If the first war was fought with sticks and stones, the next one likely will be fought with data. Cyber threats both big and small are increasing around the world, and they come with serious implications for governments and businesses that struggle to stay a step ahead of digital criminals.
Cyberspace has become what the Pentagon calls the fifth domain, and a new book by Richard A. Clarke and Robert K. Knake looks at how to protect it. Clarke spent 30 years working in the U.S. government, including as a White House counterterrorism coordinator under Presidents Bill Clinton and George W. Bush. He was the first White House official to be in charge of cybersecurity. Here is part of an interview with him.
Q: With the advent of 5G technology, do the issues surrounding cyber threats become even more ramped up?
A: We have reached a moment where existing technology allows a lot of American corporations to defend themselves successfully. They are the dogs that don’t bark. You hear about the Yahoos, the Targets, the Equifaxes, the Marriotts. But then there’s a long list of companies you don’t hear about, and the reason is they’re being successful. But that’s a moment in time. At this moment in time, there is the technology that you can use to defend yourself. But technology is always moving, and the moment in time is fleeting.
To answer your specific question, we think 5G was rushed to market without adequate concern about security. The problem with 5G is that it empowers the Internet of Things. Many, if not most, of the devices that will be connected on the Internet of Things don’t have security functionality. They were not designed with that in mind. For many of those devices, you can’t retrofit security into them. The chipsets, the firmware, are too small to put in authentication, to put in antivirus or end-point detection and remediation. You’re going have to re-architect the network. That includes things like hospitals, where heart-lung machines, IV drip machines, all sorts of things that preserve life, are hackable. People have proved that over and over again.
Q: I would imagine the cost of trying to retrofit or make those changes would cut into profits for these companies.
A: That’s absolutely right. With regard to many of the companies, they buy these devices and expect them to last for 25 years. They’re not about to replace them, so they have to architect around the Internet of Things.
The Food and Drug Administration for years said that once a device is certified, you can’t change it in any way. So, the comedy that was created was that many devices were unpatched Windows 98 operating systems. It’s a million ways to hack into them, right? Finally, in recent months, the FDA has come around and said, “No, no, no. We didn’t mean that. What we mean is that all devices on the internet or network connected have to be securable, and you can change things to do that.” So, we’re making some progress.
Q: But that requires a significant mindset change by people who are making these decisions in order to move forward, correct?
A: Right. Even big hospitals don’t spend much on cybersecurity. They don’t have chief information security officers who have big budgets. Going back to our major conclusion in the book: You can defend yourself today. Major corporations are. The way they’re doing that is they’re spending, and they have a governance system where the issue isn’t buried. The CISO, the chief information security officer, she’s not buried somewhere in the bureaucracy. She can report to the CEO. She can report to the board. There’s a member of the corporate board who understands this stuff.
That’s the model in good companies, and that governance model results in people spending 8% or 10% of their IT budget every year on security. For JPMorgan, that means $700 million a year. For Bank of America, it’s over $1 billion a year spent on IT security. If you’re not spending at 8% or 10% of your IT budget, you’re going to be hacked.
Q: What about security against cyber threats for the average consumer?
A: The individual has a whole different problem. There’s a whole section in the book on how to protect yourself as an individual. Basically, you outsource it, which is also what you do if you’re a small- or medium-sized company. You have a managed security provider.
Most Americans who are online have somewhere on the order of 28 different passwords that they use with some regularity. I know that sounds like a lot, but if you just sit down and list all the passwords that you have — also then burn that piece of paper — you’ll find you probably have two dozen. What you will find is that half of them are the same. You’re using the same password over and over and over again. So, the password you used for your Marriott account just got hacked. Whoever hacked it is going to try that password on your email, on your bank, and most of the time, it’ll work.
People ask, “What’s your No. 1 recommendation for personal security?” Get an application called a password manager. There are three or four good ones. I’m not going to advertise for them, but I use one. They will generate passwords for you that are really hard to remember, but you don’t have to remember them. They’re also really hard to hack. The reason you don’t have to remember them is the application will enter your password automatically, and it will do it across all your devices. There’s only one problem: You have to remember one password, and that’s the password for the password application.
Q: Technology has enabled better, faster delivery of infrastructures like electricity and natural gas. Yet at the same time, has it potentially opened the door for more of these problems?
A: Only because when we designed these systems, the internet wasn’t around. And when the internet was connected to these corporations, they didn’t realize that people could hack their way from their bill-paying website into the corporate net, and from the corporate net into the control system. For years, the electric power people were in denial that that was possible. When I was in government, we used to get teams from the Department of Energy to go prove it was possible by hacking power companies, with their permission, and showing that we could get into the control room. People thought this was theoretical.
Q: What do we need to do to improve security against cyber threats moving forward?
A: I think corporations need to look at their governance model, get their governance model right, raise this issue up to the board, to a senior committee of the corporation, spend appropriately. Because frankly, it’s “pay me now or pay me later.” And the reputational damage, the damage to R&D, intellectual property information, would be huge if a corporation is hit. So, at the corporate level, I think the path is clear. The technologies are there. You can buy them, you can integrate them, you can be secure.
The government has to recognize that it, too, has to spend more. It has to outsource this stuff to one organization within the government, on the civilian side of the government. It has to also regulate in a sensible way. Not 20 different regulatory regimes confusing everybody. Not state regulation built on top of 20 federal regulations. But one easy-to-understand, modern, light-touch, if possible, regulatory regime.
And at the personal level, we all have to be very careful about clicking anything that’s attached to an email. Don’t click on an attachment. Don’t click on a link. Just don’t ever do it.
Q: Do you think the U.S. will see something like the General Data Protection Regulation in Europe?
A: Ideally, we’d like to create a group of like-minded nations that has one single set of regulations, because major corporations are global corporations. They can’t be worrying about one set of regulations in India, one in Japan, one in the United States, one in Europe. We should try really hard to align our regulations on privacy and security among like-minded nations. Create the club. Create the rules.