The Register on October 14, 2010 reports that Richard Clarke told the RSA conference in London:
"These countries are international cyber-sanctuaries for crime," Clarke said.
"Local governments tolerate hacking where attacks occur outside the country. Hackers, who pay local police kickbacks, can be used to work for the government, in cases where they need plausible deniability."
Clarke said "renegade" countries need to be pressured into acting on cyber-criminals through a process akin to the way in which countries who tolerated the laundering of drug profits through their banking system were brought into line.
"There ought to be consequences for scofflaw nations who do not live up to international norms," Clarke said. "We can limit traffic in and out of renegades by applying filtering and monitoring."
"At the moment none of that is going on," he added.
This is an argument also contained in his 2010 book and to which we have referred in class as "imputed responsibility." The problem, as members of our seminar have argued, is that the United States likely would not want to be held responsible for some of the things emanating from servers in the U.S.
According to the article, he also called for a new Internet protocol specifically designed for security. This, also, has been discussed in our seminar, and it is the specific topic of one of our students' research paper.
The former counter-terrorism and cyber-security advisor to four US administrations argued that a fundamental rethink on internet architectures was needed in order to limit cybercrime and related problems, such as economic espionage.
* * *
"Spending more money on firewalls, anti-virus and intrusion prevention is just throwing more good money after bad," he said.
"The money spent to develop the next version of the X-box would be better spent on the next protocol for the internet. With respect to Vint Cerf and the engineers who created the internet we ought to think about developing a network that's more secure."
"The cost of the R&D would be a mere fraction of cost of R&D for the crap that doesn't work," he concluded.
The Register article, Former White House advisor wants cybercrime haven crackdown, can be read in full at this link.
Rick Bennett
One of Clarke’s assertions is that we need to stop playing defense and go on the offense. One of my own flights of fancy (okay, I’m a novelist with the beginnings of an idea) is that pursuant to US Constitution Article 1 Section 8 the Congress authorize bonded cyber privateers and make security really profitable (see http://www.TheMorganDoctrine.com). The idea is still rough, so don’t throw out the baby with the bath water, but privateers substantially financed and won the Revolutionary War. Maybe this is a piece of the equation Mr. Clarke should consider.
William Snyder
Indeed, Mr. Bennett, I do not think that your idea should be summarily dismissed. Just last Monday during our seminar at Syracuse University, the idea of “Letters of Marque and Reprisal” came up. Earlier in the term, a student suggested deputizing large corporations with significant IT capabilities in order to allow them to “hack back” against cyber attacks, in order to use the private sector’s considerable capacity while avoiding the criminal prohibitions of the Computer Fraud and Abuse Act against accessing a protected computer without authorization. Also, deputization would allow for some government oversight of the private actor’s response. Still, the problem of a lack of predictability of outcomes in a networked environment remains a serious cause for pause before authorizing any kind of cyber reprisal or “hack back.” Thanks for the input.