Civilization's High Stakes Cyber-Struggle: Q&A With Gen. Wesley Clark (ret.)
Dec 2, 2009 4:00 AM PT
In wanting to give peace a chance, the Dalai Lama and John Lennon don't have much company; fighting and causing trouble seem to be the preference of most of the world.
The conflicts in the Middle East and Afghanistan, to name the most prominent, are taking their toll on human life and limb. However, the escalating cyberconflict among nations is far more dangerous, argues retired general Wesley Clark, who spoke with TechNewsWorld in an exclusive interview.
That cyberconflict will take a far greater toll on the world, contends Clark, who last led the NATO forces to end the ethnic cleansing in Albania. There is a pressing need for new institutions to cope with the ongoing conflict, in his view.
Clark is a member of the boards of several organizations. He has a degree in philosophy, politics and economics from Oxford University and a master's degree in military science from the U.S. Army's Command and General Staff College.
Background: In November 2008, the Center for Strategic and International Studies, a Washington-based bipartisan think tank, presented recommendations on national security to the then-incoming Obama administration. These called for an overhaul of the existing national cybersecurity organization. Since then, the state of national cybersecurity has appeared chaotic. In August, White House cybersecurity adviser Melissa Hathaway resigned for reasons that echoed the departure in 2004 of Amit Yoran, who then held essentially the same post. In an exclusive interview earlier this year, Yoran told TechNewsWorld that national cybersecurity was still a mess.
TechNewsWorld: Security experts warn that nations are preparing for a new cyberwar. Is our government doing enough to protect our national cyber-infrastructure? Or is it in the process of protecting the cyber-infrastructure?
Gen. Wesley K. Clark: I think we're in the process of trying to get it protected, but unlike conventional security considerations, where one can easily see an attack and take the appropriate response, the cyberstruggle is a daily, ongoing affair. It's a matter of thousands of probes a day, in and out, against systems that belong to obvious targets like the United States Department of Defense; not-so-obvious targets like banks and energy companies; and individual consumers or taxpayers. It's ongoing, it's undeclared, it's often unreported, and it's very much an ongoing concern at all levels -- business, commerce and individual privacy.
TechNewsWorld: The national security infrastructure has repeatedly been reported to be sorely lacking. Is the government moving fast enough? Does it need to do more?
Clark: It does need to do more. It's in the process of doing more, and there's a tremendous amount of public and private sector effort going into cybersecurity right now. Whether it's going to be adequate or not is not the issue. There are many approaches to this problem that are mainly based on software, but software is vulnerable. When you open up to communicate with the Web, when you bring in data and programs from another source, when you bring in applications -- all that entails huge risks. It's dealing with those risks and trying to gain the rewards of doing so that make it such a difficult proposition.
Online banking was a novelty 20 years ago. Now, everything happens on the Internet. People pay their bills, they do business, they do their work with customers. People don't fax documents any more if they don't have to -- they do webinars and briefings.
All of this exposes the opportunity for mischief. You don't know the source of the mischief. You don't know whether it's individuals trying to solve a difficult technical challenge on their own or if they're connected to governments, or if they're cells attached to governments -- and it's very difficult to pin down ... incoming probes to a source.
TechNewsWorld: While it's generally agreed that the next war may be a cyberwar, much of our infrastructure is either hooked up to the Internet or in the process of being hooked up to the Internet. Electricity companies, for example, are agitating for the use of smart meters. That being the case, and with hackers increasing the frequency and sophistication of their attacks, does the increasing pace of hooking everything up to the Internet pose a real security threat?
Clark: We're going into completely digitized medical records, which could lead to a huge invasion of privacy. It could also lead to things like blackmail and is physically dangerous because people can tamper with records of vital signs, or can alter prescriptions. There's no telling just what could be done.
Companies could lose their supply chain management, lose their accounting records, lose their customer lists. Trying to rebuild this on paper when we've all been interconnected on the Internet will cause years of economic decline. We are, as a civilization, quite vulnerable to disruption, and this security problem doesn't just affect one nation but the whole global economic infrastructure.
You can't conceive of the threats from the point of view of a traditional war. Cyber-efforts are ongoing today; we're in a cyber-struggle today. We don't know who the adversaries are in many cases, but we know what the stakes are: continued economic vitality and, ultimately, global civilization.
TechNewsWorld: What about hackers and cybercriminals? How much of a threat are they, especially now that it's become much easier to create malware with prepared scripts already out on the Web whose parts you can assemble like a puzzle?
Clark: That's not the only threat, and you shouldn't overstate the ease with which people can do this. An ordinary person can't go in and wreck a financial system, but when you have skilled professionals with malign intent, with the right funding and the right technology -- and, maybe, inside information -- we don't know what damage is possible. We suspect it could be significant and we have to expend a lot of effort to safeguard the system.
Background: NATO, the North Atlantic Treaty Organization, implements a system of collective defense under which member states will come to one another's defense when any is attacked by a third party. Some security experts suggest that when a country comes under cyber-attack, other countries should launch a joint military action against the attacker in retaliation, whether the attacker is an individual or a gang or a country.
TechNewsWorld: One part of the problem is that certain countries harbor cyber-attackers and protect them. That has reportedly happened with Russia, according to security experts. Some in the security community are saying that perhaps we should launch controlled attacks -- invoke NATO's protection clause. Isn't that dangerous?
Clark: That's a matter of policy. You need the capacity to defend against these cyber-attacks and to run them back to the source. If you can run them back to the source and find it is a government or business, you could respond more effectively. For example, if it's a business, you could take them to court and put them out of business.
If the government where they're set up in doesn't help, you can take the government to court. There's a lot of things that can be done.
When people are indicted under international criminal tribunals or courts, [there] are very powerful sanctions against individuals. You can pull the individuals' passports and prevent them from traveling, or pull their financial transactions.
Background: Cybercrime rings are international in nature, with credit card numbers stolen in the U.S. being sold via underground sites in Eastern Europe, for example. Often, state and local police don't cooperate with one another or with federal law enforcement officers. Internationally, police may need to extradite criminals from other countries to charge them, but the lack of cross-border cooperation among police forces helps keep the cybercrooks several steps ahead of the law.
TechNewsWorld: Another problem commonly cited by security experts is the lack of police cooperation, both domestically here in the United States, as between local police and the FBI, and internationally, where police forces of different nations do not cooperate against crime rings. How do we fight this?
Clark: Some countries' police forces don't understand what a bot is or understand cloud computing. This is not surprising; technology is usually ahead of the law, and we need people who can work both realms and can bring the law up to speed.
We need some new institutions for this. Most businesses, especially banks and data storage companies, are reluctant to report cyberattacks. We need trusted private institutions which can anonymously assess and protect the health of these institutions and provide the kind of legal structures to protect them in case of attacks.
A lot of things can be done that are not cyber against cyber. It's far more powerful to pull this invisible struggle out into the daylight, to create the laws and institutions necessary to deal with this problem. But you can't get it out there unless you have the right defenses and institutions.
TechNewsWorld: Still on the international front -- while it's fashionable to sound off and say that many of the threats come from China, in reality, the problem is often not Chinese hackers but foreign cybercriminals who set up shop there either physically or virtually because it's so easy to do so, as regulation is weak or nonexistent. Should setting up shop on the Internet be more regulated?
Clark: I think we should have international, legal community studies of cybersecurity and necessary laws, and countries should be encouraged to adopt these laws through the United Nations just like they adopt laws to prevent the abuse of children and protect human rights.
There needs to be a multidimensional, multilayered and multi-azimuth defense. That is, defense has to look in all directions. When you're talking about cybersecurity, you're talking about being able to protect your points. It's not directed against a country, but to secure your points of access or specific end points or network access. It's not as though you're arming yourself against a specific threat -- you're simply undertaking all aspects of protection.
Background: One of the companies whose advisory board Clark chairs is InZero Systems. This company offers the InZero Secure PC, which is effectively two computers in one: a standalone module and a secure InZero Gateway module. The InZero Gateway module is directly connected to the Internet and basically creates a physically safe, separate operating environment where viruses cannot execute. Think of it as a sandbox or virtual machine. The browser is checked to ensure it's still running and has not been changed. If it's not running or has been changed, it's shut down and restarted with a clean copy from the PC's read-only memory. This security approach is extended to all applications in the InZero Gateway module.
TechNewsWorld: Why are you endorsing InZero's approach?
Clark: InZero is a qualitatively different approach. Where we got into trouble was -- we have an open-architecture Internet designed for communications but not for security. Packets of information are passed back and forth according to their IP addresses, and you have to open them up to know what's inside.
Traffic has exploded over this network. It's been a principal driver of global commerce and modernization and productivity improvements when combined with personal computing over the past 15 years.
It relies on software. InZero has combined a software issue with a hardware solution, and that's the best way to beat that, because attackers are infecting, attacking, undercutting, spying on and entering through your software. In principle, whatever layers of software you have out there can be worked with by other software. With InZero you have a hardware solution to a software problem. Software that comes into the sandbox is read-only.
In this ongoing struggle, there are definite benefits to be gained from taking a different approach.