Before 1995, the Pentagon had designated four defensible domains of warfare: land, sea, air, and space. In the mid-1990s, however, it became evident that national safety could be compromised in a fifth, manmade domain: cyberspace.

Richard A. Clarke, America’s first cyber czar, spoke with Professor Karen J. Greenberg at Fordham Lincoln Center last Monday about his new book, The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats, published on July 16, 2019. (He co-authored the book with Robert K. Knake, with whom he also wrote Cyber War: The Next Threat to National Security and What to Do About It in 2010.)

Clarke has advised five presidents on intelligence and security, and he served as national coordinator for Security, Infrastructure Protection and Counterterrorism under Bill Clinton and George W. Bush. While introducing him, Greenberg noted how among all governmental officials serving at the time, Clarke alone issued an apology to the American people for the White House’s failure to prevent the catastrophic events of 9/11.

Greenberg then began the discussion with a blunt and urgent question: “Are we in a state of cyber war?”

Clarke and Knake, in their first book, define cyber war as “the destruction or damage of physical items—not ones and zeros—but items in the real world, by software.” Using that definition, Clarke did admit that the United States is more or less engaged in a low-grade cyber war with not only Russia, but China, Iran, and North Korea. He cited Iran’s shooting down of an American drone and the president’s decision to respond with a cyberattack to mitigate potential loss of life.

“War games in cyberspace tend to fall out of cyberspace and into the real world.”

“There’s this notion that it’s safe and clean, that no one will get hurt playing war games in cyberspace,” Clarke said. “But war games in cyberspace tend to fall out of cyberspace and into the real world.” This was certainly the case earlier this year, when the Israeli Defense Force, after falling victim to a Hamas cyberattack, retaliated by bombing and destroying Hamas’ cyber headquarters. It was the first known instance of a real-time physical response to a cyberattack.

Neither does a software-based counter-offense to a cyberattack necessarily work. He cited the United States’ response to Russia’s hacking of American power grids—hacking into Russia’s power grids, instead of strengthening the U.S.’s cyber defenses. He likened the action to both sides having the sword of Damocles hanging over their heads.

Clarke cautioned that the Cold War-era maxim of “mutually-assured destruction” does not apply in a cyber conflict. In the case of nuclear war, it is clear from whence weapons have been deployed, and the destruction those weapons cause is both understood and assured. In a cyberattack, it is not always immediately evident who is doing the attacking—many nation states steal or mimic one another’s technological weapons—and there is no guarantee that a cyberattack, once launched, will actually work as intended. There is the added issue that once technological weapons are tested, they are easily recognized and thwarted, thus rendering a hypothetical cyber “Manhattan Project” useless, even if such a project were necessary.

The way to achieve a state a little more like peace, Clarke suggested, is not only to build defensive, resilient systems, but to exercise cyber arms control, similar to how, during the Cold War, United States and Soviet officials would sit down together to negotiate a set of terms.

On a hopeful note, Clarke highlighted that we already possess the technology necessary to defend our country from cyber threats, but that it simply needs to be widely and consistently deployed. However, there are those who would prevent distribution of that defensive technology. In the case of electoral security, a pressing topic in the months leading up to November 2020, what prevents smaller localities from defending their voting software is lack of funding. A recent bill was passed in the House of Representatives to fund states’ and counties’ purchase of cybersecurity software to allow them to identify and defend against attacks. Despite bipartisan support in the Senate, the bill was blocked by Majority Leader Mitch McConnell.

Though much of the discussion focused on national cybersecurity, Clarke did touch on threats to individual and private sector cybersecurity. In the book, he and Knake advocate for cyber resilience—defensive systems that allow a company (or a government) to resist, withstand, or quickly recuperate from a cyberattack.

Audience members asked Clarke what he thought would be necessary to rouse the American public from complacency to action over the state of our cyber insecurity, if it would take the software equivalent of the 9/11 attacks. He did reply that we are making incremental progress, but likened Americans to the frog who sits too long in the slowly-heating water and does not know to jump out once it reaches a boil. “We can’t wait for the big event. The death of 1,000 cuts, in many ways, is already occurring.”