When the second plane hit the World Trade Center on 9/11, Richard Clarke didn't wait around for President Bush to react. The former counter-terrorism adviser to the US National Security Council claims to have been already executing one of the biggest national infrastructure continuity plans in US history while the Bush administration was still reeling from the first strikes. Instead of waiting for Bush to act, Clarke and his team were busy grounding 4,200 planes.
Clarke is probably best known for his outspoken personality and his attacks on the Bush administration over the invasion of Iraq. Last year after he left his post as cybersecurity tzar at the White House, he openly criticised the president's handling of the 'war on terror', claiming Bush could have prevented the 9/11 attack if he had listened to his advisors.
Clarke, who now heads up security firm Good Harbour Consulting, has an impressive CV. He has served as a counter-terrorist expert and cybersecurity advisor under four US presidents and was a civil servant for 30 years. But he experienced a mixed reception when he released his book, Against All Enemies, which made the allegations against the Bush administration.
Two days after the US elections, at the European RSA Conference in Barcelona, ZDNet UK sat down with Clarke to discuss whether cyberterrorism is a misnomer or a real threat and whether he regrets publicly criticising the Bush administration.
Q: With all the areas you've worked in, does looking at the cyberworld seem trivial?
A: No. I've been looking at the cyberworld for about eight years now. I don’t think it's trivial at all. Some people, when they talk about security, they use 9/11 as a benchmark. They say unless it's going to result in a 9/11 where we have 3,000 body bags, it's no big deal. You know there are lots of things in our life that are important. And there are important security problems that don't create 3,000 body bags. Cybersecurity is enormously important. Just because it doesn't create a lot of body bags, doesn't mean it's not important. It's vitally important for our economies.
A couple of days ago a UK bank was hit by a denial-of-service attack. Alan Paller, the director of research for SANS, said that every online gaming Web site is probably paying extortion demands. Is this something you're seeing?
Yes they are. Over the last year botnets have gone from 2,000 to about 30,000. I don’t know what the average number of machines is per botnet, but you can bet it's in the thousands. The only thing I know botnets are good for is denial-of-service attacks. Even if no one is reporting denial-of-service attacks, you know they are happening.
How long will it be before we see some type of vigilante group to tackle the people carrying out denial-of-service attacks?
Well, I know companies are reluctant to have their employees be vigilantes. It increases their own liability. I think we are going to see companies asking their ISPs to do more. A lot of denial-of-service attacks could be prevented if ISPs co-operated with each other.
Are governments looking into using cyberwarfare on other countries?
Oh yes. One thing I know that the United States did before the war was to use the internet to communicate directly with Iraqi soldiers and to send personalised messages saying 'We're about to invade. We're going to overwhelm you and if you resist us we're going to kill you. But we don’t want to do that. So really the best thing for you to do when we invade is to go home.' Each senior officer of the Iraqi army got that message and most of them went home.
How much can governments see of what goes on in the Internet? Can they see every email?
Oh no. There are technical and legal reasons. The legal reason, in the US at least, is that you need a court order for each person [to see each email]. The technical reason is that there is too much traffic.
It's interesting what you say about liberty and security and how the two mirror each other…
They can. But I argue that you can't have civil liberties without some degree of security. On the other hand, if you do security improperly, then it can erode civil liberties. So it's getting the balance of security and civil liberties right so one reinforces the other without eroding the other. Take privacy rights -- if you pass privacy legislation, say, and make all information 'protected' but then the companies aren't required to have real IT security. The fact that [information] is supposed to be protected and you can't be insured commercially doesn't mean it's protected. So privacy laws are only as good as the security that supports them.
How well do you think governments are dealing with security?
In what sense? The governments themselves?
In protecting their countries.
Well, I think most governments are not doing a very good job of protecting government. And that's unfortunate given all the privacy information about all of us that governments have. I think governments are also not doing a good job of protecting cyberspace that their citizens employ. They are certainly not doing a good job of helping companies within their countries. Private companies for their own part, and for that matter citizens, are pretty much on their own in the cyberworld.
We see an awful lot of fear, uncertainty and doubt heading our way, which almost seems to reflect the state of politics today. Some would say that the IT security market seems to be taking advantage of this. How do you feel about that?
I think that the IT security companies have grown up and no longer are employing fear, uncertainty and doubt as a marketing message. I think what they are saying instead is IT security can be an enabler that can allow companies to do things they would otherwise have been unable to do. And you can open up markets by having IT security. The distinction between IT security and IT management is also blurry. I see less marketing now in terms of fear, uncertainty and doubt.
Howard Schmidt [another head of cybersecurity at the White House] said that people are doing a better job of security. Would you agree with him?
I think many companies have improved their security. Many are taking security seriously, spending the amounts of money they need to spend. If you go back about five years ago I think the average large company was spending 4 percent on its average IT spending. The average company is now spending about 8 percent. You and I both know you can double your spending on security and not achieve security. It's not just a matter of spending. Spending is an important indicator. That indicator would suggest that the companies are taking it more seriously, but it's also what they are spending it on and how they deploy it. Certain industries are doing a much better job. The financial services industry, at least in most modern countries, is doing a very good job.
There are a lot of disparate security bodies and user groups that don't seem to act in a coordinated way. A lot of them talk but don’t seem to have a strategy or roadmap.
Well part of what we do is information sharing. Forums are great places to do that. But all too often the participants have no decision making authority in their own companies and the real problem is persuading the CIO or the CFO that there is a return on investment in increasing security. Information sharing forums are great for technical solutions but haven't been all that great in helping the CISO to tell their story to their superiors.
It seems that the most useful piece of information a CISO can have is how to get to the board member, the CEO or the CFOs, and make a case in their language. Every expertise speaks its own language. What would be useful for these user groups is learning ways to speak the language of the people who are making the decisions.
Do you miss working at the White House?
No. Not at all.
Would you ever go back?
Never. I spent 30 years there as a civil servant. And I consider that as 30 years of hard labour. No I don't think I could do it anymore.
Some people might say you came under a lot of flak when you did what you did [criticised the Bush administration]. Did you come under a lot of pressure?
There are those people who took it personally and that's unfortunate. I didn’t think I had any choice in the matter. I didn’t think or conceive of working for the Bush administration as much as for working for the American people. And the American people have a right to know certain things. What I wrote in the book would have come out anyway in the 9/11 commission investigation. Frankly there is some stuff I wanted to use in my book but I wasn't allowed to. The government did have to clear the book. Most of that information came out in the 9/11 commission. So my emails and my memos are in the 9/11 commission report. So it came out anyway, but I wanted to tell it in a coherent way and in a way that's usually understood.
Some people would criticise security professionals for going out and whistle blowing. What would you say about that?
There's a lot that anyone who has been in the security business as long as I have should never reveal because it will make it easier for terrorists and hackers. And we all have to be careful when we do right, that that information is not revealed. In the case of the United States, if you were in the government and you had top secret clearance, your books have to be reviewed by the government to make sure there's nothing in them that's revealing or could be used. There's a double check. You hopefully do it yourself, but the government does it for you too. There's nothing in my book that would in any way help an enemy.
Do you still regard yourself as a patriot?
In the Michael Moore film Fahrenheit 9/11, Moore shows the scene when the president was informed of the 9/11 situation for the first time and he sits and reads a children's book for seven minutes. Is that true?
Yeah that's true.
What was happening where you were?
Well we were making decisions, we weren't waiting for him. During that time frame we were making the decision to ground all the 4,200 aircraft that were aloft at the time beginning with Washington and New York corridor and getting all the aircraft out of there. No one had ever done it before and we weren't sure that we could do it, but it worked.
It must have been a real test for the critical national infrastructure…
It was and for the most part it worked. Some of the problems we had were things like the companies with operation plans envisioned that the alternative headquarters for various departments would be staffed by people in the [original] headquarters.
That didn’t work and the people in Washington couldn't get out. There were two million people trying to get out at the same time. All the roads, the metro and everything were jammed. So we couldn't get the continuity teams out to the continuity sites. That was something we discovered on 9/11 we didn't know before. Most of the system worked.