When the second plane hit the World Trade Center on 9/11, Richard Clarke didn't wait around for President Bush to react. The former counter-terrorism adviser to the US National Security Council, claims to have been already executing one of the biggest national infrastructure continuity plans in US history while the Bush administration was still reeling from the first strikes. Instead of waiting for Bush to act, Clarke and his team were busy grounding 4,200 planes.
Clarke is probably best known for his outspoken personality and his attacks on the Bush administration over the invasion of Iraq. Last year after he left his post as cybersecurity tzar at the White House, he openly criticised the president's handling of the 'war on terror', claiming Bush could have prevented the 9/11 attack if he had listened to his advisors.
Clarke, who now heads up security firm Good Harbour Consulting, has an impressive CV. He has served as a counter-terrorist expert and cybersecurity advisor under four US presidents and was a civil servant for 30 years. But he experienced a mixed reception when he released his book, Against All Enemies , which made the allegations against the Bush administration.
Two days after the US elections, at the European RSA Conference in Barcelona, ZDNet UK sat down with Clarke, to discuss whether cyberterrorism is a misnomer or a real threat and whether he regrets publicly criticising the Bush administration.
Q: With all the areas you've worked in, does looking at the cyberworld seem trivial?
A: No. I've been looking at the cyberworld for about eight years now. I don’t think it's trivial at all. Some people, when they talk about security, they use 9/11 as a benchmark. They say unless it's going to result in a 9/11 where we have 3,000 body bags, it's no big deal. You know there are lots of things in our life that are important. And there are important security problems that don't create 3,000 body bags. Cybersecurity is enormously important. Just because it doesn't create a lot of body bags, doesn't mean it's not important. It's vitally important for our economies
A couple of days ago a UK bank was hit by a denial-of-service attack. Alan Paler, the director of research for SANS said that every online gaming Web site is probably paying extortion demands. Is this something you're seeing?
Yes they are. Over the last year botnets have gone from 2,000 to about 30,000. I don’t know what the average number of machines is per botnet, but you can bet it's in the thousands. The only thing I know botnets are good for is denial-of-service attacks. Even if no one is reporting denial-of-service attacks, you know they are happening.
How long will it be before we see some type of vigilante group to tackle the people carrying out denial-of-service attacks?
Well I know companies are reluctant to have their employees to be vigilantes. It increases their own liability. I think we are going to see companies asking their ISPS to do more. A lot of denial-of-service attacks could be prevented if ISPs co-operated with each other.
Are governments looking in to using cyberwarfare on other countries?
Oh yes. One thing I know that the United States did before the war was to use the internet to communicate directly with Iraqi soldiers and to send personalised messages saying 'We're about to invade. We're going to overwhelm you and if you resist us we're going to kill you. But we don’t want to do that. So really the best thing for you to do when we invade is to go home. Each senior officer of the Iraqi army got that message and most of them went home.
How much can governments see of what goes on in the Internet? Can they see every email?
Oh no. There are technical and legal reasons. The legal reason is, in the US at least, is that you need a court order for each person [to see each email]. The technical reason is that there is too much traffic.
It's interesting what you say about liberty and security and how the two mirror each other…
They can. But I argue that you can't have civil liberties without some degree of security. On the other hand, if you do security improperly, then it can erode civil liberties. So it's getting the balance of security and civil liberties right so one reinforces the other without eroding the other. Take privacy rights -- if you pass privacy legislation, say, and make all information 'protected' but then the companies aren't required to have real IT security. The fact that [information] is supposed to be protected and you can't be insured commercially doesn't mean it's protected. So privacy laws are only as good as the security that supports them.
How well do you think governments are dealing with security?
In what sense? The governments themselves?
In protecting their countries.
Well, I think most governments are not doing a very good job of protecting government. And that's unfortunate given all the privacy information about all of us that governments have. I think governments are also not doing a good job of protecting cyberspace that their citizens employ. They are certainly not doing a good job of helping companies within their countries. Private companies for their own part, and for that matter citizens, are pretty much on their own in the cyberworld.