Are we really in a "Cyber War?" Are unidentified enemies around the world scheming to bring down Western civilization with a single keystroke? Or is the whole thing overblown paranoia?
In his compelling book Cyber War, written with Robert K. Knake, Richard A. Clarke, former head of counterterrorism security in the Clinton and Bush administrations, argues with great force that our electrical grid and banking system are vulnerable to a "cyber" attack coming from Tehran or Beijing or North Korea. A cyber attack could disable trains all over the country claims Clarke. "It could blow up pipelines. It could damage electrical power grids... It could confuse financial records, so that we would not know who owned what."
Clarke asserts that cyber attacks can come from an enemy country -- or from a lone hacker. It's easy to learn to be a hacker. A Google search for the term yields 70,700,000 hits in 0.28 seconds. Malicious code may infect a computer via a security flaw in a Web browser, or it could be distributed through secret back doors built into computer hardware in foreign countries at the point of manufacture. And though the government has set up security measures to protect military and intelligence networks, Clarke frets that not enough is being done to protect the private sector, which largely accesses the Internet with Windows-based software especially vulnerable to attack.
Our security forces are loath to patch or fix holes in Microsoft Windows programs since they may need to exploit these vulnerabilities one day should our cyber arsenal go on the offensive against an enemy attacker. Thus, it is these very vulnerabilities which represent Cold War style deterrence in cyber space.
"The Pentagon is all over this," Clarke states. It has appointed a four-star general to run a fiefdom called Cyber Command, the job of which is to defend the Pentagon. Says Clarke, "Now, who's defending us?" Says Clarke, "Who's defending those pipelines and the railroads and the banks?"
Director of National Intelligence Dennis Blair, who testified to Congress that "malicious cyber activity is growing at an unprecedented rate," echoes Clarke's assessment and claims the country's efforts to defend against cyber attacks "are not strong enough." Piling on was Blair's predecessor as DNI, Mike McConnell who wrote in a much-cited Washington Post piece that the "United States is fighting a cyber war today, and we are losing." McConnell called for a policy of deterrence, grounded in the threat that the United States would massively retaliate against any cyber attacker, that is to say, any cyber attacker it could identify.
All quite alarming, if true. The problem is that the Obama administration disagrees with Clarke's assessment. Interviewed by the blog Wired.com last March, Howard Schmidt, Obama's recently appointed cyber czar, said, "There is no cyber war... I think that is a terrible metaphor and I think that is a terrible concept." Schmidt said Obama has no plan to re-engineer the Internet. Last we checked the President and Secretary of State Clinton favored global Internet freedom. The President has promised that the government will not monitor the Internet at large.
Schmidt completely rules out a successful attack on the electrical grid. "As for getting into the power grid," Schmidt says, "I can't see that that's realistic."
Schmidt may well be right. If a geek hacks into our electrical grid, it would be a serious matter. But, it appears that the Windows based systems controlling electrical distribution are not centralized but localized. And they are apparently not "online." In order to "hack" into a control system, the "hacker" would have to enter the station and access each of the local control systems. Just how likely is that?
Georgetown's Evgeny Morozov, one of the most prolific commentators around on Internet issues, believes that Clarke's talk of a "cyber war" and "cyber nukes" is pure "science fiction" and suggests that cyber war has emerged as the new favorite plank of self-interested security consultants on the Right.
So which is it? Are we at war or are we not at war? Is it the threat part of someone's political agenda? Are the flames being fanned by former government officials now in the business of security consulting who are attempting to scare up some business?
Maybe so. But Richard Clarke was the Paul Revere of the 9/11 attacks. In a briefing memo to Condoleezza Rice dated August 6, 2001, entitled "Bin Laden Determined To Strike in US," he sounded an early alarm of a possible al Qaeda attack. His track record entitles him to no little credence.
If Israel takes out Iran's nukes, perhaps we are at war (and we wonder which is scarier -- if Israel takes them out or it doesn't). But if a geek hacks into our electrical grid or our financial system, it may not be war unless we can identify the culprit as a state actor and not an amateur hacker. It would be nice to figure out a strategy for the private sector. Or should we just hold hands and sing Kumbaya -- until the lights go out.
James D. Zirin is a lawyer in New York. He is a member of the Council on Foreign Relations and co-host of the cable television program "Digital Age." A previous truncated version of this article appeared in the Washington Times of May 3, 2010.