Testimony of Richard Clarke, Special Advisor to the President for Cyberspace Security.
Date: February 13, 2002.
Event: Senate Judiciary Committee, Administrative Oversight and the Courts Subcommittee, hearing titled "Administrative Oversight: Are We Ready For A Cyber Terror Attack?".
Source: Tech Law Journal transcribed from its audio recording of the event.

Senator, thank you very much. I welcome this opportunity to brief you on the first ninety days of the President's Board. I appreciate your kind words. I hope that I can live up to them today. I also appreciate your understanding of the White House rules, that White House staff cannot testify, and instead have to brief.

Let me walk through a little discussion of the threat, as much as you have outlined it, and a little discussion of what we have been able to accomplish in the last ninety days since the President created the Board. As you say, the Board is called the President's Critical Infrastructure Board. It deals with cyber security, and the digital security of cyber related facilities, such as those that you mentioned. It has ten operating committees of staff from throughout the government. There are probably twenty-three federal agencies involved at this point.

And, the Board is not meant to be a new bureaucracy. It is instead meant to coordinate the activities of the government that are already under way.

Let me turn to the threat, and begin first by talking about the threat from the perspective of our vulnerabilities, and then go on to talk about the threat with respect to our enemies' capabilities. I think you need to look at both. I think in the past, all too often, with terrorism and with other issues, we have looked only at the enemies' capabilities as we understood them -- the enemies' intent. And, we didn't look enough at our own vulnerabilities.

Our vulnerabilities take a long time to change. But, the enemies' capabilities and intent could change very quickly. So, let's start with our vulnerabilities. As you said, electric power, banking, financial markets, air traffic control, railroad management -- all of the basic infrastructures that make the economy work, and almost all of which are in the private sector -- over the course of the 1990s, because it was cheaper to do so, because productivity increased if you did so, all of these industries, one by one, without any master plan, migrated their key functionality onto networks -- networks that are linked with each other all over the world. You can call it the Internet. You can call it a network of networks. But, all of these key parts of our economy, banking, financial markets, railroads, air traffic control, you name it, electric power, oil and gas, every part of our economy, now run by computer controlled networks. And, there is no going back. There is no way to revert to the prior system that we did ten years ago.

And, not only is it the obvious things that we think of as network, or Internet connected. But, it is also manufacturing and public utilities. Manufacturing and public utilities are largely run by digital control systems. What does that mean? It is software. It is not the software that is running on your desktop, but it is fairly common, open, world wide available software. The same software that runs a power plant or a manufacturing facility in Ohio, runs the same manufacturing facility in China, runs a power plant probably in Tehran. A limited number of digital control systems software, or ___ systems software, that is run around the world.

And, the basic structure of the Internet -- the domain name servers, the ___ gateway protocols, the routers -- all of these things that are the hardware of the Internet, were never designed with security in mind. And they themselves, in addition to both the large enterprises, the actual infrastructure of the Internet, is vulnerable. Throughout these infrastructures there is ubiquitous and essential software, and hardware, that has never been designed with security in mind. We do not have a high number _______ software or hardware. Now, there are some industries in the United States where precise, surgical, precision in the development of the product is necessary. No one to date -- and I think that is about to change -- has ever thought that was necessary to operate. We have been fault tolerant, because we never assumed that this software or hardware would be used for the many purposes that it is used for today.

Replacing that software -- replacing the first generation hardware -- will take years. And particularly, when the telecoms market, for example, the telecom industry is in a big financial downturn, the money just isn't there to replace some of this vulnerable software.

Let's talk then about threats from the enemies' intent, and the enemies' capabilities. So far, we have seen terrorism, that you know well, Hamas, Hezbollah, Al Qaeda. They have only been using the Internet, _____, for propaganda purposes, for fund raising, some very sophisticated usage. But, none of the traditional terrorist groups has yet attacked over the Internet. That may be about to change, because, as you said, there is now, thanks to the exploration of some of the caves in Afghanistan, there is evidence that Al Qaeda was using the Internet to do at least reconnaissance of American utilities, and American facilities, by going to publicly available web sites, where all too often we have too much information about our facilities.

But, the threat spectrum goes far beyond the traditional terrorist groups. It involves organized criminals, as you mentioned. It also involves fourteen year olds and fifteen year olds who hack for the fun of it. And as much damage can be done by the individual fourteen year old as by some sophisticated terrorist. We have seen fourteen or fifteen year olds hack their way into things like a control system for a dam in Arizona, a control system for an airport in Massachusetts.

And at the far end of the spectrum, at the opposite end from the fourteen year old hacker, is the nation state. And again, as you mention, many nations are now developing information warfare units, either in their military, or in their intelligence services, or both. And those nations do include Iraq, Iran, North Korea, China, Russia, other states, some which are our friends, and some which are our enemy.

Most of the damage that we have seen so far, in terms of hacks, viruses, worms, and distributed denial of service attacks, most of the damage seems to have been done by individuals, or clubs of hackers. But, that does not mean that it has not been significant. We estimate that last year alone, 12 billion dollars were required to clean up the mess from those attacks in the U.S. economy. One attack, the nimda virus, last November, caused over two billion dollars in damage to American firms. At one point, one virus last year, had taken over three hundred and fifty thousand servers throughout the United States.

We are also aware that hackers seem to be turning their attention to, not just individual enterprises, but to widespread attacks, like nimda, like code red, that go across the entire country. And some attacks, which may be focused on the Internet's mechanics.

So that is a backdrop. Let me tick off what we have been able to do in the last ninety days quickly. I will give you my top ten list.

I think that the most important thing, the President has instructed us to develop a national strategy on how we will defend cyber space. Now, it's not a strategy that will be a table top book; it's not a strategy that will have single point in time for its life; and, not a strategy written by bureaucrats for bureaucrats. The strategy, written with the private sector, with the academic community. Already we have groups in banking, in finance, in transportation, in electric power, in universities, wrapping portions of that national strategy, which we hope will be available in late spring or early summer. But, the process of developing that will be a full participatory process across the country, with all of the experts we can find in every sector. And when it is released, it will only be just beginning. It will live in Internet time. It will live in cyber space. It won't be a single document. And it will change as it needs to, based on the threat, and based on our understanding of whether the strategy is working or not.

Secondly, the President's budget submitted for FY 03 has a dramatic increase in the amount of money we are asking to defend federal agencies' IT security network. It is up 64%. And that makes, as a percentage of overall federal IT spending, security will be 8.1%. Senator, if that could be said of other institutions, particularly companies in the private sector, we wouldn't have this problem. We cannot, however, cure the many problems in federal computer networks in one year. It will take sustained high levels of investment.

Thirdly, there has been a major break through in our thinking, in our relations with major IT companies. The leaders of IT companies, Bill Gates at Microsoft, John Chambers at Cisco, Larry Ellison at Oracle, among them, have all, within the last two or three months, declared that they intend to change the way they do business, so that their products will be highly secure. And, they are changing their products, and they are redesigning the next generation.

Fourthly, we have agreement from the major tier one Internet providers to work with us on the ways of improving the security of those tier one backbones.

Fifth, we have overcome some of the institutional stove piping that has slowed bureaucratic cooperation in the past, by gaining an agreement that the Commerce Department's Critical Infrastructure Assurance Office, CIAO, the FBI's National Infrastructure Protection Center, and the President's new board is staffed together in one facility where they can do cooperation and coordination in one location. We hope that will open next month.

Sixth, the first class of students receiving cyber corps scholarships have arrived on campus in eight colleges. We have now through an agreement with the National Science Foundation just added sixteen more colleges for eligibility for next year for scholarships. These are scholarships in IT security, for undergraduates and graduate students, and these students agree that they will do one year of service in the federal government for every year of scholarship they are granted. The average grant recipient this year is receiving thirty thousand dollars towards scholarships and stipends.

Number seven, we have agreement within government and with leading private sector companies to form a network, of a cyber intelligence warning network, that will share information between the government and the private sector in real time about the threat.

Eighth, we have 167 companies that have contributed their response to a request for information about whether or not it is feasible to create, for certain things, like air traffic control, and other federal functions, an air gap network, separate from the Internet.

Ninth, we are opening for the first time a national infrastructure modeling simulation center to model how these various infrastructures work with each other.

And tenth, we have now announced a cyber space security campaign, a public awareness campaign, going after the home user, and the small business. This national cyber space security alliance has been formed by AOL, Cisco, Microsoft, other leading members of the IT community. And they will be running ads throughout the year, and they will be having web pages available to the public, so that the public can achieve IT security on their home systems.

That is a brief and quick overview of what we have been up to for the first ninety days. I welcome your questions.

Excerpts from Question and Answer Session.

Schumer: ... Why have we been spared from any type of attempt by, other than individuals, who seem to be seeking thrills, I guess. I don't know of anyone, except in the bank account instances, who is doing this for any other purpose. Why have we been spared thus far? Are they not -- are the countries, or the terrorist groups that are looking into cyber terrorism, are they not yet able to do something? ...

Clarke: ... You don't know what you don't know. And we clearly do not know whether or not there have already been successful penetrations of our networks, that we don't know about. If I were a betting person, I would bet that many of our key networks have already been penetrated. The trap doors, or trojan horses, or logic bombs, may already be in many of our key infrastructures. Because, it is easy to do, and as you quite rightly point out, it is much cheaper for a nation, or a group, to develop cyber weapons capability than it is any other kind of weapon. I think we have to assume that whenever we have a conflict in the future with a nation state or a terrorist group or an organized criminal group, whenever there is a reason for them to come after us, that we have to assume that cyber attacks may be part of it. What I think -- the reason we haven't seen attacks yet is that in one respect cyber weapons are like other weapons: you don't use them just because you have them. You use them when you have a reason to do so. But, I think if we do see a -- as we have seen in the last ten years -- a period of tension, with a major power, a period of hostility with a nation state, I do think that we will be seeing cyber attacks because it is cheaper to do, and easier to do.

... It could very well be that nation states have engaged in espionage, using cyber hacking techniques, that we have not detected.


Schumer: ... Can you give us some idea of how capable these states are right now of doing damage to us?

Clarke: Well, unfortunately, we can't. And, this is one of the differences between, say, weapons of mass destruction, and information warfare weapons. As you well know, when we were looking at Iraq, to see if they had nuclear weapons, or when we look at Iran to see if it has biological weapons, there are things that we can look for, that our satellites can take pictures of. You can look for, particularly, types of facilities, and try to estimate, based upon the things like what they are buying, and what, how far along they are in the process of weapons development. ... But, on information warfare, there is nothing for our satellites to take a picture of. And, it is not possible to take a look at what their procurement records are, and deduce from that that they have this capability or that capability. So, it is a little bit tougher to know how far along they are.

... There are certain states that have been at it for so long, and have such good technology to begin with, that they are probably very capable.

Schumer: ... Do we have any evidence that some of these other states, these rogue states if you will, go and try to hire computer experts from some of these countries?

Clarke: We haven't seen that. But, it wouldn't be a crazy assumption to make at all. ... Most of the really popular hacking tools, most of the really destructive hacking tools, are open information on the Internet. You can go to a web site, Senator, and create your own virus, and launch it on the Internet.

Schumer: ... Is there anything different about how a terrorist group, that didn't have a nation, like an Al Qaeda, would approach this, from, say, an Iraq, or an Iran?

Clarke: Essentially, no. What we have seen so far, that we have clear evidence, is that Al Qaeda was trying to learn about digital control systems, and was trying to learn about our utilities, and our major infrastructure. And there is a great deal you can learn on the Internet.

... Over the last ten years we all seem to have a compulsion to have our own web page and put everything we know about ourselves and our organization on that web page. If you put all of that unclassified information together, sometimes it adds up to something that probably ought to be classified.

Schumer: As I understand it, you don't have to be a country. I mean, you can get twenty really good hackers, put them in a cave somewhere, as long as they are connected to the Internet, they could figure this stuff out. You don't need special materials, like you would for biological, chemical, nuclear weapons. You don't really need special facilities, other than a good mind and a good computer. Is that fair to say?

Clarke: That is right. That is perfectly fair. And indeed, what you do need, you can get by downloading over the Internet.


Schumer: ... What could we do to stop them, as opposed to making ourselves immune to what they would do?

Clarke: I think we have had a policy that has not been well known. But I think that it is a fairly well articulated policy, for the last several years, which is that any one that engages in information warfare against us, be they a nation state, or a terrorist group, has to realize that we will respond in whatever way we think is appropriate. Somehow, people have gotten the idea in some academic circles that if an information warfare attack is launched on the United States, the only thing that we can do is respond with information warfare attacks of our own. That is not true. If we find a terrorist group or a nation state that is engaged in information warfare against us, we reserve the right to respond in any way appropriate -- through covert action, through military action, any one of the tools available to the President.


When the enemy looks at us from a vulnerability perspective, there is a lot of low hanging fruit. There are a lot of really easy things to do. ...


Grassley: ... the government's vitally important work to protect critical infrastructure can only be done in partnership with private industry. For that to happen, I think we all know there has to be trust. But the private sector can be hesitant to report information, especially if it's proprietary, and they don't want their competitors to know about it. Corporations are even more hesitant to give this type of information to a law enforcement agency. ... National Information Protection Center ... I would like to hear, if you think the Center should be somewhere else, other than under the FBI, maybe under a more neutral entity, that would improve information sharing with other agencies and the private sector? What about moving it, for instance, at least this is my suggestion, under your supervision at the National Security Council, or the Office of Homeland Security?

Clarke: ... The NIPC was, from 1999 and 2000, to some extent into 2001, having problems exchanging information ... But I think the attention that you focused on that problem through your own activities, and the GAO study that you requested, did a great deal to focus our attention, and the attention of the FBI leadership on the problems that were there. There is a new management team at the NIPC. ... I think that the private sector is beginning to trust them, although it does take time. We probably should not have put the NIPC in the FBI to begin with. But, it is there now, and is working well now. And, rather than pull it out, which I think would be disruptive, I think we should continue to let this new management team make the improvements that they have underway. And you are absolutely right, there is a problem right now. Companies don't tell the government when they have been hit. The nimda virus in November of last year attacked many household name companies in the banking industry, the finance industry, and elsewhere, and yet, we don't know that officially. And, I can't tell you officially the names of these banks and companies that were hit because the only way we know is through the rumor mill. Well, why won't they tell us? The real block seems to be the Freedom of Information Act. The Freedom of Information Act, justifiably, or unjustifiably, scares corporate counsel. And, I have been told by numerous companies across the country, "Our lawyers tell us not to share information with you in the government because it could then be requested by any citizen through a Freedom of Information Act request". I think that is an inaccurate reading of the law. I think that information could be exempt under the existing law. But, what I think isn't what counts. What counts is what the corporate lawyers are telling the companies.
And so I support, and the President supports, a very narrowly, very narrowly, crafted amendment to the Freedom of Information Act that would remove that barrier ...


Edwards: [question about what the government can do to incent companies to improve cyber security]

Clarke: Senator, you talk about inducements and mandates to the private sector. And, we decided not to do either. We don't think that a tax credit is the way to go. We don't think that the government mandating IT security practices is the way to go. By the time the government issued a regulation, it would be out of date, and it would probably be wrong. What we think has to be done is that the private sector has to realize the importance of this issue, and they have to organize themselves to deal with this issue. That means that the average company needs to ask, "Why don't I have a secure product? Why was I hit by code red in July? Why was I hacked by nimda in November?" ...