Richard Clarke: Your Company Is a Front in a Future Cyberwar

In Cyber War: The Next Threat to National Security and What to Do About It, you write about how vulnerable America is to electronic attack. Is it possible to create an effective deterrence policy against cyberwar, as was done for nuclear war?

That doesn’t work in cyberspace for lots of reasons. In the nuclear era, there were more than 2,000 tests worldwide. Nations demonstrated they could do damage. It’s hard to demonstrate cyberweapons in advance. In a nuclear war, you see missiles. In cyberwar, it’s not clear who’s attacking. People can pretend to be other people. (See our review of Cyber War.)

How can the federal government protect companies?

Do more. As a matter of law and policy, the federal government should actively counter industrial espionage.

Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It’s a very 20th-century approach.

Until someone makes law or policy changes that say the U.S. Cyber Command can defend ATaannddT or Bank of America, it doesn’t have the legal authority to do that. I think it should. The government also has to explain the threat to corporations. The British government sent a letter from the head of [intelligence agency] MI5 to the CEOs of the top 300 companies in Britain telling them they’d been hacked by the Chinese.

What should ­companies do?

Corporations need to figure out what their crown jewels are. You can’t protect everything and defend your entire corporate network equally. It’s not all equally important, either.

So is it your intellectual property? Your marketing plans? Your research and development? Isolate them and provide them with special defenses and recognize that the other stuff will escape or be stolen.

Why don’t companies do this?

Until CEOs and boards of directors are faced with black-and-white evidence that they have lost a terabyte of information and that this has resulted in some other company beating them to market, until they have their noses rubbed in it, they’re reluctant to do anything special. They just say, “The CIO will do that,” and assume the CIO is doing a good job.

Often, the CIO really needs board-level commitment and CEO commitment, not just of resources but to policies necessary for protection. Most of the time, all people want the CIO to do is keep the network up and costs down. As a result, many CIOs have been hired for their expertise in those areas, not for expertise in figuring out how to make a resilient network that resists attack.

The common refrain is that attack-proof security is expensive.

It’s not all that expensive and it may not even require an increase in IT spending. We’re spending a lot of money now on cybersecurity software and services that don’t work, or work only against low-level threats.

Many corporations in financial services, utilities and telecommunications are part of our critical infrastructure. Should the government notify these companies, or any companies, when they’ve been hacked?

It should be the federal government’s responsibility to tell companies not only when they’ve been attacked but when others have been, such as their competitors, so they realize this sort of thing is going on.

Google said it was being transparent about its alleged attack by the Chinese, but most other companies aren’t. They don’t tell stockholders or the public.

Part of the issue is that sometimes companies don’t know they’ve been hacked. But frequently they realize after the fact. You don’t know you’ve lost information until a knockoff of your product or some competing products start showing up in the marketplace.

Richard Clarke is a partner in Good Harbor Consulting. Contact Senior Editor Kim S. Nash at knash@cio.com. Follow her on Twitter: @knash99.