Richard Clarke (@richardclarke) served for 30 years in national security policy roles in the US Government and worked directly for three presidents. He is the host of the Future State Podcast and co-author of The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats.
What We Discuss with Richard Clarke:
- How we’re in constant low-grade cyber conflict with Russia, China, Iran, and other adversarial nation states — and the forms this can take.
- Cyber crime was a $600 billion industry (one percent of global GDP) in 2018, much of it perpetrated by rogue nations like North Korea.
- How cyberattacks can be (and have been) used to wreak physical damage on infrastructure, and why we should take them as seriously as traditional weaponry.
- Is it the government’s job to protect private companies against cyberattacks from foreign powers, or is it up to private companies to be responsible for their own safety?
- Why there’s a crisis-level shortage of cybersecurity expertise coming out of our country’s most serious tech schools, and where it’s being found instead.
- And much more…
Far from being a quaint, insulated contest between subterranean hackers trying hard to prove their l337ness to one another, cyberattacks are now being employed by nations (our own included) to pummel other nations with infrastructure-crippling precision more potent than our most devastating traditional weapons. In some ways it’s a leveler — after all, who needs a nuclear missile program when you can attack your enemy anonymously from the other side of the world via a scruples-devoid mercenary working from a laptop?
In this episode we talk to Richard Clarke, who served for thirty years in national security policy roles in the US government, and finally for an unprecedented decade of continuous service for three presidents in the White House. He’s the host of the Future State Podcast and co-author of The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats, and his message should give you a realistic overview of how 21st century warfare is evolving in unexpected ways. Listen, learn, and enjoy!
Resources from This Episode:
- The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats by Richard A. Clarke and Robert K. Knake
- Future State Podcast
- Richard Clarke’s Website
- Richard Clarke at Twitter
- Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke and Robert K. Knake
- Six Live Cyber Attack Maps, Secureworld
- United States Cyber Command
- Russian Hackers Meddling with US Power Grid Poses Huge Threat to National Security, CPO Magazine
- US Escalates Online Attacks on Russia’s Power Grid, The New York Times
- US Carried Out Cyberattacks on Iran, The New York Times
- Ash Carter: Behind the Plan to Defeat ISIS, The Atlantic
- Inside the Five-Sided Box: Lessons from a Lifetime of Leadership in the Pentagon by Ash Carter
- Iran Hacked the Sands Hotel Earlier This Year, Causing over $40 Million in Damage, The Verge
- 7 Iranians Indicted for DDoS Attacks Against US Banks, Bank Info Security
- US Attacks Iran with Cyber Not Missiles — a Game Changer, Not a Backtrack, Forbes
- A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try. The New York Times
- CrowdStrike
- FireEye
- Hacking Group Names, Ranked, Vice
- North Korea’s Counterfeit Benjamins Have Vanished, Vice
- The Diplomatic Pouch: A Hands-Off Exception to Border Inspection, Stratfor Worldview
- Booz Allen Hamilton
- NSA Files: Decoded, The Guardian
- NSA Launches Cybersecurity Arm to Defend The US from Foreign Adversaries, Forbes
- Strikes on Iran Approved by Trump, Then Abruptly Pulled Back, The New York Times
- Defcon
- An Introduction to SCADA Systems, All About Circuits
- Information Technologies (IT) Vs. Operational Technologies (OT), Randed
- Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired
- Timeline: How Stuxnet Attacked a Nuclear Plant, BBC
- The 2003 Northeast Blackout — Five Years Later, Scientific American
- Long-Term Power Outage: There Is No Plan, Michael Mabee
- Zero Days
- Massachusetts Gas Leaks Set Off Series of Explosions, All Things Considered, NPR
- A Transatlantic Alliance Is Crucial in an Era of Cyberwarfare by Keith Alexander, Financial Times
- What Is Netbus? Techopedia
- Schrödinger’s Cat: A Thought Experiment in Quantum Mechanics by Chad Orzel, TED-Ed
- Quantum Computing for the Qubit Curious, Cosmos
- Rigetti Computing
- Quantum Supremacy Explained, Domain of Science
- “Science First” — the Best Path to Quantum Supremacy, Los Alamos National Lab
- Post-Quantum Cryptography Standardization, NIST
- The Origin of the Quote “There Are Two Types of Companies” TaoSecurity
- Dmitri Alperovitch at Twitter
- The 18 Biggest Data Breaches of the 21st Century, CSO
- Palantir
- Computer Fraud and Abuse Act (CFAA), NACDL
- Deconfliction, Schneier on Security
- Lawmakers Want the Pentagon’s Red Team Hackers to Be More Like China and Iran, Defense One
- Israel Bombing ‘Cyber Operatives’ Isn’t Cyber War, It’s Just War, Vice
- How Are 4G and 5G Different? Lifewire
- A Year Later, Giant Chinese Security Camera Company’s Products Are Still a Security Dumpster Fire, BoingBoing
- How to Thwart Nanny Cam Hackers, ABC News
- A Guide to 5G Network Security, Ericsson
- Why Is Mitch McConnell Blocking Election Security Bills? Good Question. The Washington Post
- Congress Is Running out of Time to Secure the 2020 Elections: And Mitch McConnell Is Standing in the Way, The Verge
- Mitch McConnell Received Donations from Voting Machine Lobbyists Before Blocking Election Security Bills, Newsweek
- Republicans Are Still Blocking Election Security Bills after Mueller’s Testimony, Vox
Transcript for Richard Clarke | Defending Ourselves in the Age of Cyber Threats (Episode 240)
Jordan Harbinger: [00:00:03] Welcome to the show. I'm Jordan Harbinger. As always, I'm here with my producer Jason DeFillippo. On The Jordan Harbinger Show, we decode the stories, secrets, and skills of the world's most brilliant and interesting people. We turn their wisdom into practical advice that you can use to impact your own life and those around you.
[00:00:20] A lot of people think cyberwar is just stolen information or inconveniences like the Internet slowing down for a few hours, but these systems can impact our economy and our lives much more deeply and result in absolutely catastrophic failure of our infrastructure or worse. Today on the show, Richard Clarke, former National Coordinator for Security Infrastructure Protection and Counter-Terrorism for the United States, under both Bush and Clinton by the way, explains how we're in constant low-grade cyber conflict with Russia, China, and Iran, and how vulnerable our systems, infrastructure, and country are to these attacks. We'll also discuss why protecting ourselves isn't as simple as installing better software or enhancing our own capabilities. It's not just our data, it's not just our elections. In a terrifying twist, we'll also uncover why cyberwar is very likely to lead to conventional war and loss of life, potentially even large-scale conflict.
[00:01:16] If you want to know how we get this guest roster, well, it's not just about my business relationships. I've got killer personal relationships that I manage with hundreds, thousands of people. I use systems and tiny habits and I want to show you how to do this. This has been very impactful for my life, for my business, for the show. Check out our course, Six-Minute Networking. It's free, not enter-your-credit-card free, just free-free. Go to jordanharbinger.com/course. By the way, most of the guests that you hear on the show, they also subscribe to the course and the newsletter, so you're going to be in great company, lots of smart people in there. I'd love to have you join us. All right, here's Richard Clarke.
[00:01:52] What surprised me about the book when I first picked it up was that we're in low-grade cyber conflict with Russia, China, and Iran. I guess that wasn't a shock because you hear about cyberattacks. I didn't really realize that this was kind of an ongoing thing. And my friend showed me this, I'm sure you've seen this, this live kind of map of the little lines that look like little missiles lobbing over and this, these are supposed to be cyber-attack maps. I'm pretty sure it's not quite how it works.
Richard Clarke: [00:02:20] I think that's a PR map. Yeah, yeah. No, but I think we are in a low-grade cyberwar with Iran and Russia. I mean, shots are being fired. Let's go over Russia and Iran and what we know publicly and we can assume there’s a lot we don't know. Sure. So just before the congressional election in the US, US Cyber Command did some sort of cyberattack against the Internet Research Agency in St. Petersburg. I've heard that we sent messages to intelligence officers working there by name saying, “We know who you are and don't mess up our election. We'll come after you.” I have heard that we screwed up their network as well. I don't know the truth. We did something, but the US Army or the US Military, US Cyber Command attacked something in St. Petersburg. Then you go forward in March of this year, Dan Coats, the Director of National Intelligence, in his annual threat briefing to the Congress, says the Russians are in the controls of our power grid.
Jordan Harbinger: [00:03:35] We'll get to that. That's mildly terrifying.
Richard Clarke: [00:03:38] And then a few months later, the White House has an official leak that, “Oh, we're in the control of their power grid.” So, we hit their intelligence front organization in St. Petersburg. We've apparently gotten into their power grid. With the Iranians, we know the US admits more or less that we did the attack on their nuclear facility at Natanz and blew up their centrifuges using software. Now, after they shot down our drone, Trump tweeted that he launched a cyberattack by way of retaliation against their missiles and intelligence along the Strait of Hormuz. I don’t know exactly what he had, but he had something.
Jordan Harbinger: [00:04:25] Yeah, they made a statement today. I've read this on the way here. Of course, Iran, as most countries would do, says, “Oh, it didn't do anything,” which is the only answer you can really give to cyberattacks.
Richard Clarke: [00:04:37] And it's very hard to have a satellite fly overhead and look at the damage and say, “Oh no, look, it was serious.” But for years we had Cyber Command --I think it's 11 years old as an organization-- and it didn't seem to be on the offensive very much. We knew that the Secretary of Defense, Ash Carter, in the Obama administration, ordered Cyber Command to go after the terrorist group ISIS. We know now from his book that just came out, Inside the Five-Sided Box, he was terribly disappointed at the results that Cyber Command didn't do very much to ISIS. Well, you can understand that they're not a nation state, [indiscernible] [00:05:19] but the Cyber Command has apparently attacked Russia. It's apparently attacked Iran. And we know what the Russians have been doing to our election and to other nations' democratic processes. We know that Iran has attacked in the US. They've gone after Sheldon Adelson's casinos in Las Vegas, oddly. They've gone after the major banks in New York with a denial of service attack. They went after the Saudi oil company, Aramco, and wiped all the software off their network. When we wrote the book, Cyberwar, 10 years ago and said all stuff was going to happen, people said, “Oh, that's fanciful. You've been reading too many Clancy novels.”
Jordan Harbinger: [00:06:04] But it wasn't even back then.
Richard Clarke: [00:06:06] No.
Jordan Harbinger: [00:06:07] Because I remember when I was probably, man, 13 or 14 and I was messing around on the Internet with hackers and stuff like that. MCI used to be a telecom company that you probably have heard of and they had a bunch of phone lines in Iraq and I should say, a large group of guys and I, we shut down a lot of their international telecoms capabilities by…Again, I'm 13, I'm not a genius with computers. It was actually just not that hard. It was like dial into their modems, flip a couple of things around you needed to know the country code for Iraq and then some other things that were social engineering in nature, which is where my skills were lying at the time was more like, “Oh hey, we're going to need to do something with this fiber pipe. And they're like, ‘Okay, no problem.’ ‘You're gonna run a test.’ ‘Yeah, I'm okay. It's going to last five hours.’ ‘Okay, well, you know, throttle traffic for five hours.’” And then you just jam it all up to the point where they're going, “What the hell happened there?” And it takes them three weeks to undo the damage or three days. And that's exactly what we did. That was basically how you could shut down a whole country's phone system.
Richard Clarke: [00:07:13] This is exactly the change that's happened. 10 years ago, 15 years ago, it was 13-year-old boys. I remember we had an attack on a whole series of US Air Force Bases when I was in the White House and the Air Force got all upset. This is the early days of this kind of thing happening and we're trying to figure out who did it. Was it Russia? Was it Iraq? There was a big debate about that. And I said, “Well, let's not try to guess. Let's wait for the forensics to come back.” When the forensics came back and there were two 13-year-old boys, they were in Israel. But so, what's new 10 years on from our first book, Cyberwar, is that the things that we worry about now are not 13-year-old boys. They’re nation states and their armies. So, if you look at the major attacks that are occurring now, it's Russia's GRU, which is military intelligence. It's a numbered unit of the People's Liberation Army of China, unit 52189. They were into numbers, not names. But, of course, US cyber companies can't stand that. They can stand the enemies 59812 or whatever the number is and so they make up funny names for them.
Jordan Harbinger: [00:08:42] Like Russia had…What was it like? The Bear or something.
Richard Clarke: [00:08:44] They’re Bear. So, the company, CrowdStrike, great company, just went public, now worth $13 billion. They broke down the various Russian threat actors and instead of calling them advanced persistent threat groups one, two, three, which is what another US company called FireEye had done, they started giving them names. So, there's a Fancy Bear and various other bears, and then they started calling the Iranian threat actors various forms of kitten, this kitten, that kitten, but they're all military organizations. You can give them sweet little kitty names but we're talking about the Russian Military, the Iranian Revolutionary Guards, the North Korean Military, the Chinese People's Liberation Army. That's who's attacking not only us but other nations around the world. A lot of what happens overseas is the US Military, Cyber Command, NSA, and CIA. It's changed. It's now the big boys. It's now big military organizations that are doing most of the serious damage.
Jordan Harbinger: [00:10:08] They're well-funded now I assume because two 13-year-old boys in Israel, not super well-funded and usually their allowance only goes so far. They're using their parents' computers. I mean even me at that age working with these other guys, we’re using Internet relay chat to talk. Most of those guys --I think I mean we didn't really know each other-- were in college, somewhere probably beyond college, system administrator, and Hewlett Packard something like that, but there was no Cyber Command, nobody was in the army, definitely none of them were in law enforcement. I mean we were just a bunch of nerds on computers that thought like, “Wouldn't it be helpful if we shut this down? Probably. Well, it sounds fun and we're probably going to get away with it, so let's do it.” That was the consensus.
[00:10:52] We see crime going up in this area too. Not just the attacks from China and Russia, but cyber crime. I was telling you before the show that on the way here, cyber crime is something like a $600-billion industry and that might count solving cyber crime, but it looks like we're taking a dent to the tune of one percent of global GDP as of 2018.
Richard Clarke: [00:11:15] Well, that's interesting. Part of the cyber crime is nation state related and in two different ways. The North Korean Army, when it goes out and does cyber activity, is stealing money for the state. That's how they support the North Korean Government. How the North Korean Government pays the bills is they steal. This has always been true. They were using the diplomatic pouch for years to carry counterfeit money. They made an almost perfect US $100 bill.
Jordan Harbinger: [00:11:50] It's called the super dollar.
Richard Clarke: [00:11:51] Super note. They also used the diplomatic pouch for years to carry narcotics. So now they're making money in a criminal way through cyberattack. All right, so that's one way the states are involved in crime. The other way is there's pretty good reason to believe that in Russia and in China, people go home after an eight-hour shift, working five days a week, in the military cyber unit, and do a little work at night on their own or with criminal cartels, do a little work on the weekends. It also looks like China and Russia seem to be following the US model. That the military is supported by contractors. So now there are Russian contractors and Chinese contractors, and there are private companies owned by individuals, not owned by the state, and they get contracts from the government to go hack something.
Jordan Harbinger: [00:12:57] So there's like a Chinese version of what might look like CrowdStrike here.
Richard Clarke: [00:13:01] Or Booz Allen.
Jordan Harbinger: [00:13:02] Booz Allen, yeah.
Richard Clarke: [00:13:03] Booz Allen is the one I always think of because whenever someone is arrested for stealing NSA's material and it seems to me it's often a Booz Allen employee.
Jordan Harbinger: [00:13:16] Or if they escape to Moscow.
Richard Clarke: [00:13:18] Or if they escaped to Moscow, they’re a Booz Allen employee, rather than an NSA employee. NSA is always quick to say, “It's not us. It's our contractor.”
Jordan Harbinger: [00:13:28] Right. Edward Snowden worked for Booz Allen for people who don't know.
Richard Clarke: [00:13:31] And a few other guys who have been charged. I didn't mean to pick on Booz Allen. Anyway, the point is there is now a Russian equivalent of that, there's a Chinese equivalent of that, and it's pretty clear that they're using attack tools in their day job to do intelligence collection, and then they go home, and work with some other friends, and make a little money on the side.
Jordan Harbinger: [00:14:00] It seems like countries are, according to your work, they're more likely to go cyber. They're more likely to go unconventional first in conflict. Why is that? Why do people start off with hacking and cyberattacks?
Richard Clarke: [00:14:14] We have a good example of that just recently with Trump. Trump wants to retaliate because our unmanned vehicle got shot down. We thought the point of having an unmanned vehicle was that it could be shot down. Frankly, I'm serious about that, when we started using drones, I was a big advocate, and one of the reasons why is there's never going to be a US pilot taken hostage. No US pilot's ever going to be tortured and killed again. No John McCain has ever had to go to spend six years in the cell because his plane was shot down. We're going to use drones and if they shoot a drone down, the pilot's going to go home to her husband--
Jordan Harbinger: [00:15:03] Right.
Richard Clarke: [00:15:04] –that night.
Jordan Harbinger: [00:15:05] Say I lost a really expensive piece of equipment; I might get in trouble.
Richard Clarke: [00:15:07] Yeah, let's have dinner. I thought that was compelling.
Jordan Harbinger: [00:15:12] Yeah.
Richard Clarke: [00:15:12] But anyway a drone got shot down. Trump got mad, and apparently John Bolton, the National Security Advisor, gave him plans to launch missiles and bombers and go after Iran. And then that great national security expert, Tucker Carlson, apparently said, “Gee, that's not a good idea.” And the president wondered why and was informed that 150 Iranian military people will probably die if we do this. And he thought, “Well, gee, they didn't kill any of our guys, maybe we should do something neater and cleaner, with no body bags involved. Let's do a cyberattack.” I think that's typical. People think cyberattacks are not dirty, they're not lethal. There are no body bags. It's somehow exercising state power for some purpose or other but in some sort of sanitized way. And I think that's dangerous thinking.
Jordan Harbinger: [00:16:20] Yeah. You mentioned that, and I've seen this at DEFCON and other hacker conferences, people game this stuff out and there are a lot of real-world issues that can happen here. Let me, let me scroll down in my notes here because I know that especially when you're attacking power systems or people think it's just going to be, “Oh well a bunch of people lost their iCloud accounts. What a bummer,” or “Oh man, I hope you had that Word document backed up because your server's down.” But when you're looking at SCADA systems, which are these, what does that stand for? Some sort of command system for power--
Richard Clarke: [00:16:52] Supervisory Control And Data Acquisition.
Jordan Harbinger: [00:16:55] Okay. Yeah, you pass that quiz, I guess I couldn't remember. But these are systems that are used to control power grids. I think water treatment plants, stuff like that there.
Richard Clarke: [00:17:06] So we think of IT as computer networks. The SCADA systems are called OT, operations technology. It's a different software environment, and what I didn't realize until I got into this a little deeper is there are two different worlds that don't like each other. Two different people, two different sets of conferences, and that's how you really know. It's like, “Did you go to the OT conference in Miami?” “No, I was at the IT conference in Boston.” That’s two different worlds, and that's a problem. It turns out that the OT world of the SCADA of the control system for the power grid, for manufacturing, for pipelines, all those operational softwares. It doesn't interact well with regular old IT. Nonetheless, people are running around connecting networks all the time because they want data from one to get to the other, and that creates a huge vulnerability.
Jordan Harbinger: [00:18:11] Yeah, but I get it though, right? Like if I work at this wastewater treatment plant and I go, “You know, if I just plug this Windows machine into this, I can log in from home and I don’t need to show up on Sunday.”
Richard Clarke: [00:18:21] You got it. You got it. That's exactly right. I have an old war story about that. I went to Houston when I was just learning this stuff. I go around the country and say, “Hey, I'm from the White House. Can you, can you brief me?” And they'd always say, “Yes.” And so, I went down to Houston, I went to a pipeline company, who will be nameless, and they said, “Oh man, we're glad to brief you because we got security. We got it knocked down.” And then we drove to a golf course. I'm like, “Okay, why are we at the golf course?” And we went to a bunker, not a golf bunker, but a bunker-bunker and there was a staircase down and underneath the golf course, they had built a command center, to run their national pipeline network and they had done this during the Cold War because they thought there might be a nuclear war. And so, the command center was designed to survive a nuclear war, and they could run all the pipeline pumps all over the country from there. And then I said, “What if there's like a weather event and you can't get here?” “Oh, that happened. You know, we had that hurricane two years ago. Not a problem. We worked from home.” “How'd you work from home?” “Well, we take our laptops and we just got a VPN line and we plug right into the controls. In fact, we do that all the time now.”
Jordan Harbinger: [00:19:48] Nobody comes down here anymore. We just log in from home and we use the same password that we use on AOL and Gmail for all of our accounts and we have six employees over the last six months that don't work here anymore. Their accounts are all still active and we write the passwords on Post-it notes in the room, just in case somebody new goes in.
Richard Clarke: [00:20:08] What could possibly go wrong.
Jordan Harbinger: [00:20:09] Right, yeah, I can imagine.
Jordan Harbinger: [00:24:43] It's crazy to me because when I see this Russia and Ukraine conflict and you see the power grid being taken down in Ukraine or you see ransomware attacks and looking at things like SCADA systems, you've got this whole system that can't really be fixed without a total redesign from the ground up. I think that’s one of your points. But what really freaked me out was the sensors and things like Stuxnet. And I want to hear about that in a second, but I was going over the scenarios in my head here and I thought, all right, power going down. That's a problem especially if it's really hot or really cold. People need heat and things like that. Gas plants, water filtration systems, I mean once you start thinking what happens if I tweak this in a malicious way, imagine sensors telling us that water is clean and when it's dirty and hasn't been treated at all, or they just dump a ton of a chemical instead of a little bit and then they dump that out into the water system and people drink this.
Richard Clarke: [00:25:40] There are systematic dependencies that most of us don't know about. In 2003, a tree fell over in Ohio. Trees fall over all the time.
Jordan Harbinger: [00:25:53] It does happen.
Richard Clarke: [00:25:54] Particularly in my yard for some reason, but a tree fell in Ohio that knocked down an electrical line and it was a hot day, and the power grid was at peak production and a series of trips and cascading failures occurred, and pretty soon a quarter of the country had no electricity, including New York, Boston, Philadelphia.
Jordan Harbinger: [00:26:21] There was a cascade.
Richard Clarke: [00:26:22] Cleveland, yeah.
Jordan Harbinger: [00:26:23] Brownout or whatever it's called.
Richard Clarke: [00:26:25] Blackout and up into Canada. It happened like that and they blamed it on a tree. Maybe it was a tree, but things happened that people didn't know. So, I think it was Cleveland, or it may have been Detroit, some midwestern city, discovered that without electricity it didn't have water.
Jordan Harbinger: [00:26:51] Oh wow.
Richard Clarke: [00:26:52] That's not true in most cities, but it was true in this one city. A number of cities discovered that without electricity, they don't treat sewage and it gets discharged into lakes and rivers, so exactly what you're talking about. There are not only cascading failures within an electrical system, but then because of these dependencies, cascading failures of other kinds of systems, and until recently, people weren't planning for that kind of thing. Now they are. People now take it seriously because, as you said, the Russians have attacked another country and turned off the power grid of Ukraine twice.
Jordan Harbinger: [00:27:38] Twice. Yeah.
Richard Clarke: [00:27:39] People now, I think, they're out of the denial they were in for the first part of the century. And they're actually planning. FEMA, the Federal Emergency Management Agency, held a test and exercise recently where the scenario was power's going to be out for three months because the cyberattack in the exercise destroyed transformers, destroyed generators. They didn't just shut them off.
Jordan Harbinger: [00:28:11] Yeah. Let's talk about that a little because one of the most famous cyberattacks of all time, I think is Stuxnet. And you mentioned this before when we destroyed, or whoever it was, I don't know, Israel, US, some combination, destroyed the centrifuges in Iran. I watched a documentary about this, which is on Netflix, by the way. I don't know if you've seen it. It's really interesting.
Richard Clarke: [00:28:33] Zero Days?
Jordan Harbinger: [00:28:34] It might be that, yeah. They kind of outline how all of this went down. And what I didn't realize was that almost every computer in the world has the Stuxnet virus on it. That's how they got it there. I thought, “Wow, how did they target this computer system?” And the answer is, give it to everyone. It's like herpes, it's going to find you. It's going to get in there somehow. They got it onto there and the virus might be on your computer right now or your phone, but it only attacks Siemens-made centrifuges that have this certain combination of parts that just happened to be, and of course, this was very deliberate, the exact configuration that they were using at the one place.
Richard Clarke: [00:29:17] Apparently, it has to be this Siemens SCADA system tied to a programmable logic controller from Finland or Iran, and pretty much the only place in the world where those precise things occur was the Natanz Nuclear Enrichment Facility. So yeah, as a piece of software, it's over 50,000 lines of code. It's a really, really complex piece of software and uses four different zero-day attack types that had never been used before in the wild. If one didn't work, it used the other. It was going to get into the network, and once it got into the network, it spread. Then it checked. Essentially, it's asking, am I in Natanz? And if I'm not, it shuts down. So, yeah, it is on a lot of people's computers around the world in part because, after the attack, it somehow got out from Natanz even though Natanz wasn't connected to the Internet. There's only so much you can discuss publicly about how that might have happened.
Jordan Harbinger: [00:30:27] Yeah, I mean, my theory based on no real information is if you target enough people, they'll put something in an air-gapped machine at some point and find it or it gets transmitted in some way that isn't really that well known.
Richard Clarke: [00:30:41] But the thing that struck people after the fact was most people hadn't accepted that this could happen or hadn't thought that this could happen. Software destroys hardware. Software can make a machine kill itself. Before Stuxnet, for a decade before Stuxnet, I talked about a cyberattack as a virtual arm reaching out of cyberspace into physical space and blowing something up as sure as if it was a missile or a bomb blowing it up. And my metaphor, no one ever got it, or they thought I was crazy or I'd read too much science fiction. After Stuxnet, people went, “Oh, I see. You can really cause things to blow up.”
Jordan Harbinger: [00:31:35] Yeah. People don't really get it and I understand why, but the way you wrote about it in the book made perfect sense, which is it's largely about the sensors. So if you're running something at a red line speed and you tell that sensor to say, “Hey, we're only at half the speed,” and people keep turning it up or the hardware controller keeps turning it up way past what it safely can operate at because it's causing your speedometer to lie to you. You don't know that you're going 140 miles an hour.
Richard Clarke: [00:32:03] Exactly, if you can get in between the device itself and the signal, the sensor, control panel. Think about that as a car and the car is reading 60 and it's doing a hundred. All that results in is you getting a ticket from the state police. But if that's a gas pipeline, then the gas pipeline blows up. We talked in the book about a town in Massachusetts called Lawrence, Massachusetts. And one night in Lawrence, and in three other towns surrounding it, suddenly houses were blowing up and the three little fire departments in these three little towns were getting flooded with calls. The house next door just blew up, the house next door just blew up. And suddenly they had more fires than they had fire trucks. And it looked like the German Air Force, the Luftwaffe, had flown over and dropped incendiary bombs or something. It looked like London in 1941. What was going on? What was going on was that the gas pipelines going into these houses, the houses were all heated with gas. The pipelines had a massive overpressure, 10 times the amount of gas that should have been going into the houses was being pumped into the houses. And what happens, in that case, is the pump breaks, the basement fills up with gas and any little source of friction will cause it to explode.
Jordan Harbinger: [00:33:40] Like a pilot light from a furnace.
Richard Clarke: [00:33:42] Exactly. And so, bang, bang, bang, bang, houses somewhat randomly. It looked like it wasn't random. It was houses that had gas that were blowing up. Now the reason for that was a maintenance company working for the gas company was doing some work on the gas line and had the wrong setting. It was off by a factor of 10. There's no reason to believe that was a cyberattack, but we talk about that in the book to demonstrate what can happen if you can get control, and you can, online, digitally. You can get control of something that regulates how much pressure goes into a line. Things explode.
Jordan Harbinger: [00:34:29] It is wild to see how vulnerable these things are. And of course, the problem is companies go, “Well, I'm not going to protect against Russia. That's the government's job.” And the government says, “Why are we going to go in and custom design a solution for your particular cell phone company's IT software that we have to update every time you have a system upgrade? It doesn’t make any sense.”
Richard Clarke: [00:34:52] We talk about this argument a lot in the book and we begin by saying what General Keith Alexander, the former head of Cyber Command, likes to say publicly, and that's a very appealing argument. He says, “If a Russian bomber flies overhead and drops a bomb on your plant, you expect the United States Air Force because you pay taxes. You expect, as they say, Air Force, to go out and shoot down that bomber and deal with the Russian threat. But if the same damage to your plant is done by a Russian cyber unit, Russian military, they're both Russian military, one's a bomber and one's a cyber unit, they both had the same effect. Your plant doesn't work anymore, destroyed. What's the difference? Why should the government save you when it's a bomber and the government doesn't do anything to save you when it's a cyberattack?” I'm a taxpayer. I expect the Pentagon to save me from the Russian military. That's a very appealing argument. It's wrong. It's just wrong. Because if you try to think about it, all right, let's agree with that. Let's be able to stop these attacks. You can't do it. What are we going to do? Ask Cyber Command to figure out how bank networks run, how gas pipeline networks run, how electric power grid… They don't know. Cyber Command is having a hard time defending itself and the US military and they're not doing a very good job of defending themselves or the US military. Why do we think they would be able to defend the bank network?
Jordan Harbinger: [00:36:38] And who's more important? Chase Bank or the water company in New York?
Richard Clarke: [00:36:43] Or J.P. Morgan because it's a big wealthy bank or the neighborhood bank down the street. J.P. Morgan did tell us what they spent for the book and it was $700 million every year defending their network. Bank of America did not tell us. We have subsequently learned from an inside source that it's more like 1,000,000,003 at Bank of America. Every year they're spending 1,000,000,003, they're employing thousands of people. Why do we think that the US Military could do that any better? It can't. They don't have the legal authority. They don't have the expertise. They don't have the number of people necessary. Basically, you know, the government can do some things and we enumerate in the book what the government should do, but it can't defend your network for you. As appealing as that analogy with the bomber is, it's not a true analogy.
Jordan Harbinger: [00:37:46] Also though, companies, if I'm graduating from the University of Michigan or MIT and I'm a computer genius, the odds of me going, I'm going to take a government paycheck versus going to work for CrowdStrike. It's pretty low.
Richard Clarke: [00:38:01] It's even worse than that. So, you're right. But if I'm a computer genius, which I'm not by the way, and graduating from MIT, chances are I'm getting an undergraduate degree. Let's say, chances are I've never taken a single semester course in cybersecurity because at MIT, and I went to MIT, it's still true. It was true when I went there, and it's true now. You can get a computer science degree without any course in cybersecurity.
Jordan Harbinger: [00:38:35] Oh, I believe that. I studied ECON and Commerce and a lot of my friends who were in Computer Engineering at Michigan, they would walk into my dorm room and they go, “Whoa, what kind of computer is that?” And I go, “Oh, I just, I made it. I built it,” which is actually not hard. It's like putting together Legos made out of circuit boards. And they would go, “Wow, I'm a senior in Computer Engineering and there's no way I could build my own computer.” And I go, “I guarantee you could figure this out in one Saturday afternoon.” And one of my friends actually switched to French as a major because he just went, “Okay, if you can do this and I can't, I'm done, I'm done.” But it reminded me like, wait a minute, these guys, they don't even know how I'm opening up their CD-ROM tray remotely on the local network, which is like using a simple Trojan. That back then was called the Netbus. I mean these are really, really basic, like click on this dancing bear email attachment and I control your whole machine, and they had no clue how this stuff works.
Richard Clarke: [00:39:31] So let's come back to the computer genius kid. Computer genius kids are taught by their computer science department to look down their nose at cybersecurity like it's carpentry or taking out the garbage. Whereas if you're a computer genius, you have to be working on advanced neural network machine learning or quantum computing state of the art. Stanford isn't a place where we get computer security people. MIT is not. There's a real kind of society thing here, kind of tiering. So, where do I look for the best cybersecurity people? Idaho State, Tulsa University, Carnegie Mellon--
Jordan Harbinger: [00:40:27] That makes sense.
Richard Clarke: [00:40:28] a lot of them are from places that you would not think of. They're not household names. You know, Tulsa University is not a household name. They produce some of the best cybersecurity people in the country.
Jordan Harbinger: [00:40:40] Yeah. If I didn't know, you could've just made that up right now, the name of that university and I would have no idea. The quantum computing is an interesting phenomenon. You just kind of mentioned this and I want to get to that in a second, but the idea that this domain moves so fast is a little scary and surprising. I mean, when I look at things like warplanes, every decade or two there's an advancement where you go, “Wow, that's, so that's our new plane. That's amazing.” But when you look at cyberattacks, you come up with things like zero-days, that we call them zero-days as you mentioned, the exploits that are not public yet. And these are weapons that, as soon as you find out what it is, you can block it, you can patch it, you can fix it. So, it's kind of like, what was the analogy you gave in the book? It's like being able to go in and change the atmosphere so that bombs no longer fall downward when they're dropped off a plane. And you can just fix that in a couple of days or if you've got a real crack team on it and it's a really obvious zero-day exploit, you can patch it in a few hours.
Richard Clarke: [00:41:41] You can. There's a use it once kind of phenomenon against the hard target. Because a hard target is going to have all sorts of sensors and eventually, they'll figure out what happened, and they'll, as you say, patch it, block it. There'll be somebody five years later who still hasn't patched it. This is what happened with the famous Petya attack of the Russian attack on Ukraine. They were going after a vulnerability in Microsoft that had been reported publicly by Microsoft, and Microsoft had said, “This is how you fix it,” months before, months before. And you would think everybody would say, “Oh, that's a critical patch. Let's run out and stop the zero-day. Let's apply that patch.” Hundreds of companies didn't.
Jordan Harbinger: [00:42:39] Well we've all been to a place like an office and you go, “Man, this is the computer you work on. Is that Windows 98?” And then they're laughing and they're like, “Well actually this is Windows XP Professional Edition, but this is a computer that controls our lighting system. We don't really care if we don't worry about this.”
Richard Clarke: [00:42:56] Hospitals until recently were, and still are in many places, the worst defender, and there was a reason. You joke about Windows 98. There were a lot of medical devices in this country, probably some still are, as late as last year when we were looking into this for the book, lots of medical devices running Windows XP and Windows 98. Why? Because the government forced them to. The Food and Drug Administration in its old incarnation, it's changed in the last year, but FDA used to say, “We certified that software for that machine. You cannot change anything,” and people would say, “But Microsoft is no longer servicing that operating system. There are known vulnerabilities in that operating system. There are millions of exploits.” “Nope. You can't change anything.”
Jordan Harbinger: [00:43:53] Right, because you'd have to submit the medical device for re-certifications.
Richard Clarke: [00:43:58] Yeah, a lot of money and a long time. Now the FDA has come around, but for years they didn't and so you had heart-lung machines and the IV drip machines and all sorts of life-sustaining machines in hospitals that were filled, riddled with vulnerabilities.
Jordan Harbinger: [00:48:44] Quantum computing seems like this is something. That's a whole show, but it's a whole phenomenon that we don't know when it's coming. A lot of people don't even know exactly what it is. And are you able to explain it in sort of a simplified way?
Richard Clarke: [00:49:02] I tried really hard in the book. I did a chapter on it and I'll tell you when I first heard about quantum computing, quite a long time ago, people have been trying to get this for a long time. And I called out to NSA and said, “Send me some experts on quantum computing because I don't know anything about this.” And again, when you were in the White House and I asked people to send me experts, they always did. It was great. Well, the only perk of being in the White House--
Jordan Harbinger: [00:49:32] That can't be the only perk, but okay.
Richard Clarke: [00:49:34] There were, there weren't many.
Jordan Harbinger: [00:49:36] They've got good ice cream, I've heard.
Richard Clarke: [00:49:37] They do. They do have good ice cream. So, they sent these guys down and they began by talking about a German physicist from the early 20th century named Schrödinger and the analogy of his cat.
Jordan Harbinger: [00:49:54] Schrödinger's cat, yeah.
Richard Clarke: [00:49:55] And for those of you who haven't heard this, this is the explanation that everybody uses for quantum computing. The cat is alive, it's in the box, it is alive, it is also dead at the same time, and it is also alive and dead. And this is the worst possible way of explaining quantum computers.
Jordan Harbinger: [00:50:18] Right, because people don't understand Schrödinger's cat in the first place. Now you're adding a variable.
Richard Clarke: [00:50:22] And cats and boxes and it's alive and dead at the same time, but then it’s alive and dead. Schrödinger guy, stop it. He was not good at teaching. He may have been a great physicist. This was a really bad analogy and we've perpetuated it for a century. I can’t stand it. So, let's put all that aside.
Jordan Harbinger: [00:50:45] Sure.
Richard Clarke: [00:50:47] What quantum computing is about is using the phenomena that occur at the subatomic level. We can't physically see at the subatomic level. All of the rules of physics that we observe and that we learned about in high school physics, none of those rules seem to apply at the subatomic level. It's a different world down there, and we don't fully understand why things happen the way they do down there. But we're beginning to understand what, if not why, and certainly what they do. And some people in computer science learning about this said, “Oh, wow, we could use the phenomenon, the strangeness of what goes on at the subatomic level to run a different kind of computer. And there would be a real advantage to that in terms of, if we could make it work, dealing with really hard number-crunching exercises.” So, there are some problems that you can run a computer, the best computer, supercomputer we have, you can run it for months, and it may solve the equation, but it may not, and encryption is one of these problems. You can get an enemy's code and put it into a supercomputer and literally walk away for months and have that supercomputer trying to break the encryption, and it usually doesn't. That's the secret story. It usually doesn't.
Jordan Harbinger: [00:52:29] The secret is it doesn't work.
Richard Clarke: [00:52:30] The secret is it doesn't work. So, what's the magic that occurs at the subatomic level? The subatomic particle, we call a qubit, not a bit but a qubit, and it does simultaneously have ones and zeros.
Jordan Harbinger: [00:52:52] Right, so binary is like one or zero.
Richard Clarke: [00:52:55] Binary, which is conventional computing, is one and zero. At the subatomic level, it's both at the same time and states in between. Now, if you can manipulate those qubits and use them in a computer instead of regular bits, you have an exponential power of calculation. So, you can have eight, 16, 56 qubits that are able to do increasingly exponentially higher amounts of calculations because they have this ability not just to be a one or a zero, but to be a lot of different values.
Jordan Harbinger: [00:53:40] Right, so something that might take a supercomputer a month of time could take a few seconds.
Richard Clarke: [00:53:46] A few seconds. The question is, you know, when are we going to have supercomputing? When are we going to have quantum computing? We already do and everybody is saying, “Well, here's the definition of when we have it.” Well some of the definitions that were around 10 years ago, we already have it. There are quantum computers operating. When I went to write the book, I went over here to Rigetti Computing across the bay in Berkeley. They've got one. It works.
Jordan Harbinger: [00:54:18] Cool. Is it huge?
Richard Clarke: [00:54:20] No. It looks like some bizarre combination of an espresso machine and a pot roaster.
Jordan Harbinger: [00:54:29] Is it radioactive? Like, what's going on?
Richard Clarke: [00:54:30] There's like steam coming out of it literally. The reason for all of those pipes and wires is that you can really best manipulate these subatomic particles at absolute zero. They're more stable at absolute zero. Even that more stable, they only exist for a second or two. Is that giving, if you can get them to exist for a second, that's pretty good.
Jordan Harbinger: [00:54:59] So the other like elements that we're creating in some sort of high pressure, super-cold chamber.
Richard Clarke: [00:55:05] They’re super cold chambers with absolute zero. This is not a quantum computer. It’s not going to be a laptop.
Jordan Harbinger: [00:55:12] Not yet.
Richard Clarke: [00:55:13] Not yet. Not in a long time, but you might be able to VPN into the quantum computer from your laptop. They use this term and it's another terrible term, quantum supremacy, and it sounds like, “Oh, is China going to get quantum supremacy before us?”
Jordan Harbinger: [00:55:34] That's kind of where I was going.
Richard Clarke: [00:55:35] “And then will they be quantum supreme?” Well, what quantum supremacy means is something very different from what it sounds like. What it means is the first time a quantum computer can successfully do a calculation that has never been successfully done before. So, there are algorithms, there are equations we've never been able to solve, but we think in theory they should be ones that can be solved. With a supercomputer, it takes infinite time. With a quantum computer, we think they can be solved. And when one of these is solved for the first time, an equation that's never been solved before, a problem that has never been solved before by a computer, when a quantum computer does that, that is quantum supremacy. It's supremacy not over China. It's supremacy over a regular computer. And there's a debate about when that'll happen. And I think you could get odds. I think it's going to happen a lot faster than the general public believes.
Jordan Harbinger: [00:56:49] That's great.
Richard Clarke: [00:56:50] There's a whole community out there writing machine learning algorithms on the assumption that we're going to get a quantum computer to work.
Jordan Harbinger: [00:57:01] So, there are people writing code for something and they're like, this program would take an infinite time to run, so that's not super useful right now. But eventually I'll be able to plug this into some Rosetti [00:57:11] computer and it will run. And what it will do is simulate the weather pattern on the entire planet over the earth.
Richard Clarke: [00:57:19] Or you know, something is done in a biotech lab, a wet lab, that costs millions of dollars to build the PL4 Wet Lab [00:57:29] and repeatedly do these experiments until you've got a combination that works, just simulate it on the quantum computer and in a matter of minutes, get the result that would otherwise take years in a wet lab.
Jordan Harbinger: [00:57:46] Like I said, this is probably a whole show because I'm imagining drug trials and things being simulated.
Richard Clarke: [00:57:52] That’s exactly right now. Where does this affect security? Well, a lot of people believe that these quantum computers will be able to break the encryption that we use today. They probably will. Is that the end of the world? No, because we've seen this coming and the encryption whizzes of the world have started writing quantum-resistant computing algorithms, and some people are already using quantum-resistant algorithms. The government through the National Institute of Standards has a public, unclassified open program where they're asking people from all over the world to participate in creating standards for quantum-resistant algorithms for encryption. Now they want the NIST, the standards people want to have this done by 2024. I think 2024 may be too late. We need to probably walk that deadline back a little because I think the work that's going on at IBM and Google and Rigetti and elsewhere is a lot further along than people tend to think it is.
Jordan Harbinger: [00:59:03] You’ve heard treaties between let's say China and the United States that are like, “All right, let's agree not to hack each other left and right,” but you said there's two types of companies, those who have been hacked and know it and those that have been hacked and don't know it. I mean, even my small company back, I don't know, three, four years ago we got hacked and people put malware on our whole website. And so, whenever anyone logged in at like ask them to download something and install it on their machine. And a lot of people did because it was our learning software and they thought, “Oh, it's an update for my learning software.” And so, a ton of people got infected. It was really embarrassing for us. But what's the point of these treaties if everyone's just going to violate it? I mean, I guess I don't understand. Or is it like we're sort of following this? I mean, what do people, why bother?
Richard Clarke: [00:59:46] Before I answer your question on treaties, I've got to give credit where credit is due. So, Dmitri Alperovitch from CrowdStrike was the guy who invented that line. There are two kinds of companies. Those have been hacked and know it and those have been hacked and don't know it. And what we say in the book, and we asked Dmitri this whether he agreed and he said he does now agree that there are three kinds of companies. And the third kind of company is the company that cannot be hacked or that is resilient from hacking. That third kind of company didn't exist 10 years ago. It exists now. We can all list companies that have been hacked--Equifax, Marriott, Sony, Target. Then we could go on all day. One of the ones that didn't get hacked and you list them. There's a list. You can come up with it, you can derive it. Now, some of them actually were hacked and didn't tell anybody, even though you're supposed to under the law for. And if you're a publicly-traded company, some of them skirt that law. That's a different subject. Talk about that all day. But there are companies and we've talked to them, that in the last five years haven't been hacked or the hack got in and was quickly isolated and did a little damage to the network and the network was quickly restored. We call those companies resilient companies and they don't want us saying who they are because they don't want to dare, I mean, right. Yeah. I know for a fact that these companies are safe, maybe tomorrow they'll be hacked. But they've had like a five or more-year record and they're targets, they are attempt all the time.
Jordan Harbinger: [01:01:37] Sure. I'm imagining like Palantir, you're probably on the front end.
Richard Clarke: [01:01:41] The interesting thing about this is it's because of the technology that's come out in the last few years, like Endpoint Detection & Response, EDR, like some cloud computing applications. But it's not any one technology. It's stringing together dozens, dozens of applications and technologies to make this work. That's the big surprise for us writing the book that this is the dog that doesn't bark. This is the new story. Nothing happened today. You don't hear it. But it's more important in some respects than all the stories about who got hacked because it means that there has been the big shift in the offense-defense relationship and that through this moment in time, at least if you know what you're doing and you have a nice checkbook, you can defend yourself.
Jordan Harbinger: [01:02:35] There's a lot of companies now have these sort of hacking back policies. I don’t know if this is still a thing, but there's a lot of companies that go, “Oh, well we're going to find the source of this and go back after them.” What do you think of that? Because that sounds like, that sounds like somebody's little brother gets picked on and they punched the guy in the nose. And then what happens when they go back and they hack Iran, then what? Then, they have to tap on the shoulder of their big brother, the US Army and say, “Hey, we pissed off Iran because they came and shut down our ATM thing and then we went and screwed with them.”
Richard Clarke: [01:03:07] It's a really bad idea.
Jordan Harbinger: [01:03:08] Yeah, it seems like a bad idea.
Richard Clarke: [01:03:10] And I'll tell you, there's a couple of reasons why I think it's a bad idea. One is, what the hell difference does it make who hacked you. If you're a company, you're a corporation, you really care whether it was the Iranian Revolutionary Guards or the North Korean Army, I mean, you got hacked, fix it and make sure it can’t happen again. Figure out how it happened. That's what you should be doing. Figuring out how it happened. Make sure it can't happen again. You cannot legally attack the guy who hacked you. It's a class A felony. It may feel good, sure to say, “Oh, the Iranians hacked me and I went back and I fried the Iranian computer.” You can be arrested for that.
Jordan Harbinger: [01:03:56] It's not self-defense. You're not stopping someone from punching in the face. You're burning down their house because they burnt your house down.
Richard Clarke: [01:04:03] And that’s illegal under the computer fraud to be exact. So, that's one reason, but that's an appeal of law. How about an appeal to reason, why shouldn't you do it? Well, one of the jobs we had in the government, of Rob and I, was to talk to all the agencies who might be hacking and to do something called deconfliction. So, the FBI might be hacking, the CIA might be hacking, NSA might be hacking, Cyber Command might be hacking. Maybe [indiscernible] [01:04:42]. Maybe the Australians are. If everybody goes after the same target, there's going to be a lot too much noise and somebody is going to be picked up by a detection system, and the attack, the hacking won't work. You want to be very, very careful to only have people who know what they're doing with the most sophisticated capabilities around doing the hacking, and you don't want a lot of other people in the network making noise. Or you do sometimes, you know, want to make noise intentionally over here to distract people while you attack over here. But having the random American company decide to be a vigilante and get into this mess and not be deconflicted, all that's going to do is put in jeopardy US Intelligence and military and law enforcement activities that are probably occurring on that target network. In other words, let the pros go after the bad guys. If somebody has done something, don't get your gun and go after them. Call the SWAT team.
Jordan Harbinger: [01:06:00] Yeah, that makes sense. That makes sense. I hate using hyperbole like this, but forgive me is, are we expecting any sort of like cyber 9/11-type scenario? I mean, what would that look like? Is there a scenario in which damages are so bad that insurance companies can't cover it?
Richard Clarke: [01:06:19] The insurance companies are worried about that and that is why insurance companies are writing relatively small coverage policies. I've talked to state insurance regulators because insurance for some reason is not regulated at the federal level. Healthcare is, but property, casualty, insurance, continuity, business continuity, insurance, all that kind of stuff is regulated at the state level. And I have talked to the state regulators about this and their concern, their chief concern, is that the companies are going to write cyber policies that are too big, and then there's some big huge attack that comes in and wipes everybody out, and that'll wipe out the insurance companies. Given that concern, that regulatory concern, the insurance companies are writing small policies. What would the big 9/11 attack look like? I guess it's a matter of definition. I say in the book that in some ways the Russian attack on our democracy in 2016 was kind of like 9/11. It was a big attack that caught us flat-footed. It succeeded and we didn't even know it was coming, and we did nothing to stop it. It had a pretty profound effect. It was attacking the very substance of the center of who we are as a country, our electoral process, our democracy.
Jordan Harbinger: [01:07:53] A lot of the attacks right now are kind of relegated to the ones we hear about are relegated to ransomware. We see police departments, hospitals and businesses getting, getting their computers locked up or encrypted and they have to pay Bitcoin to somebody to unlock it. Ransomware and things like that. Coming from North Korea, some of which was, I guess meant for Ukraine, but it does seem dangerous if we're not prepared for this. And you've made this point in your book, and I had never thought about this, if we can't really fend for ourselves in the cyber domain, this is problematic, not just because we're a little bit defenseless, but because then our next option is not, “Oh we'll call the pros and they'll really handle this.“ It's, “Well, I guess we can go blow up something because that's what we're really good at.” So, you don't have this kind of incremental escalation you have, well, shoot, we can't respond in kind, so now we've got to sink a boat or destroy an airport.
Richard Clarke: [01:08:47] No, I think that's right. Yeah. I think people coming back to our earlier point about how people think cyber is safe and not lethal and therefore it's okay to use. You get to some level of damage with a cyberattack and somebody is going to say, “I'm not just going to respond in kind, I'm going to go bomb them.” And in fact, that somebody is the Pentagon, the Pentagon's public policy is if there is a level of damage, they won't define it, but then they will know it when we see it. If there's a low, some level of damage to the US by a cyberattack, we feel that we have the right to respond, not just with another cyberattack against you, but by bombing and sending missiles against you. And that's our policy. So, a war in cyberspace ain't going to stay in cyberspace. And everybody who thinks, well we can find a neat, clean antiseptic war. No, you can’t.
Jordan Harbinger: [01:09:47] No, it doesn't make sense especially because if we can't get them to stop attacking, what you do is you take out the office building where they all work. Right?
Richard Clarke: [01:09:54] So Israel just did this.
Jordan Harbinger: [01:09:55] Oh really?
Richard Clarke: [01:09:56] Yeah. They said there was an office building in Gaza, where all the Hamas cyber unit was and they were doing whatever they could to make Israel's life miserable. Israel is pretty good about their cyber defense, but nonetheless, and the Israelis thought about it for a while. Like these people are a pain in the ass, we have to spend a lot of time defending against this Hamas cyber unit get an F16 and they blew it up. They called in an F16; they dropped the bomb on the cyber unit in Gaza. I think that's a metaphor, sure, for a much larger kind of operation that could occur.
Jordan Harbinger: [01:10:40] It is a little surprising if you're not used to it because of course, you do think, “Oh, well if somebody hacks us then we're going to hack back. Good, I'm glad we're in low-level cyber conflict with Russia and Iran and China instead of in conventional conflict.” But it's, it's kind of just a matter of time at that rate. This might be a silly question, but why are countries like Russia, Iran, so heavily involved in cyberwar against the USA? Is it because they can't match us conventionally? I mean, what's going?
Richard Clarke: [01:11:09] Yeah in the case of Russia and Iran I think it is like they can't match us conventionally and there's a low barrier to entry. It's not zero, but there is a low barrier to entry. Even North Korea for heaven’s sake. North Korea can barely, you know--
Jordan Harbinger: [01:11:25] I mean they can't even keep the lights on literally, in the capital cities.
Richard Clarke: [01:11:27] Yeah, they can't do anything. They can't feed their people, but they have a cyber unit.
Jordan Harbinger: [01:11:32] That, that country is a whole, a whole mystery. I wonder how people attribute attacks to them because…Don't they have to use proxies in China?
Richard Clarke: [01:11:40] They do. They use facilities in China. At one point I knew that particular floor of a particular hotel, in a particular city. And if I knew that the North Koreans were attacking from the third floor of a hotel in Dalian, China, the Chinese must've known that too.
Jordan Harbinger: [01:11:58] Oh, I'm sure. I mean you can't even have if you're going to run that kind of attack. I mean it doesn't necessarily have to be a lot of traffic, but if you know what you're looking for and you can find people signaling bot networks or running a distributed denial-of-service attack. And speaking of that 5G the Internet of things, this is going to change the way cyberattacks are, and it's going to change the whole world, of course, but can you tell us what 5G is and why this is going to magnify this problem even further?
Richard Clarke: [01:12:25] So 5G is the fifth generation of cellular phone service and recently we went from 3G to 4G. You probably didn't notice.
Jordan Harbinger: [01:12:35] No. It just seems like faster Internet on your phone.
Richard Clarke: [01:12:37] Maybe it seemed like faster to you. I didn't know this. The only thing I know was somewhere on my phone that said 4G instead of saying 3G. I couldn't tell the difference in terms of speed. 5G you'll notice there's going to be like a hundred times faster.
Jordan Harbinger: [01:12:52] We have fake 5G now.
Richard Clarke: [01:12:53] It is fake. It is fake.
Jordan Harbinger: [01:12:54] Your phone says 5GE and it's like that might as well be 5G asterisk and then it says not 5G.
Richard Clarke: [01:12:59] Right. But when that happens, which will be next year, probably in most places the international standard for 5G is the ability to do a hundred times faster bandwidth, over the air with a million devices per square kilometer connecting simultaneously.
Jordan Harbinger: [01:13:19] It's a hard number to wrap your head around.
Richard Clarke: [01:13:23] The notion is that everything could be talking on the Internet at the same time and doing it at high bandwidth and high speed with 5G. 5G is not going to be everywhere. It doesn't work well through walls. They can be a lot of repeaters, a lot of transmitters. You're not going to have rural 5G but in cities, you're going to have it. And it'll allow things like autonomous cars because autonomous cars, the cars each have to talk to each other. And so, one car may have to be talking to six other cars at the same time. So that they can keep pace, keep separation. One guy knows where the other guy's going to brake and the other one's going to go, that sort of thing. So, you need high speed and you need high capacity. 5G will provide that. Great! It will also allow all sorts of devices in the house and the office space to go straight to the Internet without going through a router or firewall.
Jordan Harbinger: [01:14:25] Oh, okay. See, I didn't know that. I thought I've got a nest; I've got a ring doorbell. What's the big deal? Is it just going to be a bunch of those types of things? I didn't realize. It doesn't then have to go through a router.
Richard Clarke: [01:14:35] It doesn’t have to do. Now, you'd be wise to put it through a router. You'd be wise to put it through a firewall, but they won't have to, and so I think it'll be much easier for people. There'll be more devices to hack and the more devices you have to hack, the more likely you are to succeed in hacking one of them.
Jordan Harbinger: [01:14:53] And let me guess, the cheapest ones will be the ones that have no security built-in. They're not protected and they go straight to the Internet.
Richard Clarke: [01:14:59] Right. Yeah. And there will be millions of them. Uh, so the attack surface will develop and feels like, “Oh, well, who cares?” Well, we already saw a case where a Chinese surveillance camera, nanny cams, a little cheapy Chinese cameras that you can put up anywhere, where hundreds of thousands of them got hacked because they were so easy to hack. And then they were used as jumping-off points for a denial of service attack. So, all the little Chinese cameras lit up and simultaneously went after one site, bang, and took that site down. The more devices there are out there and they get to the Internet and unsecure, the more there will be denial of service attacks that take down things that we care about.
Jordan Harbinger: [01:15:50] And these will be in large parts, unfortunately, it seems like China, Huawei, they've got a lot of contracts for 5G internationally, and we already get worried about little chips and little firmware in there that's spying on sniffing the traffic, sending data and metadata back to China or wherever for use or misuse. So that's a little scary. And it's funny to hear all of this. I mean you've studied this for a long time do you ever think, wow, how far cyber has really come? Because I think the biggest worry that I had a few years ago, aside from denial of service attacks against my web servers and things like that was, “Oh, I need to put some tape over my webcam on my computer because I went to DEFCON and I saw my hacker friends turn the camera on in about three minutes, you know, without me installing anything. And I thought, okay if that's easy, I still put stickers and tape over the cameras on mine. And when I went to North Korea, they took our phones at the airport and you get it back later, you go to China and a business delegation, they take your phone and scarily they bring it back to you 20 minutes later. I mean, in North Korea, I thought they just didn't want me to use the phone. In China, they give it back to you. It's clear that they just wanted to dump the contents of my phone onto a server somewhere.
Richard Clarke: [01:17:08] And they do.
Jordan Harbinger: [01:17:10] It's just amazing how far all of this is coming. It seems almost hopelessly complicated and yet 95 percent of cyberattacks are very preventable by just like installing the damn Windows update.
Richard Clarke: [01:17:24] A lot of cyberattacks are preventable. That's why we do now have companies that are succeeding in preventing them.
Jordan Harbinger: [01:17:32] Well, is there anything else that you want to leave us with that I haven't asked?
Richard Clarke: [01:17:36] Well, the one thing I'm concerned with, is the 2020 election and we know the Russians penetrated the 39 States voter databases. We don't know what they did because they weren't automated. They weren't instrumented. They're going to do that again. They're going to have fake personas and social media, microtargeting voters, very skillfully, telling people who are concerned about the environment to vote for the green party, drawing votes away from the Democrats, telling African-Americans that the white candidate Hillary Clinton doesn't really like blacks doing that in a convincing way with convincing text that draws just enough the blacks away, and so they didn't vote in rather specific places, like Philadelphia. They're going to do all this again. They're going to determine the outcome of the next election unless we do something about it. We need to improve the security of the election infrastructure. We need to help the states and the counties with cybersecurity, the money to do that has passed the House and is being held up in the Senate, by the Republicans. Now the cynic will say the Republicans don't want that money spent because they like the Russians getting involved in our elections because the last time they did that, they were pro-Republican. Well, I got news for you. You can't be sure that next time it will be pro-Republican again. They may be pro-Democrat; they are the Republicans may get Russian support. Maybe the Chinese will get involved this time on the side of the Democrats. I don't want foreigners picking our president or our senators or our congressman, and I don't think any American does. And so, what we really need to do is bang the drum here to pass the bill in the Senate over Mitch McConnell's objections to get aid to the states and counties so that they can defend their networks and have some cybersecurity for the election system.
Jordan Harbinger: [01:19:58] Yeah. That type of thing should keep everyone up at night because no matter who you favor, the idea that this could happen so easily and a lot of people will say it never happened. This is not something that ever happened. Even, even if that's the case, and I think it's all pretty convincing that there's something happened with regardless, even if that's the case, it's so easy when you see someone. If you’re not able to wrap your head around this, but you are interested in this, I should say, go to DEFCON in Vegas and just go look at the guys doing demonstrations on voting machines.
Richard Clarke: [01:20:32] A 13-year-old girl hacking the voting machine in three minutes.
Jordan Harbinger: [01:20:34] Yeah, it's true. It's incredible. I was working there at the social engineering village a long, long time ago and Keith Alexander, the former head, I think at the time of the NSA, he stopped by with his Secret Service agents. It was really cool and you will see, you'll see a guy that, a couple of talks, the voting machine one was really interesting. There was a guy who showed us the SCADA systems. It was a simulation because of course, you can't really hack into Detroit power and energy or whatever and not get in trouble. He also did a demonstration where he showed air traffic control and the way that you say that you're a plane flying is you just tell air traffic control that you're a plane flying. And he said, “So I just put fake planes in flight patterns and other planes have to move out of the way.” And he goes, “What would have happened if I put 70 or 80 fake planes right over Washington DC and put them in a restricted airspace. They don't have to be there. They just have to say that they're there. People will go absolutely crazy and this is really easy and these are like unencrypted publicly open systems that a 20-year-old with an antenna and a computer can start messing with.”
Richard Clarke: [01:21:43] I learned a long time ago you have to go to the hacker conferences like Black Hat and DEFCON and you have to believe what you see because there are a lot of the big companies out there and big government agencies that will tell you, “Oh that could never be done.” Sure. You go there, you see it being done and then a year later, unfortunately, it gets done in the real world.
Jordan Harbinger: [01:22:07] Thank you so much. This has been great.
Richard Clarke: [01:22:09] Great conversation.
Jordan Harbinger: [01:22:13] Great big thank you to Richard Clarke. The book is called The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. There's a video of this interview on our YouTube channel as well at jordanharbinger.com/youtube.
[01:22:27] I'm teaching you how to connect with great people like Richard Clarke and manage relationships. I managed hundreds if not thousands of relationships of course via email, text. I'm teaching you how to do this in a course in a very scalable way. Our course is called Six-Minute Networking and it's free, not enter-your-credit-card free, just free-free. I think I said that earlier in the show. That's at jordanharbinger.com/course. You got to start now. Procrastination leads to stagnation when it comes to personal and business relationships. In other words, you cannot make up for lost time when it comes to relationships and networking. You have to dig the well before you get thirsty. Once you need relationships, now you're coming out of left field, “Hey old buddy, old pal, I need something.” Not going to work. The drills take a few minutes a day. That's why we call it Six-Minute Networking. It's probably even less than that. I wish I knew this stuff 20 years ago. This has just been crucial and a deciding factor in my success, of the show here, and in my personal life as well. Again, all for free at jordanharbinger.com/course. By the way, most of the guests on the show, they subscribe to the course and the newsletter, so come join us, join a bunch of smart people and improving themselves, yourself included. I would love to have you in there and I take questions of course. Speaking of building relationships, you can always reach out and/or follow me on social. I'm at @JordanHarbinger on both Twitter and Instagram.
[01:23:41] This show is produced in association with PodcastOne and this episode was co-produced by Jason DeFillippo and Jen Harbinger, show notes, and worksheets by Robert Fogarty, music by Evan Viola, and I'm your host, Jordan Harbinger. Our advice and opinions and those of our guests are their own, and yes, I am a lawyer but I am not your lawyer. So do your research before implementing anything you hear on the show. And remember, we rise by lifting others. The fee for the show is that you share it with friends when you find something useful, which should be in every episode. So please share the show with those you love and even those you don't. In the meantime, do your best to apply what you hear on the show, so you can live what you listen, and we'll see you next time.
[01:24:22] A lot of people ask me which shows I listened to and recommend and one of those is Smart Passive Income with my friend Pat Flynn, who I've known for a long time. Pat, I got to admit, when I first heard the title of your show, I was like, “Oh, it's one of those make money online. Like, come on.” And then I got to know you and I was like, “Oh, this is like the one guy who cares about his customers and audience.” And really is focused on helping them grow and you did a recent episode that I thought was interesting, SPI 375, The State of Podcasting in 2019. A lot of people have opinions on this, but I'm curious what you, what you guys discussed.
Pat Flynn: [01:24:55] Yeah, I mean, did you know there's over 500 million active YouTube channels, 500 million blogs, and less than 1 million podcasts. Do you know that?
Jordan Harbinger: [01:25:03] I did not know that. I knew that there were 700 or 750,000 podcasts, but I had no idea where we stacked up in relation to blogging and YouTube channels.
Pat Flynn: [01:25:16] Even though podcasting's been around for a while, it is just getting started and we really wanted to nail down in this episode. Matt, who joined me, who's my COO, we're actually going to be going pretty all in on podcasting moving forward and we just wanted to be open about why and you know, a lot of you listening to this. Now you are a listener of a podcast and maybe you want to listen to more or understand how it's going to change in terms of discoverability, but also maybe you want to start a podcast one day. Either way, we kind of go all out and discuss sort of where the industry is headed. Certain companies like Spotify have just acquired some large companies, media companies, and tools to help further this. Google is actually on its way to its goal of doubling the amount of podcast listeners by 2020 using the search algorithm. If you look up, you know, your show or my show on Google right now, you can actually play the episodes through the search results now. So, there's just so many cool things happening in that, and so if you're at all interested and want to get a little geeked out about podcasting and where it's going, uh, hopefully, you can come on over to Smart Passive Income and listen to episode 375.
Jordan Harbinger: [01:26:16] Yup. 375 we'll link to that in the show notes here. Smart Passive Income with Pat Flynn, and of course, you can find that anywhere you listen to podcasts. Thanks, Pat.