You are using an outdated browser.
Please upgrade your browser
and improve your visit to our site.

The New Vulnerability

Cyber War: The Next Threat to National Security and What to Do About It

By Richard A. Clarke and Robert K. Knake

(Ecco Press, 290 pp., $25.99)

I.

For several months in late 2009, computer operators in China scoured Google Web pages and networking sites such as Facebook and LinkedIn to gather personal information on high-level Google employees working in China. They used this information to create and send a Google employee (probably a network administrator) an instant message that convincingly appeared to be written by a friend or co-worker. The message contained a link to a computer in Taiwan that the Chinese operators had taken over and loaded with a software “payload” designed to exploit a previously unknown vulnerability in Microsoft’s Internet Explorer. 

When the Google employee clicked on the link, through her Explorer browser, to a fake but credible website on the Taiwan computer, the payload was secretly delivered to and installed on her computer, creating a virtual “trapdoor.” The Chinese operators marched through this trapdoor. They surreptitiously took over the Google employee’s machine. Acting from computers in China but appearing to be a trusted user inside Google’s computer network in Mountain View, California, they gained access to information about the accounts of democratic dissidents in China as well as some of Google’s crown jewels, including its intellectual property, its development plans, and its password system. The same operation that hacked into Google also infiltrated scores of other prominent American information technology and defense firms.

For the past few decades, and with increasing frequency, many thousands of foreign agents like the Google hackers, sitting before computer monitors abroad, have “entered” the United States to steal or to destroy valuable digital assets. They have raided the Pentagon and other government agencies to disrupt their communications and to lift sensitive or classified information. They have attacked American corporations and taken or destroyed untold millions of dollars worth of data or intellectual property. They have contacted CEOs and credibly threatened to destroy their businesses unless the CEOs met the extortionists’ demands. And they have planted malicious software--known ominously as malware--inside government and corporate headquarters, and in critical infrastructure systems such as electrical grids and power plants. Some of this malware allows them to monitor activities in these places; other malware, called “logic bombs,” enables them to trigger a destructive attack years later, if doing so would be useful. 

If this were happening before our eyes--if thousands of foreign agents were physically entering our borders, breaking into brick-and-mortar buildings, and removing or destroying billions of dollars of proprietary information and monetary assets--the government would declare a national emergency. But it is happening largely out of public sight, on computers and computer networks, and so most people are not worried. The press is increasingly filled with scary stories about cyber thefts, cyber attacks, and even cyber war, and Google’s public confrontation with the Chinese raised awareness of the problem. But the cyber menace is still largely invisible to the public, which naturally discounts threats it cannot see, no matter how alarming the headlines.

Yet the threat is not invisible to the government. And the government is alarmed. “This cyber threat is one of the most serious economic and national security challenges we face as a nation,” President Obama declared in May 2009, before pledging that the protection of “our digital infrastructure” was a national security “priority.” In February, Director of National Intelligence Dennis Blair warned that “malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication,” and concluded that America’s digital infrastructure was “severely threatened.” Blair’s predecessor, Michael McConnell, said last year that “a coordinated attack from a remote location by a small group on our electric grid, transportation network, and banking system could create damage as potentially great as a nuclear weapon over time.”

Richard Clarke agrees with these assessments of the cyber threat. He worries in particular that it could lead to a “full-scale cyber war” with the “potential to change the world military balance and thereby fundamentally alter political and economic relations.” Clarke was George W. Bush’s adviser on cyber security and cyber terrorism for two years after a long career as a senior counterterrorism official during many administrations. His book focuses too much on a single aspect of the cyber problem, and sometimes it fails to carry its analysis to its proper conclusion; but it is nonetheless a good introduction to this esoteric but very serious national security problem, and citizens should read it.

Many factors make computer systems vulnerable, but the most fundamental factor is their extraordinary complexity. Most computers connected to the Internet are general-purpose machines designed to perform multiple tasks. The operating-system software that manages these tasks--as well as the computer’s relationship to the user--typically has tens of millions, and sometimes more than one hundred million, lines of operating instructions, or code. It is practically impossible to identify and to analyze all the different ways these lines of code can interact or might fail to operate as expected. And when the operating-system software interfaces with computer processors, various software applications, Web browsers, and the endless and endlessly complex pieces of hardware and software that constitute the computer and telecommunications networks that make up the Internet, the potential for unforeseen mistakes or failures becomes unfathomably large.

The complexity of computer systems often leads to accidental mistakes or failures. We have all suffered computer crashes, and sometimes these crashes cause serious problems. Last year the Internet in Germany and Sweden went down for several hours due to errors in the domain name system that identifies computers on the Internet. In January of this year, a software problem in the Pentagon’s global positioning system network prevented the Air Force from locking onto satellite signals on which they depend for many tasks. The accident on the Washington Metro last summer, which killed nine people and injured dozens, was probably caused by a malfunction in the computer system that controls train movements. Three years ago, six stealth F-22 Raptor jets on their maiden flights were barely able to return to base when their onboard computers crashed.

The same complexity that leads to such malfunctions also creates vulnerabilities that human agents can use to make computer systems operate in unintended ways. Such cyber threats come in two forms. A cyber attack is an act that alters, degrades, or destroys adversary computer systems or the information in or transiting through those systems. Cyber attacks are disruptive activities. Examples include the manipulation of a computer system to take over an electricity grid, or to block military communications, or to scramble or erase banking data. Cyber exploitations, by contrast, involve no disruption, but merely monitoring and related espionage on computer systems, as well as the copying of data that is on those systems. Examples include the theft of credit card information, trade secrets, health records, or weapons software, and the interception of vital business, military, and intelligence communications.

Both cyber attacks and cyber exploitations are very hard to defend against. “The aggressor has to find only one crucial weakness; the defender has to find all of them, and in advance,” wrote Herman Kahn in 1960 in his famous book On Thermonuclear War. This generally true proposition about defense systems has special salience for computer networks. Even if (as is often not the case) those trying to find and patch computer vulnerabilities outnumber those trying to find and exploit the vulnerabilities, the attacker often still has an advantage. Under the Kahn principle, some fraction of the time the attacker will discover a vulnerability that the defender missed. And she need only find one, or a few, vulnerabilities to get in the system and cause trouble.

Once a vulnerability is identified, an attack or exploitation is relatively easy to disguise, because the operation of a computer is almost entirely hidden from the user. Malware can be embedded in a computer system without the user’s knowledge, either remotely (when the user downloads an infected program or when she visits an infected website) or at any point in the multi-country global supply chain that develops and produces most commercial software. And once it is embedded, malware can be used for any number of tasks, including data destruction, theft, taking over the computer for various purposes, recording keystrokes to discover passwords, and much more. Many forms of malware are hard for engineers to find through diagnostic testing and are missed by anti-virus software. Computer users often do not discover malware before an attack makes clear that something has gone wrong. They often never discover malware that facilitates computer exploitations or, as in the Google case, they discover it too late.

The inherent insecurity of computer systems is exacerbated by the number and incentives of actors around the globe who are empowered to take advantage of computer vulnerabilities. In real space, geography serves as a natural barrier to attack, theft, and espionage: only if you get near the Pentagon can you attack it; only if you get near the Citibank branch in New York can you rob it. And if you are near these places in real space, American law enforcement and military authorities can exercise their full powers, within U.S. sovereignty, to check or deter the attack. In cyberspace, geography matters much less because the Internet links computers globally with speed-of-light communication. As the Google case shows, someone sitting at a terminal in China can cause significant harm in the United States. And of course there are countless people around the globe with access to a computer who would like to do bad things inside the United States. To the extent that they are located outside the United States, American law enforcement authorities have much less effective power to stop or to deter them. The FBI must rely on law enforcement authorities in foreign countries who are often slow and uncooperative, giving bad cyber actors time to cover their tracks. And the American military cannot enter a foreign country unless the threat or attack rises to the level of war.

Law enforcement and military authorities seeking to check malicious cyber activity face another fundamental challenge: the “attribution problem” of identifying the author of a cyber attack or cyber exploitation. It is very difficult, and very resource-intensive, and sometimes impossible, to trace with much certainty the computer origin of a professional cyber attack or cyber exploitation; it is even harder to do so in real time or even in the short-term. A thoughtful adversary can hide its tracks by routing attacks or exploitations through anonymizing computers around the globe. Last summer, a denial-of-service attack--a massive spam-like attack that clogs channels of communication--brought down some American and South Korean websites. Early reports said that the attack came from North Korea, but a few weeks later it was learned that the attack originated in Miami (and possibly, before Miami, elsewhere) and was routed through North Korea. We still do not know for sure who launched the attack, or from where.

Even if we can determine with some certainty which computer in the world is behind an attack or exploitation, that fact alone does not indicate who, or even which country, is responsible for the aggression. In 2009, a detailed study by the Information Warfare Monitor uncovered an extensive plot known as “Ghostnet,” which emanated from computers in China and infiltrated more than one thousand sensitive government and commercial computer systems from over one hundred countries. But the report could not determine whether the plot was controlled by the Chinese government, or by private “patriotic hackers” acting in the Chinese interest but without government involvement, or by a criminal network in China. Nor could it rule out the possibility that “a state other than China” was behind the plot, using agents to launch the operation from China in an attempt to “deliberately mislead observers as to the true operator(s) and purpose of the GhostNet system.” Law enforcement and military officials are hobbled not only by geography, then, but also by their inability to know for sure where and by whom a cyber attack or exploitation originated.

Taken together, these factors--our intimate and growing reliance on computer systems, the inherent vulnerability of these systems, the network’s global nature and capacity for nearinstant communication (and thus attack), the territorial limits on police power, the very high threshold for military action abroad, the anonymity that the Internet confers on bad actors, and the difficulty anonymity poses for any response to a cyber attack or cyber exploitation--make it much easier than ever for people outside one country to commit very bad acts against computer systems and all that they support inside another country. On the Internet, states and their agents, criminals and criminal organizations, hackers and terrorists are empowered to impose significant harm on computers anywhere in the world with a very low probability of detection.

II.

Most damaging cyber acts are the equivalent of real-space crimes committed by private actors: identity and data theft, extortion, destruction of property, illegal copying and other intellectual-property crimes, and the like. Computers and computer networks have been employed to facilitate crime since the dawn of the Internet, but for most of this time criminal efforts were ad hoc and disorganized. In the last six or seven years, however, we have witnessed what Tyler Moore, Richard Clayton, and Ross Anderson describe in a recent essay for the Journal of Economic Perspectives as “the rapid growth and industrialization” of online crime.

Today powerful criminal organizations operate in flourishing online black markets to buy and sell information about software vulnerabilities and an endless variety of sophisticated malware weapons that can be used to exploit these vulnerabilities. They infect, gather, and rent huge clusters of compromised zombie computers known as “botnets” that can be used for denial-of-service attacks or “phishing” expeditions (feigned trustworthy messages of the general sort that tricked the Google administrators). They buy and sell criminal services ranging from phishing-for-hire to money laundering. And they trade in stolen goods such as credit card and Social Security numbers and identification and login credentials. According to the computer security firm Symantec, a stolen credit card number fetches between eighty-five cents and thirty dollars on the black market. For twenty bucks you can buy someone’s essential identity information: name, address, birth date, and Social Security number.

President Obama noted last year that cyber criminals stole an estimated $1 trillion in intellectual property from businesses worldwide in 2008. In truth, we lack both the reliable data and the metrics needed to know for certain the amount of losses from online criminal activities. Most security experts believe that the already massive online criminal industry is growing in size, sophistication, and success at a faster rate than companies, individuals, and law enforcement authorities are improving computer defenses. And the losses are surely much greater than have been made public, for most companies that are targets of cyber attacks and cyber exploitations have a powerful incentive not to report their losses, which might lead to stock-price drops, lawsuits, and consumer anger.

Clarke is aware of the scope of cyber crime by individuals and private organizations, but he believes that the most serious cyber threat to the United States lies with states that have cyber weapons far superior to anything possessed by individuals or organizations. Some of those weapons were employed in Russia’s shutdown of Georgian governmental websites during the South Ossetia conflict in 2008; and in Israel’s takedown of Syrian air defenses as a prelude to its military strike on a nuclear facility in the Deir ez-Zor region in 2007; and in the Bush administration’s cyber attacks on cell phones and computers used by insurgents in Iraq.

Clarke says that those skirmishes are “far from indicative of what can be done.” States have “more sophisticated capabilities” that could “devastate a modern nation” by destroying its military and civilian infrastructure, either as part and parcel of a traditional war, or as a prelude to it, or as a substitute for it. Indeed, Clarke declares that in fact cyber war has already begun. “In anticipation of hostilities, nations are already ‘preparing the battlefield’” by “hacking into each other’s networks and infrastructures, laying in trapdoors and logic bombs--now, in peacetime.”

The nation that most worries Clarke is China. He says, basing his judgment on public sources, that the Chinese military is committed to using cyber tools to make up for its military deficiencies against the United States. Its twin strategy is to steal America’s military-technological know-how and, in the event of a military confrontation, to damage the American home front “asymmetrically, through a cyber attack.” Clarke details the many ways that China has, since the 1990s, “systematically done all the things a nation would do if it contemplated having an offensive war capability.” It has stolen many American military and technological secrets, created citizen hacker groups, established cyber-war military units, prepared elaborate cyber defenses, and laced American infrastructure (especially our electrical grids) with logic bombs.

Clarke argues that the technologically highly developed United States has the most to lose from a large-scale cyber confrontation, both in absolute terms and especially compared to China. We are among the nations most dependent on “cyber-controlled systems.” For over a decade, the Pentagon has been networking every element of the American military--from the soldiers, sensors, and (computer-controlled) robots on the ground, in the air, and at sea to commanders around the globe and every relevant node in between--with the aim of dramatically enhancing our knowledge about the enemy and making military decision-making faster and more accurate. Our intelligence services are similarly wired. And our civilian infrastructure sectors--which include banking and finance, energy, health care, telecommunications, and critical manufacturing--are both deeply computer-dependent and deeply reliant upon the Internet.

Clarke is most concerned about the security of the critical infrastructure sectors that are in private hands. He is especially worried about the privately-owned backbone telecommunications networks, over which private communications, and more than 90 percent of American military and intelligence communications, travel. These are the channels through which a cyber attack on the government and the infrastructure of the United States would come. The companies that own these networks are supposed to receive security support from the Department of Homeland Security, but DHS is “the most dysfunctional department in government” and lacks the authority or the capacity to provide real help. By contrast, Clarke notes, the Chinese government completely controls its networks, and has the full power to defend them from attack or disconnect them from the global Internet in the event of a major cyber conflict.

In these and many other ways, Clarke believes that our cyber defenses are woefully down. He proposes a three-part response, which he calls a “Defensive Triad Strategy.” To address “private sector vulnerabilities to cyber war,” as well as the more general problem of malware used for attacks and exploits on private and government systems alike, he would establish a system that scanned every Internet communication transiting the United States for known malware and removed any infected communications for examination and perhaps elimination. Many firms have such “intrusion prevention systems,” as does the federal government in inchoate form. Clarke would have the government pay for what is in effect a vast nationwide intrusionprevention system. But for privacy reasons, he would have private backbone providers--rather than the government-run the system.

Clarke’s second initiative is to better secure the power grid, the defense of which is fundamental to the running of all computer systems. He would remove the grid from the Internet altogether and significantly raise its protections against unauthorized access. And in the third element of his defensive triad, Clarke would implement a series of detailed computer security steps to protect Department of Defense networks, which he says are an especially likely target of cyber attack. “If the Obama Administration and the Congress were to agree to harden the Internet backbone, separate and secure the controls for the power grid, and vigorously pursue security upgrades for Defense IT systems, we could cast doubt in the minds of potential nation-state attackers about how well they would do in launching a large-scale attack against us,” Clarke says. “And even if they did attack, the Defensive Triad could mitigate the effects.”

 III.

There is much to agree with in Clarke’s analysis, including his description of the absorption of cyber weapons into all aspects of military planning, his account of the secret cyber-arms race among nations, and his assessment of America’s cyber-security weaknesses, especially in its privately owned critical infrastructure sectors. But there are problems as well. The first is with his obsessive focus on cyber war. There is little doubt that several nations have significant offensive cyber capacities that could in theory cause enormous destruction. What Clarke never adequately explains is why nations would use these weapons in this way. Yes, China is stockpiling cyber weapons and planning for cyber war. But so, too, is the United States. Capacities and contingency plans, taken alone, do not add up to a serious threat. There must also be a plausible scenario in which a nation has the motivation to use these weapons.

Clarke addresses this issue briefly, in trying to explain why China might destroy American infrastructure by means of a cyber attack even though “China’s dependence on U.S. markets for its manufactured goods and the trillions the country has invested in U.S. treasury bills mean that China would have a lot to lose.” His explanation is weak. He says that the United States and China might be drawn into a war over Taiwan or the oil-rich islands in the South China Sea. Perhaps. But it is hard to imagine that China would wipe out the New York Stock Exchange or the electrical grid of the East Coast unless it were in a total war over those islands--the sort of war that would also involve enormously destructive non-cyber weapons, including even nuclear weapons.

This does not mean we should stop worrying about China’s offensive cyber weapons. Clarke is right that these weapons might (like China’s conventional forces) deter the United States from intervening against China in a Pacific Rim contest. But he should also acknowledge that this deterrent is weakened by China’s dependency on a functioning American economy, which significantly reduces the credibility of its cyber threat. It is also true, as Clarke argues, that the stealth cyber-arms race, the difficulty of knowing for sure which nation is behind a cyber attack, and the absence of norms to govern such attacks combine to create an unstable situation in which destructive cyber activities might escalate by accident. We should indeed worry about cyber war. But Clarke does not justify his central claim that cyber war is in fact the most serious cyber threat, the one we should worry most about and take the most aggressive steps to meet. His error is to focus on the worst-case cyber-war scenario without a hard-nosed assessment of its likelihood, and without comparing its expected harms, given its small likelihood, with the expected total harms from other smaller but more likely cyber threats.

A cyber-attack threat that Clarke appears to understate comes from terrorists, some of whom have powerful motives to destroy our domestic infrastructure and nothing to lose from doing so. For years the government insisted that Al Qaeda and its friends lacked the technological capacity to inflict cyber attacks and had shown no interest in doing so. “Cyber terrorism is largely a red herring,” says Clarke, repeating the old government line. But some have worried that Al Qaeda might purchase cyber capabilities on the black market. And while Clarke’s book was in production, the government changed its tune. In November, the FBI announced that it was investigating individuals affiliated with Al Qaeda “who have recognized and discussed the vulnerabilities of U.S. infrastructure to cyber attack, who have demonstrated an interest in elevating their computer hacking skills, and who are seeking more sophisticated capabilities from outside of their close-knit circles.”

There is a good case to be made that the greatest cyber threats are not cyber-attacks by states or terrorists, but rather cyber espionage and cyber theft. Private cyber criminals are growing in numbers and sophistication, and they are causing enormous economic damage. Presumably the efficiencies of online banking and stock trading (to take two out of thousands of examples) still outweigh the costs of these criminal activities, but the balance of benefits to costs is probably shrinking. Consumer trust in online activities--an essential ingredient for successful e-commerce and more generally for the continued flourishing of the Internet--is certainly shrinking. In contrast to the very uncertain motives that states have to engage in cyber war, untold and growing thousands of cyber criminal miscreants have powerful incentives to steal from American firms, and are doing so daily.

And so, too, are states. “The extent of Chinese government hacking against U.S., European, and Japanese industries and research facilities is without precedent in the history of espionage,” Clarke notes. “The secrets behind everything from pharmaceutical formulae, to bioengineering designs, to nanotechnology, to weapons systems, to everyday industrial products have been taken by the People’s Liberation Army and been given to China, Inc.” Clarke provides no convincing explanation why China would jeopardize this economic bonanza and its economic prosperity more generally by destroying the networks that make this massive wealth transfer possible. Nor does he explain why he thinks the serious damage caused by ongoing public and private cyber espionage and cyber theft should be less feared than the possible evils of a cyber war.

If Clarke overstates the threat of cyber war, he understates the difficulties the United States faces in meeting the cyber threat, attack and exploitation alike. Many of these difficulties result from misaligned incentives. One reason why the private infrastructure sector is so vulnerable is that companies tend to invest in levels of cyber safety that satisfy their profit aims and not in the security levels that serve the larger national interest. Another large cause of insecurity in the network is excessively buggy software. Software manufacturers could improve software security--but because they are not legally responsible for the many harms the software causes, they rush software products to market without taking the time or spending the money to ameliorate these harms. Similarly, individual home and office computer users have little incentive to take time-consuming and costly steps to stop their systems from being infiltrated and exploited as vehicles for botnet attacks on third-party military or corporate computer systems.

The government has understood these and other causes of cyber insecurity for a long time now. But despite years of public worry, it has taken practically no steps to fix them--for example, by imposing liability when buggy software injures, or by requiring Internet service providers to deny Internet access to botnet-entangled or spam-discharging computers. Clarke says that several presidential administrations have had a misplaced fear of regulating information technology firms, but the problem is more complex. Regulating software quality and Internet service providers will raise the costs of computer use and Internet access, perhaps dramatically. These costs would be politically controversial; and some analysts believe that they would stifle innovation and kill economic and productivity gains in ways that would outweigh the costs of plausible cyber attack and exploitation losses.

The problem goes still deeper. Every digital advance brings immediate, concrete, and often large economic and social benefits. It also brings the increased security vulnerabilities of ever-more-complex computer systems and ever-deeper reliance on these systems. But these vulnerabilities and their associated costs are mostly invisible, hard to quantify, and downstream. And so for decades the government has opted for the politically attractive and visible short-term digital gains and largely ignored the less apparent medium- and long-term security costs. This trend continues today. At the same time that the Obama administration is screaming loudly about the cyber threat, it is pushing initiatives for more bandwidth, networked smart grids, computerized health records, and next-generation air traffic control, all of which promise short-term improvements and large new security vulnerabilities.

Another fundamental obstacle to cyber security is our nation’s deep skepticism about extensive government involvement in defending private computer networks. When someone enters the United States physically at the border (by air, sea, or land), or when someone physically enters a government building or a sports stadium, the government has the authority to inspect the visitor to ensure that he or she does not present a threat, and to take steps­--sometimes bold ones--to ensure that a threatening visitor does not do harm. The government asserts similar authority at airport screening stations and driving checkpoints. It also asserts the power to intercept air, sea, and land attacks on critical infrastructure components such as nuclear power or chemical plants.

But these traditional security prerogatives of government do not apply in cyberspace. We have historically treated computer networks as communication and data storage systems protected by constitutional and statutory norms that strongly presume no government monitoring or interference. These same networks are now also targets and channels of public and private espionage and criminal and potentially military attack, but in general the government lacks legal access to, or potential control over, the computers and physical cables and microwave and satellite signals through which malicious attack and exploit payloads travel.

Even Clarke blanches at full government involvement in this context. He says that privately owned infrastructure sectors are our Achilles’ heel, and he complains that the government is not doing enough to protect them. But in response to fears of “Big Brother spying on us,” he would have private firms rather than the government run a nationwide intrusion prevention system in the telecommunication backbone. Such a system is not nearly adequate to address the cyber insecurities in the private network that Clarke identifies, for it would miss altogether “zero-day attacks” based on previously unknown vulnerabilities as well as vulnerabilities or payloads introduced in the software and hardware supply chain.

Beyond that, there is the vexing matter of the privatization of our national security. There is no reason to think that private firms alone have adequate incentives or adequate means to run a proper national intrusion-prevention system. The reasons why the government takes the lead in security against air, land, and sea attacks argue strongly for government involvement in the security of the network, doing real-time traffic analysis, real-time detection, and real-time response, in order to find and to thwart the tiny malicious digital needles hidden inside giant haystacks of billions of innocent communications that each day travel at the speed of light through the United States.

But the prospect of such government activity is a scary thought for many people, one made scarier by the fact that the technically proficient but much-feared National Security Agency wouldinvariably be heavily involved. Yet this is precisely where the logic of Clarke’s security analysis leads. And this seems also to be where the government is headed. The NSA is quietly building a one-million-square-foot cyber-security data center, at a cost of $1.5 billion, at Camp Williams in Utah. The facility’s mission will, according to the NSA, include the gathering of information about cyber threats “in order to better secure the nation’s infrastructure,” and in particular to “learn valuable lessons that will assist the private sector . . . in securing their own networks.” This government jargon suggests that the NSA already has a quiet role in domestic cyber security beyond mere protection of military networks. A major challenge for the government, and one it has not yet figured out how to accomplish, is to give the NSA wider latitude to monitor private networks and respond to the most serious computer threats while at the same time credibly establishing that the agency is not doing awful things with its access to private communications. Such credibility is hard to establish, and so the government will likely hold back until we suffer a catastrophic cyber attack.

IV.

In addition to his domestic policy ideas, and consistent with his focus on cyber war, Clarke also proposes an international cyber-arms control agreement to temper the largest threats posed by the thirty or so nations with offensive cyber-war units. His proposal is simple: a treaty ban on cyber attacks against civilian infrastructure targets but not against military targets; and no ban on cyber exploitation of any sort. This proposal is designed to dovetail with what is best for the United States. The ban on attacking civilian targets is good for us on balance, Clarke says, because we are very dependent on our insecure civilian networks; but the United States should not agree to a ban on cyber exploitation because the NSA is really good at espionage and our national security establishment depends heavily on it.

The obvious problem with such a proposal is that our adversaries’ interests are usually opposed to our own. Clarke tells us that China loves juicy American civilian infrastructure targets, and that China’s own civilian networks are more secure than ours and less depended on by its military. So China would gain little and lose a lot from Clarke’s proposal to ban civilian infrastructure targeting, and would thus have little interest in signing on. Similarly, nations subject to NSA snooping but not good at snooping themselves would not be interested in a carve-out for state-sponsored snooping. Clarke never explains why our adversaries would, to their own detriment, agree to help the United States enhance its relative offensive and defensive cyber postures.

Here and throughout his book, Clarke is blinkered in a way that is unfortunately common in Washington discussions about the international dimensions of the cyber threat. Secretary of State Clinton wore similar blinkers in a muchacclaimed speech on “Internet freedom,” in January, on the heels of the Google episode. Clinton decried cyber attacks on American economic and national security interests, and said that countries that engage in cyber attacks “should face consequences and international condemnation,” and advocated for “norms of behavior among states” that encourage respect for the global networked commons. The problem with Clarke’s and Clinton’s positions lies in two related assumptions: that the United States is a major victim of the cyber threat rather than a part of the problem; and that American cyber activities abroad are legitimate while adversary cyber activities in the United States are not. Neither assumption is sound. Both are significant obstacles to international cooperation.

They are not sound because the United States is widely viewed as--and actually is--a major source of cyber attacks and a major spur to the cyber-arms race. We have among the biggest botnets that are used for cyber attacks around the globe, and we have done practically nothing to clean them up. The American government provides support for “hacktivists” who use digital tools to achieve political ends, such as circumventing content filters in networks in authoritarian states. It views these activities as benign, but the Chinese view them on a par with the Google hack. The United States has what is purportedly the most sophisticated offensive cyber-attack capability. These weapons that are now lodged in “Cyber Command,” the new sub-unified combatant command under the direction of General Keith Alexander, the director of the NSA, which is itself the most powerful cyber snoop in the world. The government has not talked publicly about which aspects of our prodigious public and private offensive cyber activities it might terminate in exchange for reciprocal concessions from our adversaries, and there is no indication that it is seriously interested in the question. Until that happens, American talk of a cyber-arms agreement is empty talk.

Even if the United States did get serious about opposing points of view and possible concessions for a cyber-arms agreement, true international cooperation on cyber security is not very likely. The main reason is that attribution of any attack is slow and uncertain, and thus verification of a cyber-attack ban is hard if not impossible. Unless the attribution problem can be fixed, which few think is possible, it is hard to imagine nations (including the United States) giving up significant offensive capabilities. Clarke offers three ideas to resolve this difficulty. He would make every nation responsible for all cyber attacks on civilian targets that emerge from its borders, even if the attacks are not sponsored by that nation. The idea here is to ameliorate the attribution problem by eliminating the “it wasn’t us, it was private hackers” defense that Russia and China have invoked when criticized for cyber attacks from inside their borders. Clarke would also require the nation from which an attack originates to assist the nation under attack in identifying and holding responsible the bad actors. And finally he would establish an “International Cyber Forensics and Compliance Staff” to monitor and to determine compliance with these norms.


This imaginative solution is not feasible. Clarke says little about what would count as a banned “attack” or as “civilian infrastructure.” Cyber weapons and cyber targets do not come packaged in ready-made categories; definitions would be hard and invariably vague, making verification and enforcement challenging on top of the attribution problem. In addition, international cooperation of the type proposed by Clarke has been worked out to only a small extent in the easier context of cyber crime among some OECD nations, and even there it is not terribly successful or helpful. It is hard to imagine that Clarke’s more sovereignty-intrusive regime among more heterogeneous nations concerning a much harder and broader problem would work. Even if the attribution and verification problems could be overcome, Clarke’s idea for sanctions against non-compliant nations--cutting off certain communication flows from scofflaw states, export controls, and visa denials--is both unrealistic and inadequate. And most difficult of all is Clarke’s requirement that each nation take responsibility for all attacks emanating from its borders, regardless of ultimate origin or author, and assist the nation under attack. Assuming this were possible, it would require just the type of extensive and intrusive governmental activity in the private network that Clarke eschewed when thinking about domestic regulation. China would have a much easier time delivering on this promise than the United States.

Neither the known causes of cyber insecurity nor extensive worries about the cyber threat are new. The wake-up call came in 1988, when Robert Tappan Morris, a graduate student at Cornell, introduced a “worm”--a self-replicating computer program--on the Internet that was designed to determine the Net’s size but that inadvertently shut down about 10 percent of the sixty thousand computers then connected to it. This event startled the Defense Advanced Research Projects Agency, the futuristic Department of Defense research wing. DARPA had developed what became the Internet to ensure that the command-and-control communications of the American military could withstand nuclear attack, but suddenly its young creation seemed vulnerable from within. DARPA immediately funded a Computer Emergency Response Team, which is still located at the Carnegie Mellon Institute, to coordinate and respond to Internetrelated computer security concerns.
It also asked the National Research Council to study “the security and trustworthiness” of American computing and communications systems. “We are at risk,” began the subsequent NRC report, which was released in 1991. In terms remarkably similar to Clarke’s, the report noted that America increasingly “depends on computers [for] power delivery, communications, aviation, and financial services,” described these systems as “vulnerable ... to deliberate attack,” and declared that only luck had prevented their subversion. “The modern thief can steal more with a computer than with a gun,” it said, adding that “tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.” The report warned that the instability of the international system, and the rapid rise in both reliance on computer systems and the sophistication of computer attacks, meant that the United States was on the cusp of a cyber-security crisis. Cyber threats, it concluded, “are changing qualitatively; they are more likely to be catastrophic in impact.”

The NRC report makes for sober reading today. Its basic analysis of computer-system vulnerabilities would be repeated with slight elaborations over the next two decades in a dozen subsequent NRC reports and a half-dozen high-level executive branch studies. So, too, would its warnings, which are nearly identical to contemporary cries about the cyber threat. Yet no catastrophic cyber event has occurred in the intervening twenty years, despite deeper and deeper integration of computer systems and significantly greater reliance on them in all sectors of society. This has led some to think that the cyber menace is exaggerated. But experts such as Richard Clarke continue to insist that we are on the cusp of a national security crisis related to our dependence on computer systems. “Sometimes the boy who cries wolf can see the wolf coming from a lot further than everyone else,” says the man who before September 11 raised hell inside the government, to little avail, about the looming terror threat to the homeland. Let us hope that the wolf is still far away.

Jack Goldsmith teaches at Harvard Law School and is a visiting fellow at the Hoover Institution at Stanford University. He is co-author of Who Controls the Internet?: Illusions of a Borderless World (Oxford University Press).

For more TNR, become a fan on Facebook and follow us on Twitter.