Former National Security Council cyber security director Richard Clarke says the military hasn’t done enough to secure today’s networked weapons systems against hacking and is likely to find out what they’ve missed the hard way once a conflict with a sophisticated adversary begins.
“The nightmare scenario that I hear a lot of flag officers worrying about is, they get involved in a combat situation against a sophisticated enemy and that sophisticated enemy activates trap doors and shuts off systems and you’ve got beautiful aircraft and beautiful naval vessels or missiles that just sit there,” Clarke told me yesterday at an American Institute of Aeronautics and Astronautics conference in Washington, where he spoke on cyber security.
In his speech, Clarke called for an international treaty to put certain entities off-limits to cyber attacks, require signatory nations to pass laws enforcing such norms and enable the United Nations Security Council to impose sanctions on violator nations, as it did when Iran was found to be violating the International Atomic Energy Agency safeguards against nuclear proliferation. Noting that President Xi Jinping of China and President Obama signed an agreement last fall that in principle bans either government from cyber theft of the other nation’s intellectual property, Clarke said banking, hospitals and aviation should be put off-limits as well.
Clarke’s AIAA remarks focused on the evolution of the cyber threat: from its beginnings a decade and a half ago as government-on-government hacking for espionage, to government hacking for industrial espionage, to criminal hacking for profit, to today’s increasing threats of hacking to disrupt everything from power grids to movie studios or to make corporations pay to be freed from ransomware. After his speech, I asked Clarke if the military is winning or losing the cyber arms race with Russia, China, Iran and North Korea — four nations known to engage in cyber attacks with gusto.
“The problem is that we don’t know,” said Clarke, who as chairman and chief executive officer of Good Harbor Security Risk Management spends most of his time consulting on cyber security and, in 2012, published Cyber War, one of his many books. “The problem is that there’s millions of code applications running in weapons systems. Some of them have been verified by running repeated different ways of checking the code,” Clarke said.
“But there’s so much code there, and the way you develop code today in major corporations is, you take the code that’s out there in open source material and bring it in. Frequently, people don’t even know that they have open source code buried in the code that they’ve just bought from somebody. That makes it very hard to tell whether the code that is running in weapons systems is secure. And the only time I think we’re going to find out is when somebody actually proves that they’ve put a trap door in, put a vulnerability in, by shutting off a weapons system. And they’re not going to do that until we’re engaged in combat.”
The good news, Clarke said, is that “the military’s aware of the problem and it’s begun to pay enough attention to the problem, particularly on the hardware side, with the chips and to some extent with the firmware.” At the same time, he added, “I don’t think it (the military) has a full handle on the (cyber security of) support systems necessary for the weapons systems. You think of all the software that’s necessary for the support systems to work. If the support systems don’t work, it doesn’t really matter if the weapons system does. I don’t think they’ve begun to be able to address that.”
Clarke also said during his speech that ISIS and Al Qaeda would gladly hire hackers to disrupt western aviation or other systems if they could, and someone in the audience asked how a treaty to put aviation or other networks off-limits to cyber attack could help against those threats.
“When you think that international norms are all sort of airy fairy things that have no teeth — they can have teeth if we want them to have teeth,” Clarke said. “With regard to criminal cartels and terrorists, they live in countries, they need sanctuaries. They need countries that will tolerate their activity. And countries that tolerate their activity should be subject to the sanctions and punishment of the international norms.”