[Infowarrior] - Schneier Reviews Clarke's 'Cyberwar'

[Richard Forno]

Book Review: Cyber War

Cyber War: The Next Threat to National Security and What to do About It 
by Richard Clarke and Robert Knake, HarperCollins, 2010.

http://www.schneier.com/blog/archives/2010/12/book_review_cyb.html

Cyber War is a fast and enjoyable read. This means you could give the book to your non-techy friends, and they'd understand most of it, enjoy all of it, and learn a lot from it. Unfortunately, while there's a lot of smart discussion and good information in the book, there's also a lot of fear-mongering and hyperbole as well. Since there's no easy way to tell someone what parts of the book to pay attention to and what parts to take with a grain of salt, I can't recommend it for that purpose. This is a pity, because parts of the book really need to be widely read and discussed.

The fear-mongering and hyperbole is mostly in the beginning. There, the authors describe the cyberwar of novels. Hackers disable air traffic control, delete money from bank accounts, cause widespread blackouts, release chlorine gas from chemical plants, and -- this is my favorite -- remotely cause your printer to catch on fire. It's exciting and scary stuff, but not terribly realistic. Even their discussions of previous "cyber wars" -- Estonia, Georgia, attacks against U.S. and South Korea on July 4, 2009 -- are full of hyperbole. A lot of what they write is unproven speculation, but they don't say that.

Better is the historical discussion of the formation of the U.S. Cyber Command, but there are important omissions. There’s nothing about the cyberwar fear stoked that accompanied this: by the NSA's General Keith Alexander -- who became the first head of the command -- or by the NSA's former director, current military contractor, by Mike McConnell, who’s Senior Vice President at Booz Allen Hamilton, and by others. By hyping the threat, the former has amassed a lot of power, and the latter a lot of money. Cyberwar is the new cash cow of the military-industrial complex, and any political discussion of cyberwar should include this as well.

Also interesting is the discussion of the asymmetric nature of the threat. A country like the United States, which is heavily dependent on the Internet and information technology, is much more vulnerable to cyber-attacks than a less-developed country like North Korea. This means that a country like North Korea would benefit from a cyberwar exchange: they'd inflict far more damage than they'd incur. This also means that, in this hypothetical cyberwar, there would be pressure on the U.S. to move the war to another theater: air and ground, for example. Definitely worth thinking about.

Most important is the section on treaties. Clarke and Knake have a lot of experience with nuclear treaties, and have done considerable thinking about how to apply that experience to cyberspace. The parallel isn't perfect, but there's a lot to learn about what worked and what didn't, and -- more importantly -- how things worked and didn't. The authors discuss treaties banning cyberwar entirely (unlikely), banning attacks against civilians, limiting what is allowed in peacetime, stipulating no first use of cyber weapons, and so on. They discuss cyberwar inspections, and how these treaties might be enforced. Since cyberwar would be likely to result in a new worldwide arms race, one with a more precarious trigger than the nuclear arms race, this part should be read and discussed far and wide. Sadly, it gets lost in the rest of the book. And, since the book lacks an index, it can be hard to find any particular section after you're done reading it.

In the last chapter, the authors lay out their agenda for the future, which largely I agree with.

	• We need to start talking publicly about cyber war. This is certainly true. The threat of cyberwar is going to consume the sorts of resources we shoveled into the nuclear threat half a century ago, and a realistic discussion of the threats, risks, countermeasures, and policy choices is essential. We need more universities offering degrees in cyber security, because we need more expertise for the entire gamut of threats.
	• We need to better defend our military networks, the high-level ISPs, and our national power grid. Clarke and Knake call this the "Defensive Triad." The authors and I disagree strongly on how this should be done, but there is no doubt that it should be done. The two parts of that triad currently in commercial hands are simply too central to our nation, and too vulnerable, to be left insecure. And their value is far greater to the nation than it is to the corporations that own it, which means the market will not naturally secure it. I agree with the authors that regulation is necessary.
	• We need to reduce cyber crime. Even without the cyber warriors bit, we need to do that. Cybercrime is bad, and it's continuing to get worse. Yes, it's hard. But it's important.
	• We need international cyberwar treaties. I couldn't agree more about this. We do. We need to start thinking about them, talking about them, and negotiating them now, before the cyberwar arms race takes off. There are all kind of issues with cyberwar treaties, and the book talks about a lot of them. However full of loopholes they might be, their existence will do more good than harm.
	• We need more research on secure network designs. Again, even without the cyberwar bit, this is essential. We need more research in cybersecurity, a lot more.
	• We need decisions about cyberwar -- what weapons to build, what offensive actions to take, who to target -- to be made as far up the command structure as possible. Clarke and Knake want the president to personally approve all of this, and I agree. Because of its nature, it can be easy to launch a small-scale cyber attack, and it can be easy for a small-scale attack to get out of hand and turn into a  large-scale attack. We need the president to make the decisions, not some low-level military officer ensconced in a computer-filled bunker late one night.
This is great stuff, and a fine starting place for a national policy discussion on cybersecurity, whether it be against a military, espionage, or criminal threat. Unfortunately, for readers to get there, they have to wade through the rest of the book. And unless their bullshit detectors are already well-calibrated on this topic, I don't  want them reading all the hyperbole and fear-mongering that comes before, no matter how readable the book.

Note: I read Cyber War in April, when it first came out. I wanted to write a review then, but found that while my Kindle is great for reading, it’s terrible for flipping back and forth looking for bits and pieces to write about in a review. So I let the review languish. Finally, I borrowed a paper copy from my local library.