Clarke was already executing one of the biggest national infrastructure continuity plans in U.S. history while the Bush administration was still reeling from the first strikes, the former counterterrorism adviser to the U.S. National Security Council says. Instead of waiting for Bush to act, he and his team were busy grounding 4,200 planes.
Clarke is probably best known for his outspoken personality and his disagreement with the Bush administration over the invasion of Iraq. Last year, after he left his post as cybersecurity czar at the White House, he openly criticized the president's handling of the "war on terror," claiming Bush could have prevented the Sept. 11 attacks if he had listened to his advisers.
Clarke, who now heads up security company Good Harbor Consulting, has an impressive resume. He has served as a counterterrorism expert and cybersecurity adviser to four U.S. presidents and was a civil servant for 30 years. But he experienced a mixed reception when he released his book "Against All Enemies: Inside America's War on Terror," which criticized the Bush administration.
Two days after the U.S. elections, at the European RSA Conference in Barcelona, CNET Networks' ZDNet U.K. sat down with Clarke to discuss whether cyberterrorism is a real threat and whether he regrets publicly criticizing the Bush administration.
Q: With all the areas you've worked in, does looking at the cyberworld seem trivial?
A: No. I've been looking at the cyberworld for about eight years now. I don't think it's trivial at all.
Some people, when they talk about security, they use 9/11 as a
benchmark. They say unless it's going to result in a 9/11, where we
have 3,000 body bags, it's no big deal. (But) you know there are lots
Cybersecurity is enormously important…It's vitally important for our economies.
A couple of days ago a U.K. bank was hit by a denial-of-service
attack. Alan Paler, the director of research for SANS, said that every
online gaming Web site is probably paying extortion demands. Is this
something you're seeing?
Yes, they are. Over the last year bot nets have gone from 2,000 to about 30,000. I don't know what the average number of machines is per bot net, but you can bet it's in the thousands. The only thing I know bot nets are good for is denial-of-service attacks. Even if no one is reporting denial-of-service attacks, you know they are happening.
How long will it be before we see some type of vigilante group to tackle the people carrying out denial-of-service attacks?
Well I know companies are reluctant to have their employees be vigilantes. It increases their own liability. I think we are going to see companies asking their ISPs to do more. A lot of denial-of-service attacks could be prevented if ISPs cooperated with each other.
Are governments looking into using cyberwarfare on other countries?
Oh yes. One thing I know that the United States did before the war was to use the Internet to communicate directly with Iraqi soldiers and to send personalized messages saying: 'We're about to invade. We're going to overwhelm you, and if you resist us, we're going to kill you. But we don't want to do that. So really the best thing for you to do when we invade is to go home.'
Each senior officer of the Iraqi army got that message, and most of them went home.
How much can governments see of what goes on in the Internet? Can they see every e-mail?
Oh no. There are technical and legal reasons. The legal reason is, in the U.S. at least, that you need a court order for each person. The technical reason is that there is too much traffic.
It's interesting what you say about liberty and security and how the two mirror each other…
They can. But I argue that you can't have civil liberties without some degree of security. On the other hand, if you do security improperly, then it can erode civil liberties. So it's getting the balance of security and civil liberties right, so one reinforces the other without eroding the other.
Take privacy rights--if you pass privacy legislation, say, and make all information 'protected.' But then the companies aren't required to have real IT security. The fact that (information) is supposed to be protected, and you can't be insured commercially, doesn't mean it's protected. So privacy laws are only as good as the security that supports them.
How well do you think governments are dealing with security?
In what sense? The governments themselves?
In protecting their countries.
Well, I think most governments are not doing a very good job of protecting government. And that's unfortunate, given all the privacy information about all of us that governments have.
I think governments are also not doing a good job of protecting
cyberspace that their citizens employ. They are certainly not doing a
We see an awful lot of fear, uncertainty and doubt heading our way,
which almost seems to reflect the state of politics today. Some would
say that the IT security market seems to be taking advantage of this.
How do you feel about that?
I think that the IT security companies have grown up and no longer are employing fear, uncertainty and doubt as a marketing message. I think what they are saying instead is IT security can be an enabler that can allow companies to do things they would otherwise have been unable to do. And you can open up markets by having IT security.
The distinction between IT security and IT management is also blurry.
Howard Schmidt (another White House adviser) said that people are doing a better job of security. Would you agree?
I think many companies have improved their security. Many are taking security seriously, spending the amounts of money they need to spend. If you go back to about five years ago, I think the average large company was spending 4 percent on average on IT spending. The average company is now spending about 8 percent.
You and I both know you can double your spending on security and not achieve security. It's not just a matter of spending…it's also what they are spending it on and how they deploy it. Certain industries are doing a much better job. The financial services industry, at least in most modern countries, is doing a very good job.
There are a lot of disparate security bodies and user groups that
don't seem to act in a coordinated way. A lot of them talk, but don't
seem to have a strategy or road map.
Well, part of what we do is information sharing. Forums are great places to do that. But all too often, the participants have no decision-making authority in their own companies and the real problem is persuading the CIO or the CFO that there is a return on investment in increasing security. Information-sharing forums are great for technical solutions, but haven't been all that great in helping the (chief information security officer) to tell their story to their superiors.
It seems that the most useful piece of information a CISO can have is how to get to the board member, the CEOs or the CFOs, and make a case in their language. Every expertise speaks its own language. What would be useful for these user groups is learning ways to speak the language of the people who are making the decisions.
Do you miss working at the White House?
No. Not at all.
Would you ever go back?
Never. I spent 30 years there as a civil servant, and I consider that as 30 years of hard labor. No, I don't think I could do it anymore.
Some people might say you came under a lot of flak when you did what
you did (criticized the Bush administration). Did you come under a lot
There are those people who took it personally, and that's unfortunate. I didn't think I had any choice in the matter. I didn't think or conceive of
Frankly, there is some stuff I wanted to use in my book, but I wasn't allowed to. The government did have to clear the book. Most of that information came out in the 9/11 commission. So my e-mails and my memos are in the 9/11 commission report. So it came out anyway, but I wanted to tell it in a coherent way and in a way that's usually understood.
Some people would criticize security professionals for going out and whistle-blowing. What would you say about that?
There's a lot that anyone who has been in the security business as long as I have should never reveal, because it will make it easier for terrorists and hackers. And we all have to be careful…that that information is not revealed.
In the case of the United States, if you were in the government and you had top secret clearance, your books have to be reviewed by the government to make sure there's nothing in them that's revealing or could be used. There's a double-check. You hopefully do it yourself, but the government does it for you too. There's nothing in my book that would in any way help an enemy.
Do you still regard yourself as a patriot?
In the Michael Moore film "Fahrenheit 9/11," Moore shows the scene
when the president was informed of the situation for the first time,
and he sits and reads a children's book for seven minutes. Is that true?
Yeah, that's true.
What was happening where you were?
Well, we were making decisions, we weren't waiting for him. During that time frame, we were making the decision to ground all the 4,200 aircraft that were aloft…beginning with Washington and the New York corridor and getting all the aircraft out of there. No one had ever done it before, and we weren't sure that we could it, but it worked.
It must have been a real test for the critical national infrastructure…
It was, and for the most part, it worked. Some of the problems we had were things like the companies with operation plans envisioned that the alternative headquarters for various departments would be staffed by people in the (original) headquarters.
That didn't work, and the people in Washington couldn't get out. There were 2 million people trying to get out at the same time. All the roads, the metro and everything were jammed. So we couldn't get the continuity teams out to the continuity sites. That was something we discovered on 9/11 we didn't know before. Most of the systems worked.
Dan Ilett reported for London-based ZDNet UK.