This interview originally appeared in The Cyber Issue in Winter 2016.
How can the United States prevent a cyber war from breaking out and deter terrorists from targeting the country with cyber weapons? The Journal of International Affairs talked to Richard Clarke, who served as a senior White House advisor to three consecutive U.S. presidents, about cyber risks and how the United States can counter threats to its national security.
Is the threat of cyber war underplayed or overhyped?
This depends on how you define cyber war. If you define it the way I do, a government engaged in destruction against another within cyberspace, it hasn’t really happened yet. The few instances of cyber attacks that have occurred (that we know about) have been executed with only limited objectives in mind.
But that doesn’t mean that a “full-scale” cyber war won’t happen in the future—it most certainly will. The point is, though, that governments will only engage in “total” cyber war within the context of a war that they were already going to fight militarily otherwise.
Do U.S. leaders fully appreciate the cyber threats facing the country’s national security?
I do think that U.S. leaders, by and large, understand the magnitude of the threat and the potential damage that cyber threats can inflict on our country, but they haven’t yet acted on it. I believe it isn’t clear to many of them exactly what action to take. Frankly, until the United States is the victim of a large-scale cyber attack, it is unlikely that lawmakers will prioritize increasing the resilience of our cyber infrastructure in the private sector.
Is it possible to build a credible cyber deterrent?
No, and cyber war is unique in this respect. We have to deter cyber attacks by threat of conventional or economic retaliation. It’s difficult to develop an effective cyber deterrent, because you have to have already demonstrated the capabilities of your retaliatory arsenal. Your assailants have to know what you’re capable of.
This wasn’t a difficult thing to do in the Cold War, because you just had to detonate a few hydrogen bombs on some uninhabited island and everyone knew you had that weapon available to you. This is not really possible in cyber war for two reasons. First, every state’s network infrastructure is different and you can’t prove that an attack you carried out on Country A will also affect Country B. And second, there’s no cyber equivalent of that uninhabited island that you can annihilate just to prove to everyone else that you can.
Deterrents also necessarily operate in a system where each player can attribute an attack to a particular party with a very high degree of confidence, but cyber war functions with a fundamentally different playbook, where actors carry out attacks while concealing their identity and never publicly take responsibility for it. Deterrents are a nice concept in conventional warfare, but they have not yet worked in cyber.
Does the development of new technologies help non-state actors? How can terrorists use new technologies and cyberspace to target states?
Absolutely. The “Internet of Things” is tremendously helpful to malicious non-state actors because it’s so notoriously insecure. For those who aren’t familiar, the Internet of Things is an umbrella term used to describe the aggregate collection of modern consumer, commercial, and industrial electronics that rely on network connectivity to function.
I’m not just talking about your new Wi-Fi-enabled toaster, I’m talking about electronically controlled valves in nuclear power plants, switches on the electrical grid, machines that keep people alive at hospitals, pressure regulators on natural gas pipelines, and the list goes on. These are devices that are found in every single city in this country that are vulnerable to cyber attacks right now, and have the potential to cause real, tangible harm to the American people if the wrong person gains access. This is one of the primary reasons that network security is so important in the modern era, especially for industry.
NATO officially recognized cyberspace as a military operational domain. Is this a big deal?
NATO is itself now an organization that has recognized the threat of cyber warfare, and is trying to do things to defend its own networks. That’s indeed a big deal, because never before has a coalition of countries worked together to increase the resilience of their networks for the sake of mitigating cyber threats.
The United States, Britain, Israel, Russia, and China are often considered the world’s cyber superpowers. Are there new or emerging cyber powers that will play an important role in the field?
Nations like Iran and North Korea have already demonstrated some of their capabilities in recent years, and they will continue to be big players going forward. There is a low barrier of entry for cyber warfare, and as technology proliferates and the world collectively becomes more tech-savvy, I believe that new players will continue to emerge whether they are non-state actors or states themselves.
Will it eventually be possible to regulate the use of cyberspace with international agreements?
Eventually, yes. We need more international agreements that assist in combating cybercrimes and aid in establishing cyber norms by deeming certain cyber behavior a violation of international law; an expansion of the existing Budapest Convention. For example, I think it would be wise for everyone to agree that compromising hospitals’ or financial services’ networks is off limits. There is, still, the aforementioned attribution question of how can you ever prove that a certain actor carried out a particular attack? But this could, theoretically, be countered by coming to some agreement that obligates every country to take responsibility for attacks coming through servers within their borders. There are obviously major issues associated with this kind of framework today, but I believe it’s nothing that the global community can’t solve given enough time.
What is the correct balance between security and freedom of information?
In the context of cyberspace, security and privacy are mutually reinforcing, not competing. It’s not a choice between one or the other; it’s not a zero sum game. Information security is paramount for trusting information to begin with. Without secure systems, you can’t say with any certainty that the information you have is accurate.