The Defense Department declaring that it will only be responsible for protecting its own computer networks and that the private sector must fend for itself would be like telling U.S. Steel in Pittsburgh that an air assault is coming and it must go out and buy its own fighter jets and antiaircraft guns.
So said Richard Clarke, former national coordinator for security and counterterrorism coordinator under three presidents, at an American Bar Association speech.
Neither the Pentagon nor the U.S. government has anything resembling a strategy when it comes to protecting the nation’s computer networks — including their own, said Clarke, who now works for Good Harbor consulting, and has written a book, Cyber War: The Next Threat to National Security and What to Do About It.
As far as the private sector in concerned, “The defenses we have do not work,” he said. Firewalls, anti-virus software don’t work, either: “None of that stuff is stopping the intrusions,” he said.
Cyberespionage against U.S. corporations is so rampant that companies should now assume that most of their trade secrets are long gone and in China, he said.
The difference between cyberspying and cyberwar “is just a few keystrokes,” he said.
In a scenario where the United States entered into conflict with Iran, for example, the government there could massively retaliate against the United States without leaving its borders or calling on its proxies to launch terrorist attacks. It could shut down power grids, derail trains, blow gas lines or mess with the stock market.
He is not a big believer in so-called “air-gapped” computer systems that are supposedly separated from the wider Internet and therefore invulnerable to outside attacks. There have been many successful attacks against these intranets, including, by the military’s own admission, the Pentagon’s SIPRNET.
“Nation states do not go out and attack each other just because they have a new weapon — thankfully,” he said.
Nevertheless, the United States is like a football team with a great offense, but no defensive players, he said.
There are solutions, but they would require federal regulations, he said. When he first looked at cybersecurity issues in the 1990s as a member of the Clinton administration, the thinking was that everything had to be protected.
Now he believes that priority should be placed on certain sectors. Power grids must be secured first and foremost. After that, the half-dozen main Internet service providers should be required to filter traffic going over their networks for malware and other attacks. That could take care of 85 percent of the problem, he asserted.