Hoan Ton-That interviews Richard Clarke, Former National Coordinator for Counter-terrorism, Former Deputy Assistant Secretary State Department
By Hoan Ton-That INTERVIEWS
When our friend Lee Wolosky introduced us, he said you were already writing a futuristic novel about facial recognition. What is it called, and what got you interested in the topic? And, will Bill Clinton be getting a copy of the book?
Artificial Intelligencia will be published in March, 2022. It's the story of a Chinese detective who is an expert in facial recognition and AI. He discovers that somebody has invented thousands of fake personas, all of whom are getting paid as employees of big companies. When he tries to find out who did this and why, things get complicated and risky. I have always had a fascination with the use and misuse of technology for personal identification. My novels try to show the near future and highlight issues we should be addressing, while providing a fun read. President Clinton loves a good thriller, so I will definitely be sending him a copy.
You have been consistently at least 5 to 10 years ahead of the curve when it comes to big threats: terrorism, cybersecurity and China. In the next 10 years, what do you think are some of the potential threats that people do not pay enough attention to?
Some people are always paying attention to the next big things, but often not the decision-makers. We wrote about this phenomenon in the book Warnings: Finding Cassandras to Stop Catastrophes. The elephant in the room is the financial and societal impact of climate change. There are no good financial models of what the effect on the economy will be from sea level rise, desertification, movement of growing areas, seafood depletion, refugee resettlement etc. It is possible that those costs will do profoundly severe damage to the U.S. and global economy.
Cyber Weapons are getting more sophisticated and harder to detect. Technical solutions for prevention and detection will never be perfect, and it seems that more 0-days are being found everyday. Do you think there is a workable political solution for cyber arms control?
We know what to do. Form a group of Like Minded Nations, create cybersecurity cooperation standards and practices, and then tell the cyber sanctuary nations to shape up or face serious sanctions. The U.S. would have to lead and right now it's not a priority for the Administration.
When you wrote your first cybersecurity book, some reviewers said that: “file it under fiction, this will never happen”, and 10 years later, many of these things, like hackers shutting down real world infrastructure, happened. Is this why you write fiction? What is the difference between writing fiction and non-fiction, and which do you prefer?
I have written five novels and five non-fiction books. The tag line on my first novel was “sometimes you can tell more truth through fiction.” The fiction is easier to write because it requires no footnoting, but it does take research. My fiction tries to make tech-related issues and near futures come alive in a way that a non-fiction book never can. I try to let the reader see how things might play out and affect regular people.
One surprise you mentioned is how businesses actually could improve their cybersecurity over the years and many have adopted a lot more best practices. What was the catalyst for corporate organizations taking it more seriously in the last 10 years?
The Financial Services sector led the way a) because they were being targeted so much and it was getting costly, and b) the U.S. government started regulating their cybersecurity. For most companies the motivator is that they were attacked successfully or a company like them was recently hit. CEOs get religion when they realize that the cost of doing cybersecurity well is less than the cost of being hit.
You were raising the alarm about Chinese cyber espionage in 2012, and now it seems that the consensus in Washington is that it is a major problem for the U.S.. China has been able to catch up and in some areas surpass American technology. The U.S. is an open society while China is not. What is the best way, in your opinion, to solve this asymmetry while keeping our society open?
Intelligence collection is a necessary activity of major powers. Intellectual property theft, especially when it is widespread and government controlled, is unacceptable. The Obama-Xi cyber agreement drew that distinction. Unfortunately, China broke the agreement after a year or two and there was no real government-to-government discussion of those violations, nor any specific sanctioning designed to reinstate the agreement.
Another trend you picked early, is the fact that cybercrime can be done by criminals in completely different jurisdictions, especially financial fraud. COVID-19 has accelerated this trend, and we see it from our customers in law enforcement, who are able to identify financial criminals with help from our facial recognition technology and database. How big of an impact do you think facial recognition technology could play in the reduction of financial fraud and identity theft in the future?
Well, we know that cameras and the use of FR have dramatically reduced street crime in neighborhoods where it has been utilized. FR as part of multi-factor authentication (MFA) can significantly reduce on-line theft, but FR will need to continuously improve to discern when a static picture is being used in conjunction with algorithms to make them seem alive. FR needs to be seen as a part of an overall cybersecurity strategy for enterprises, which would also include Identity Access Management, Privileged Access Management, micro-segmentation, zero trust architectures, and digital rights management.
Attribution of cyberattacks has previously been a hard thing to do, since there is an easy availability of IP proxies and other ways to disguise attacks. How have forensic tools for attribution improved since you have been in the field?
Attribution is difficult except when the investigator is a state actor with advanced cyber capabilities. A state actor may be able to watch attacks in real time or near real time, then conduct trace backs. A state actor may be able to identify “staging servers” from which particular malicious entities conduct their activities. A state actor may be able to use Human Intelligence to penetrate criminal gangs or even nation-state organizations. Embedding beacons and self executing wiper ware in honey pots and sensitive files may also assist the defender in identifying or deterring attackers.
Ransomware has been getting more attention now, since the development of cryptocurrency as a method to anonymously transact. Previous ransomware criminals were using the VISA/Mastercard credit card network, which have now successfully shut them out. With cryptocurrencies, this is a lot harder to do. What is the best way to help solve this problem, and do you think companies should be paying ransom at all to cybercriminals?
As long as cyber insurance will pay the ransoms, criminals will attack networks. About 94% of ransoms paid by U.S. companies were covered by insurance. The U.S. government is sanctioning crypto exchanges that facilitate ransomware, thereby making it illegal to use them. Most enterprises hit by ransomware are now choosing not to pay. The problem is if the entity that was attacked is a vital service (e.g. hospital) and needs to get back up very quickly. Policy-makers need to address how to assist such institutions so that they too can refuse to pay.
How do you think Clearview AI will change the world?
I am excited by Clearview AI because it offers us a near-term tool to reduce crime and to ease the process of proving who we are for access purposes. In the very near future, we will all be accessing buildings and airline flights with FR, buying goods with FR in stores without going through check-outs, etc. For those systems to work with minimum fraud and security risks, we are going to have to know not just who that person says they are, but who they really are. Clearview AI can make that possible: greater safety and security, less loss to fraud, less impunity for criminals whether they are child molesters, insurrectionists, muggers, car jackers, home invaders, or financial fraudsters.
___