You always feel a little shaky when you are planning on asserting that someone else is wrong. You feel more so when it is someone who is known as darn near a prophet in the particular field. However, no one has ever said that I was unwilling to express my opinions, so here goes.
Richard Clarke, former adviser to multiple presidents, the Cassandra who warned of a coming attack before 9/11, now has a hit book out on the threat of a coming cyber war, why we are unprepared for it and what we must do. The book, “Cyber War: The Next Threat to National Security and What to do About It” (written with Robert Knake), is now being widely read. One recent attendee at a major one-day cyber security symposium in Washington opined that it seemed every one of the speakers had referred to the book. I was there too, and this is a bit of hyperbole, but several did mention it. While not everyone agrees with Clarke, his opinions in the areas of infrastructure and cyber security cannot be easily discounted.
I will not attempt to do a complete review of the book, because several others have already done so and because so many people have already read it. I do want to point out, however, two areas where I think Clarke missed the mark in his thinking. I am also adding to the mix remarks and Q&A Clarke did at the very fine Aspen Security Forum at the end of June, which I had the pleasure of attending.
Truth in writing: these are two areas which might be considered my pet rocks. I have written and spoken on both, and while it is daunting to disagree with a “big guy,” in this case, I cannot be intellectually honest if I just let it go.
The first area is the usefulness of wide-spread cyber education and awareness for the American people. Clarke basically discounts this as a waste of time. He says the benefit of such an effort is about nil. You cannot properly train every grandmother and retired auto worker to be a computer scientist. Clearly he is right, but just as clearly (to me anyway), that is not the point.
Right now, experts say that nearly 80 percent of cyber incidents could be stopped if people would merely have good cyber personal hygiene. In other words, if they would understand where not to go, what in general not to open, why they should have protective software, and why it must be updated regularly, many would do it. Also, many of those same “everyman” folks could apply the same hygiene principles they would use at home in their jobs, thus giving us improvements on two fronts.
Look, we are obviously never going to stop the big sophisticated penetrations simply by intellectually arming the masses. The high-end 20 percent require a completely different approach. Nor are we going to get everyone who uses a computer to do all the “right things” anymore than we can get every driver to stop speeding or rolling through stop signs. People are people, and many will do unhelpful things, even if they are told how to avoid them. However, to give up on this front and dismiss all education and awareness efforts as of no use is intellectual conceit. We can better “arm” our population, and most of them will respond. Let’s close the doors we can and at least shrink the opportunities the bad guys have to attack. This is NOT a battle that will only be fought by our high-end “mounted cyber knights.” We have to engage all our citizen yeoman as well.
The second area Clarke dismisses is the possibility of a significant terrorist cyber event. He, like many other experts, seem to think that it is simply impossible for a terrorist organization to have the wherewithal to pull off a “real” cyber event. Well, if you define it as only so large as to be an all-out cyber war, his position has validity. If you think, as I have written and spoken about, that a terrorist attack could focus on a specific geographic and single sector target, it is indeed quite feasible.
Terrorists no longer have to develop their own cyber army; they can rent one from the multiple criminal networks that exist and who regularly sell their services. By keeping their target restricted enough (one small city, the electrical grid in one part of the country, one specific bank, etc.), terrorists could pull it off. Terrorists do not have to bring down our entire system but only do enough to provoke fear and reaction. They could also use cyber as a significant enhancer for a more traditional attack. Police in many cities worry that someone will hack their dispatch systems and route responders to an ambush or route them away from real events, a tactic that might ensure more people die from an attack and one that will truly shake public confidence.
Clarke is “right” when he says public education will not solve the cyber problem and when he says that no terrorist group is capable of conducting cyber war on America. He is wrong to dismiss the value of that education and awareness in mitigating everyday dangers and difficulties, and he is wrong to give the impression that a terrorist cyber event would be of no consequence.
We cannot throw these babies out with the bathwater. Read Clarke’s book, particularly if you need to get a better understanding of the cyber threats we face. It is well written and a fairly easy read for a tough subject. But please do not think that because Clarke gives the two areas of education and terror short shrift that they are not significant. That would be a costly mistake.