Richard Clarke On The Growing 'Cyberwar' Threat

Richard Clarke, the former anti-terrorism czar, has now turned his attention to a new national security threat: cyberwar. In a new book, Clarke details what a full-scale cyberattack could look like, how the United States is particularly vulnerable, and what measures can be taken to ensure our networks remain safe.

This is FRESH AIR. I'm Terry Gross.

Richard Clarke warned about the threat of al-Qaida before September 11th. Now he's warning about cyber-war in his new book, "Cyber War." He writes that cyber-war has already begun. Nations are already preparing the battlefield, hacking into each other's networks and infrastructures, adding a dangerous new dimension of instability.

Clarke served as national coordinator for counterterrorism in the Clinton and George W. Bush administrations and became the special advisor to President Bush on cyber-security and cyber-terrorism. He resigned from the Bush administration in 2003 and went on to write a memoir critical of the Bush administration, called "Against All Enemies." Clarke now heads a security consulting company.

In recognition of the reality of cyber-war, the Defense Department has created a Cyber Command operation. President Obama's nominee to head the command, Lieutenant General Keith Alexander, said last Thursday that computer networks essential to the Pentagon and military are attacked by individual hackers, criminal groups and nations hundreds of thousands of times every day.

Richard Clarke, welcome back to FRESH AIR. So I guess you weren't surprised by General Alexander's comments that defense computer networks are attacked thousands of times every day. What are those daily attacks like?

Mr. RICHARD CLARKE (Author, "Cyber War: The Next Threat to National Security and What to Do About It"): Well, Terry, it's good to be back with you. The word attack is used all too easily, I think, and when Alexander says the Pentagon is attacked thousands of times a day, we may get the wrong image.

What's actually happening is that thousands of times a day, computer programs around the world are sending off little pings to see if there's a chink in the armor somewhere, if there's a hole that they can get through. That really probably isn't an attack in the way you and I might think about it, but a probe, a little test.

We don't know how many times the test succeeds every day, but we do know tests do succeed, because the Pentagon admits it. And they admit that, for example, the secretary of defense's own personal computer was successfully penetrated.

GROSS: What's the worst attack the military or the Defense Department has had that you can actually speak about publicly because it wouldn't surprise me if there were attacks that the Pentagon doesn't want anyone to know about?

Mr. CLARKE: Well, one of the worst ones that they admit is that somehow, from a thumb drive - those little USB things that you carry around from computer to computer - somehow from a thumb drive, a virus, a worm, got into the classified network - which is supposed to be a closed-loop network of CENTCOM - and attacked, compromised thousands of computers of our war fighters in Iraq and Afghanistan, and probably exfiltrated large amounts of information to someplace in the Internet.

GROSS: And when was this?

Mr. CLARKE: This was last December, a year ago December, 2008. We also know that the secret plans for our new fighter plane, the F-35, an airplane that hasn't even flown yet, have been stolen by hackers.

GROSS: What's the worst military or Defense Department attack that you were in the White House during?

Mr. CLARKE: Well, there were several. There was one in the 1990s, when we were getting ready to do something to Iraq - not to go to war, but to threaten them and to try to push them into complying with U.N. resolutions. And so Bill Clinton ordered lots of fighter planes and whatnot move to Iraq. And as they began to move to Iraq, all of the Air Force bases involved, all of the logistics bases involved, had their computers taken over by someone.

And we originally thought at the time it was Iraq that knew this was coming, and they were trying to stop or slow down our buildup. We then discovered that it was three teenagers, one in Tel Aviv and two in San Francisco.


(Soundbite of laughter)

GROSS: So you write in your book that a cyber-attack can be almost as devastating as weapons of mass destruction in its ability to cripple the country. Fortunately, nothing like that has happened yet. You've mentioned some cyber-attacks, but they haven't crippled the country. Give us a scenario in which a cyber-attack can actually cripple the country and be the equivalent of WMD.

Mr. CLARKE: Well, I think - I will in a sec, but before I do, I should point out that weapons of mass destruction that most people are real nuclear weapons people worry about them. They've never crippled the country, either. So suspend disbelief when I talk about a cyber-war doing it because, after all, you believe in nuclear war, and nuclear war hasn't done it.

What could cyber-war do? It could derail trains all over the country. It could blow up pipelines. It could cause blackouts and damage electrical power grids so that the blackouts would go on for a long time. It could wipe out or confuse financial records so that we would not know who owned what, and the financial system would be badly damaged.

It could do things like disrupt traffic in urban areas by knocking out traffic control computers. It could, in nefarious ways, do things like wipe out medical records.

GROSS: Now, you warned the Bush administration about the threat from al-Qaida in the early days of the Bush administration, and you were kind of shoved aside, and then al-Qaida attacked. So I take your warnings very seriously.

(Soundbite of laughter)

GROSS: So you're warning about the threat of cyber-war. Do you feel like people are listening? I mean, is the Pentagon very alert to this already, and are you just explaining to us? Or do you feel again that you are in the position of shouting: Look, guys. You have to worry about this.

Mr. CLARKE: A little bit of both. The Pentagon is all over this. The Pentagon has created a four-star-general command called Cyber Command, which is a military organization with thousands of people in it to go to war using these weapons.

And also, Cyber Command's job is to defend the Pentagon. Now, who's defending us? Who's defending those pipelines and those railroads and the banks? The Obama administration's answer pretty much is you're on your own. The Cyber Command will defend our military. The Homeland Security Department will someday have the capability to defend the rest of the civilian government. It doesn't today. But everybody else will have to do their own defense. That is a formula that will not work in the face of sophisticated threats.

GROSS: Well, when you're saying everybody else is on their own, does that include the electricity grid, the power grid, banking?

Mr. CLARKE: Yes. What the Obama administration is saying and what the Bush people said before that is the private sector doesn't want the government defending it. The private sector doesn't want the government telling it what to do. And therefore, we will have sort of vague guidelines that suggest what the electric power grid should do, but we won't really go out and do anything.

And if an attack happens, the government has no ability to stand up and do anything about saving the power grid.

GROSS: Why not?

Mr. CLARKE: Because of this philosophy that the government shouldn't be defending the private sector, and a belief that the private sector doesn't want to be defended by the government. Now, I think that...

GROSS: Now, the way - go ahead.

Mr. CLARKE: I think that belief is wrong. I think that when I talk to CEOs in the private sector, they say: Heck, this is why I pay my taxes. No one would have said, in World War II, to U.S. Steel, you know, you've got some big steel factories in Pittsburgh. If the Nazi bombers come over, you'd better have some of your own guns to shoot them down.

GROSS: Now, if I read your book correctly, one of your concerns is that my computer is attached to the same network that the whole banking system and the power grid is attached to.

Mr. CLARKE: Well, there's only one Internet, and lots of things that people don't realize are connected to the Internet turn out to be connected, like the controls for the electric power grid.

GROSS: So how does that leave, like, the electric power grid and the banking system more vulnerable, and what are the alternatives? Like, if you were proposing an alternative way for the government to help protect the power grid and the banking system and other things that are fundamental to the functioning of society, what kind of intervention would the government be doing?

Mr. CLARKE: Well, one is a day-to-day intervention, where the government says and enforces rules. It could say, for example, there really can be no connection between the Internet and the power grid controls.

Now, power companies today will tell you there's no connection, but every time the government has tested or private companies have tested, they've found a way to get very quickly from the Internet to the controls and take over the controls. So one government intervention would be to be serious about regulation.

Regulation's a dirty word in Washington, but how can anyone object to a regulation that says the electric power grid should be disconnected from the Internet?

You could also say to the phone companies and the Internet service providers: You have to stop these attacks from happening, because they're coming over your wires and your fiber. They could be looking not at the content of your email or your Web searches, but at the digital picture of them, the digital format of them, and they could be spotting attacks - at least attacks whose signatures we already know. They could be spotting them and stopping them, but they're not.

GROSS: My guest is Richard Clarke, who was counterterrorism czar under Presidents Clinton and George W. Bush, and served as Bush's special advisor on cyber-security. Clarke's new book is called "Cyber War." We'll talk more after a break. This is FRESH AIR.

(Soundbite of music)

GROSS: If you're just joining us, my guest is Richard Clarke. He's former counter-terrorism czar. He was the first White House advisor for cyber-security. His new book is called "Cyber War: The Next Threat to National Security and What to Do About It."

You make several points about the new problems that are posed by cyber-wars. You say cyber-war happens at the speed of light. It skips the battlefield, and you often can't tell for sure who did it. When you say it skips the battlefield, what do you mean?

Mr. CLARKE: Well, the Chinese are interesting. The Chinese looked at the first Gulf War in 1991 and said: My heavens, the Americans have a huge technological advantage over us. Even though we have many, many more troops, we would probably lose to them if we ever had a war. What do we do? Do we try to build 12 aircraft carriers, the way the Americans have?

And they came to the conclusion, publicly, that no, what they should try to do is find a way of using technology to do a form of jujitsu and go after the American heartland. So rather than fight the 12 aircraft carriers that might someday be off the Chinese coast, they decided, have a capability to reach back into the U.S. and destroy the essential functioning of the U.S. through cyber-attack.

GROSS: And to what extent has China actually practiced cyber-attack against the U.S.?

Mr. CLARKE: Well, there are reports in reliable places like the Wall Street Journal that China has placed so-called logic bombs inside the American power grid so that in case there ever were a period of tension between the United States and China, they could, without attribution, without saying it was them, begin to turn off electric power systems and damage electric power systems.

And if China has done that to our power grid, we have probably done it to theirs. Now, what that means is that without anybody knowing it, except a few people in the military, we and other countries have probably started preparing the battlefield by lacing each other's networks with logic bombs. We have software already hiding, that all we have to do is activate, and that software will go out and do appropriate things to destroy or damage the network.

GROSS: Okay. Now, if you compare this to nuclear capability and the nuclear standoff, a lot of people say that, you know, deterrence, mutually assured destruction helped prevent nuclear war between the U.S. and the Soviet Union.

So say China has these logic bombs in our defense computers, and we have logic bombs in their computers, does that mean that it will have a deterrent effect? Or is kind of a game of chicken who, you know...

Mr. CLARKE: There are lots of parallels between the development of nuclear strategy in the 1960s and the strategy for cyber-war that one could develop now - I don't think one has been developed, and one of the things we say is we'd like a strategy to be developed and publicly discussed that the key part of nuclear strategy was, as you say, deterrence. Don't blow me up because even if you do that, I will be able to blow you up.

That doesn't work in cyberspace. All too often, we don't know who's attacking - the attribution problem, as it's called. You can say I'm China, and I'm attacking, and it may be somebody else. You can spoof who is doing the attack.

And because there hasn't been, yet, a big, destructive cyber-war, we don't really believe what the effects will be. With nuclear war, we had had two cities destroyed, Hiroshima and Nagasaki. There were 2,200 nuclear bombs that had been exploded in the atmosphere over the course of many years by the United States, Russia, China and other countries.

So the - there was credibility behind the use of the weapon. For deterrence to work in cyberspace, we'd have to know who had weapons and how powerful they would be and how successful they would be, and when the attack came, we'd have to know with good certainty who it was that was attacking, and none of that exists.

GROSS: And so if you're attacked, you don't know what to do. If you attack the country you think it is, and it's the wrong country, that would be very bad. And if you do nothing, that, too, is very bad.

Mr. CLARKE: And it all happens in seconds. It all happens so quickly that for political authorities, for national leaders to really gain control of this, would be hard. I think once a cyber-war starts, it could be a spasm war that, in a few minutes, decisions are made, signals are sent and destruction occurs, and we may have gotten it very, very wrong.

GROSS: Now, getting back to your point about how cyber-war can skip the battlefield, you can attack through cyber-war without an elaborate military, you said that North Korea is a real power in terms of cyber-war. What are their capabilities?

Mr. CLARKE: Well, they're a real power because they don't have certain kinds of capabilities. This is very counterintuitive. I think the way you determine how powerful a nation is in cyber-war is to add up how good it is in offense and how good it is in defense and get a sum total.

So the United States is very good at offense and very bad at defense, because we really can't defend anything beyond the military. So our score is kind of middling.

If you look at the North Korea, there's some good intelligence information that they have a fairly decent - not world-class, but fairly decent offensive capability. And they do it from outside North Korea. They attack from South Korea. They attack from China. And in terms of a defensive capability, they're about the best, because there are only a few lines leading into North Korea, and very few things in North Korea are controlled by computer networks.

So in terms of a pure cyber-war against one country and the cyber-war back, North Korea can do some damage to us, and we can do almost no damage to them.

GROSS: What do you think the odds are that they would actually launch a cyber-attack?

Mr. CLARKE: Well, with North Korea, I think it's actually pretty high. Because when you say: Why would China hurt the U.S. banking system? They're invested in it. There's a lot of truth to that. Nations have an investment in the international system and the international stability it creates. North Korea doesn't. North Korea could very well pull the temple down around it at some point.

And on July 4th, 2009, they appear to have conducted an experiment: launching attacks from China and from South Korea against the United States and against South Korea, clogging up the pipes, the largest attack in terms of number of digits and volume that has ever been seen on the Internet.

And it had an effect on some sites in Washington. It appears to have been an experiment to see how much they could generate and how much of the pipes would be blocked if they did it.

GROSS: What did it temporarily disable?

Mr. CLARKE: I think it was less of an attack designed to actually get in and destroy things than it was an attack designed to scale, to see how many computers it took to clog pipes.

This is called distributed-denial-of-service attack - distributed denial of service, DDOS. And what that means is you get thousands of computers - maybe even yours and mine - without our knowing it. And you get into these computers, and you cause these computers to set off little pings along a certain path on the Internet every second, jamming the Internet so that, in effect, the Internet stops working.

GROSS: And weren't there, like, companies that were temporarily disabled by this, too?

Mr. CLARKE: There were. But for the most part, all a distributed-denial-of-service attack can do is prevent Internet traffic from moving. It doesn't get in behind your system and into your internal documents and destroy them. So there was very little destruction done. It was just that the Internet itself, the ability to use communications along certain paths of the Internet, ceased to exist.

GROSS: So in other words, whoever was behind this attack - probably North Korea - they found the key into the system, and that's what they were trying to do, see if (unintelligible)...

Mr. CLARKE: They were trying to see: How loud do I need to make the music on my stereo before the neighbors complain?

GROSS: What do you think they learned from this experimental attack?

Mr. CLARKE: One thing they learned is that it is easy, at a certain volume, to pretty much stop traffic between South Korea and the United States. If you were planning a war, a traditional war, that might be helpful to you because in the United States, we'll need to coordinate closely the movement of troops and logistics and whatnot to South Korea if North Korea ever did a conventional attack.

GROSS: What do you think the United States learned from the attack?

Mr. CLARKE: I think the United States learned that South Korea had a - North Korea had a capability. We had traditionally looked at North Korea and said there are only a couple of fiber-optic lines leading in and out. There's not much they can do. And it hadn't really occurred to us that their offensive cyber-war units were outside of their country.

GROSS: Now what do you mean when you say that?

Mr. CLARKE: Well, we know when we look at that July 4th attack in 2009 that it began in various places in China and various places in South Korea. And we now know that the North Koreans had moved cyber experts from their military, including their equipment, into whole floors of hotels in China and pretty much set up shop as a cyber-warfare unit in hotels in Chinese cities.

GROSS: With the Chinese permission?

Mr. CLARKE: You'd have to think so, wouldn't you?

GROSS: And why would the Chinese give them permission?

Mr. CLARKE: Well, that's a very good question. It could be that the Chinese were watching very closely because they wanted to see what the results were. They wanted to see what North Korea could do, and they wanted to see what the effect would be on the United States.

GROSS: My guest is Richard Clarke. His new book is called "Cyber War." He'll be back in the second half of the show. Clarke was counter-terrorism czar under Presidents Clinton and George W. Bush.

I'm Terry Gross, and this is FRESH AIR.

(Soundbite of music)


This is FRESH AIR. I'm Terry Gross back with Richard Clarke, who's written a new book called "Cyber War." It's not only about the threat of cyber war; it's about the attacks that have already been launched against the U.S. and other countries. Clarke was the national coordinator for counter-terrorism in the Clinton and George W. Bush administrations and was special adviser to President Bush on cyber security and cyber terrorism.

You say that the United States has a very good offensive cyber war system, not so good at defense. Let's talk about the United States offensive ability in cyber war. What's the closest we've come to actually launching a cyber attack against another country?

Mr. CLARKE: Well again, this depends on how you define it. But when we began the second Gulf War, we got into the Iraqi military's closed loop secret private Internet and all Iraqi military officers received an email that began: Good morning. This is the United States Central Command. We are about to invade your country. Please step away from the tank. Please go home. Put your troops on leave. And that actually had an effect. A lot of the Iraqi military did line up their tanks in the desert, as requested, and put on civilian clothes and go home.

GROSS: And you say that right before the invasion, the Bush administration considered freezing assets in the Iraqi banking system to prevent Saddam Hussein from having any access to money for the military, for anything. Why did the Bush administration consider doing that? Why did they decide against it?

Mr. CLARKE: There was a fear, Terry, that, you know, if the war started, Saddam would flee and take his money with him. Or at the very least, he would transfer his money out of the country and transfer it to places that we wouldn't know where it was. And so there was a proposal made, before the war started, to go in and seize control of the Iraqi financial network and transfer it to places where we had control of it, or just bring it down altogether.

And the plan was a good plan. The plan was one that could have been done rather quickly, and President Bush decided not to do it because he didn't want to do a precedent. That if we started destroying international banking systems, other people might too.

GROSS: And wasn't there a fear, too, that there would be global financial chaos?

Mr. CLARKE: It was a fear that we might make a mistake, that we might have sort of collateral damage. We thought we were only destroying one bank, but that bank was linked to another bank and then so on.

GROSS: Did you have any input into that decision? I can't remember if you were still with the Bush administration then.

Mr. CLARKE: So I'm still covered by secrecy rules over things that I was involved in.

GROSS: Right.

Mr. CLARKE: And can only say those things which I have been cleared to say.

GROSS: Right. So you were in the Bush administration then?

Mr. CLARKE: Yes.

GROSS: Yeah. Now another thing that you say that the U.S. considered was some kind of cyber attack during the first Gulf War. What was the military considering and why didn't they do it?

Mr. CLARKE: Well, this was 1990 and it was very early days. A proposal was made to fly a team of commandos into Iraq and attack a small outpost on the Air Defense Network. Get inside and get into the computers at that outpost, which were connected to the entire network of Air Defense computers throughout the country.

And General Schwarzkopf decided not to authorize that because he didn't believe it would work. He thought if you want to destroy the Air Defense Network, blow it up and that was reliable. That was something he understood. He didn't understand this concept of cyber war.

GROSS: So does that illustrate to you, a disconnect between our cyber capacity back then and the ability of the military leadership to comprehend it?

Mr. CLARKE: Back then - not anymore. That was 20 years ago, and I think American military commanders now have totally integrated the idea of cyber attack into all of their plans. This new cyber command with the four-star general is supporting all the other commands around the world and I think if we went to war with Iran, for example today, that cyber would be a big part of the opening salvo.

GROSS: Is there a fear that, like, if we're the first country to actually launch a really big and effective, crippling cyber attack that it will set a precedent?

Mr. CLARKE: There is. There very much is that fear. On the other hand, a commander in the future, an American president in the future will probably be told, Mr. President, if you don't do this 3,000 Americans may die trying to do the exact same thing in the more traditional kinetic way of doing it. Under those circumstances I think a president is going to probably say, fine. Let's do cyber.

GROSS: You write about a cyber attack that really surprised me, because it involves a story we've discussed on FRESH AIR and I didn't understand how cyber attack had played into it. And I'm thinking of the Israeli attack on a Syrian nuclear facility. And it was a very, very secretive attack. I mean there was some bombing. There was evidence that there was bombing. Neither Israel nor Syria talked about it initially; it was so secretive and you write about this cyber component of the attack. What was that like?

Mr. CLARKE: So we're talking about a place in the desert on the Euphrates River, 75 miles into Syria south of the Turkish border. And there's some big thing being built there in the dark. There are no lights. There's none of the usual security around it. It's a very low observable thing going on. And then one night, all hell breaks loose and there are flares and there are explosions and everyone wakes up in the morning and this huge facility that was being built has been reduced to rubble. And no one talks about it. Nothing happened.

Months go by. Eventually the story comes out and CIA does the unusual thing. The CIA issues a video - a video about what happened. It's amazing. A public CIA video. And what it says is that this thing that was being built was being built by North Koreans with the cooperation of the Syrian government who was inside Syria, and it was an exact replica of a nuclear reactor that had been already built in North Korea - a nuclear reactor that was designed to make nuclear materials for nuclear bombs.

And the Israeli government eventually admits that F-15s and F-16s from Israel had flown secretly through Turkey, come up from behind and destroyed this facility. Now, F-15s and F-16s are big old planes. They were designed in the 1970s. They're not stealthy. They're the exact opposite of stealthy. And Syria has huge amounts of radar systems and anti-aircraft missile defense systems that should have seen this attack coming.

And, you know, when the Syrians went back and looked at their radar, they saw nothing. They saw nothing at the time. They saw nothing after the fact when they went back and looked, and their radar should've been lit up like a Christmas tree. What happened was that the Israelis had used cyber war as part of a traditional attack. They had taken control of the Syrian air defense system and made all the radars look like there was nothing in the sky, even though the sky was filled with Israeli fighter bombers.

GROSS: That's just kind of amazing to me. And part of what's amazing too, is that the radars says nothing but there are the planes. And didn't nobody notice the planes or was it too late by then?

Mr. CLARKE: By the time people realized it was an attack, they realized it because they were seeing and hearing explosions and they were trying to get on the phone and call to air defense headquarters and say we're under attack. By the time anyone realized that, the Israelis were back outside of Syrian airspace.

GROSS: Has the United States ever tried anything like that?

Mr. CLARKE: There's good reason to believe that the Israelis used a system very similar to one developed by the United States.

GROSS: So you think we have that potential.

Mr. CLARKE: Oh, yes.

GROSS: My guest is Richard Clarke who was counterterrorism czar under Presidents Clinton and George W. Bush and served as Bush's special adviser on cyber security. Clarke's new book is called "Cyber War."

We'll talk more after a break.

This is FRESH AIR.

(Soundbite of music)

GROSS: If you're just joining us, my guest is Richard Clarke and his new book is called "Cyber War: The Next Threat to National Security and What to Do About It."

You write about flaws in the software and hardware of our computers, that can leave them very vulnerable. And one of the things you write about is how the hardware and software parts of typical computers in the United States are from a supply chain that can include about 400 different countries and several different continents. Why? Why is the supply chain so vast?

Mr. CLARKE: Well, the world economic system works very efficiently now, so that we find the place where the least cost is incurred to build software or write software or compile software. And similarly, with the pieces - the hardware pieces, the firmware pieces of a computer, and that's why you can get a Dell computer so cheaply because it's made all over the world wherever it is the cheapest to do it.

GROSS: Okay. Now well, why is this big supply chain, the fact that components of your computer are made in so many different countries, why is that a potential problem?

Mr. CLARKE: Well, the Bush administration, when it did its review in 2008, identified this as one of the top 12 concerns about cyber security, that it is so easy to slip in some software or just slip in some hardware that no one will ever detect; and that software or that hardware could be then, the back door that someone can use to get control of your computer.

GROSS: And so somebody could do that maliciously, with the idea of cyber war, somebody could just be a hacker or somebody could be just doing it for a prank?

Mr. CLARKE: Yeah, all the above. Someone could be doing it as a criminal activity. So they could go out into the black parts of the Internet and say hey, do you want access to Terry Gross's computer? I know how you can do that. More typically they'd say hey, I have access to 500,000 Dell computers made between this point and that point because somehow I was working at Dell or I hacked my way into Dell and I slipped in a trapdoor that's on all of those computers. And I don't mean to pick on Dell. This would be anybody.

GROSS: Is there any evidence that that's actually happened?

Mr. CLARKE: Yes. There's a lot of evidence that that's happened. And it's not just people working in the factories; it's in fact, governments. And this doesn't mean that if you buy something that was made in China, as my Mac Pro laptop was, that necessarily the Chinese government put the trapdoor in. It may be some other government did it. Just because it was made in China doesn't mean the Chinese government did it. But governments and criminal cartels are constantly trying to find ways of putting trapdoors in software and hardware, at the factory and even after you get the machine home.

GROSS: Why would they want to do that in personal laptops, in personal computers, as opposed to say Pentagon computers?

Mr. CLARKE: Well, it turns out that millions of personal computers have been compromised so that let's say you go to a Web page, while you're on that Web page that Web page is secretly downloading a trapdoor into your computer. Now, that Web page may be your church, it may be your synagogue. It may be a really nice organization and they don't know that their Web page has been compromised in doing it. But they also don't have a lot of money to worry about cyber security, so your church or synagogue or whatever organization hasn't looked for this possibility, doesn't have good cyber defenses. You go there. It downloads a trapdoor into your computer.

Then your computer phones home to whoever has done this and says whenever you need me I'm on the network, and then you can make a million of these computers do something simultaneously. You won't even notice it happening to your computer. Maybe your computer will be running a little slowly that day. Maybe your bandwidth won't look like it's normal. But while you're doing your emails, your computer could be sending out a denial of service attack as part of a million other computers all trying to knock off a bank in Estonia.

GROSS: So your computer can become drafted into a cyber attack that you don't even know you're participating in.

Mr. CLARKE: Happens every day and these computers that are drafted are called zombies and the things that they're drafted into are called botnets - robotic networks - and it happens every day.

GROSS: Now, another concern you express in your book is that the prevalence of Microsoft computers can unintentionally make us more vulnerable. What's your concern?

Mr. CLARKE: Well, it used to be that the Defense Department had very high-end sophisticated computers that only they had, computers that were designed for the Pentagon and built and sold only to the Pentagon. And then along came the revolution of something called commercial off-the-shelf technology. People saying why pay 10 times as much for a purpose built Defense Department computer when you can buy a cheap computer like a Dell, and you can buy cheap software like Microsoft, and it'll work just as well. And it was a huge cost-saver. And by now, that has happened throughout the U.S. Defense Department. So you have big billion dollar cruisers in the U.S. Navy running, essentially, the same sort of Microsoft Windows program that you have at home.

The problem is that Microsoft never said it was building a highly secure software program that lives could depend on. And in fact, what they were building was the quickest, cheapest, dirtiest thing that they could do. And they made a lot of money on it, and for most applications it's great. But for highly secure things, like running bank networks or military systems, it probably wasn't a good idea. And we have seen, over the course of the last decade, a huge amount of penetrations of Microsoft software because it was not written as a highly reliable, highly secure program.

GROSS: You also write that Microsoft has actually shared more information with the Chinese government than with U.S. government.

Mr. CLARKE: No, more information with the Chinese government than with U.S. banks and other institutions.

GROSS: Oh, I see.

Mr. CLARKE: What happened was that China went to Microsoft and said we're afraid that the U.S. government may have put some secret trapdoor in Microsoft products and therefore, we want to see all of the secret lines of code behind the Microsoft products, or effectively, we'll throw you out of the Chinese market. And Microsoft blinked and said, fine. Open the kimono. Here's everything. Please let us stay in your market. When American banks, as an association of big banks, went to Microsoft and said the same thing, they were rebuffed.

GROSS: Now obviously, you've advised the United States government, both the White House. You advise the Obama campaign. You advise businesses. What advice do you have for individuals like me and everybody who's listening now, who are just like using their computers at work and at home? They're not working for the Pentagon. They're not inside the financial industry, but they don't want to become zombies. They don't want to be used for botnets and attacks and they don't want to be attacked.

Mr. CLARKE: Well, I think the average user can't do much except protect themselves. And that means things like if you're going to buy things online, have a credit card for that purpose with a low credit limit, so that if your card is compromised there's a limit as to how much money goes out the door. Don't do banking online or stock broker work online and have a lot of money at risk, unless your stock company gives you something more than just a password to get in. In other words, a two-step method of proving your identity. And for high-end users, some stock companies will give you that second access method so that it won't just be a name and password.

GROSS: Have you spent a lot of time talking with the people who work the dark side of the computer, the cyber underworld who are - the people who are very, very knowledgeable and use their knowledge in malicious ways?

Mr. CLARKE: I talk to them. I think they're people who use their knowledge in malicious ways. They say they're not. Every indication is that they are. No one wants to admit to having committed a felony, so that it's all about my friend can do this and my colleague can do that, or I know a guy. But yes, I talk to a lot of people who are clearly aware of what's going on on the dark side of the Internet. I then run that information by intelligence agencies and law enforcement agencies to double check it, and there's a fairly good consensus about what's going on out there.

GROSS: Which is?

Mr. CLARKE: Huge amount of criminal activity. Very sophisticated criminal cartels and gangs. We're not talking about one or two people operating at a time. Billions of dollars going on in illicit activity through identity theft and through industrial espionage. One company will say gee, I'd really like to know about my competitor and that information will get to them.

GROSS: And are there instances of these cyber criminals working with governments, partnering together to attack?

Mr. CLARKE: There's a lot of evidence that these very sophisticated cyber gangs in Russia and in China exist because the government lets them. And it's a bit like the scene in "The Godfather" where Marlon Brando says, some day I will come to you and ask you for a special favor. That's what goes on. The Russian government says, fine, you do that. Don't rob anybody here in Russia. Go play. Attack the United States. Whatever you want to do. We'll protect you. But some day when we're attacking Georgia, when we're attacking Estonia, we'll need you to do it so that we, the Russian government, have some deniability.

GROSS: My guest is Richard Clarke who was counter-terrorism czar under Presidents Clinton and George W. Bush, and served as Bush's special adviser on cyber security. Clarke's new book is called "Cyber War."

We'll talk more after a break.

This is FRESH AIR.

(Soundbite of music)

GROSS: My guest is Richard Clarke and he was a counter-terrorism adviser to Presidents Clinton and Bush and was the first cyber security adviser to a president - that was President George W. Bush.

You point out in your book, that so far, terrorists have used the Internet as a way to mobilize, raise money, communicate. But terrorists have not used the Internet to disable other countries' computer systems. Are you concerned that terrorists will soon have the capacity to do that and may use that?

Mr. CLARKE: Now Terry, I'm very concerned with the use of the phrase by a lot of commentators, cyber terrorism. People talk about me as a cyber terrorism expert. I don't think there has been the phenomenon of cyber terrorism. I think there's cyber activity and I think there's terrorism, and so far the overlap of the two has consisted almost entirely of terrorist organizations, like Hamas and Hezbollah and al-Qaida, using the Internet the way you use it - to have a webpage, to communicate with followers, to raise money.

That's what they do on the Internet. That's what NPR does on the Internet. It's just no case that I know of where a terrorist organization, or somebody hired by a terrorist organization, has gone online and said, let's blow up the electric power generator in Haifa. Let's disrupt banking in Tel Aviv. I haven't seen that.

GROSS: Do you expect to see it?

Mr. CLARKE: I don't know why it hasn't happened. Certainly, it could happen. There are lots of people in terrorist organizations who have advanced degrees in information science. And clearly, there are a lot of hackers out there in the world for hire. So they could hire them or they could probably use some of their own people. They haven't. I don't know if they will.

GROSS: Now, this might be a little off topic for you, but today - we're recording this in the morning - and today is the anniversary of the Oklahoma City bombing. It's the anniversary of the end of the standoff between the Branch Davidians and the Bureau of Alcohol, Firearms and Tobacco in Waco, Texas. And it's also the day - oh, it's the anniversary of the first shots in the Revolutionary War, and it's also the day that was chosen for a pro-gun, pro-Second Amendment March in Washington, D.C., and another march in Virginia. And in the Virginia march, marchers have been encouraged to bring their guns.

Now, these rallies will have played out by the time many people hear our broadcast today. But, as somebody who's worked a lot in counter-terrorism, what do you think of a pro-gun march being on the anniversary of the Oklahoma City bombing?

Mr. CLARKE: Well Terry, it's deeply disturbing. But on the one hand, most of us who own guns - and millions of Americans do - most of us who own guns are perfectly normal human beings who have those guns for legitimate reasons. But there is a small percentage of people who own guns that I find very scary. And they are the ideological remnants of the Ku Klux Klan, the ideological remnants of the John Birch Society.

Throughout our history, we've had right wing people who say they don't like the U.S. government, they want to take down the U.S. government, they think violence against the U.S. government is okay; and since the election of Barack Obama these people have grown in volume and I think they've grown in number.

And we have to remember, when we worry about al-Qaida and foreign threats, that one of the biggest, certainly the second largest and second most destructive terrorist attack in our history, inside our borders, was done by these people, American right wing people - extreme right wing, anti-government, violent people.

I think the United States has a serious threat today, from those people, because legitimate public officials are egging them on. And legitimate public officials who are conservative and who are Republican aren't criticizing them or aren't criticizing them enough. We need to de-legitimatize these people or we will have another Oklahoma City.

GROSS: You're afraid some politicians are courting their vote instead of de-legitimatizing them?

Mr. CLARKE: Oh, you could see it during the health care debate and all around the country in the last year. There are people who are saying well, I don't support the crazy people, but I support these guys who are just right on the border of the crazy people, of the people who have guns and are making bombs. We need every politician, every church leader, every synagogue leader, every mosque leader in this country, on a regular basis, to be preaching against violence, and against people who would attack the government.

GROSS: Richard Clarke, it's always interesting to talk with you and always a little unnerving...

(Soundbite of laughter)

GROSS: ...because there's always some bad news - things to worry about. But thank you for talking with us. Thank you very much.

Mr. CLARKE: And Terry, it's always great to be on FRESH AIR.

GROSS: Richard Clarke's new book is called "Cyber War." He was the national coordinator for counter-terrorism in the Clinton and George W. Bush administrations.

You can read a chapter from his new book and see a timeline of major cyber security attacks since 2007 on our website, where you can also download podcasts of our show.

(Soundbite of music)

GROSS: I'm Terry Gross.

(Soundbite of music)

Copyright © 2010 NPR. All rights reserved. Visit our website terms of use and permissions pages for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.