*** TRANSCRIPTION COMPANY BOUNDARY ***
Richard Clarke: On The Growing 'Cyber War' Threat
TERRY GROSS, host:
This is FRESH AIR. I'm Terry Gross.
Richard Clarke warned about the threat of al-Qaida before September 11th. Now
he's warning about cyber-war in his new book, "Cyber War." He writes that
cyber-war has already begun. Nations are already preparing the battlefield,
hacking into each other's networks and infrastructures, adding a dangerous new
dimension of instability.
Clarke served as national coordinator for counterterrorism in the Clinton and
George W. Bush administrations and became the special advisor to President Bush
on cyber-security and cyber-terrorism. He resigned from the Bush and in 2003
and went on to write a memoir critical of the Bush administration, called
"Against All Enemies." Clarke now heads a security consulting company.
In recognition of the reality of cyber-war, the Defense Department has created
a Cyber Command operation. President Obama's nominee to head the command,
Lieutenant General Keith Alexander, said last Thursday that computer networks
essential to the Pentagon and military are attacked by individual hackers,
criminal groups and nations hundreds of thousands of times every day.
Richard Clarke, welcome back to FRESH AIR. So I guess you weren't surprised by
General Alexander's comments that defense computer networks are attacked
thousands of times every day. What are those daily attacks like?
Mr. RICHARD CLARK (Author, "Cyber War: The Next Threat to National Security and
What to Do About It"): Well, Terry, it's good to be back with you. The word
attack is used all too easily, I think, and when Alexander says the Pentagon is
attacked thousands of times a day, we may get the wrong image.
What's actually happening is that thousands of times a day, computer programs
around the world are sending off little pings to see if there's a chink in the
armor somewhere, if there's a hole that they can get through. That really
probably isn't an attack in the way you and I might think about it, but a
probe, a little test.
We don't know how many times the test succeeds every day, but we do know tests
do succeed, because the Pentagon admits it. and they admit that, for example,
the secretary of defense's own personal computer was successfully penetrated.
GROSS: What's the worst attack the military or the Defense Department has had
that you can actually speak about publicly because it wouldn't surprise me if
there were attacks that the Pentagon doesn't want anyone to know about?
Mr. CLARKE: Well, one of the worst ones that they admit is that somehow, from a
thumb drive - those little USB things that you carry around from computer to
computer - somehow from a thumb drive, a virus, a worm, got into the classified
network - which is supposed to be a closed-loop network of CENTCOM - and
attacked, compromised thousands of computers of our war fighters in Iraq and
Afghanistan, and probably exfiltrated large amounts of information to someplace
in the Internet.
GROSS: And when was this?
Mr. CLARKE: This was last December, a year ago December, 2008. We also know
that the secret plans for our new fighter plane, the F-35, an airplane that
hasn't even flown yet, have been stolen by hackers.
GROSS: What's the worst military or Defense Department attack that you were in
the White House during?
Mr. CLARKE: Well, there were several. There was one in the 1990s, when we were
getting ready to do something to Iraq - not to go to war, but to threaten them
and to try to push them into complying with U.N. resolutions. And so Bill
Clinton ordered lots of fighter planes and whatnot move to Iraq. And as they
began to move to Iraq, all of the Air Force bases involved, all of the
logistics bases involved, had their computers taken over by someone.
And we originally thought at the time it was Iraq that knew this was coming,
and they were trying to stop or slow down our buildup. We then discovered that
it was three teenagers, one in Tel Aviv and two in San Francisco.
(Soundbite of laughter)
GROSS: So you write in your book that a cyber-attack can be almost as
devastating as weapons of mass destruction in its ability to cripple the
country. Fortunately, nothing like that has happened yet. You've mentioned some
cyber-attacks, but they haven't crippled the country. Give us a scenario in
which a cyber-attack can actually cripple the country and be the equivalent of
Mr. CLARKE: Well, I think - I will in a sec, but before I do, I should point
out that weapons of mass destruction that most people are real â nuclear
weapons â people worry about them. They've never crippled the country, either.
So suspend disbelief when I talk about a cyber-war doing it because, after all,
you believe in nuclear war, and nuclear war hasn't done it.
What could cyber-war do? It could derail trains all over the country. It could
blow up pipelines. It could cause blackouts and damage electrical power grids
so that the blackouts would go on for a long time. It could wipe out or confuse
financial records so that we would not know who owned what, and the financial
system would be badly damaged.
It could do things like disrupt traffic in urban areas by knocking out traffic
control computers. It could, in nefarious ways, do things like wipe out medical
GROSS: Now, you warned the Bush administration about the threat from al-Qaida
in the early days of the Bush administration, and you were kind of shoved
aside, and then al-Qaida attacked. So I take your warnings very seriously.
(Soundbite of laughter)
GROSS: So you're warning about the threat of cyber-war. Do you feel like people
are listening? I mean, is the Pentagon very alert to this already, and are you
just explaining to us? Or do you feel again that you are in the position of
shouting: Look, guys. You have to worry about this.
Mr. CLARKE: A little bit of both. The Pentagon is all over this. The Pentagon
has create a four-star-general command called Cyber Command, which is a
military organization with thousands of people in it to go to war using these
And also, Cyber Command's job is to defend the Pentagon. Now, who's defending
us? Who's defending those pipelines and those railroads and the banks? The
Obama administration's answer pretty much is you're on your own. The Cyber
Command will defend our military. The Homeland Security Department will someday
have the capability to defend the rest of the civilian government. It doesn't
today. But everybody else will have to do their own defense. That is a formula
that will not work in the face of sophisticated threats.
GROSS: Well, when you're saying everybody else is on their own, does that
include the electricity grid, the power grid, banking?
Mr. CLARKE: Yes. What the Obama administration is saying and what the Bush
people said before that is the private sector doesn't want the government
defending it. The private sector doesn't want the government telling it what to
do. And therefore, we will have sort of vague guidelines that suggest what the
electric power grid should do, but we won't really go out and do anything.
And if an attack happens, the government has no ability to stand up and do
anything about saving the power grid.
GROSS: Why not?
Mr. CLARKE: Because of this philosophy that the government shouldn't be
defending the private sector, and a belief that the private sector doesn't want
to be defended by the government. Now, I think that...
GROSS: Now, the way â go ahead.
Mr. CLARKE: I think that believe is wrong. I think that when I talk to CEOs I
the private sector, they say: Heck, this is why I pay my taxes. No one would
have said, in World War II, to U.S. Steel, you know, you've got some big steel
factories in Pittsburgh. If the Nazi bombers come over, you'd better have some
of your own guns to shoot them down.
GROSS: Now, if I read your book correctly, one of your concerns is that my
computer is attached to the same network that the whole banking system and the
power grid is attached to.
Mr. CLARKE: Well, there's only one Internet, and lots of things that people
don't realize are connected to the Internet turn out to be connected, like the
controls for the electric power grid.
GROSS: So how does that leave, like, the electric power grid and the banking
system more vulnerable, and what are the alternatives? Like, if you were
proposing an alternative way for the government to help protect the power grid
and the banking system and other things that are fundamental to the functioning
of society, what kind of intervention would the government be doing?
Mr. CLARKE: Well, one is a day-to-day intervention, where the government says
and enforces rules. It could say, for example, there really can be no
connection between the Internet and the power grid controls.
Now, power companies today will tell you there's no connection, but every time
the government has tested or private companies have tested, they've found a way
to get very quickly from the Internet to the controls and take over the
controls. So one government intervention would be to be serious about
Regulation's a dirty word in Washington, but how can anyone object to a
regulation that says the electric power grid should be disconnected from the
You could also say to the phone companies and the Internet service providers:
You have to stop these attacks from happening, because they're coming over your
wires and your fiber. They could be looking not at the content of your email or
your Web searches, but at the digital picture of them, the digital format of
them, and they could be spotting attacks - at least attacks whose signatures we
already know. They could be spotting them and stopping them, but they're not.
GROSS: My guest is Richard Clarke, who was counterterrorism czar under
Presidents Clinton and George W. Bush, and served as Bush's special advisor on
cyber-security. Clarke's new book is called "Cyber War." We'll talk more after
a break. This is FRESH AIR.
(Soundbite of music)
GROSS: If you're just joining us, my guest is Richard Clarke. He's former
counter-terrorism czar. He was the first White House advisor for cyber-
security. His new book is called "Cyber War: The Next Threat to National
Security and What to Do About It."
You make several points about the new problems that are posed by cyber-wars.
You say cyber-war happens at the speed of light. It skips the battlefield, and
you often can't tell for sure who did it. When you say it skips the
battlefield, what do you mean?
Mr. CLARKE: Well, the Chinese are interesting. The Chinese looked at the first
Gulf War in 1991 and said: My heavens, the Americans have a huge technological
advantage over us. Even though we have many, many more troops, we would
probably lose to them if we ever had a war. What do we do? Do we try to build
12 aircraft carriers, the way the Americans have?
And they came to the conclusion, publicly, that no, what they should try to do
is find a way of using technology to do a form of jujitsu and go after the
American heartland. So rather than fight the 12 aircraft carriers that might
someday be off the Chinese coast, they decided, have a capability to reach back
into the U.S. and destroy the essential functioning of the U.S. through cyber-
GROSS: And to what extent has China actually practiced cyber-attack against the
Mr. CLARKE: Well, there are reports in reliable places like the Wall Street
Journal that China has placed so-called logic bombs inside the American power
grid so that in case there ever were a period of tension between the United
States and China, they could, without attribution, without saying it was them,
begin to turn off electric power systems and damage electric power systems.
And if China has done that to our power grid, we have probably done it to
theirs. Now, what that means is that without anybody knowing it, except a few
people in the military, we and other countries have probably started preparing
the battlefield by lacing each other's networks with logic bombs. We have
software already hiding, that all we have to do is activate, and that software
will go out and do appropriate things to destroy or damage the network.
GROSS: Okay. Now, if you compare this to nuclear capability and the nuclear
standoff, a lot of people say that, you know, deterrence, mutually assured
destruction helped prevent nuclear war between the U.S. and the Soviet Union.
So say China has these logic bombs in our defense computers, and we have logic
bombs in their computers, does that mean that it will have a deterrent effect?
Or is kind of a game of chicken who, you know...
Mr. CLARKE: There are lots of parallels between the development of nuclear
strategy in the 1960s and the strategy for cyber-war that one could develop now
- I don't think one has been developed, and one of the things we say is we'd
like a strategy to be developed and publicly discussed â that the key part of
nuclear strategy was, as you say, deterrence. Don't blow me up because even if
you do that, I will be able to blow you up.
That doesn't work in cyberspace. All too often, we don't know who's attacking -
the attribution problem, as it's called. You can say I'm China, and I'm
attacking, and it may be somebody else. You can spoof who is doing the attack.
And because there hasn't been, yet, a big, destructive cyber-war, we don't
really believe what the effects will be. With nuclear war, we had had two
cities destroyed, Hiroshima and Nagasaki. There were 2,200 nuclear bombs that
had been exploded in the atmosphere over the course of many years by the United
States, Russia, China and other countries.
So the â there was credibility behind the use of the weapon. For deterrents to
work in cyberspace, we'd have to know who had weapons and how powerful they
would be and how successful they would be, and when the attack came, we'd have
to know with good certainty who it was that was attacking, and none of that
GROSS: And so if you're attacked, you don't know what to do. If you attack the
country you think it is, and it's the wrong country, that would be very bad.
And if you do nothing, that, too, is very bad.
Mr. CLARKE: And it all happens in seconds. It all happens so quickly that for
political authorities, for national leaders to really gain control of this,
would be hard. I think once a cyber-war starts, it could be a spasm war that,
in a few minutes, decisions are made, signals are sent and destruction occurs,
and we may have gotten it very, very wrong.
GROSS: Now, getting back to your point about how cyber-war can skip the
battlefield, you can attack through cyber-war without an elaborate military,
you said that North Korea is a real power in terms of cyber-war. What are their
Mr. CLARKE: Well, they're a real power because they don't have certain kinds of
capabilities. This is very counterintuitive. I think the way you determine how
powerful a nation is in cyber-war is to add up how good it is in offense and
how good it is in defense and get a sum total.
So the United States is very good at offense and very bad at defense, because
we really can't defend anything beyond the military. So our score is kind of
If you look at the North Korea, there's some good intelligence information that
they have a fairly decent - not world-class, but fairly decent offensive
capability. And they do it from outside North Korea. They attack from South
Korea. They attack from China. And in terms of a defensive capability, they're
about the best, because there are only a few lines leading into North Korea,
and very few things in North Korea are controlled by computer networks.
So in terms of a pure cyber-war against one country and the cyber-war back,
North Korea can do some damage to us, and we can do almost no damage to them.
GROSS: What do you think the odds are that they would actually launch a cyber-
Mr. CLARKE: Well, with North Korea, I think it's actually pretty high. Because
when you say: Why would China hurt the U.S. banking system? They're invested in
it. There's a lot of truth to that. Nations have an investment in the
international system and the international stability it creates. North Korea
doesn't. North Korea could very well pull the temple down around it at some
And on July 4th, 2009, they appear to have conducted an experiment: launching
attacks from China and from South Korea against the United States and against
South Korea, clogging up the pipes, the largest attack in terms of number of
digits and volume that has ever been seen on the Internet.
And it had an effect on some sites in Washington. It appears to have been an
experiment to see how much they could generate and how much of the pipes would
be blocked if they did it.
GROSS: What did it temporarily disable?
Mr. CLARKE: I think it was less of an attack designed to actually get in and
destroy things than it was an attack designed to scale, to see how many
computers it took to clog pipes.
This is called distributed-denial-of-service attack - distributed denial of
service, DDOS. And what that means is you get thousands of computers - maybe
even yours and mine - without our knowing it. And you get into these computers,
and you cause these computers to set off little pings along a certain path on
the Internet every second, jamming the Internet so that, in effect, the
Internet stops working.
GROSS: And weren't there, like, companies that were temporarily disabled by
Mr. CLARKE: There were. But for the most part, all a distributed-denial-of-
service attack can do is prevent Internet traffic from moving. It doesn't get
in behind your system and into your internal documents and destroy them. So
there was very little destruction done. It was just that the Internet itself,
the ability to use communications along certain paths of the Internet, ceased
GROSS: So in other words, whoever was behind this attack - probably North Korea
- they found the key into the system, and that's what they were trying to do,
see if (unintelligible)...
Mr. CLARKE: They were trying to see: How loud do I need to make the music on my
stereo before the neighbors complain?
GROSS: What do you think they learned from this experimental attack?
Mr. CLARKE: One thing they learned is that it is easy, at a certain volume, to
pretty much stop traffic between South Korea and the United States. If you were
planning a war, a traditional war, that might be helpful to you because in the
United States, we'll need to coordinate closely the movement of troops and
logistics and whatnot to South Korea if North Korea ever did a conventional
GROSS: What do you think the United States learned from the attack?
Mr. CLARKE: I think the United States learned that South Korea had a â North
Korea had a capability. We had traditionally looked at North Korea and said
there are only a couple of fiber-optic lines leading in and out. There's not
much they can do. And it hadn't really occurred to us that their offensive
cyber-war units were outside of their country.
GROSS: Now what do you mean when you say that?
Mr. CLARKE: Well, we know when we look at that July 4th attack in 2009 that it
began in various places in China and various places in South Korea. And we now
know that the North Koreans had moved cyber experts from their military,
including their equipment, into whole floors of hotels in China and pretty much
set up shop as a cyber-warfare unit in hotels in Chinese cities.
GROSS: With the Chinese permission?
Mr. CLARKE: You'd have to think so, wouldn't you?
GROSS: And why would the Chinese give them permission?
Mr. CLARKE: Well, that's a very good question. It could be that the Chinese
were watching very closely because they wanted to see what the results were.
They wanted to see what North Korea could do, and they wanted to see what the
effect would be on the United States.
GROSS: My guest is Richard Clarke. His new book is called "Cyber War." He'll be
back in the second half of the show. Clarke was counter-terrorism czar under
Presidents Clinton and George W. Bush.
I'm Terry Gross, and this is FRESH AIR.
(Soundbite of music)
TERRY GROSS, host:
This is FRESH AIR. Iâm Terry Gross back with Richard Clarke, who's written a
new book called "Cyber War." It's not only about the threat of cyber war; it's
about the attacks that have already been launched against the U.S. and other
countries. Clarke was the national coordinator for counter-terrorism in the
Clinton and George W. Bush administrations and was special adviser to President
Bush on cyber security and cyber terrorism.
You say that the United States has a very good offensive cyber war system, not
so good at defense. Let's talk about the United States offensive ability in
cyber war. What's the closest weâve come to actually launching a cyber attack
against another country?
Mr. CLARKE: Well again, this depends on how you define it. But when we began
the second Gulf War, we got into the Iraqi military's closed loop secret
private Internet and all Iraqi military officers received an email that began:
Good morning. This is the United States Central Command. We are about to invade
your country. Please step away from the tank. Please go home. Put your troops
on leave. And that actually had an effect. A lot of the Iraqi military did line
up their tanks in the desert, as requested, and put on civilian clothes and go
GROSS: And you say that right before the invasion, the Bush administration
considered freezing assets in the Iraqi banking system to prevent Saddam
Hussein from having any access to money for the military, for anything. Why did
the Bush administration consider doing that? Why did they decide against it?
Mr. CLARKE: There was a fear, Terry, that, you know, if the war started, Saddam
would flee and take his money with him. Or at the very least, he would transfer
his money out of the country and transfer it to places that we wouldnât know
where it was. And so there was a proposal made, before the war started, to go
in a seize control of the Iraqi financial network and transfer it to places
where we had control of it, or just bring it down altogether.
And the plan was a good plan. The plan was one that could have been done rather
quickly, and President Bush decided not to do it because he didnât want to do a
precedent. That if we started destroying international banking systems, other
people might too.
GROSS: And wasnât there a fear, too, that there would be global financial
Mr. CLARKE: It was a fear that we might make a mistake, that we might have sort
of collateral damage. We thought we were only destroying one bank, but that
bank was linked to another bank and then so on.
GROSS: Did you have any input into that decision? I can't remember if you were
still with the Bush administration then.
Mr. CLARKE: So I'm still covered by secrecy rules over things that I was
Mr. CLARKE: And can only say those things which I have been cleared to say.
GROSS: Right. So you were in the Bush administration then?
Mr. CLARKE: Yes.
GROSS: Yeah. Now another thing that you say that the U.S. considered was some
kind of cyber attack during the first Gulf War. What was the military
considering and why didnât they do it?
Mr. CLARKE: Well, this was 1990 and it was very early days. A proposal was made
to fly a team of commandos into Iraq and attack a small outpost on the Air
Defense Network. Get inside and get into the computers at that outpost, which
were connected to the entire network of Air Defense computers throughout the
And General Schwarzkopf decided not to authorize that because he didnât believe
it would work. He thought if you want to destroy the Air Defense Network, blow
it up and that was reliable. That was something he understood. He didnât
understand this concept of cyber war.
GROSS: So does that illustrate to you, a disconnect between our cyber capacity
back then and the ability of the military leadership to comprehend it?
Mr. CLARKE: Back then - not anymore. That was 20 years ago, and I think
American military commanders now have totally integrated the idea of cyber
attack into all of their plans. This new cyber command with the four-star
general is supporting all the other commands around the world and I think if we
went to war with Iran, for example today, that cyber would be a big part of the
GROSS: Is there a fear that, like, if we're the first country to actually
launch a really big and effective, crippling cyber attack that it will set a
Mr. CLARKE: There is. There very much is that fear. On the other hand, a
commander in the future, an American president in the future will probably be
told, Mr. President, if you donât do this 3,000 Americans may die trying to do
the exact same them in the more traditional kinetic way of doing it. Under
those circumstances I think a president is going to probably say, fine. Let's
GROSS: You write about a cyber attack that really surprised me, because it
involves a story weâve discussed on FRESH AIR and I didnât understand how cyber
attack had played into it. And I'm thinking of the Israeli attack on a Syrian
nuclear facility. And it was a very, very secretive attack. I mean there was
some bombing. There was evidence that there was bombing. Neither Israel nor
Syria talked about it initially; it was so secretive and you write about this
cyber component of the attack. What was that like?
Mr. CLARKE: So we're talking about a place in the desert on the Euphrates
River, 75 miles into Syria south of the Turkish border. And there's some big
thing being built there in the dark. There are no lights. There's none of the
usual security around it. It's a very low observable thing going on. And then
one night, all hell breaks loose and there are flares and there are explosions
and everyone wakes up in the morning and this huge facility that was being
built has been reduced to rubble. And no one talks about it. Nothing happened.
Months go by. Eventually the story comes out and CIA does the unusual thing.
The CIA issues a video - a video about what happened. Itâs amazing. A public
CIA video. And what it says is that this thing that was being built was being
built by North Koreans with the cooperation of the Syrian government who was
inside Syria, and it was an exact replica of a nuclear reactor that had been
already built in North Korea - a nuclear reactive that was designed to make
nuclear materials for nuclear bombs.
And the Israeli government eventually admits that F-15s and F-16s from Israel
had flown secretly through Turkey, come up from behind and destroyed this
facility. Now, F-15s and F-16s are big old planes. They were designed in the
1970s. They're not stealthy. They're the exact opposite of stealthy. And Syria
has huge amounts of radar systems and anti-aircraft missile defense systems
that should have seen this attack coming.
And, you know, when the Syrians went back and looked at their radar, they saw
nothing. They saw nothing at the time. They saw nothing after the fact when
they went back and looked, and their radar should've been lit up like a
Christmas tree. What happened was that the Israelis had used cyber war as part
of a traditional attack. They had taken control of the Syrian air defense
system and made all the radars look like there was nothing in the sky, even
though the sky was filled with Israeli fighter bombers.
GROSS: That's just kind of amazing to me. And part of what's amazing too, is
that the radars says nothing but there are the planes. And didnât nobody notice
the planes or was it too late by then?
Mr. CLARKE: By the time people realized it was an attack, they realized it
because they were seeing and hearing explosions and they were trying to get on
the phone and call to air defense headquarters and say we're under attack. By
the time anyone realized that, the Israelis were back outside of Syrian
GROSS: Has the United States ever tried anything like that?
Mr. CLARKE: There's good reason to believe that the Israelis used a system very
similar to one developed by the United States.
GROSS: So you think we have that potential.
Mr. CLARKE: Oh, yes.
GROSS: My guest is Richard Clarke who was counterterrorism czar under
Presidents Clinton and George W. Bush and served as Bush's special adviser on
cyber security. Clarke's new book is called "Cyber War."
We'll talk more after a break.
This is FRESH AIR.
(Soundbite of music)
GROSS: If youâre just joining us, my guest is Richard Clarke and his new book
is called "Cyber War: The Next Threat to National Security and What to Do About
You write about flaws in the software and hardware of our computers, that can
leave them very vulnerable. And one of the things you write about is how the
hardware and software parts of typical computers in the United States are from
a supply chain that can include about 400 different countries and several
different continents. Why? Why is the supply and chain so vast?
Mr. CLARKE: Well, the world economic system works very efficiently now, so that
we find the place where the least cost is incurred to build software or write
software or compile software. And similarly, with the pieces - the hardware
pieces, the firmware pieces of a computer, and that's why you can get a Dell
computer so cheaply because it's made all over the world wherever it is the
cheapest to do it.
GROSS: Okay. Now well, why is this big supply chain, the fact that components
of your computer are made in so many different countries, why is that a
Mr. CLARKE: Well, the Bush administration, when it did its review in 2008,
identified this as one of the top 12 concerns about cyber security, that it is
so easy to slip in some software or just slip in some hardware that no one will
ever detect; and that software or that hardware could be then, the back door
that someone can use to get control of your computer.
GROSS: And so somebody could do that maliciously, with the idea of cyber war,
somebody could just be a hacker or somebody could be just doing it for a prank?
Mr. CLARKE: Yeah, all the above. Someone could be doing it as a criminal
activity. So they could go out into the black parts of the Internet and say
hey, do you want access to Terry Gross's computer? I know how you can do that.
More typically they'd say hey, I have access to 500,000 Dell computers made
between this point and that point because somehow I was working at Dell or I
hacked my way into Dell and I slipped in a trapdoor that's on all of those
computers. And I donât mean to pick on Dell. This would be anybody.
GROSS: Is there any evidence that that's actually happened?
Mr. CLARKE: Yes. There's a lot of evidence that that's happened. And it's not
just people working in the factories; it's in fact, governments. And this
doesnât mean that if you buy something that was made in China, as my Mac Pro
laptop was, that necessarily the Chinese government put the trapdoor in. It may
be some other government did it. Just because it was made in China doesnât mean
the Chinese government did it. But governments and criminal cartels are
constantly trying to find ways of putting trapdoors in software and hardware,
at the factory and even after you get the machine home.
GROSS: Why would they want to do that in personal laptops, in personal
computers, as opposed to say Pentagon computers?
Mr. CLARKE: Well, it turns out that millions of personal computers have been
compromised so that let's say you go to a Web page, while youâre on that Web
page that Web page is secretly downloading a trapdoor into your computer. Now,
that Web page may be your church, it may be your synagogue. It may be a really
nice organization and they donât know that their Web page has been compromised
in doing it. But they also donât have a lot of money to worry about cyber
security, so your church or synagogue or whatever organization hasnât looked
for this possibility, doesnât have good cyber defenses. You go there. It
downloads a trapdoor into your computer.
Then your computer phones home to whoever has done this and says whenever you
need me I'm on the network, and then you can make a million of these computers
do something simultaneously. You won't even notice it happening to your
computer. Maybe your computer will be running a little slowly that day. Maybe
your bandwidth won't look like it's normal. But while youâre doing your emails,
you computer could be sending out a denial of service attacks as part of a
million other computers all trying to knock off a bank in Estonia.
GROSS: So your computer can become drafted into a cyber attack that you donât
even know youâre participating in.
Mr. CLARKE: Happens everyday and these computers that are drafted are called
zombies and the things that they're drafted into are called botnets - robotic
networks - and it happens everyday.
GROSS: Now, another concern you express in your book is that the prevalence of
Microsoft computers can unintentionally make us more vulnerable. What's your
Mr. CLARKE: Well, it used to be that the Defense Department had very high-end
sophisticated computers that only they had, computers that were designed for
the Pentagon and built and sold only to the Pentagon. And then along came the
revolution of something called commercial off-the-shelf technology. People
saying why pay 10 times as much for a purpose built Defense Department computer
when you can buy a cheap computer like a Dell, and you can buy cheap software
like Microsoft, and it'll work just as well. And it was a huge cost-saver. And
by now, that has happened throughout the U.S. Defense Department. So you have
big billion dollar cruisers in the U.S. Navy running, essentially, the same
sort of Microsoft Windows program that you have at home.
The problem is that Microsoft never said it was building a highly secure
software program that lives could depend on. And in fact, what they were
building, was the quickest cheapest dirtiest thing that they could do. And they
made a lot of money on it, and for most applications it's great. But for highly
secure things, like running bank networks or military systems, it probably
wasnât a good idea. And we have seen, over the course of the last decade, a
huge amount of penetrations of Microsoft software because it was not written as
a highly reliable highly secure program.
GROSS: You also write that Microsoft has actually shared more information with
the Chinese government than with U.S. government.
Mr. CLARKE: No, more information with the Chinese government than with U.S.
banks and other institutions.
GROSS: Oh, I see.
Mr. CLARKE: What happened was that China went to Microsoft and said we're
afraid that the U.S. government may have put some secret trapdoor in Microsoft
products and therefore, we want to see all of the secret lines of code behind
the Microsoft products, or effectively, we'll throw you out of the Chinese
market. And Microsoft blinked and said, fine. Open the kimono. Here's
everything. Please let us stay in your market. When American banks, as an
association of big banks, went to Microsoft and said the same thing, they were
GROSS: Now obviously, youâve advised the United States government, both the
White House. You advise the Obama campaign. You advise businesses. What advice
do you have for individuals like me and everybody whoâs listening now, who are
just like using their computers at work and at home? They're not working for
the Pentagon. They're not inside the financial industry, but they donât want to
become zombies. They donât want to be used for botnets and attacks and they
donât want to be attacked.
Mr. CLARKE: Well, I think the average user can't do much except protect
themselves. And that means things like if youâre going to buy things online,
have a credit card for that purpose with a low credit limit, so that if your
card is compromised there's a limit as to how much money goes out the door.
Donât do banking online or stock broke work online and have a lot of money at
risk, unless your stock company gives you something more than just a password
to get in. In other words, a two-step method of proving your identity. And for
high-end users, some stock companies will give you that second access method so
that it won't just be a name and password.
GROSS: Have you spent a lot of time talking with the people who work the dark
side of the computer, the cyber underworld who are - the people who are very,
very knowledgeable and use their knowledge in malicious ways?
Mr. CLARKE: I talk to them. I think they're people who use their knowledge in
malicious ways. They say they're not. Every indication is that they are. No one
wants to admit to having committed a felony, so that it's all about my friend
can do this and my colleague can do that, or I know a guy. But yes, I talk to a
lot of people who are clearly aware of what's going on on the dark side of the
Internet. I then run that information by intelligence agencies and law
enforcement agencies to double check it, and there's a fairly good consensus
about what's going on out there.
GROSS: Which is?
Mr. CLARKE: Huge amount of criminal activity. Very sophisticated criminal
cartels and gangs. We're not talking about one or two people operating at a
time. Billions of dollars going on in illicit activity through identify theft
and through industrial espionage. One company will say gee, I'd really liked to
know about my competitor and that information will get to them.
GROSS: And are there instances of these cyber criminals working with
governments, partnering together to attack?
Mr. CLARKE: There's a lot of evidence that these very sophisticated cyber gangs
in Russia and in China exist because the government lets them. And it's a bit
like the scene in the "The Godfather" where Marlon Brando says, some day I will
come to you and ask you for a special favor. That's what goes on. The Russian
government says, fine, you do that. Donât rob anybody here in Russia. Go play.
Attack the United States. Whatever you want to do. We'll protect you. But some
day when we're attacking Georgia, when we're attacking Estonia, we'll need you
to do it so that we, the Russian government, have some deniability.
GROSS: My guest is Richard Clarke who was counter-terrorism czar under
Presidents Clinton and George W. Bush, and served as Bush's special adviser on
cyber security. Clarke's new book is called "Cyber War."
We'll talk more after a break.
This is FRESH AIR.
(Soundbite of music)
GROSS: My guest is Richard Clarke and he was a counter-terrorism adviser to
Presidents Clinton and Bush and was the first cyber security adviser to a
president - that was President George W. Bush.
You point out in your book, that so far, terrorists have used the Internet as a
way to mobilize, raise money, communicate. But terrorists have not used the
Internet to disable other country's computer systems. Are you concerned that
terrorists will soon have the capacity to do that and may use that?
Mr. CLARKE: Now Terry, I'm very concerned with the use of the phrase by a lot
of commentators, cyber terrorism. People talk about me as a cyber terrorism
expert. I donât think there has been the phenomenon of cyber terrorism. I think
there's cyber activity and I think there's terrorism, and so far the overlap of
the two has consisted in almost entirely of terrorist organizations, like Hamas
and Hezbollah and al-Qaida, using the Internet the way you use it - to have a
webpage, to communicate with followers, to raise money.
That's what they do on the Internet. That's what NPR does on the Internet. It's
just no case that I know of where a terrorist organization, or somebody hired
by a terrorist organization, has gone online and said, let's blow up the
electric power generator in Haifa. Let's disrupt banking in Tel Aviv. I haven't
GROSS: Do you expect to see it?
Mr. CLARKE: I donât know why it hasnât happened. Certainly, it could happen.
There are lots of people in terrorist organizations who have advanced degrees
in information science. And clearly, there are a lot of hackers out there in
the world for hire. So they could hire them or they could probably use some of
their own people. They haven't. I donât know if they will.
GROSS: Now, this might be a little off topic for you, but today - we're
recording this in the morning - and today is the anniversary of the Oklahoma
City bombing. It's the anniversary of the end of the standoff between the
Branch Davidians and the Bureau of Alcohol, Firearms and Tobacco in Waco,
Texas. And it's also the day - oh, it's the anniversary of the first shots in
the Revolutionary War, and it's also the day that was chosen for a pro-gun,
pro- Second Amendment March in Washington, D.C., and another march in Virginia.
And in the Virginia march, marchers have been encouraged to bring their guns.
Now, these rallies will have played out by the time many people hear our
broadcast today. But, as somebody who's worked a lot in counter-terrorism, what
do you think of a pro-gun march being on the anniversary of the Oklahoma City
Mr. CLARKE: Well Terry, itâs deeply disturbing. But on the one hand, most of us
who own guns - and millions of Americans do - most of us who own guns are
perfectly normal human beings who have those guns for legitimate reasons. But
there is a small percentage of people who own guns that I find very scary. And
they are the ideological remnants of the Ku Klux Klan, the ideological remnants
of the John Birch Society.
Throughout our history, weâve had right wing people who say they donât like the
U.S. government, they want to take down the U.S. government, they think
violence against the U.S. government is okay; and since the election of Barack
Obama these people have grown in volume and I think theyâve grown in number.
And we have to remember, when we worry about al-Qaida and a foreign threats,
that one of the biggest, certainly the second largest and second most
destructive terrorist attack in our history, inside our borders, were done by
these people, American right wing people - extreme right wing, anti-government,
I think the United States has a serious threat today, from those people,
because legitimate public officials are egging them on. And legitimate public
officials who are conservative and who are Republican aren't criticizing them
or aren't criticizing them enough. We need to de-legitimatize these people or
we will have another Oklahoma City.
GROSS: Youâre afraid some politicians are courting their vote instead of de-
Mr. CLARKE: Oh, you could see it during the health care debate and all around
the country in the last year. There are people who are saying well, I don't
support the crazy people, but I support these guys who are just right on the
boarder of the crazy people, of the people who have guns and are making bombs.
We need every politician, every church leader, every synagogue leader, every
Mosque leader in this country, on a regular basis, to be preaching against
violence, and against people who would attack the government.
GROSS: Richard Clarke, itâs always interesting to talk with you and always a
(Soundbite of laughter)
GROSS: ...because there's always some bad news - things to worry about. But
thank you for talking with us. Thank you very much.
Mr. CLARKE: And Terry, itâs always great to be on FRESH AIR.
GROSS: Richard Clarke's new book is called "Cyber War." He was the national
coordinator for counter-terrorism in the Clinton and George W. Bush
You can read a chapter from his new book and see a timeline of major cyber
security attacks since 2007 on our website, freshair.npr.org where you can also
download Podcast of our show.
(Soundbite of music)
GROSS: I'm Terry Gross.
(Soundbite of music)
Transcripts are created on a rush deadline, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of Fresh Air interviews and reviews are the audio recordings of each segment.