Richard Clarke on Patriot Act, WikiLeaks, privacy (Q&A)

Ten years after September 11, Americans are safer but would benefit from a civil liberties commission, former U.S. cybersecurity and counterterrorism advisor says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
9 min read
Richard Clarke, former cyber security and counter-terrorism, author, and consultant.
Richard Clarke, cybersecurity and counterterrorism expert, author, and consultant. Good Harbor Consulting

In an increasingly digital world, the real threat to citizens' privacy is data collection by corporations and not the Patriot Act, said former U.S. cybersecurity and counterterrorism advisor Richard Clarke.

Clarke, who ruffled Bush administration feathers when he complained that U.S. officials ignored warnings about the al Qaeda threat before the attacks, says Americans are safer from terrorism now, partly because of the Patriot Act. Critics, however, have maintained that the law, enacted after September 11 to root out terrorists, has been interpreted broadly to include citizens with no links to terrorism.

U.S. companies, meanwhile, are facing more and more cyber-espionage threats from sophisticated and persistent attacks that make their way into corporations via innocent-looking e-mails that are designed to plant back doors in networks and steal sensitive information. Clarke, whose Good Harbor Consulting firm advises government and corporate clients on such security issues, was named to the board of security provider Bit9 today.

Clarke spoke to CNET in a phone interview on the eve of the announcement about the benefits of the Patriot Act, why President Obama should appoint a civil liberties commission, and how U.S. corporations and government agencies are susceptible to cyber espionage.

Q: The Patriot Act, has it worked, or was it overkill?
Clarke: A lot of people react negatively to the Patriot Act when the phrase is used because they associate things with the Patriot Act that frankly aren't in it, things that were abusive. And when you go back and look at the Patriot Act none of those things were justified by the act. There were a few minor things that needed adjustment in it. But overall I think it did help break down the wall between the FBI people working on criminal cases and the FBI people who were working on intelligence cases. That so-called Chinese wall that existed between the two was really detrimental.

So, have there been any abuses or overstepping of bounds?
Clarke: I haven't seen one. That's not to say there hasn't been any. I am aware there are some provisions where it was never specified that there had to be a terrorism-related predicate, and that's a tweak that should be made. There are some cases where, for example, national security letters were signed out originally by FBI officers who were mid-level supervisors and that's been changed so you have to have a senior officer sign them out. So there were minor problems. But I'm not aware of any really major problems that resulted from the Patriot Act. That's not to say there weren't abuses but they weren't authorized by the Patriot Act.

Do you think the Patriot Act should be amended to require a warrant for an agency to read someone's e-mail or track their location, say via cell phone GPS?
Clarke: Yes, I believe a warrant should be necessary for the government to access personal e-mail.

So, 10 years later, are we safer from terrorism?
Oh sure. We're safer. The question is, are there still things that we should do and are there things we're doing that are unnecessary? Overall you can certainly point to areas where we're safer such as passenger aviation.

Do you credit the fact that there haven't been any attacks on U.S. soil to the measures that have been taken since 9/11?
Clarke: Some. Part of it is that the terrorists found, for a number of years, that it was easier to attack us in Iraq, since we had moved half a million Americans over there to be targets. And now they're finding it easier to attack us in Afghanistan. That's part of it. Part of it is the belief on the part of potential terrorists that it's very hard to get into the U.S anymore and I'm glad they think that, but I'm not sure it's true.

Have you heard of the concept of "security theater," which basically refers to security measures designed to impress but that are actually ineffective and silly?
Clarke: I think there are probably a lot. Over the weekend in Washington and New York I saw a lot of police cars parked prominently around with their lights blinking. I think the blinking lights were supposed to scare away terrorists. I don't know. That seemed to me a prime example of security theater.

How much of our privacy has been given away online?
A lot to the private sector companies that accumulate data for commercial purposes. Very little to the government.

"The European standard is that you have to opt in to data collection by commercial companies and the American standard is you have to opt out. So commercial companies know an enormous amount about you."

So, is there an Echelon-type project going on that is monitoring everyone's phone conversations and tracking people's movements?
Clarke: No. But it makes for a good movie.

So was there ever an Echelon, or was that exaggerated?
Clarke: As I understand, the public use of the phrase "Echelon" refers to NSA's activities with several other countries to intercept communications abroad. And obviously NSA does intercept communications abroad and it does it in cooperation with some other countries. I think that's good. It saves lives.

So, what is the vision of the future for privacy and surveillance?
Clarke: I think we need to have in the federal government a civil liberties protection and privacy protection point in the White House. The 9/11 Commission recommended that and Congress authorized it. As far as I know President Obama has not even appointed the Civil Liberties Commission, unless I missed it. I think we need to have a bipartisan group that is reporting to the president that has top clearances and can see everything and have subpoena authority and can look at activity to see if anyone in the government is engaged in questionable activities that violate privacy rights or civil liberties. But we need a clear understanding first of what privacy rights are. In the U.S. those rights are not as clearly defined as they are in Europe, unfortunately. The European standard is that you have to opt in to data collection by commercial companies and the American standard is you have to opt out. So commercial companies know an enormous amount about you.

Should the standard be opt in?
Clarke: Absolutely.

What grade would you give President Obama on fighting terrorism?
Clarke: A very high grade. If you look at what he did from almost the day he took over in terms of revitalizing the U.S. campaign against al Qaeda, it was really night and day. If you look at what he's been able to do about destroying al Qaeda both in Afghanistan and Pakistan, it's really quite remarkable. And we could have been doing that all along.

What is the real or imagined threat of cyberterrorism at this point?
Clarke: I never use the term "cyberterrorism." I think it's a very misleading phrase. There is terrorism and there are cybersecurity issues but the two haven't really overlapped. And the term "cyberterrorism" conjures up al Qaeda taking out the power grid and they haven't done that. The real crimes in cyberspace are (financial) theft and espionage.

How big is the threat of espionage and advanced persistent threats or APTs, which are used in espionage sometimes?
Clarke: APT is a phrase that covers a multitude of attacks and what it really refers to are sophisticated attacks against companies or government ministries that are very hard to stop and maybe multi-vector. So if one attack technique doesn't work they try another one. Very few companies and government agencies are able to successfully stop attacks if the attacker really wants to get in. The reason I'm joining the Bit9 board is they have a technology that stops some of those attacks and has in the real world. But there's no silver bullet. No one company or product can save you from advanced persistent threat.

How prevalent is cyber-espionage?
Clarke: It's extremely prevalent. Secret Service and Verizon looked at 90 companies where a data breach has occurred and two-thirds didn't know they had a data breach until the Secret Service and Verizon talked to them. When you get CIOs off the record and ask how many of you have had a bad breach and lost terabytes of data, it's in every company and every sector. And it's both competitive and commercial information and when the government is the target it's the usual national security secrets like the design of a new fighter plane. But I'm worried much more about the loss of intellectual property and competitiveness because the United States does espionage too, but we don't hack our way into foreign companies, collect their secret sauce, and turn around and give it to America companies. That is a new problem and in a global marketplace, where there is international economic competition, if we spend taxpayer dollars or stockholder dollars on R&D and someone in China can come along and steal that R&D, how are we supposed to compete effectively?

"I think China is the largest culprit right now in terms of industrial espionage at the state level. Frankly, from their perspective why shouldn't they be since it appears to be no cost to doing it, they don't get punished for doing it?"

Is China the main culprit?
Clarke: I think China is the largest culprit right now in terms of industrial espionage at the state level. Frankly, from their perspective why shouldn't they be since it appears to be no cost to doing it, they don't get punished for doing it?

Should we ever consider a cyberattack an act of war as Deputy Secretary of Defense William Lynn has suggested?
Clarke: I think what he said has been exaggerated. What I read into what he said was if there is a level of damage, destruction, or disruption to the nation, that had it been done by a bomb or kinetic activity, it would have been an act of war. Then if done by a cyberattack it should be an act a war. In other words, the means, whether it's a bomb, a missile or a cyberattack, is not the determining factor. It's how much damage, disruption, or destruction was done.

What about a cyberattack against a treaty partner that binds us to respond in kind?
Clarke: Well NATO has already decided that after the Russian attack on Estonia. NATO decided that under the NATO rules Article 5 can be invoked if any nation is attacked and, once again, it's not a matter of how you do it, it's what you do. If you would consider something an attack if it took place with a bomb or missile, that same level of destruction occurs with a cyberattack, it's still an attack.

What effect, if any, has WikiLeaks played in exposing some of the gaffes by the Bush administration? What does it say about where we're going based on how President Obama has reacted to the release of those documents?
Clarke: I haven't had chance to read all 250,000 documents, obviously. But what is striking to me as a general tone, not to say that there aren't exceptions, but as a general tone I was pleased to see that what the U.S. government was saying in private to other governments was pretty much what it was saying in public. And I was pleased to see that the quality of analysis and reporting from the American foreign service officers around world was very high, certainly much higher than most media reports on the same subject. While I'm sure there were embarrassments from the WikiLeaks, overall I am unaware of any huge new scandal that was revealed that had been hidden from the American people until WikiLeaks came along.

Any other comments about privacy and surveillance in this day and age?
Clarke: One consideration is how people, by using Facebook, LinkedIn, and Plaxo, reveal information about themselves on a voluntary basis that allows them to be targeted in spear phishing attacks. One form of the advanced persistent threat is you get an e-mail at your company and it appears to be from someone else in your company and there's an attachment. Ninety-nine out of 100 people, if they get an e-mail from somebody else in the company, will open it. This is what happened with the RSA attack earlier in the year and numerous other places. It's just too much to expect an employee to pick up the phone every time they get an e-mail from a colleague. People are just going to open it. You can't deal with that problem through awareness and education. You have to use products like Bit9, which will prevent you from opening the attachment if it has something malicious in it. So there are ways in which we can use technology to defeat these APTs, but people are often unaware of the new technology that is available.