Former White House cybersecurity adviser Richard Clarke, author of the book "Cyber War," served 19 years in the Pentagon, intelligence community and State Department. At the firm he founded, Good Harbor Consulting, he advises clients on security risk management, and he also teaches at Harvard's Kennedy School of Government.
Speaking with Network World Senior Editor Ellen Messmer, Clarke shares his thoughts on the hacktivist group Anonymous, why we shouldn't trust SSL certificates, and more.
Do you find the hacktivist group Anonymous to be threatening?
I think of them more positively than most people, though I can't endorse their breaking the law. They're not trying to steal intellectual property to give it to the competition -- a lot of what is going on in the world is about that. But a lot of what [Anonymous is] doing is highlighting vulnerabilities we see in the enterprise. I'd just like to see this done legally. I'm not condoning law-breaking.
Who do you think was behind Stuxnet (the malware worm aimed at industrial control systems that hit the Iranian nuclear reactor last year)?
I don't know for sure, but many think it was the U.S. or Israel. I'd say the U.S.
Is it just dumb luck that the power grids here haven't been hit with a cyberattack like that?
We are having attacks here that go so far into penetrating the networks, but no attacks yet to take down the power systems. The only reason to get into the grid is for war. They're getting set up so if they were called on to attack the power grid, they can. Today, no one has the motivation. I don't know if I'd call an attack to disrupt and damage the power grid inevitable. We haven't yet seen non-state actors, like terrorists, try.
Does the US have good cyber intelligence?
I think we have very good cyber intelligence with one exception: The US government is not well-informed on attacks done on U.S. companies.
If you had the influence, what would you change to improve US cybersecurity?
I would require the major Internet providers as a matter of regulation to filter the packets to look for signatures of attacks and blackhole them. I'd give the signatures to them. In a regulated industry -- finance, power and telecommunications -- I'd require all the software be vetted for all kinds of mistakes.
Over the years, you've been candid in your criticism of Microsoft and the endless cycles of patching month after month. These days, businesses are using virtualisation software, primarily from VMware along with others such as Citrix. Do you think that brings any new security concerns?
I think virtualisation and the cloud can be more secure or less secure, depending on how you configure. But there's a dialogue of the deaf going on between the user and the [cloud] provider. The user is saying, "It's up to you to provide security," and the provider says the same to the user.
In the past few weeks, the compromise of SSL server certificate providers such as Comodo, DigiNotar and GlobalSign has raised questions about certificates as a source of trust. Do you have any view on this?
My takeaway is you can't trust digital certificates. It's a turning point not just for digital certificates. In the attack on RSA, hackers are now going after two-factor authentication. Then they went after the defense companies, after having broken into a security company. That's a game-changer. I'm not just going to bust into RSA, I'm going to bust into Lockheed. RSA says you can continue to have confidence in two-factor authentication. But how much confidence? Are you really going to rely on them? I wouldn't be happy relying on RSA two-factor authentication or on an SSL certificate solution.
There are security regimens, such as PCI for payment cards. Would it be possible to come up with a security regimen for SSL certificates?
We've been willing to allow the marketplace to regulate them in effect. I'm not sure I could devise anything for this.
The trend we see in business today is that employees are insisting on using their own mobile devices, such as smartphones, for use at work. Sometimes, the corporation agrees to manage the device, sometimes they don't. Do you have any particular viewpoint on that in terms of security?
This is the newest and largest vulnerability in corporate America now. Employees say they must have these devices and the corporations have given in under pressure. That's the same corporation that put millions of dollars into firewalls and intrusion-prevention systems. But the CIOs are knowingly authorizing another way into the network. Maybe they've been told it's not secure, and done it anyway. There are thousands of apps for these mobile devices. Are they secure? What's in the Apple store or Droid store or elsewhere? No one has looked. If there is a corporate device, the corporation has a responsibility to its shareholders to ensure that everything that is allowed there is secured. They should insist they must vet the application, or have the provider vet the application. There should be a "secure app store" checked for security.
The Defense Department is also looking at using smartphones by giving them to soldiers. Is that a good idea?
It's a good idea if they're secure. Whether it's the Defense Department or a private company, they have every right to restrict use and every obligation to make sure they're secure.
When the question of supply-chain security comes up, and with so much manufacturing coming from China, do you think there's reason to be concerned about security of products made in foreign countries where sometimes there are political tensions?
My attitude is whether it comes from New York state or Shanghai, it probably has the same risk in software. There are people in the US who can be bribed, too.
You recently joined the board of Bit9. Are you on the board of other companies as well?
I'm on the board of a few non-profits, as well as Veracode. I joined Bit9 because I think their software can be used to help prevent advanced persistent threats [APTs].
APTs [stealth attacks to steal sensitive information such as intellectual property and proprietary information to advantage industry competitors or foreign governments] are now a huge concern. As in the RSA case, we hear about them more regularly. But when are we going to see justice? Why is it so hard to bring criminals to justice in APT cases?
If the attacker is a government or a cyber-sanctuary, you don't get justice. As long as there are cyber-sanctuary countries -- or a country that's a scofflaw.
What countries would those be?
Eastern Europe, Russia, Belarus, Ukraine, China. It's sometimes unclear whether attacks are coming from China or authorized by the Chinese government. There are two types of non-government attacks, the attack the Chinese government is letting happen and the attacks they ask to happen. It's against organizations with political involvement, such as Tibetans or other groups to which China is opposed, or economic competitors. The Chinese government is engaged in espionage against the Defense Department.
Is the US also engaged in this type of espionage?
Yes, the US is also engaged.