Protecting Cyberspace from Terrorist Attack

Richard A. Clarke isn't known for understatement. The former White House security official wrote a 2004 book that criticized his ex-boss, President George W. Bush, for dropping the ball before the 9/11 attacks, and later testified before Congress that Bush's invasion of Iraq "greatly undermined the war on terrorism." Now Clarke has co-authored a new book, Cyber War: The Next Threat to National Security and What to Do About It. Once again, he's not subtle: U.S. companies and government agencies are unprepared for digital terror, intellectual-property theft, and other threats. "The U.S. probably gets an F in its ability to defend in cyberspace," he says. His advice:

1. Get serious about industrial espionage. Clarke says many companies aren't aware of how common trade-secret theft has become, partly because the federal government doesn't keep track of the financial consequences. He says the U.S. needs to be more like the U.K. More than a year ago, the security agency MI5 told the biggest 300 companies in Britain to assume their computers had been hacked by the Chinese and then met with executives to discuss the breaches it knew about and how to prevent future ones.

2. Create information quarantines. Too few companies and agencies keep their most valuable information on a computer network that's separate from the rest of the company—and thus easily sealed off from the Internet as a last resort, Clarke says. He tells the story of Johns Hopkins University's Applied Physics Lab, which does defense research. Last year the lab noticed that data were being pilfered, but they couldn't figure out how to plug the leaks. So it disconnected from the Net. "When a sophisticated place like APL has to resort to unplugging from cyberspace, you realize it's a difficult problem," says Clarke.

3. Build, don't buy, security. Off-the-shelf software may be cheaper, but the more widely available a program is, the more practiced hackers are at cracking it. Clarke identifies two areas too important to leave to nonproprietary technology: military networks and the U.S. electricity grid. Grids worldwide use one of a few commercial brands of systems known as SCADA, for supervisory control and data acquisition; the Pentagon runs on software such as Microsoft's (MSFT) Windows. He says the military should even have a custom-designed, Internet-like network. "Then you couldn't hop from the Internet into the classified networks," he says.

4. Sign a cyber-arms control treaty. Clarke says a good place to start would be an agreement that the international banking system is off limits to government-sanctioned attacks. Every year, he says, some kind of cyber-weapon nonproliferation proposal appears before the U.N. And every year the U.S. opposes it.

The bottom line: Governments and hackers-for-hire are already launching constant, sophisticated attacks on U.S. trade secrets and digital infrastructure.

    Before it's here, it's on the Bloomberg Terminal.