The concern, as Clarke sees it, is not that the Chinese or whoever will, one day, out of the blue, set off the "logic bombs" that they've embedded throughout our computer-dependent electrical power grids, financial networks, and military communications systems, thus shutting us down as a modern economy and superpower—any more than the strategists of the 1950s and '60s thought that the Russians might, all of a sudden, launch a nuclear first strike.
The real issue is how potential foes might leverage their cyberwar assets to their advantage in a crisis—and what the United States needs to do, ahead of time, to nullify that advantage and to keep a cyberwar from severely damaging our economy or spilling over into a bombs-and-bullets war.
For instance, let's say China takes military action against Taiwan. Clarke asks, "What president would order the navy into the Taiwan Straits … if he or she thought that a power blackout that had just hit Chicago was a signal and that blackouts could spread to every major American city if we got involved?"
In this sort of crisis, the nuclear era's basic concept of "deterrence"—a threat of retaliation in kind—would have little effect, because America's power grid (like everything else electronic) is much more dependent on cyberspace and thus more vulnerable to a cyberattack.
What we need, Clarke writes, is "a credible defense," designed to cast doubt in the minds of potential attackers that their cyberattack will knock us out or paralyze the president with fear—at least enough doubt to dissuade them from launching the attack to begin with.
Taking our critical infrastructure offline is impossible at this point, but Clarke calls for a few reasonable steps. Among them: requiring the half-dozen largest Internet service providers to monitor traffic for logic bombs and other signs of intruders, tightening access to the power grid, and isolating Defense Department networks. These steps would involve federal regulations, which ISPs have resisted and all recent presidents (including, so far, Barack Obama) have eschewed.
He raises other intriguing possibilities: a no-first-use agreement on cyberattacks (at least for as long as a shooting war hasn't broken out); an extension of the Geneva Accords to ban attacks on purely civilian targets (such as power grids); and an international forum, similar to nuclear-arms-control talks, designed to reduce distrust, outlaw certain types of cyberattacks, and require "obligations to assist" in finding and punishing nations or private hackers who violate the code.
Meanwhile, Clarke calls on President Obama to find out what his Cyber Command generals are up to. In the early Cold War days, Gen. Curtis LeMay, the head of Strategic Air Command, had a plan to strike first if he saw the Soviets engaging in suspicious behavior, no matter what the president's policy might be. If Cyber Command is "preparing the battlefield" by laying logic traps all over the Chinese power grid, a step that Clarke thinks only eases the path to cyberwar in the event of tension (in the same way that German and French mobilization plans greased the skids to escalation in 1914), Obama should at least know about this, understand the implications, and stop the practice if he so desires.
When John F. Kennedy entered the White House in 1961, his secretary of defense, Robert McNamara, hired several RAND strategists as his assistants and had them prepare a memo to the Joint Chiefs of Staff, asking 96 questions about the nuclear-war plan. (The list became known as the "96 trombones.")
On the basis of the answers, he rewrote the SIOP in a way that tightened command-control procedures and, at least theoretically, allowed a president to avoid hitting cities and take "pauses" for possible negotiations to end the war. (Practically speaking, these efforts were probably chimerical, as McNamara and others eventually realized. Nukes are so destructive that it's a bit nuts to envision leaders calmly engaged in "controlled escalation" while megatons burst, fallout spreads, and communications links get zapped by an electromagnetic pulse. With cyberwarfare or, for that matter, conventional war, the idea of control isn't so loopy.)
Clarke, who knows very well about the 96 trombones, similarly asks 20 questions about cyberwar, among them: "What do we do if we wake up one day and find the western half of the U.S. without electrical power as the result of a cyber attack?" and "Do we envision the use of cyber war weapons only in response to the use of cyber war weapons against us?" and "How do we signal our intentions with regard to cyber weapons in peacetime and in crisis? Are they ways that we can use our possession of cyber weapons to deter an opponent?"
These are, as he notes, "pretty obvious questions," but, as he also admits, they're "not easy to answer," which might be why no American in a position of power has even begun to ask them. The big message of Cyber War is that it's time to start asking.