“There are two kinds of companies: those that have been hacked, and those that will be.”
If you listen to people talk about cyber security long enough, you’ll hear a hundred subtle variations of that statement. Another version goes: “There are two kinds of companies: those that know they’ve been hacked, and those that don’t,” implying that every server and every computer the world over is not only vulnerable to attack, but has at least been probed in the past. It’s this version of the saying that cyber security expert and former White House counter-terrorism advisor Richard Clarke buys into, at least when it comes to U.S. companies. Nor, in his view, have these companies been hacked at random. They’ve all been hacked by China.
“I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong. Every major company in the United States has already been penetrated by China.”
So claims Clarke in a recent Smithsonian Magazine article by Ron Rosenbaum. The article is a follow-up on Clarke’s 2010 book Cyber War, which details the vulnerabilities of the U.S. and its citizens to cyber attacks that do things far worse than steal your credit card information. In it, Clarke points out how much of the United States’s critical infrastructure is connected to the Internet, and thus how easily it could be attacked.
Clarke tells Rosenbaum that the U.S. lacks at present a well-developed, comprehensive cyber defense system. What’s potentially worse, he says, are the ramifications of the United States’s aggressive policy of cyber offense. Referring to the 2009 Stuxnet worm attack that temporarily disabled centrifuges belonging to Iran’s nuclear program, Clarke says, “I think that the U.S. government did the attack and I think that the attack proved what I was saying in the book [which came out before the attack was known], which is that you can cause real devices—real hardware in the world, in real space, not cyberspace—to blow up.” Other nations may also believe that the U.S. was responsible for the attack, or may even have evidence of attacks against their own networks. Clarke fears that the U.S. has extended its reach and offended too many governments, without properly covering its own cyber butt.
While he points out the potential for a massive, crippling cyber attack that takes down U.S. power grids, communications networks, and transportation controls, Clarke says his main concern involves a subtler, more prolonged Chinese cyber attack which targets industry secrets and steals documents from corporations’ — and government’s — research and development programs, crippling the economy and rendering the U.S. uncompetitive:
“My greatest fear,” Clarke tells Rosenbaum, “is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China. … After a while you can’t compete.”
Is Clarke accurate in his assessment? He has both his supporters and his critics, but his credentials bear mentioning. He served as chief counter-terrorism advisor under Bush I, Clinton, and Bush II, and later as Special Advisor to the President on cybersecurity. You may know Clarke best as the guy who warned W. Bush’s administration, 10 weeks before the September 11th attacks, that an attack was imminent. Clarke later released a public apology (followed up by a book titled after the statement), telling U.S. citizens: “Your government failed you.” Clarke is currently Chair of Good Harbor Consulting, a strategic planning and security firm in Arlington, Virginia. He is also an adjunct professor at the Harvard Kennedy School of Government.
On the other hand, Wired magazine pooh-poohed Clarke’s book, Cyber War, in a 2010 book review, claiming that the book included numerous embellishments and inaccuracies.
Regardless of the merits of his book, Clarke’s background in cyber security — as well as the plausibility of his argument — makes it at least worth lending an ear to his concerns.