Warnings for 2018

Warnings: Finding Cassandras to Stop Catastrophes

Richard A. Clarke

After the publication in 2017 of my book WARNINGS: Finding Cassandras to Stop Catastrophes, co-authored with R.P. Eddy, I have often been asked what my predictions are for possible trouble ahead. The point of the book was that there are recognized, data-driven experts who see things accurately before other experts, not that I am capable of seeing disasters coming.

Nonetheless, in response to several requests, I have examined the areas of my expertise and tried to see what current indicators might suggest. No doubt there will be positive advances in the year ahead, but there is limited downside to not seeing them coming. Not expecting crises, however, can have more significant and adverse consequences. So, here are the things that concern me which are not being given sufficient attention in the media or markets.

Iran’s Proxies, their Rockets, and Israel: Little noticed in the wake of the defeat of ISIS is the new strategic position that Iran has achieved. Tehran now has an unobstructed corridor through territory that it and its Shia militias control from Iran, through Iraq, across Syria, ending on the shores of the Mediterranean in Lebanon.

Using its political, economic, and military influence, Tehran, when it wants to, can dictate to the governments in Baghdad, Damascus, and Beirut, none of which can defy Iran without risking violence, replacement, or worse. Over the past six years Iran has recruited, mobilized, trained, deployed, and commanded tens of thousands of militia forces in Syria to help its ally in Damascus. U.S. National Security Adviser H.R. McMaster noted that “about 80 percent of [Syrian President] Assad’s fighters are Iranian proxies in Syria to establish a land bridge over into the Mediterranean.” These proxies come from Shia communities in Afghanistan, Bahrain, Iraq, and elsewhere. They have been trained by and fought in Syria alongside Iran’s special forces, the Quds Force of the Iranian Revolutionary Guard Command (IRGC). They now sit within driving distance of the Israeli border.

Iran has also provided Lebanese Hizballah with tens of thousands of rockets which have been deployed within range of Israel. Now, in addition, Iran is beginning to provide Hizballah with newer rockets which have higher degrees of accuracy and larger warheads.

Israel will not tolerate these two changes to the strategic equation in the region: first, the deployment of an Iranian-controlled international army in Syria and second, the assembling of a force of thousands of rockets capable of taking out Israeli air bases and command facilities. In 2018, there is a significant risk that Israel will launch a pre-emptive attack against Iranian-controlled militias and their rockets in both Lebanon and Syria. If it does, there is a risk of that war expanding into a broader regional conflict involving Iran, Saudi Arabia, and other nations, perhaps including the US.

Worsening Tragedy in Yemen: The multi-faction civil war continued throughout 2017 in Yemen with no immediate prospect of ending. Cholera spread in Houthi controlled areas around Sanaa, civilian casualties and suffering have been widespread, and infrastructure damage is extensive. In November 2017, Houthi fighters launched a missile that landed near the airport at Riyadh, Saudi Arabia. They threatened further missile strikes against cities in the Saudi-led coalition countries, reportedly including a planned attack against a nuclear reactor site in Abu Dhabi in the UAE.

US and Saudi officials have claimed that the missile that landed near Riyadh was not one that was in the Yemeni Army inventory captured by the Houthis; rather, they claim that it was Iranian-manufactured and smuggled into Yemen. Further long-range missile strikes into Saudi Arabia or the UAE may provoke the coalition partners to retaliate against Iran, either with Saudi missile strikes or UAE aircraft bombing. As with the tinder box along the Israeli border, there is the possibility of such an incident creating a wider war in the region, threatening oil and gas shipments from the Gulf.

ISIS or al Qaeda - Proof of Life: Two years ago the two major Sunni terrorist groups controlled cities in four countries. Then, in April 2016, al Qaeda was evicted from the city of Mukalla in Yemen by Yemeni and Emirati forces. In December 2016, Libyan militia and international advisors evicted ISIS from the city of Sirte. In 2017, Kurdish, Iraqi and US forces evicted ISIS from Mosul and other Iraqi cities. Later in Syria, a coalition led by Kurdish forces and US advisors evicted ISIS from its capital city, Raqqa. As the year came to an end ISIS was being driven from its last urban area, Abu Kamal on the Euphrates in southwestern Syria.

The US and its coalition allies have announced 30,000 air strikes against ISIS. General Raymond Thomas, the commander of US Special Operations Command, claimed that 60-70,000 ISIS fighters have been killed in the last three years. Even if that estimate were double the actual number, it would represent a significant number of ISIS supporters being killed. The casualties likely include most of the early leadership of the terrorist group.

Given all of this, one might erroneously conclude that there will be few problems from ISIS or al Qaeda in 2018. Both terrorist groups have, however, reverted to their earlier pattern of hiding in small cells in rural areas. Among the remaining cells may be the talented bomb makers who have been attempting to develop undetectable bombs for use on large passenger aircraft. In response to these efforts, American authorities have increased security measures on international flights entering the US. These two terrorist groups both have reason to attempt a “spectacular” terrorist attack in 2018 to prove they are still effective forces and to encourage their remaining supporters. Such an attack may focus on an airliner, perhaps one en route to the US.

Accidental War: Despite the beating of war drums by some US officials, I doubt for two reasons that the United States will launch a pre-emptive strike to eliminate North Korea’s missile and nuclear weapons capabilities in 2018.

First, American officials know that much of North Korea’s missile and nuclear weapons capabilities are dispersed, hidden, and located deep in well protected underground facilities. More than any other nation, North Korea has for over half a century been creating an extensive network of tunnels, bunkers, hollowed out mountains, and camouflaged facilities. No series of US strikes could find and destroy all of North Korea’s weaponry of concern, and what survived would certainly be immediately employed in retaliatory strikes on the US and/or South Korea.

Second, there is a math problem that deters US officials. Years ago, North Korea, using non-nuclear weapons, created a deterrent to prevent a US or South Korean attack. By placing over 20,000 artillery and multiple rocket launchers within range of South Korea’s capital and major city, the North has the capability to level the Seoul metropolitan area block by block at a moment’s notice.

The math problem is that the rate at which the US and South Korea can destroy those artillery pieces with non-nuclear weapons, most of which are in hardened and protected revetments or caves, is slower than the ability of North Korea to eliminate Seoul. By the time the US and ROK air forces and artillery could stop the incoming fire, North Korea could have already killed tens or hundreds of thousands of Seoul residents.

If the US tried a pre-emptive strike to “take out” North Korea’s nuclear and missile forces, US officials believe that the North’s bombardment of Seoul would probably begin immediately, perhaps even without a direct order from the North Korean high command. The artillery commanders may have already been instructed to initiate fire if they learn that the US has engaged in a major attack. Thus, an attempt to pre-empt North Korea would likely result in the destruction of Seoul, the capital and major city of our treaty ally.

Those two facts are well known by Secretary of Defense Mattis, who would counsel President Trump strongly against a “take out” strike. Why, then, does it look like the US is taking all the preparatory steps necessary for exactly that kind of attack against the North?

Faced with limited options, the US appears to be trying to intimidate North Korea into coming to the bargaining table to give up, or more likely to freeze, its missile and nuclear programs. The combination of economic sanctions and the credible-looking threat of a US strike are intended to convince the North Korean leadership to talk and to reach a deal.

The problem with trying to make North Korea believe that we may attack is two-fold. First, our actions have to look a lot like we are actually going to attack. Second, if the North is convinced we will attack, their response might not be to go to the bargaining table. It may be to go to war. What if North Korea does not understand that the US sabre rattling is largely kabuki theater? What if North Korean forces are on a hair trigger alert waiting for a US attack? Forces cannot be kept on high levels of alert for long without their nerves fraying and their judgement diminishing. In this kind of situation, mistakes and miscalculations can occur. Forces can bump into one another in the skies near North Korea or the waters off the coast.

The US is trying to persuade North Korea that we may attack it soon. If we succeed in that attempt, North Korea may decide to pre-empt us, or it may misinterpret some US activity as the beginning of the US attack. During the long Cold War between the USSR and the US, leaders on both sides worried about the possibility of accidental war, accidental nuclear war. I worry about that possibility on the Korean peninsula in 2018.

Wipr World: Maersk and Merck sound alike and are both very large, international corporations. Maersk is a Copenhagen based global maritime company, worth $215 billion, best known for its container ships. Merck is a New Jersey based drugs manufacturer worth $150 billion. One day in 2017, both companies had a problem and it cost them each about $300 million. The problem was a piece of computer malware given the unlikely name of NotPetya, to distinguish it from a previous piece of attack software called, of course, Petya.

Neither Maersk nor Merck, nor many of the other large companies hit by NotPetya (including global law firm DLA-Piper) were likely the intended targets of the cyber attack. The problem for them appears to have been that they had local Ukrainian offices which were using a Kiev based accounting firm. That firm updated its software automatically, slipping its updates right through the firewalls of its customers. So when the Ukrainian accounting firm got hacked and the malware was installed in the update package, all of the accounting firm’s customers got a little added present in their software.

Instead of providing new auditing capabilities, the software appeared to encrypt everything on the customers’ networks in what at first looked like a ransomware attack targeted against Ukrainian companies (probably by Russians). Then two things became clear, two things that brought Maersk’s global container ports to a halt for days and stopped production of Merck’s drugs for weeks.

The malware was not really encrypting everything in an attempt to extort ransom (you pay me, I give you the key to unlock your own data), it was actually erasing all data on the network, turning servers into useless pieces of metal. And, once inside a company’s firewall, it was not stopping until it hit everything that was connected. So from the local offices in Kiev, the malware jumped through global corporate networks hitting company servers throughout the world.

NotPetya was NotRansom-ware. It was what cyber geeks call a Wipr, software that wipes other software from computer hard drives. A Wipr was what Iran had once used on Saudi Aramco and what North Korea had used on Sony Pictures Entertainment. It is the ultimate weapon in destructive hacking, leaving laptops, servers, IP phones, mobile devices, and mainframes completely dead.

Whether NotPetya was a dress rehearsal or an attempt at localized mischief that went global by mistake, it got a lot of people’s attention. What malicious actors, including nation-states, realized was that this kind of attack, properly designed, could take down much of a nation’s infrastructure and keep it down for an extended period of time. The bad guys also figured out that if they put a time delay on their Wipr, it would probably be “backed up” into the set of recent data that companies keep to restore software just in case something does go wrong and they lose some material from their network through a crash or an attack. By getting a copy of the Wipr into the back-up, if a company had its software wiped and then tried to mount the recovery disks, they would actually be re-mounting the Wipr, which would then destroy their only remaining copy of their data.

What Chief Information Security Officers (CISOs) in major Western companies have figured out is that this means if a Wipr makes it on to their networks, they cannot respond by using their disaster recovery data back-up tapes. Instead of that procedure, which might take several hours, they will have to somehow scan the back-up files slowly looking for the Wipr software. That process, if it could be done at all, could take days. Almost no company is prepared to do that, nor are many companies capable of scanning the automatic software updates they get from dozens of application vendors.

If the software update has the certificate proving it comes from its manufacturer, chances are it will get right through the corporate firewall. In other words, what happened with that Kiev accounting firm’s app could happen with scores of commonly used apps that regularly update automatically or without code scanning at the receiving end. (I have, for example, no way to scan the software updates my Tesla Model X frequently receives. If, one day, the Tesla update contains a Wipr, my shiny, high tech car will just sit there like a sculpture with gull wings.)

Now that malicious actors have realized the possibilities of widespread havoc that can be instigated by a smartly designed Wipr, what we saw in 2017 with NotPetya will likely be repeated on a much larger scale in 2018. The fact that the governments of North Korea and Iran have already carried out a Wipr attack may mean that conflicts involving them could reach well into the US and give a slap down to networks the nation relies on to run the economy. That will bring cyber attacks to a new level of damage, well beyond the annoying loss of personal data that occurred in the notorious hacks of Yahoo, Equifax, and other sloppily maintained networks revealed in 2017.

So when you look ahead to what most experts are saying could go wrong in 2018, also consider these underreported possibilities. If they do happen, don’t say you weren’t given WARNINGS.



