for security because they don’t think they should be able to regulate the internet. They claim they don’t have the legal authority, whereas I think most of us realize they do. Or, if they wanted it more explicitly, they could get it more explicitly.
The problem with 5G is that it empowers the Internet of Things. Many, if not most, of the devices that will be connected on the Internet of Things don’t have security functionality. They were not designed with that in mind. For many of those devices, you can’t retrofit security into them. The chipsets, the firmware, are too small to put in authentication, to put in antivirus or end-point detection and remediation. You’re going have to re-architect the network. That includes things like hospitals, where heart-lung machines, IV drip machines, all sorts of things that preserve life, are hackable. People have proved that over and over again.
“We have lots of very expensive, overpriced weapons systems that may not work when the time comes because they are hackable.”
Knowledge at Wharton: I would imagine the cost of trying to retrofit or make those changes would cut into profits for these companies.
Clarke: That’s absolutely right. With regard to many of the companies, they buy these devices and expect them to last for 25 years. They’re not about to replace them, so they have to architect around the Internet of Things.
The Food and Drug Administration for years said that once a device is certified, you can’t change it in any way. So, the comedy that was created was that many devices were unpatched Windows 98 operating systems. It’s a million ways to hack into them, right? Finally, in recent months, the FDA has come around and said, “No, no, no. We didn’t mean that. What we mean is that all devices on the internet or network connected have to be securable, and you can change things to do that.” So, we’re making some progress.
Knowledge at Wharton: But that requires a significant mindset change by people who are making these decisions in order to move forward, correct?
Clarke: Right. Even big hospitals don’t spend much on cybersecurity. They don’t have chief information security officers who have big budgets. Going back to our major conclusion in the book: You can defend yourself today. Major corporations are. The way they’re doing that is they’re spending, and they have a governance system where the issue isn’t buried. The CISO, the chief information security officer, she’s not buried somewhere in the bureaucracy. She can report to the CEO. She can report to the board. There’s a member of the corporate board who understands this stuff.
That’s the model in good companies, and that governance model results in people spending 8% or 10% of their IT budget every year on security. For JPMorgan, that means $700 million a year. For Bank of America, it’s over $1 billion a year spent on IT security. If you’re not spending at 8% or 10% of your IT budget, you’re going to be hacked.
Knowledge at Wharton: What about security against cyber threats for the average consumer?
Clarke: The individual has a whole different problem. There’s a whole section in the book on how to protect yourself as an individual. Basically, you outsource it, which is also what you do if you’re a small- or medium-sized company. You have a managed security provider.
Most Americans who are online have somewhere on the order of 28 different passwords that they use with some regularity. I know that sounds like a lot, but if you just sit down and list all the passwords that you have — also then burn that piece of paper — you’ll find you probably have two dozen. What you will find is that half of them are the same. You’re using the same password over and over and over again. So, the password you used for your Marriott account just got hacked. Whoever hacked it is going to try that password on your email, on your bank, and most of the time, it’ll work.
People ask, “What’s your No. 1 recommendation for personal security?” Get an application called a password manager. There are three or four good ones. I’m not going to advertise for them, but I use one. They will generate passwords for you that are really hard to remember, but you don’t have to remember them. They’re also really hard to hack. The reason you don’t have to remember them is the application will enter your password automatically, and it will do it across all your devices. There’s only one problem: You have to remember one password, and that’s the password for the password application.
“If you’re not spending at 8% or 10% of your IT budget, you’re going to be hacked.”
Knowledge at Wharton: Technology has enabled better, faster delivery of infrastructure like electricity and natural gas. Yet at the same time, has it potentially opened the door for more of these problems?
Clarke: Only because when we designed these systems, the internet wasn’t around. And when the internet was connected to these corporations, they didn’t realize that people could hack their way from their bill-paying website into the corporate net, and from the corporate net into the control system. For years, the electric power people were in denial that that was possible. When I was in government, we used to get teams from the Department of Energy to go prove it was possible by hacking power companies, with their permission, and showing that we could get into the control room. People thought this was theoretical.
We conducted an experiment in Idaho where we blew up a generator by hacking into it. You have to convince people. Now, I think people are persuaded because the Russians hacked their way into the Ukrainian power grid twice and shut off the power. Given the access that they achieved, they could have blown up transformers and generators.
Knowledge at Wharton: It makes you wonder about the vulnerability of countries like India and Kenya that are still trying to build out electricity to all of its people.
Clarke: If you’re building an electric power grid from scratch now — not that there are many people doing that — you can build in security. You can design the system, architect the system, put in the right modules for cybersecurity. It’s hard to do that with a 100-year-old system, which is what we have.
Knowledge at Wharton: What do we need to do to improve security against cyber threats moving forward?
Clarke: I think corporations need to look at their governance model, get their governance model right, raise this issue up to the board, to a senior committee of the corporation, spend appropriately. Because frankly, it’s “pay me now or pay me later.” And the reputational damage, the damage to R&D, intellectual property information, would be huge if a corporation is hit. So, at the corporate level, I think the path is clear. The technologies are there. You can buy them, you can integrate them, you can be secure.
The government has to recognize that it, too, has to spend more. It has to outsource this stuff to one organization within the government, on the civilian side of the government. It has to also regulate in a sensible way. Not 20 different regulatory regimes confusing everybody. Not state regulation built on top of 20 federal regulations. But one easy-to-understand, modern, light-touch, if possible, regulatory regime.
And at the personal level, we all have to be very careful about clicking anything that’s attached to an email. Don’t click on an attachment. Don’t click on a link. Just don’t ever do it.
Knowledge at Wharton: Do you think the U.S. will see something like the General Data Protection Regulation in Europe?
Clarke: Ideally, we’d like to create a group of like-minded nations that has one single set of regulations, because major corporations are global corporations. They can’t be worrying about one set of regulations in India, one in Japan, one in the United States, one in Europe. We should try really hard to align our regulations on privacy and security among like-minded nations. We have a chapter in the book that outlines this and says don’t start out trying to get China and Russia, Iran and North Korea in the club. Create the club. Create the rules.
“At this moment in time, there is technology that you can use to defend yourself. But technology is always moving, and the moment in time is fleeting.”
We did this for money laundering when I was in the White House. We created something called the Financial Action Task Force. The first thing we did was got a very small number of nations together. We all agreed on the rules for banking and financial matters with regard to money laundering. Then we said, “Here’s a model law.” We all passed it, and we all started enforcing it. Then we went out to a broader membership group and asked, would you like to be part of this? Because there are some advantages for your financial institutions if your country is part of it. People came on and agreed to the rules. We propose in the book doing the same thing for cybersecurity.
Knowledge at Wharton: How do you then move on to include countries like China and Russia and Iran?
Clarke: When I graduated from Penn, I went to work in the Pentagon and worked on nuclear arms control. Then I went to work at the State Department and worked on nuclear arms control, chemical arms control, biological arms control. We were negotiating with the Soviet Union when we called it the Evil Empire. We were negotiating with them on arms control, confidence-building measures, rules of the road and risk-reduction measures at the very height of the Cold War, when they were the enemy. We ought to be able to do that today with Russia, China, Iran, even maybe someday North Korea. But first, we and our allies need to agree.
The president, of course, has shut down all of this. He’s eliminated the position I had as cyber czar in the government. He’s taken the people who were working on international arms control and norms for cyberspace in the State Department [and] fired some of them, demoted others. This administration is all about offensive activity, which is fine in the right circumstances. But you have to have an arms control and a risk-reduction process and an international norms process at the same time.