Seven Questions: Richard Clarke on the Next Cyber Pearl Harbor

ALEX WONG/Getty ImagesCyberwarrior: The real cyberthreat, Richard A. Clarke warns, is that all of our information is being stolen.

Foreign Policy: Last year, a Pentagon computer network serving Defense Secretary Robert M. Gates was hacked into, allegedly by the Chinese military. Do you think the Chinese military was behind the attacks, and if so, what was it trying to accomplish with these attacks?

Richard A. Clarke: I think the Chinese government has been behind many, many attackspenetrations. Attacks sounds like theyre destroying something. Theyre penetrations; theyre unauthorized penetrations. And what they are trying to do is espionage. Theyre engaged in massive espionage, not only in the U.S. government, in the U.S. private sector as well, but also around the world. The British security service, MI5, sent a note to the 300 largest corporations in England a few months ago, telling them that the Chinese government had probably penetrated their networks.

FP: How vulnerable do you think the U.S. government is to a cyberattack or cyberpenetration? How seriously should this threat be taken?

RC: Well, I think its being taken very seriously. President Bush signed a National Security Presidential Directive on the 8th of January redirecting billions of dollars into protection against it. I think it should be taken very seriously. The United States government and private corporations are quite vulnerable even though they think theyre not.

FP: Whats the worst-case scenario from a cyberpenetration of the U.S. governments computer network? Are we talking about things like remotely attacking nuclear power plants and things on that scale?

RC: Well, people tend to think about, sort of, attacks that change thingsturn off power grids, or whatever. And while thats possible, what is happening every day is quite devastating, even though it doesnt have a kinetic impact and there are no body bags. Whats happening every day is that all of our information is being stolen. So, we pay billions of dollars for research and development, both in the government and the private sector, for engineering, for pharmaceuticals, for bioengineering, genetic stuffall sorts of proprietary, valuable information that is the result of spending a lot of money on RDand all that information gets stolen for one one-thousandth of the cost that it took to develop it.

FP: Both China and Russia have received attention as cyberthreats. Which country do you think is more of a threat, and are there other countries, or nonstate actors, to be worried about also?

RC: I think nonstate actors could develop capabilities rivaling that of nation-states because this is the classic case of asymmetrical warfare where small numbers of highly skilled people could have the same effect as could a nation-state.

FP: What do you expect the capabilities of the new Air Force Cyber Command to be?

RC: I think theyre probably both offensive and defensive. But on the defensive side, all they can do is defend the Air Force or perhaps other DOD [U.S. Department of Defense], or maybe even other federal government, entities. And the problem is that much of what we need to protect is not in the U.S. government; its in our private companies and our private networks.

There should be a White House senior person who has oversight of all government programs in the area of cyberdefense. There hasnt really been someone since I left, and I think they need to re-create that position.

FP: You mentioned both the defensive and offensive capabilities of the Air Force Cyber Command. What kind of offensive cybercapabilities should the United States ideally have?

RC: Highly classified ones.

FP: You mentioned earlier in discussing the Air Force Cyber Command that its not just cyberpenetrations of government computers that we should be concerned about, but also private industry. So, are you concerned about cyberpenetrations by foreign governments against U.S.-based defense contractors?

RC: Well, yeah. Im also concerned about penetrations of U.S. research-and-development firms, everything from pharmaceuticals to genetics to aerospace engineeringall the things we have to sell in our knowledge-based economy. We are a post-industrial, knowledge-based society. Thats what we sell to the world. If other people can steal it readily, then we wont have much of a margin.

Theres been a lot of talk about a cyber Pearl Harbor. People say that I coined the phrase, and Im afraid I actually didnt. But, if we wait for thatjust as we waited for 9/11 to do something about al Qaedaif we wait for a cyber Pearl Harbor to do something about cyber[security], it may never come. But we will, nonetheless, be losing huge amounts of valuable information to our competitors and to cybercriminals who cost our society billions of dollars a year. Just because we havent had the big attack doesnt mean that we should wait to act.

Richard Clarke is chairman of Good Harbor Consulting. He was formerly the principal counterterrorism advisor on the U.S. National Security Council under presidents Bill Clinton and George W. Bush.