Why the U.S. should worry about cyber security
Richard Clarke, former chief counter-terrorism adviser on the U.S. National Security Council, testifies before the House Armed Services Committee on January 27, 2010 at the State Department in Washington, D.C.
David Brancaccio: Iran's oil ministry says it was able to fend off a computer virus attack that began last weekend, although it could be another day or two until it can do a full assessment. In the U.S., lawmakers are looking at legislation to get companies to harden their computer systems against worms, viruses, and other malicious intruders. While Democrats and Republicans in Congress and the Obama Administration agree that cyber attacks are bad, there's little agreement on the best way to raise standards.
Richard Clarke is a former national security official who has served both Democratic and Republican White Houses and follows cyber security closely. Mr. Clarke, good morning.
Richard Clarke: Good morning.
Brancaccio: What do you make of these bills working their way through Congress that try to protect American infrastructure and American companies from online computer data cyber attacks?
Clarke: I think the major issue is regulation. The Senate bill, and the White House bill, propose something that looks like regulation but has no teeth; and the House bills oppose anything that looks like regulation at all. So this major issue of cyber security -- protecting our country -- has come down to a matter of ideology.
Brancaccio: I saw one of the concerns was that you have all this regulation but it might not actually increase security and not, in fact, help guard us against these attacks -- you don't agree?
Clarke: No. And it's not "all this regulation" -- it's a very simple idea, which is that the industries themselves would establish their own best practices. Then, against those best practices, the companies would be audited by a third party. I don't think that's a lot of regulation, and I think something as key as the electric power industry, or the oil and gas industry, should be protected because we're all relying on it and we need to know that they're living up to a set of standards.
Brancaccio: You're heading toward answering this question, which is just: how much is at stake? Why do we have to get this right in your view?
Clarke: There are two things -- potentially three things -- that are at stake: a lot of money being stolen through cyber theft; secondly, a lot of intellectual property being stolen, given to foreign companies that then compete against our own companies. And the potential for the third is cyber war, where a smaller country could attack the United States through cyberspace and do severe damage to things like the banking and finance industry. And we might not even know precisely who's doing it.
Brancaccio: I'm sure you saw the reports just this week that there was some sort of cyber attack on an Iranian oil facility. What do you make of that?
Clarke: Well, I think it points out that all infrastructure industries are now dependent upon cyber connectivity. Things that used to be done manually are now done by software -- often done without humans in the loop. And if you can get into those control systems, you can not only shut things off, but you can damage things that cannot be quickly repaired or replaced.
Brancaccio: Well, Richard Clarke, a former national security official who served three different White Houses -- thank you very much.
Clarke: Thank you.