ALEX WONG/Getty Images

Cyberwarrior: The real cyberthreat, Richard A. Clarke warns, is that “all of our information is being stolen.”

Foreign Policy: Last year, a Pentagon computer network serving Defense Secretary Robert M. Gates was hacked into, allegedly by the Chinese military. Do you think the Chinese military was behind the attacks, and if so, what was it trying to accomplish with these attacks?

Richard A. Clarke: I think the Chinese government has been behind many, many attacks—penetrations. “Attacks” sounds like they’re destroying something. They’re penetrations; they’re unauthorized penetrations. And what they are trying to do is espionage. They’re engaged in massive espionage, not only in the U.S. government, in the U.S. private sector as well, but also around the world. The British security service, MI5, sent a note to the 300 largest corporations in England a few months ago, telling them that the Chinese government had probably penetrated their networks.

FP: How vulnerable do you think the U.S. government is to a cyberattack or cyberpenetration? How seriously should this threat be taken?

RC: Well, I think it’s being taken very seriously. President Bush signed a National Security Presidential Directive on the 8th of January redirecting billions of dollars into protection against it. I think it should be taken very seriously. The United States government and private corporations are quite vulnerable even though they think they’re not.

FP: What’s the worst-case scenario from a cyberpenetration of the U.S. government’s computer network? Are we talking about things like remotely attacking nuclear power plants and things on that scale?

RC: Well, people tend to think about, sort of, attacks that change things—turn off power grids, or whatever. And while that’s possible, what is happening every day is quite devastating, even though it doesn’t have a kinetic impact and there are no body bags. What’s happening every day is that all of our information is being stolen. So, we pay billions of dollars for research and development, both in the government and the private sector, for engineering, for pharmaceuticals, for bioengineering, genetic stuff—all sorts of proprietary, valuable information that is the result of spending a lot of money on R&D—and all that information gets stolen for one one-thousandth of the cost that it took to develop it.

FP: Both China and Russia have received attention as cyberthreats. Which country do you think is more of a threat, and are there other countries, or nonstate actors, to be worried about also?

RC: I think nonstate actors could develop capabilities rivaling that of nation-states because this is the classic case of asymmetrical warfare where small numbers of highly skilled people could have the same effect as could a nation-state.

FP: What do you expect the capabilities of the new Air Force Cyber Command to be?

RC: I think they’re probably both offensive and defensive. But on the defensive side, all they can do is defend the Air Force or perhaps other DOD [U.S. Department of Defense], or maybe even other federal government, entities. And the problem is that much of what we need to protect is not in the U.S. government; it’s in our private companies and our private networks.

There should be a White House senior person who has oversight of all government programs in the area of cyberdefense. There hasn’t really been someone since I left, and I think they need to re-create that position.

FP: You mentioned both the defensive and offensive capabilities of the Air Force Cyber Command. What kind of offensive cybercapabilities should the United States ideally have?

RC: Highly classified ones.

FP: You mentioned earlier in discussing the Air Force Cyber Command that it’s not just cyberpenetrations of government computers that we should be concerned about, but also private industry. So, are you concerned about cyberpenetrations by foreign governments against U.S.-based defense contractors?

RC: Well, yeah. I’m also concerned about penetrations of U.S. research-and-development firms, everything from pharmaceuticals to genetics to aerospace engineering—all the things we have to sell in our knowledge-based economy. We are a post-industrial, knowledge-based society. That’s what we sell to the world. If other people can steal it readily, then we won’t have much of a margin.

There’s been a lot of talk about a cyber Pearl Harbor. People say that I coined the phrase, and I’m afraid I actually didn’t. But, if we wait for that—just as we waited for 9/11 to do something about al Qaeda—if we wait for a cyber Pearl Harbor to do something about cyber[security], it may never come. But we will, nonetheless, be losing huge amounts of valuable information to our competitors and to cybercriminals who cost our society billions of dollars a year. Just because we haven’t had the big attack doesn’t mean that we should wait to act.

Richard Clarke is chairman of Good Harbor Consulting. He was formerly the principal counterterrorism advisor on the U.S. National Security Council under presidents Bill Clinton and George W. Bush.