tv After Words Richard Clarke The Fifth Domain CSPAN August 24, 2019 12:10am-1:11am EDT
clarke discusses the growing role that cyberspace place and were in national secured. he is interviewed by dustin boltz, cybersecurity and intelligence reporter for the wall street journal. "after words" is a weekly interview program with the relevant guest host interviewing top nonfiction authors about the latest work. >> let's dive right in. this is not your first book on cybersecurity action were 110 years ago. why follow that up with this book no an now. >> they give for reading the book you might find some your great reporting referenced in the book, all appropriately footnoted. ten years ago i wrote a book called cyber war and we said things then that militaries were going to become dominant in the landscape in cyberspace and that
militaries would attack each other in cyber war, we said infrastructure will become part of the target set and there can be large damage and destruction. not just information damage. at the time we are criticized to integrate review that said file under fiction. so i think at one time robin i decided to write the book that we were right but we also wanted to say, what has changed in the ten years and while we were right about something, we were wrong about others. yes the militaries have become the dominant threat and if you look at the major attacks in the last three years of all the military, arena, north korea, chinese, russia, america if you
look at the target they are going after every structure and just last month the united states more or less submitted they penetrated the power grid claiming they had done it to us. it is destruction if you look at the attack, the largest destructive attack over $10 billion worth of damage, it is wiped out networks to not just attack them and still. >> we write about all that, what we were wrong we said ten years ago you cannot defend herself y. he said, you can have all the defenses in the world but if the mossad is coming for you, you are screwed.
we say in the book about the difference in the landscape right now from ten years ago is there are corporations, big corporations in america that are pretty secure. are they invulnerable to the attacks? no but there resilient. can someone penetrate their network? i'm not sure because there's no perimeter. but can they do real damage to those companies and the answer is, no. if you look at that, there's a long list of american companies there were in the ukraine the heather networks in the u.s. destroyed. but there is also a list of companies in the ukraine that did not. but we tried to ask, what is the difference, what makes a company able to be resilient and defend
itself while others do not. there are lots of answers to the question, one of which the predominance, money. how much do they spend. i know it's a gross metric, but if they are spending 3% of their it budget on cybersecurity, which is kind of normal for a lot of companies they will get attacked and hurt. and if they are spending eight, nine, 10% on the high side, we saw committees spending 17%. if you're in the eight, nine, 10% of the it budget, on the security product and services, year after year after year, you can achieve a lot of security given today's technology that evolved a lot.
you mentioned the cofounder of crowd strike in the firm. in the book you discussed back in the day there was two companies and they were hacked and did not know. he and others believe there are three companies, those two in addition those that are essentially successful repelling the attack edges and. >> money is a key factor are there other factors, what else has let us to create the third class. >> money buys good product and there are good products. and what we saw, i started in this business and 1987, when you wanted to defend your network you could buy one of three products, you could buy firewalls which were not very
good, you could buy in antivirus system which was not very good, and in 1997 there is the third product that you could buy which was an intrusion protection system so you can have a blinking light that would go off all the time. if you wanted to spend more money you really cannot. he interviewed people from major wall street banks that were running networks with 50, 60, 70 different it security products with almost as many vendors so they have the really difficult task of integrating all that. but if you look at j.p. morgan, their spending six, $700 billion a year -- 600 or $700 million a year trying to do it security and have thousands of it
security people running the network. so they can buy a lot of products. the products have dissolved and governed specialized when there's a new threat, a product comes out pretty quickly after the threat. you have to constantly be buying and updating. >> the thing that has changed, and i know this sounds wonky. it is governance. it used to be the ic it securitn was way down in the hierarchy and reporting to the deputy cio, maybe not even to the cio, but ever so the people are running the company. now you go to a board meeting of
a major company in on the agenda every quarter is a report from the chief information security officer and she is in the room and she is breaking on metrics and showing what is happened since the last quarterly meeting. and showing what the risks are and will has to be done. that is just on personal the board meeting. in the cia also the chief information secure the officer is reporting way up on the food chain in the real big companies reporting to the ceo. we talk about a company in the book, they do not like to use their name because nobody wants to be a target. but they were in the ukraine and got hacked and no damage was done and it just so happens that the chief information security officer reports to the chairman of the board way over everybody else and when he wants money, he cahedid not have a budget, he jt
been sprayed when he has a problem that somebody's denying him what he needs he talks to the chairman of the board. that is unusual an example of the company that is really secure. >> i read a lot of stories about bad things happening people getting hacked, and people nurture during very bad things. i'm not sure i share all the optimism but maybe the exposure to the bad things happening so i'm curious as you've seen the gross and the private sector for governance investment support. is it not also true that officers are knocking better and what they doing? >> the actors are very sophisticated. the chapter in the book about machine learning. in artificial intelligence.
and as you know, you go to the cybersecurity conferences. every company is advertising machine learning and the clock. very few actually have anything that's really sophisticated machine learning. but it turns out the adversarial a.i. and the serial artificial intelligence is the same thing. and i think right now italy being used by governments but it is being used by government and we talk about with the united states government showed itself a little. a few years ago at the hacker convention where the pentagon research sponsor competition among universities for adversarial a.i. where they had five large
devices on stage and of the signal the altar known in humans walked away and for the next couple of hours it was human intervention and all the artificial intelligence programs attack the target. it was very well defended target and they had to map it, figure out how to get in and how to get around and how to get the flag and capture the flag and how to get it out because if you're trying to steal information, getting in and getting out they get to very sophisticated defenses with no human in the loop. i think that is happening now. and it means the response time that you have to defend the network get down to minutes, not
days or hours. another metaphor is from the glasshouse, this is the offense and defense as you mentioned in leveling the playing go. one of the things that you say in the united states has a sharpest stone in the country in the world. what do you mean by that, we used a different phrase which was people who live in glass houses should not throw a room. we give off a lot of good information and anno and the cit defending their own attack tools and they get stolen and used by other people. but the tools that are stolen are several years old and i
think within time the tools they are using are really good and if you're being attacked by the united sees government you will not know it, there is a lot of tennessee and the government on policy and jobs. there is a lot for the government to say, we could just go on the offense and deter the other guy and very little attention or insufficient attention paid that there are key parts of our infrastructure and our government that are really easy to attack and really easy to destroy and disrupt the place. the good news we talk about is some major corporations, the bad news is the government and the
military really good of the distance. and therefore we do see the weapons being stolen and used against us. we do see the defense science board, the government accountability office, year after year issuing reports but are very expensive and very sophisticated technological weapon system are easily hacked in the list of those references, the gao has talked about it is staggering, the f35, freedom class naval combatant, it's a sad patriot antimissile system. it goes on and on.
you come down but the private sector should be dealing with that and with support from the government and the government taking over of another advocate would be about idea. is because what you mention because of networks and so for forth, are there more reasons why? >> that be a good place to start. if you can defend yourself why defend other people. there is a tendency among ceos and some corporate boards to say you want me too spend all this money defending against the russian military or the chinese
military. i thought we had the defense department to protect us against for military, i thought i pay taxes for that which a lot of these corporations do not pay taxes. but that's a different story. and they think we should have cyber command defend u.s. steel or the banks. but if you go and talk to the banks and say do you really want to hand over your defense to cyber commit, they are horrified at the thought, they don't want the u.s. government running around, the u.s. government does not know anything about government banks. this is a very complicated thing. there is nothing in the government like it. they're not running a parking, they don't have the expertise. expertise is in short supply.
highly qualified people are in short supply. so we think the panacea of having cyber defense defend us, they'll have to defend themselves. they can get help, outsource security, there are many securities that will come in and run the security of your network if you can't support yourself. if you put your network in the cloud, amazon will do a good job securing it or many securities provided to do that. what recent government should do is to a level playing for real by having a smart regulation, that doesn't mean the regulation
that exists, the screw has been court of an inch and turned to the right three times. this is the goal. california had a lot of criticism last year for passing legislation which devices must be secure, they do not say much more than that and what does that mean, we need a standard. but it's also a pretty good start of saying you a legal obligation and putting a device on the internet that is one something or an iv drip machine or power grid. you figure out how to do that. and get the industry together and come up with standards that are realistic, if they're not
good enough, though safe that's not enough. which can happen. in the industry to get together in the government is saying you need to do more. >> on the title of your book they are defended by the government and the military and the concept they mentioned earlier in cyber spiraling into kinetic war, and greasy adversaries do things like the program, given that the risks are that high, why not give the pentagon a few hundred billion dollars to get dedicate and taken the lead on.
>> in the knowledge about how the security and private network is really in the hands of the industry, you mentioned airplanes, i've done a lot of work with the aviation and what strikes me about the aviation, is probably a metaphor for other industries, individual airlines, some of them are pretty good, the product of the 737 max are pretty damn good. the aircraft is generally great in terms of cybersecurity. there is a whole lower level in the supply chain and companies you never heard of and all the airlines used in all the airports used to provide an infrastructure layer, they are not regulated. most of them are not secure and
if you take down this company that no one ever heard of all the flight controls that the pilots have, they don't work in all the kiosks in the airport where you get your tickets do not work. so what the government can do is say the requirement is to secure your own product and secure your own network and your own ecosystem. and to identify the supply chain in the interdependencies and have an industry work together toward the entire industry is secure. >> and you say in the book the government has a role to play whether nudging, information sharing, you help set up this
when you're in government so it does have a role to play but it's sort of a less blunt into that, i'm curious how you think the turbo ministration is currently doing on cybersecurity a guess we will start with industry on the defense side. >> administration in a long time to write a national strategy. i have written two of them. the national strategy is pretty good. >> it's a lot from previous strategies. >> that's not the only reason it is pretty good. it's disconnecting what the government is doing to find that
out yet to have a governmental mechanism to implement the strategy and the turbo ministration has gone for all reasons disassembly parts of the government that we need in a used to have a senior person in the government saying that person is in charge of cybersecurity, policy, we don't have that anymore. early in the ministration they got a guy named rob joyce, he used to work for nsa and still does and he was there in the white house where everyone in the industry and expertise, everyone thought that is good and then joh john on john boehnd fight him. he did not replace him at the white house. at the state department we of a small team, two small worrying about international norms and
control negotiation someday and really need cyber norms and international norms so on paper the strategy looks good and very little going on to implement and in terms of regulation, the turbo ministration literally says any new regulation has to identify two regulations to abolish before you can have one new one. and i'm sure that's a scientifically formula the anymore, the regulation and frankly to a lot of people in congress. so they say no regulation but the federal government does regular and cyber government all the time.
we list 12 different government agencies have cyber regulations at the federal level. they're all inconsistent, they were never developed ballistically. what we call for is a clean slate on the federal regulation, let's have all the regulators come together and together figure out an architecture that makes sense in different industries you can of different feature sets but you not have differences that we intentionally made, not that we stumbled into. in addition to the corporate level trying to figure out what regulation has to worry about in the inconsistent, then you have regulation at the state level and the reason you have great regulations coming out of new
york and some out of california, the reasons of those of the state level is because the federal government incident. >> let's get back to bolton, he does defense argue that they do not push from his position. but you are right. >> he was up every year. >> once he left it was illuminated. so there is no court nader at the white house. but i think both of his critics disrupted things at the white house impulses. so one of those specific things that we will get a little wonky but one of my favorite topics is president trump tiny referendum 13. in that effectively a reversed policy that was in place under the obama ministration that required an elaborate process anytime a cyber command wanted
to use offensive cyber operation. even those classified from them random the pentagon is to have a much freer hand into the cyber attacks. i'm curious what do you think of that approach, is that necessary to deal with russia and others and are you worried that that might lead to things spiraling out of control ? >> we talk about in the book, before trump signed the national security, for the happen the congress did something that almost nobody noticed that the time, the defense authorization bill, there is language slipped in the said preparation of the battlefield which is a buzzword, preparation through cyber activity in peacetime is
considered normal military activity and if you read that you may not understand at all, what that means is our military in peacetime can hack its way into foreign military, command control and communications. and plant bombs back so when we go to war, we can push a button and that weapon will die or that network will die. because you cannot do that when the word starts, you have to have had done that way in advance which takes weeks and sometimes months to do this work and you have to keep it updated. our military was not doing that. that is a secret to which we revealed in the book that
despite the fact that they thought cyber command was running around and hacking the way into things, it was not. it was not hacking its way into foreign military networks because the obama administration really did but in a very serious steps they had to go through to get to the approval because they thought they were like to and they were told no one will ever know it was us and the iranians will not know for years and it will never leave the building role that turned out not to be true, they figured out pretty quickly with the help of people in europe it did leave the building and even though there was no network connection to the building, there's another story on that, then it ran around the world. other people caught it and decompile the, it did not do any
damages to anybody else because the way it was written which is a brilliant piece of software. the other people caught it, decompile the and started building their weapons. so the obama ministration said that did not work, it did not stop the program, we did get caught, we were the first nation-state to be seen and engaged in an act of cyber war. we will make it hard to do that again. as always in washington, the pentlanpendulum is here or heree have the obama administration making it difficult on the military to do preparation of the battlefield and hard on the cia to do the things i expect no. now we have trump way over here devolving that power and i think
excessively, the three presidents in the white house and i know that when an agency has authority to go out and do something like invade a country or hack something or cover in operation, if it goes wrong it is the president who gets point. so the president has the right and obligation to have white house oversight and division. he cannot give that up. and i think the president has given up to an excessive degree into the bm 13. the counterpoint that some of us critics would say that we don't want him to have that authority and maybe you're right the white house should have oversight and in this case we trust the panic on more than the white house, do you agree with that?
>> that is a tough one. it is hard to imagine who in the white house would do a good job with that. >> speaking of white house scenarios, he talked to run was given the escalations between the united states and washington into rome, give a really vivid high political scenario where israel and iran reach and force united states to become involved in our ally but in the scenario described the situation room where the president is informed and blocked their readin. and they say begin bombing around, do you think that's a scenario that is truly possible and if so is it about this white house or any white house and how
the cyber war escalates. >> it's a short piece of fiction in the book. and i think it's realistic. after that piece of fiction, we take it apart, we analyze the fiction and say this happened in the fictional scenario, we go through and deconstruct it and i think the conclusion is yes it can happen and almost did, three weeks for the book came out united states did a cyber attack and my co-author and i looked at each other and said our scenario is going to take place before our book is out. it'd only stood. i think it could. what we see in the scenario is israel getting attacked, israel
has been bombing armenians facilities in syria. and at some point i wrong for not take it anymore and launch an attack back on israel. and if they use their friends and all the rockets and missiles that they have in the region, it could overwhelm israel. israel likes to say they were great missile system, and it does but numbers can overwhelm things like that. so in the scenario, they turned to united states as they did in the 73 were and they say hurry up, send us these things, and in the 73 were, the united states and richard nixon did launch an immediate outreach on the air
bridge and incense they went straight from the airport, straight into battle. and it turned the tide and they won right away. could we do that again. no, not if we have an enemy, i wrong, russia or somebody who wants to attack the logistics. to do that supply, the railroads have to work at certain points have to work in electric power plants have to work, even if you attack the u.s. military and just go after the civilian info structure that the military relies on, you can stop the resupply. >> we could spend all the talking about the likelihood of a cyber attack into a war in the
middle east. but there's other parts of your book i want to get to. you have a chapter discussing for what you call a shading in a cork to the internet and in the chapter you write while we fully endorse the position, we are no longer convinced the vision of the internet will also be global. it is likely time to take a new approach. why do you not believe it will be global anymore and what's a new approach. >> this is designed because is very provocative. >> that's why i asked. >> will give you an idea, basically it is the name of an agreement of among a bunch of countries, most in that you. that eliminated borders by the establishment fee.
and by a perimeter. what you are suggesting, maybe we want to think about how that might happen in cyber space if you want to have countries that country like russia, iran, north korea and china, are international laws when it comes to cybersecurity that will not cooperate on investigation and it will not punish people in their countries and who are cyber commercials attacking us or when their government is attacked by cyber as in the case of north korea. maybe we ought to say you cannot play in our yard. maybe we say this is a protective garden and do you
agree on the international norms? since you are not part of the and won't agree, if you will not actually implement them then you don't get it. we have in mind something that we did back in the obama administration with money longer. we got individuals together, a small group and we said let's established internet, standards that will allow us to stop the wondering. and anybody who does not live up to the standards get to clear the money through the banks. >> we went around to countries and say this is a model law against money laundering, you have to pass into th to your ler
and then reinforce it. >> this is the end of the time and you have not done it, your currency will not be cleared with the eu for the pound of the dollar. have a nice day. the hypokalemi apocalypse is a . establish into the international form on cybercrime and cyber war and mutual cooperation and mutual defense, if you are not part of the then your access to her internet is going to be limited, you cannot just pop into the cyberspace eventually
have they played enough pressure on the russians and around and finally to discuss the come along and participate or is it the recommendation that the intra- has become indifferent world. >> they are creating something that has an idea that would be one free open system without walls, that did not happen. and we should not continue to pretend it's going to happen. or pretend it has not already stopped happening. there is a great wall of china, a great firewall, other nations are having other similar firewalls. and from with in those defenses the return air companies. where we ask for them to stop, they do not.
we say this individual in your country did the hack, reston. they do not. there has to be some system to deal without, i don't want to advocate a system where we say okay russia, okay china you come in and be a founding member of the internet, i do not trust them. i will set up a new safe internet and run it for a while and if i have a problem and they want to come in they should go through a trial. the having them in the beginning is having the fees. >> speaking of those, one of the countries that is been the best against us has been russia and obviously i'm referring to the 2016 election and election interference.
i could go down the list. you have a chapter discussing election security and while your optimistic throughout the book about the progress we've made, i'm not so sure your optimistic in this realm, how are we doing on election security. why so bad and how to prepare for 2020? >> we a surprise attack on this country in 2016, even when it was happening in the obama administration saw signs, they did not see the whole war that russians were waging, they sell some but did not recognize the importance. we did not realize that in a very short period of time most americans had moved to getting news from social media, we do not recognize how easy it was to manipulate social media. so the russians took things they
been doing for 100 years, they even have a great name for it, it has been in the doctrine for 100 years. he took those things and empower them you weren't ready for that, we still haven't establish regulations or pass laws to regulate social media, and while facebook and google and none of these consider doing good things, we don't really know there has been a standing of what they're doing. and frankly we know the russians are still willing, to bring hatred, americans against americans, why is the russian government pretending to be
americans fighting about vaccinations, on both sides of the issue. and you could do that on every issue. the election government still in the social media whipping up the scent hatred, housing us to hate each other, for each other and focus inward. not just on the reelection but every day. the congress has not done his job and has no federal regulatory that any agency has. and in the past, the ministration, republican and demonstration, he had a new problem like this. you put the money in the white house to be in charge and you get for all the power and resources that she needs to corny a government response, who is that person. no one. you have some people trained to
do good work for some people the fbi tries to get do good work, but there is no coordinate that the strategy, funding and nutrition to countering the russian activity through social media, we also have to have it against itself. 39 states, we realize were hacked, the fbi has been really slow in dealing with it and admitting the extent of the hacks, if you want to defend the system, you have to defend the campaigns, parties, candidates, we get secret service protection as a candidate but we don't get the cyber protection.
then you have to defend the data registration which the russians hacked into in many states. who is on the role, there's ways of manipulating to change outcome. then you have to worry about the election machines, reporting, whole ecosystem. people say it's a responsibly of the states and counties. there was a 4000 guilty. you think they have the cybersecurity skills in the county election board, i live in virginia and i love the people for my county for election. they don't have the skills or the resources to protect against a russian military. here unlike -- corporations have to defend themselves, i think the government has to say this is the federal election.
>> federal laws and federal standards and resources, they are not saying that, they're saying those states kill time on their standards, the states have to defend themselves, come up with the money, that is crazy. the constitution says, for the election of the president and the congress. that the state shall do that and then they said forward that i don't know if it exists anywhere else, but the congress may pass laws to do it. in other words the congress may preempt this daily counties when it comes to federal elections. , why does mitch mcconnell not want that to happen. why does he not want federal aid, i think because he realizes the people who are doing the
manipulation are supporting his site. >> they appropriated 380 million to the states in early 2018, a law say that's not enough. >> we certainly are seeing any new activity and congress. >> we are seeing it on the house side. the houses past more reasonable amounts of money in mitch mcconnell has blocked it from going to the floor. and to focus on the disinformation side of things. >> one of the proposals that you write about is an idea of going forward we could have a digital identity and i think you call it you, the u. >> when you talk about these companies named more and to root
out the problems and control networks, ideas like that, i'm struck by the idea that it is been something i'm so cherished on the internet. >> you can have it. i am all in favor of you being able to go to library and pick out any book at the same time and read it. but i don't want you to go into a bank and pick up a body. there are places in the single world we need to show id in the spaces in the virtual world we need to show id, that id should be easy to get into use. i have a password manager and you probably due to because somebody said the average was 20
>>. >> i don't anyone to ever regulate what i say but if you're going to participate in the process you should be able to do so in safe you are. yes there are places certainly if you are a human rights worker in egypt you have to be able to use the internet and communicate anonymously without the egyptian police coming after you. but the system we have in mind
is not a government system in order to do something like we propose like mastercard or visa or google, somebody, multie agencies or organizations, should create this identity just as i could go into any store to use visa or mastercard i should build use any website and use a really you identification that is certified card issuers. the technology exist we just need the government to say okay. if you live up to these standards of security we will
then to leak those online and then used to launch a global ransomware attack that affects hundreds of countries around the globe that has really impacted the health care system in the united kingdom. so that same tool with the ransomware attacks with baltimore and to be clear with that discussion to harm the american people. >> if we need more oversight or public discussion.
>> there are two issues one is a security of nsa and the contractors the investigations are likely to show another contractor to have the tools. but if people were stealing our tanks or nuclear weapons that would be a horror. but they are stealing our cyberweapons. so we should be equally horrified. the obama administration thought it had national security with nsa and we need to do a better job obviously i don't know a proposal but one way to be oversight by somebody else that is one issue and there is no penalty
but another issue is when it nsa or cia becomes widely available of the threat. based on those recommendations and that default value and with widely used software with the software manufacturer. and only for very short periods of time but i'm not sure that's happening. in the public doesn't have any way to penetrate but i think that's the case and with the
server software and probably using it for a couple of years and then told microsoft afterwards. that isn't acceptable and the reason and in the offense against the russians or somebod somebody, the russians will see that to. if we see that vulnerability and that obligation as a government to tell apple right
>> it's great to see you congratulations on the book. >> thank you very much, david. great to be with you. >> this is fun for me because about 25 years ago i was the young reporter that cornered you in a local newsroom in albuquerque to quiz you that about your career and for me to continue the conversation i will continue right left off 25 years ago. [laughter] >> i remember that very clearly then we worked