tv After Words Richard Clarke The Fifth Domain CSPAN July 28, 2019 9:00pm-10:01pm EDT
>> let's dive right in that this is not your first book on cybersecurity also you worked with your co-author ten years ago called cyberwar. and that with some of your great reporting but that as appropriate footnotes. >> we wrote cyberwar and we said things then that militaries would become dominant in cyberscape in the landscape and attack each other in cyberwar and infrastructure would be part of the target set.
and not with that damage and destruction. >> and sell at one level i decided to write this book to say we were right. [laughter] but also what has changed in those ten years. and we were right about some things but we were wrong about others. guests, the military has become the dominant threat factors looking at the major attacks in the last three years that were military. and if you look at the targets they are going after infrastructure just last month the united states were less
said we penetrated the power grid. and then just to attack them. and what was wrong as everybody ten did years ago and that you can have all the differences in the world but if the massage comes from you you are screwed. and the major difference in the landscape right now from ten years ago there are corporations that are in
america that are pretty secure. are they invulnerable? no. and i'm sure because there is no perimeter anymore but can they do damage to those quicksand the answer is no. that was a long list of american companies that were in the ukraine that had their networks in the us destroyed. but there's also a list of companies in ukraine that didn't and then to be resilient and defend itself. and there are some answers and one of which is money.
it is a gross metric but if they are spending 3 percent of their it budget on cybersecurity which is kind of normal for a lot of companies they will get hacked and hurt. at their spending eight or nine or 10 percent we found some spending 17 percent. that is your it budget on security year after year after year you can achieve a lot of security with today's technolog technology. >> with a cofounder and ceo that said i fear for the firm but in the book actually said
with those two types. and the now he and others those are successfully repelling that money is a key factor. >> that there are many others and if you go back, i started in this business in 1997 if you wanted to defend your network and with that antivirus system which was a very good and in 1997 and that was the intrusion detection system that only sets off a
sum he tries to get in perk of you want to spend money you couldn't but we met people that were running networks with 50 or 60 or 70 different it security products with almost as many vendors. but some are expanding six or $7 billion, million dollars per year trying to do it security and thousands of it security people running a network. so they can buy the products they are very specialized when
there is a new product it comes out pretty quickly you have to constantly be buying and updating. the other thing that has changed is governance. it used to be the it security person was way down in the organizational hierarchy. and reporting to the deputy cio. never saw the people running the company. now there is a quarterly board meeting of a major company and on the agenda is a report from the chief officer reporting and metrics and showing what's happening at the quarterly meeting and the risks and what has to be done.
that is just part and parcel now of the board meeting. and that csi oh is now way up on the food chain and now reporting to the ceo. in the book they don't like to use their name because nobody wants to be a target but they were in the ukraine and they were hacked. no damage was done. but it just so happened the chief information security officer was chairman of the board and one he wants many he doesn't have a budget he just spends. if there is a problem where somebody denies him what he needs now that is unusual but also a company that is really
secure. >> i wrote a lot of stories about bad things happening and companies getting hacked and doing very bad things and i'm not sure i share all the optimism that may be the exposure to the bad things. so as you see the growth in the private sector, is it not also true that they are shutting down power grids quick. >> the actors are very sophisticated. and talk about machine learning in artificial intelligence and very few of them have anything but it
turns out the adversarial ai is a thing. and i think right now it's only being used by governments. it is. we talk in the book about the united states government showing itself over a few years ago and then to sponsor a competition among the universities for adversarial ai where they have five large devices on stage. and at the signal they all turned on and then for the next couple of hours all of
these artificial intelligence programs they have to map the target to figure out how to get in, how to get the flag and capture the flag and then how to get out if you're trying to steal information getting in is only half the problem. and they have some very sophisticated defenses that no human in the world and that response time is down two minutes. >> and then when you mention in the book and the united
states has the sharpest stone but we live but we live in the classiest house. >> we use a different phrase. people in glass houses should not throw code. and as a nation but they are stolen and then used by the attack tools that are stolen or seven years old but if you are being attacked you will not know what they are very
stealthy. >> and if we are really good we can just go on the offense and deter the other guy and very little attention paid to the fact the key parts of the infrastructure and government that are really easy to attack and to destroy and disrupt and with those major corporations but the bad news is that government in the military is really bad at defense. and then the cyberweapons to be stolen and used against us. and the gao and year after
year issuing reports that are very expensive, very sophisticated technological weapon systems and the list of those weapon systems with gao but if the united states has to go to war against a sophisticated cyberopponent we could put all of these shiny objects onto the battlefield and it won't hurt because they had - - about work because they have been hacked. >>host: getting to war and escalation but another theme of the book but also whose
those should be response of national cybersecurity. and then the government taking over and that is a bad idea. is that just because of what you just mentioned or is there more reasons why cracks work that's a good place to start. so why should you be defending other people cracks there is a tendency among some ceos frankly in some corporate boards you want me to spend all this money to defend against the russian or chinese military cracks i that we had the defense department to protect us. i thought i pay taxes for that. a lot of these corporations don't pay taxes but that is
another story. and they think just to defend us steel or wells fargo, how does he talked to the bank and say hand over your defense to cybercommand. they don't want the us government running around. they don't know anything about that it is very complicated and there's nothing in the government like it it is in the power grid they don't have the expertise. expertise is in short supply people who are qualified are in short supply. so this panacea is a pipe dream.
individual companies have to become themselves. they can get help and they can outsource security and the security of your network if you cannot do it yourself. amazon will do a pretty good job to layer your own security or have manage security provided. but to set a level playing field and have smart regulation. to have a regulation that says this is the goal. california got a lot of criticism last year to pass
legislation that the devices must be secure. it's much more than that. what does that mean cracks we need a standard. but is also a pretty good start. you have a legal obligation. you cannot put a device on the internet like a heart lung machine or iv drip machine. you have to secure it. you figure out how to do that. and get the industry to gather to come up with industry standards. and if that's not good enough then the government can look at those and say that's not enough. which has happened the industry did get together with the regulations and now the
government says you have to do more. >> the title of your book is the fifth to mean the other for our airland to see in space traditionally defended by the government and the military. so the concept you mentioned earlier, then to take down the power grids quick's and with those cyberattacks even of the risks are not that high and with a few hundred billion dollars. >> the knowledge how to expand really is in the hands of industry.
i have done a lot of work with the aviation industry. and what strikes me is it's a metaphor for other industries. look at the airline some of them are pretty good but like the 737 c max the engines are great the aircraft is great in terms of cybersecurity but there is a whole lower level in the supply chain of companies that all the airline jews are all the airports use of the infrastructure layer that are not regulated and if it's a company nobody has heard of with those flight controls that the pilots have with their little i plan on - - i had with the flight plan
don't work now all over the kiosk in the airport. so what the government can do is say the requirements of the security of our own product or the security of the ecosystem to identify the supply chain or the interdependency and to have an industry work together that the entire industry is together. >>. >> and government does have a role to play. >> weather information sharing and it does have a role to
play. >> and to that and i'm curious how you think the trump administration is doing in cybersecurity. so we will start to help secure on the defensive side our critical infrastructure. >> this is the first administration in a long time to write a national strategy. i have written two of them. national strategy is pretty goo good. i would give it a b+. but it is pretty good. i think it's disconnected from what the government is doing and that has always been the problem but to find a strategy you have to have a governmental mechanism to implement the strategy. and the trump administration has gone about four odd reasons disassembling parts of the government that we need.
reese to have a senior person and that person is in charge of cybersecurity policy. we don't have that anymore. and early in the administration a guy who used to work for nsa was there in the white house everybody thought that was good then john bolton fired him. but he did not replace him at the white house. at the state department we have a small team worrying about the national norms and arms control negotiations if we have cybernorms or international norms of arms control.
so on paper the strategy looks good even though there's very little going on to implement and in terms of regulation the trump administration literally says any new regulation has to identify two regulations to be abolished before you can have new one. i am sure that is at odds with the formula but the regulation and frankly to a lot of people in congress. so they say no regulations but the federal government does regulation in cyberall the time. twelve different government agencies have cyberregulations at the federal level. there always consistent and never developed and what we
call four is a clean slate on federal regulation and to figure out the architecture that makes sense and if there are differences and differences that we intentionally made. because in addition to what they have to worry about if they are inconsistent the reason you have a great regulation coming out of new york and some out of california because the federal government is not doing it. >> talking about ambassador bolton.
>> i stayed for ten years. so there is no cybersecurity coordinator at the white house but both of his critics disrupted things at the white house so we'll get some wonky here but president trump national security strategy that rescinded and reverse policy that had an elaborate process that cybercommand wanted to use and from what we understand from the memorandum. and also a cyberattacks.
so just what you think of that approach is that necessary and are you aware that could lead to things spiraling out of control. >> before he signed the national security memo, before that happened in the senate on - - in the end to defend the authorization bill that said for preparation of the battlefield which is a buzzword through cyberactivity in peacetime is considered normal military activity. and if you read that what that
means is that our military and peace time with foreign communications. so when we go to war, we can push a button because you cannot do that when the war starts. we have to do that way in advance it takes weeks or months and you have to keep updating. >> that's a secret which we revealed in the book despite the fact of cybercommand running around but it wasn't hacking its way is the foreign military networks because it
wasn't authorized or the obama administration implemented a very serious steps that you have to go through to get approval. >> because they thought they were lied to and the iranians for years and from the people of europe it did leave the building and with that network connection but that's another story for call but it did and other people caught it but it's only the way it was written it was nearly destroyed. but other people caught it so
they said that will not work that didn't do as much damage as you told me it would do we are the first nation state to be seen engaged in that cyberwar we will make it very hard to do that again. but the pendulum is over here are over here so the administration really makes it difficult for the battlefield for the cia and then normally with trump way over here to devour that power and i think excessively to free presidents on - - with the president in the white house when they have authority to go do something
but the president gets blamed the president has a right and an obligation to have oversight. and he has to and excessive degree. >> but the counterpoint those critics would say maybe you are right the first - - white house should act but do you agree with that? >> that is a tough one because otherwise the white house to be doing a good job of that right now. >>host: talk about the white house scenarios between the
united states and in the book you have a vivid scenario with hostilities between israel and iran for the united states to become involved and in this scenario you describe is seen in the situation room that the assistance has been blocked and the scene ends with the president turning to the secretary of defense to say do it. do you think that is a scenario that is truly possible? is at a remark on this white house or any white house quick. >> it is a short piece of fiction in the book and i think it is realistic. add to that piece of fiction we take it apart and analyze
it this captioned in the fictional scenario and then deconstruct that. so yes it could happen. in fact it almost did. three weeks before the book came out the united states did a cyberattack on iran my co-author and i said now the scenario will take place before the book is out. i think it could. what we see is the scenario is israel gets attacked. in fact it has been bombing iranian facilities in syria in the real world. and they will not take it anymore and they will launch an attack back and if they use
their friends hezbollah and hamas all of the rockets in the missiles that they have come it could overwhelm the israeli differences there is a gray antimissile system and it does that numbers cannot overwhelm things like that. so in that scenario they turn to the united states like they did in the 73 war and say quick. sent us these things. then in 1973 the united states with richard nixon actually did launch an immediate outreach and sent his real arms that went straight from the airport and straight into battle. that change the tide and they won the 73 war.
>> we couldn't nod if we have an enemy like russia or somebody who wants to attack the logistics system. so to do that the power plans have to do that so even with the military that the military relies on you can stop the resupply. >> talking about the apocalyptic war and the middle east but there's much i want to get to. and for the internet that we fully endorse and the likely
time to have a new approach. so why do you not believe that to be global anymore quick. >>. >> that basically but that is the name of the agreement of the countries most of those in the eu. that eliminated internal borders but what we are suggesting is how that might happen in cyberspace if you're going to have countries like russia or iran or north korea
or china with cybersecurity and the left cooperating in the investigation with criminals attacking us but if it is the government as in the case of north korea for us to say you cannot play in our yard. maybe we say this is a protected garden of like-minded nations that help each other. that do prosecute cybercrime and share information and security standards and agree on the seven international laws. and if you are not part of that or agree on those norms or implement them, then you
don't get to play. something that we did back in the trump administration with money laundering initially it was a small group and said what is the published standards that allow us to stop money laundering? and anybody who doesn't live up to those standards does not get to have money cleared through our banks. so we went around and said this is the law you have to pass that through your legislature and then you have to enforce it. it took them a few years to do that but if at the end of that time then your currency cannot be used with the eu or the dollar.
so they passed those laws. but here what we say is like-minded nations follow international norms on cybercrime and cyberwar and mutual cooperation and if you are not part of that then your access to the internet is limited you cannot just pop into our cyberspace yes you have to connect but it would be a way that it goes through a system and it's very limited. >> that is us coalition of health to put enough pressure on iran or china that they finally decide to come along and participate is it like dad or the recognition that it is
balkanized we will just never see those issues in that world quick. >> the creators had an idea would be one free and open world but that did not happen so we should not continue to pretend that it will happen or pretend that it hasn't already stopped happening. there is a great wall of china a great firewall of china. other nations are erecting similar firewalls. and from within those offenses they are attacking our companies. when we ask for them to stop they don't. when we say this is a hack arrest them they don't. there has to be some system to deal with that.
i don't want to advocate a system where we say okay you can come in and be a founding member of the new state of the internet but i don't trust them. i want to set up the new safe internet and run it for a while. and if they have a problem and want to come in then we should look for trial. but to have them in at the beginning. >> one of the countries that has been the best is russia from the 2016 election and through social media. you could go down the list so you have a chapter discussing elections. and over the progress we have
made in this rome - - realm. so what can we do to prepare for 2020 quick. >> we had a surprise attack on 2016. we didn't know it was happening the obama administration saw signs but they did not see the whole war of the russians forgot they saw some but they did not recognize it. we did not realize in a very short period of time most americans move from getting their news to social media. we did not recognize how easy it was to manipulate social media. and the russians took things they had been doing for years. that has been in their doctrine for 100 years.
they put those on steroids through the internet and social media. we still really haven't established regulations are passed laws for social media. so they can all say they are doing good things. but we don't know there is no auditor. there is no standards. and frankly we know the russians are still doing it. they are spreading hatred it's on both sides of every issue so why is the government russian government pretending to be a government talking about vaccinations? that they can do that on every issue.
with the dissenter it in hatred causing us to hate each other. >> not just the election but every day and the congress is not doing its job. with no federal regulatory agency. with those administrations republican and democrat that i have served if you have a problem then you appoint somebody in the white house. but with all the resources to coordinate a definite response. what is that response on election security? because some people at dhs try to do gerd work and the fbi is trying to do good work. but the strategy there is no
special funding and then to count that russian activity. >> 35 states and 39 states but they have been very slow to admit and explain. >> but if you want to defend the electoral system he said the campaigns and send the parties and the candidates and secret service protection but we don't give cyberprotection. then we defend the building data registration which the russians hacked into in many states. there are ways to manipulate
that to change outcome then you have to worry about the electio election. there is a whole ecosystem. people say it's the responsibility of states and counties over 4000 counties and the county election board i love the people of my county election board but they don't have the resources. and that corporations have to defend themselves. there are no laws or federal standards or resources and to say those states can all decide on the standards and they will have to defend themselves.
it's crazy. the constitution says that the state shall do it that congress may pass laws to do this. with the states and the counties. why don't we? but the answer is mitch mcconnell. why is mitch mcconnell does not want federal aid or those standards? and with this manipulation. >>host: congress did appropriate one - - appropriate million early 2018.
>> it was a drop in the bucket. >>. >> but we are seeing it on the house side. the house has passed more reasonable amounts of money even from going to the floor so effectively whatever test they want but. >> do the soviets on the information side one is that you write about this idea going forward that digital identity you call it a nice declaration. >> so if we don't have anything more to root out these problems that the anonymity, you can have it.
and for you to go to a library to check out the books and sit down and read it but i don't want you to go out to a bank to take out money. there places we physically need to show id and places in the virtual i want - - the virtual world to show id. but right now it is complicated i have a password manager the average was 28 passwords i have more than that. they are all different because you don't want to use the same password twice. many people use the same password twice there is a whole chapter on that but
passwords are 20th century technology. you really need to do something that's much more simple to use and the american people don't trust the government. okay. i get that. instead every state uses a drivers license we use as a surrogate but if we should use a national id card but we don't. >> and looking at the internet and for those certain principles and with those platforms to create these rules what can be said in fact actually becoming more like the systems.
>> and those issues i want to regulate what i say or what anybody else says but to participate in this process you should be able to do so under who you are. now there are places they want anonymity like if you are a human rights worker in egypt you should be able to use the internet and communicate anonymously without the egyptian police coming to get you. but it is not a government system. that mastercard is making all the progress. visa or mastercard or google
multiple agencies and organizations should create federated identities so i could go into any stored use of visa or mastercard or american express, i should be able to go to any website and find out if it is a really you identification issued by wine of the certified issuers. and the technology exist. is just for the government to say if you live up to the standards with the identification system we will take it when you go to the irs website or to the veterans website or social security website. if the government would do
that. >> so now just a couple more topics and those controversial discussions about cyberpolicy is to what extent that they are designed to use to plug-in the adversaries to target us. and those that you describe in the book in 2017, there are still murky details but the shadow brokers with russian intelligence hacking tools from the national security agency were leaked online and then picked up by hackers and then used to launch intentionally global attack
that affected hundreds of companies around the globe and affecting the healthcare system in the united kingdom that more recently we have had reporting that same tool and the nsa was used in baltimore and other cities but this is ongoing and to what extent are they harming the american people or our allies as adversaries? >> what do you make of this tension do we need more oversight or public discussion how an essay decides to use these tools? >> two issues. one is the security of nsa and its contractors because in all these cases the investigations are likely to show that some
of these contractors are working and to have the tools not secured. if people are stealing the nuclear weapons they are stealing cyberweapons. we should be equally horrified. when they tried to address security with the nsa we need to do a better job obviously. i have a proposal for that but were there can be oversight of the security by somebody else. >> and the contractors need to suffer. >> the other issue when the nsa or cia has a widely
utilized system president obama decided based on recommendations of experts of which that i was one that if you discover a flaw that could be exploited in widely used software then you default the software manufacturer and you have to fix it. only in very rare occasions and very short periods of time should it be otherwise. but i'm not sure that's happening. and again the public has no way to penetrate whether or not that is happening but if that's the case then certainly the government knew about the server software and was probably using it for a couple of years and only then told
microsoft about the leak anyway and that is unacceptable. because maybe that is used as an offense against the russians or somebody, the russians will see that to. they can figure out and they will go after american companies and we will not even know it. so therefore our obligation should be to tell microsoft or apple or whomever it is right away. >>host: we are running out of time but your book overall is great about cybersecurity the last chapter discusses things you can do to protect your own cybersecurity what's one thing
wrote the book the method to the madness. [applause] we are going to talk about it and we will be signing books after. there are 60 bucks if we don't sell them all we are going to be mad, so make us happy. basically, he came to me about a year and three quarters ago saying how the hell do you be a ee
IN COLLECTIONSCSPAN2 Television Archive Television Archive News Search Service
Uploaded by TV Archive on