PENGUIN PRESS
An imprint of Penguin Random House LLC
penguinrandomhouse.com
Copyright 2019 by Richard A. Clarke and Robert K. Knake
Penguin supports copyright. Copyright fuels creativity, encourages diverse voices, promotes free speech, and creates a vibrant culture. Thank you for buying an authorized edition of this book and for complying with copyright laws by not reproducing, scanning, or distributing any part of it in any form without permission. You are supporting writers and allowing Penguin to continue to publish books for every reader.
Library of Congress Cataloging-in-Publication Data
Names: Clarke, Richard A. (Richard Alan), 1951 author. | Knake, Robert K., author.
Title: The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats / Richard A. Clarke and Robert K. Knake.
Description: New York: Penguin Press, 2019. | Includes bibliographical references and index.
Identifiers: LCCN 2019012065 (print) | LCCN 2019016384 (ebook) | ISBN 9780525561972 (ebook) | ISBN 9780525561965 (hardcover)
Subjects: LCSH: CyberterrorismUnited States. | Computer securityUnited States. | Computer networksSecurity measuresUnited States. | CorporationsSecurity measuresUnited States. | National securityUnited States.
Classification: LCC HV6773.2 (ebook) | LCC HV6773.2 .C585 2019 (print) | DDC 363.325dc23
LC record available at https://lccn.loc.gov/2019012065
While the authors have made every effort to provide accurate internet addresses and other contact information at the time of publication, neither the publisher nor the authors assume any responsibility for errors or for changes that occur after publication. Further, the publisher does not have any control over and does not assume any responsibility for author or third-party websites or their content.
Version_1
To the late Michael A. Sheehan:
Soldier, Diplomat, Patriot, Iconoclast, Friend
RICHARD A. CLARKE
To my son, William, whose deep interest in the causes of war is driven by his even deeper desire for peace.
ROBERT K. KNAKE
Contents
PART I
THE TWENTY-YEAR WAR
Chapter 1
THE BACK OF THE BEAST
The future is already here; its just not very evenly distributed.
WILLIAM GIBSON
Sitting in the back of the Beast, the armored vehicle custom made for the President of the United States, Bill Clinton wanted to talk about his cousin from Hope, Arkansas. He didnt want to talk about the major speech he was about to give at the National Academy of Sciences. It was January 1999, and Clinton had just proposed budget initiatives to combat emerging threats, including those in the cyber domain. Few people then saw cyber threats as a major problem. But he did. Dick Clarke sat next to him with a PowerPoint deck and an annotated version of the speech, but the President was channeling his Bubba persona, telling a story about Arkansas, and not to be stopped.
When the Beast pulled into the underground parking at the academy, Clinton finally turned to the business at hand. I read the speech. Its okay. That meant it wasnt.
But really, isnt what we want to say something like this: Throughout history there is a competition between offensive and defensive technologies and a gap between their development. A guy in a cave carves a rock and attaches it to a stick and creates a spear, and then someone needs to defend against that, so they get some animal hides and make a shield. Later on, people defend towns with walls and then some guy invents battering rams and catapults. But there is time between when an offensive weapon is created and when the defensive counter to it comes along. A Secret Service agent standing next to the vehicle opened the heavy door of the Beast. You cannot really open it from inside.
The President kept going, warming to his theme. And right now, the problem is that the new offensive technologies have taken to the field and they now have the advantage over the things that we have to defend against them. So, what we have to do is invest in new technologies that will give the defense the advantage again, or at least even out the playing field. Have I got it right?
Clarke looked at the President, bemused, reminded again about the preternatural ability he had to make the complex comprehensible. Clarke put away his copy of the draft speech and the PowerPoint deck, sighed, and said, Yeah, Mr. President, you should say that today. And he did.
Nineteen years and three months later, Clinton said the same thing verbatim in answering a question about his cyber-oriented novel while sitting on stage in Washingtons Warner Theatre. It was still true. In the intervening twenty years, hundreds of billions of dollars in public and private investment in cybersecurity research, development, and deployment had not fundamentally changed the advantage. It remains a case of what military theorists call offensive advantage or offensive preference.
Offensive Preference in Cyberspace
Any scenario between adversaries is a balance between offense and defense. When the offense has the advantage because of some combination of technological superiority or cost, military theorists write, there will be conflict. When the reverse is true, when it costs more to attack, or when the chances of an attack defeating the defenses is low, greater stability will prevail. We think these generalities apply now to the ongoing hostilities between hackers and corporations, to the current covert espionage done by nation-states, and to the potential for a future nation-state-on-nation-state cyber war. Today, as for the last twenty-five years, the conventional wisdom in the fields of computer science, information technology, and networking is that there is an enormous offensive preference. That might not have been a big deal to most people, except that in the last twenty-five years, we have also made almost everything dependent upon computer networks. In fact, because the offense is thought to have the advantage right now, in a crisis situation of possible conventional warfare, there is likely to be an inclination to go first with a cyberattack.
This book is about how the balance between offense and defense is changing and how the rate of change can be increased to set us on the path to stability. We think it is possible to reduce the risks posed by offensive cyber technologies and actors, and to increase peacetime stability for corporations and crisis stability for nations.
As we write this in 2019, we see a pattern of malicious activity in cyberspace that suggests we are already engaged in a low-grade, simmering cyber conflict with Russia, China, and Iran. We also are beginning to turn a corner on this problem. Estimates put worldwide cybersecurity spending at $114 billion in 2018. Venture capital investment in cybersecurity technology is up, topping $5 billion in 2018 alone. More than three thousand new technology firms have sprung up, backed by ample venture capital, to develop new solutions. Cyber insurance was long a fringe product. Today, the market is (finally) growing and thriving, with almost $2 billion in premiums written in 2017.
Long-standing problems created by government, such as barriers to information sharing, have been solved and companies are actually beginning to organize communities not only to share information, but also to provide mutual aid during crises. One chief information security officer (CISO) at a major bank we spoke with thinks that in five years his bank will largely be immune to cyberattacks as it upgrades from legacy systems that are inherently insecure to systems that are secure by design. Many leaders in Silicon Valley, where optimism is never in short supply, would tend to agree.