Book TV, After Words: Richard Clarke, The Fifth Domain. C-SPAN, July 29, 2019, 12:02am-1:02am EDT
...footnoted. Ten years ago I wrote a book called Cyberwar, and we said things: one, that militaries would become dominant, and then, attacking each other in cyberwar, infrastructure is the target set, not just stealing information, and we were criticized. So at one level we wrote this ten years later just to say we were right. But we also wanted to say what has changed, and while we were right about some things we were wrong about others. So if you look at the major attacks of the last three years by the Russian military, if you look at that target set, the United States more or less admitted the power grid is the infrastructure target. But with the largest destructive attack, and beyond attacking them and stealing information, so we were wrong that you cannot defend yourself. We were talking to Dmitri the other day and he said you can have all the defenses in the world, but if the Mossad is after you, you are screwed.

>> So the major difference in the landscape from ten years ago is big corporations. There are corporations in America: are they invulnerable? No. But they are resilient. Can they penetrate the network? Not that there is a perimeter. But can they do real damage?

>> The answer is no. If you look at this, there is a long list of American companies that were in Ukraine that had their networks in the US destroyed. But there's also a list of companies that were in Ukraine. So what is the difference? What makes one company able to be resilient while others aren't? There are a lot of answers to that question, but the determinative answer is money. How much do they spend? It is a gross metric, but if they are spending 3 percent of their IT budget on cybersecurity, which is kind of normal for a lot of companies, versus if you are in that eight or nine or 10 percent on security products, year after year after year, you can achieve it with technology.

>> Mentioning the cofounder of the firm with the IPO: in the book you discuss how back in the day there were two types of companies, those that were hacked and knew it and those that were hacked and did not know it, and now there are those that are essentially... and money is a key factor in creating that third class.

>> And money buys good
product. So I started in this business in 1997. If you wanted to defend your network, you could buy a firewall, which was not very good, and an antivirus system, which was not very good, and in 1997 there was a third product, which was the intrusion detection system, so a light would go off saying somebody was trying to get in. If you wanted to spend more money, you couldn't. But we interviewed people from major Wall Street banks that are running networks with 50, 60, 70 different IT security products from almost as many vendors, and they get into all of that. But look at J.P. Morgan: they are spending $700 billion per year, $700 million a year I mean, on IT security, with thousands of IT security people running that network. They can buy a lot of products that are very specialized. When there is a new threat, a product comes out pretty quickly. You have to be constantly buying and updating. The other thing that has changed, and this sounds wonky, but it is governance: the IT security person was way down in the organizational hierarchy, reporting to the deputy CIO. They never saw the people running the company. But now at a quarterly board meeting of a major company, on every agenda is the chief information security officer, and she is in the room briefing metrics and showing what has happened since the last quarterly meeting, what the risks are and what has to be done. That is part and parcel now of the board meeting, and that CISO is way up on the food chain, reporting to the CEO. Talk about the company in the book. They don't like to use their name because they don't want to be a target, but they were in Ukraine and they were hacked, but no damage was done. And it just so happens the chief information security officer works with the chairman of the board right along with everybody else, and if he wants money, he doesn't have a budget, he just spends it. If there is a problem and somebody denies him what he needs, he talks to the chairman of the board. That is unusual. It's also unusual for a company to be that secure.

>> Talk about being hacked. Russia is doing very bad things. I'm not sure I share all the optimism, but the bad things are happening. Even as you see this growth in the private sector and so forth, isn't it true the
adversaries are getting better at shutting down the power grid?

>> The threat actors are very sophisticated. We have a chapter in the book about machine learning and artificial intelligence. So now you go to the cybersecurity conferences and every company advertises machine learning, but very few actually have it. But adversarial AI is a thing, right now only being used by governments, but it is. We talk in the book about how the United States government, at the hacker convention, DARPA, the Pentagon research arm, sponsored a competition among universities for adversarial AI where they had five large devices on stage, and at the signal they all turned on and everyone walked away, and for the next couple of hours there was no intervention. All of the programs attacked the target: they mapped it, figured out how to get in and how to get past the defenses, how to capture the flag and how to get out. It turns out if you try to steal information, getting in is only half the battle. And they did it. They got through very sophisticated systems. I think that is happening now, but that means the response time that you have to defend the network gets down to minutes, not days or hours.

>> Something else you mention in the book is glass houses and leveling the playing field. One of the things that you say is the United States has the sharpest stones, but we live in the glassiest house.

>> In the last book we said people who live in glass houses should not throw code. We are really good on offense. I know the CIA gets bad reviews from time to time for not defending their own attack tools, which are still now in use by other people, but those are several years old, and at any given time the tools are really good, and if you are being attacked by the United States government you will not know it.

>> So there is a tendency in the government with cyber policy and jobs: if we are really good, we can just go on the offense. But there's very little attention paid to the fact that there are key parts of the infrastructure of our government that are really easy to attack and destroy and disrupt. The good news is some major corporations, but the bad news is the government and the military are really quite bad at defense. And therefore we do see things of ours having been stolen and used against us. The GAO, year after year, is issuing reports that our very expensive and very sophisticated technological weapon systems are easily hacked. And the list of those weapon systems that GAO talks about is staggering: the F-35, Freedom-class naval combatants, antimissile systems, and it goes on and on. We paint a picture where the United States has to go to war with a sophisticated cyber opponent and maybe without the shiny objects on the battlefield because they have been hacked.

>> I want to get to Bolton in a moment, but another theme of the book is the government and the private sector and who should be responsible for national cyberspace. You ultimately come down on the side of the private sector first and foremost, with support from the government, but the government taking over as others have advocated would be a bad idea. Is that because they cannot secure their own networks, or are there more reasons? That's a good place to start.
>> Why should you be defending other people? There is a tendency among some CEOs and some corporate boards to say, you want me to spend so much money against the Russian or Chinese military? I thought we had the Defense Department to protect us against foreign militaries. Don't we pay taxes for that? Obviously corporations don't pay taxes. And they think we should just have Cyber Command defend US Steel or Wells Fargo. When you talk to the banks and say, you really want to hand over your network to Cyber Command? They are horrified. They don't want the US government running around. This is very complicated, and there's nothing in the government like it. They don't know how to run a power grid or how to secure a power grid; they don't have the expertise. Expertise is in short supply. So this panacea of Cyber Command is a pipe dream. Individual companies have to defend themselves. But they can get help. They can outsource security; there are managed security service companies that run the security of your network if you can't do it yourself. If you put your network in the cloud, and they are doing a pretty good job, then you can have a managed security provider. And it sets a level playing field. For regulation, there has to be smart regulation, and this is the goal. California got a lot of criticism last year for passing legislation that said internet of things devices must be secure. It didn't say much more than that. People said, so what does that mean? We need a standard? Yes. But it's also a pretty good start. If you put a device on the internet that ran something like a heart and lung machine or an IV drip or a power grid, you figure out how to do that. And get industry together to come up with industry standards that are realistic, and then the government can look at those standards and say, I don't think that's enough. Which has happened with the power grid: you come together to come up with your own regulations, and now the government says you need to do more.

>> But the title of your book is The Fifth Domain, after air and land and sea and space, and the concept you mentioned is that in a kinetic war, to take down power grids, there were attacks. Given that the risks are that high, to have a few hundred billion dollars...

>> The knowledge of how to secure these networks really is in the hands of the industry. You mentioned airplanes. I have done a lot of work for the aviation industry, and what strikes me is some of them look pretty good. The product, the engines, are great; the aircraft is great. But then there is a whole lower level in the supply chain of companies we have never even heard of, that all the airports use for the infrastructure layer, and most of them are not secure. Now all of a sudden the flight controls that the pilots have on the little iPads don't work; now the kiosks don't work. So what the government can do is set the requirement to secure not just your own product, not just your own network, but your ecosystem: to identify the supply chain, those dependencies, and to have an industry work together
so that the entire industry is secure.

>> To be clear, you say in the book that information sharing, from when you were in government, does have a role to play, but only so far. And I'm curious how the administration is currently doing to help secure cyberspace.

>> This is the first time in a long time we have a national strategy. I have written two of them. The national strategy of the Trump administration is a lot. I do think it is disconnected from the actual strategy, because part of the strategy is you have to have that governmental mechanism, and the Trump administration disassembled the government that we need. We need someone to say, that person is in charge of cybersecurity policy implementation, but we don't have that anymore. Early in the administration they had a guy who used to work for the NSA. He was there in the White House, and everyone in the industry said that's good, but then he didn't replace him at the White House. Now at the State Department we have a small team, too small, worrying about international norms and also arms control.

>> So on paper the strategy was good, but not actually what was going on. So in terms of regulation, the Trump administration says any new regulation has to identify two regulations to abolish before you can have one new one. If regulation is enacted by this administration, and also by people in Congress...

>> But as we say in the book, there are 12 different government agencies that have cyber regulations at the federal level. They are all inconsistent. They were not developed holistically, so we call for a clean slate, to have all the regulators come together and together figure out protection. Then those industries have different features, but the differences in those regulations would be those that were intentionally made. Because in addition to the corporate level trying to figure out what regulation I have to worry about, then you have regulations at the state level, which are actually coming, but that's because the federal government isn't doing it.

>> To go back to Ambassador Bolton and pushing Rob out of his position.

>> I go every year and stay for ten years.

>> But one of the specific things, and we will go a little wonky here, but this is one of my favorite topics, is the National Presidential Memorandum that reversed those policies from the Obama administration, which required an elaborate process, but now, from what we understand, they have a much freer hand with these attacks. So no matter what you think of that approach, is that necessary to deal with Russia or Iran or others, or does it lead to spiraling out of control?

>> Trump signed NSPM 13, but before that happened, and with the
you have to have done that way in advance. It takes weeks or months and you have to keep it updated. That's the secret we reveal in the book: despite the fact that everybody is out there running around hacking their way into things, it wasn't. It wasn't authorized, and there were serious steps you had to go through to get approval. They were told that no one will know it was us. They figured out very quickly, with the help of people in Europe. Even though there was no network connection, it ran around the world. Other people caught it and decompiled it. It didn't do any damage. It's a brilliant piece of software, but people caught it, decompiled it and started building their weapons off of it, so the administration said that didn't work. It didn't do as much damage. We were the first nation state to be seen engaged in an active cyber war, and it will make it difficult to do that again. We had the Obama administration on the battlefield, and now we have Trump devolving the power. Having worked for three presidents in the White House, I know that when an agency has authority to do something like a covert operation, if it goes wrong, it's the president who gets blamed, so the president has a right and obligation to have some White House oversight and supervision.

>> Some of the critics would say we don't want him to have that authority; maybe you are right that the White House should have oversight, but in this case we trust the Pentagon more than the White House. Do you agree with that? You brought up Iran and the escalation between Washington and Tehran. In the book you have a hypothetical scenario of hostility between Israel and Iran, and in the scenario you describe a situation where the president is informed that the United States blocked the cyber attacks and turns to the Secretary of Defense, saying to begin bombing Iran. Is that possible?

>> Guest: It is a short piece of fiction in the book, and I think it is realistic. We go through and deconstruct it. Yes, it could happen; in fact, it almost did. My co-author and I looked at each other and said it's going to take place before our book is
...as like-minded nations to help each other, to prosecute crime and share information and agree on international norms. If you will not implement them, then you don't get to play. We had in mind something like money laundering: a group got together, a small group, and anybody who doesn't live up to the standards doesn't get to clear their money through the banks. And those defenses: they ask them to stop, and if they don't, when we say this is the individual, arrest them, they don't. There has to be a system to deal with that. I don't want to advocate a system where we say, okay Russia, okay China, you can come in and be the founder of the new safe internet. I don't trust them.

...it. The Russians took things that they had been doing for 100 years; it's been in their doctrine for a hundred years. They took those things and put them on steroids by using the internet and using social media. We were not ready for that, and there is no law to regulate social media, so while Facebook and others say they are doing good things, we don't really know. There is no auditing of what they are doing, and frankly we know that they are still doing it, creating hatred, going on both sides of every issue. Why is that? Pretending to be American, talking about vaccination, on both sides of the issue. You can do that on any issue, and they are still in the social media, sowing dissent, hatred, causing us to hate each other and focus inward, not just on the election but every day. And the Congress hasn't done its job. It's held hearings but hasn't passed any law, nor has any regulatory agency. In the past, if you had a new problem like this, you put somebody in the White House to be in charge of it and give her all the power she needs to coordinate a government response. Is there such a person? No one. There are some people in the NSA and Cyber Command, but there's no coordinating strategy or funding of the effort. In addition to social media, we also have to counter the activity in the system itself.

>> The FBI has been really slow and the DHS has been slow in explaining the extent.

>> If you want to defend the
system, you have to secure the campaigns and parties, the candidates. Then you've got to defend the data; there are ways of manipulating that. Then you have to worry about the machines and reporting. There is a whole system. People say that it's the responsibility of the states and counties. You think the cybersecurity skills are in the county election board? I love the people of my town, but they don't have the skills or the resources to protect against the Russian military. Here, whereas I say corporations have to defend themselves, here I think the government has to say this is a federal election, and federal resources... But they are not saying that. They are saying the states can all decide on their own standards. They have to defend themselves. They have to come up with the money. That's crazy. The Constitution says the states shall do it, and then there's another word, I don't know if it exists, it says but the Congress may pass laws to do this; in other words, they may preempt the states and counties. I think the answer is Mitch McConnell. Why does he not want that to happen? I think it's because he realizes that the people who are doing this manipulation are supporting his side.

>> Congress did appropriate for the states, and I believe that was in 2018. I want to say that is not enough, and we certainly are not seeing any new activity in Congress.

>> We are seeing it on the House side. The House has passed more reasonable amounts of money, but Mitch McConnell has kept it from even going to the floor and being voted on.

>> One of the proposals that you write about is this idea, going forward, of a digital identity, I think you call it, combined with the social media companies needing to do more to prevent these problems and control the networks. I'm struck by the idea that...

>> Guest: I'm all in favor of your being able to go to a library anonymously and take out any book and sit down and read it, but I don't want you to go into a bank and take out money anonymously. There are places in the physical world where you need to show ID, and there should be places in the virtual world where you need to show ID. It should be easy to get and easy to use. And it's complicated right now. I have a password manager and you probably do also. I have more than 28 passwords and they are all different, because you never want to use the same one twice. We have a whole chapter on this, but we will get back to that. Passwords are a 20th century technology. We ought to be using something simpler to use. The American people don't trust the government to issue national ID cards. I get that, but every state issues a driver's license, which is used as a national ID card, and every country in the world has national ID cards, but we don't.
>> Given the internet of China and other authoritarian countries, is there not a concern that by doing more to police the platforms, by creating all these rules about what can be said and how it can be said...

>> I want to know who the people are that are saying it. I don't want anybody to regulate what I say or what anybody else says, but if you are going to participate in the process, you should be able to say who you are. There are places I want anonymity. Certainly if you were a human rights worker in Egypt, you want to be able to use the internet and communicate anonymously without the police coming in. But the system we have right now is not a government system. It's MasterCard, which by the way is making a lot of progress doing something like what we proposed. MasterCard or Visa or Google, some multiple agencies and organizations should create federated identity. Just as I can go into any store today and use the Visa or MasterCard, I should be able to go into any website and use a new identification issued by one of the certified issuers. The technology exists. We just need the government to say, if you live up to these standards and create this system, we will take it when you go on a veterans website or the Social Security website; we will be the first. If the government would do that, the system could happen, and we could get rid of passwords and all sorts of other IDs.

>> A couple more comments before we close out. To what extent are we our own worst enemies? What about the theory that holds that the leak did more than our adversaries? What do you make of this tension, and do we need more oversight and public discussion about how the NSA is deciding whether to use the tools or disclose them so they can fix the problem?

>> There are two issues. One is NSA security and its contractors, because I think in all these cases the investigations are likely to show some contractor was the problem in losing the tools. If people were stealing tanks or nuclear weapons, it would be a horror. They are stealing our cyber weapons, and so we should be equally horrified. They thought they had trusted security in the NSA, and I think we need to do a better job,
obviously. The contractors need to suffer when they screw up, because there is no penalty right now. The other issue, though, is when the NSA or CIA becomes aware of a vulnerability in a widely used system, what should they do? President Obama decided, based on recommendations of an outside group of experts, of which I was one, that the default is if you discover a flaw that could be exploited in widely used software, you tell the software manufacturer and help them fix it. Only on very rare occasions and for very short periods of time should it be otherwise. I am not sure that is happening, and the public doesn't have any way of penetrating to know whether that is happening or not. But I think it is the case, certainly with WannaCry, that the government knew about a flaw in the Microsoft server software and probably was using it for a couple of years, and told Microsoft only after it was going to leak anyway. That is not acceptable, and the reason it's not is, while it may be fun to use that on offense against the Russians or somebody, the Russians are going to see that also, or will have figured out that same vulnerability, and go after American companies, and we are not even going to know it. If we found a vulnerability in a piece of software, other people do also. We are not the only ones. Our only obligation should be to tell Microsoft or whoever it is right away.

>> We are running out of time, and I want to end on a positive note, because your book is an optimistic look at cybersecurity. The last chapter discusses things you can do to protect your own cybersecurity. What is one thing you would tell them to do to better secure the internet?

>> Use a password manager that will generate the passwords for you, and they will all be different. Never use the same password twice, and you will never forget one.

>> Your book is an excellent read. Thanks for joining us.
This and all of our "After Words" programs are available as podcasts and can be viewed on the website booktv.org.