United States is ill-prepared for a cyberwar, former adviser says
The government has offensive capabilities but no defensive plan, according to a George W. Bush administration official.
A former cybersecurity official is warning that the nation would be unable to defend itself against a cyberwar that could knock out transportation systems and the power grid.
"If a country decided to go war with the United States -- and if they then take their cyber unit and attack our basic infrastructure, there is no plan to defend it," said Richard Clarke, special adviser for cybersecurity to President George W. Bush, during a talk Monday evening hosted by the American Association for the Advancement of Science. "The government's capabilities extend so far as perhaps being able to defend the government's own networks and then only a few of them. . . . There is no plan nor capability that the United States government has to defend its railroads, its pipelines, its electric power grid, its aviation system, or its banking system from nation state cyberattack in a cyberwar."
The discourse centered on whether the government can keep up with the evolution of the Internet. The prices of technological devices are dropping rapidly, new online tools are arriving every day, and viruses targeting such gadgets and gizmos are appearing just as fast. Observers are concerned technical changes are outpacing government's ability to execute controls.
Clarke, co-author of the nonfiction book Cyber War, which came out in April, acknowledged the U.S. military has said it can knock out an adversary's power grids and turn enemy nations into blacked-out countries, but added, "While we have these offensive capabilities, we don't have a defensive plan."
The question of whether cyberwar is an actual threat took on a new level of urgency this summer, with the rise of malicious software that can crater industrial operations. "All of this seemed somewhat academic, somewhat science fiction until recently somebody launched a worm known as Stuxnet," Clarke noted.
The difference between Stuxnet and other bugs intended to steal identities or money is that it targets industrial control systems, with perhaps the intent to sabotage commercial facilities, such as gas pipelines. Most of the computers that Stuxnet has penetrated are in Iran, according to security experts. Specialists have identified 1,600 infections in the United States, where much of the equipment that would be vulnerable to such attacks resides in the manufacturing sector.
"I think the debate about whether cyberwar can happen is over," Clarke said. "I think the evidence is clear it can happen. . . . [Government] just might think about having a plan and having capabilities to defend the United States in case of cyberwar."