We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Book Review by Canon Committee Member, Ben Rothke: Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath (2015) by Ted Koppel
One of the most successful television commercials in history was for the financial firm E. F. Hutton, based around the catchphrase, “When E. F. Hutton talks, people listen.”
In the world of broadcast journalism, when Ted Koppel speaks, people listen. And when he writes, people read. And read indeed, as his new book Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath is in the Amazon top 200.
Yet, with his over 50 years of journalistic experience, this book shows that, just because you are a world-renowned reporter, that doesn’t mean you always get the story right.
In the superb, Canon-worthy book Threat Modeling: Designing for Security, author Adam Shostack shows how to use threat modeling to enhance software security. By applying threat modeling, information security can be enhanced. Shostack’s book offers a structured, methodical framework, and a model for determining a threat and its entire lifecycle, such that each of the key elements are identified and adequately assessed.
The problem with Koppel’s book is that his approach to the topic is anything but structured and methodical. He sets up a straw man question, never fully identifies the threats facing the power grid, and never gives specific weights to those threats, such that the reader is left with Chicken Little meets the power grid. The book’s premise is that a major and devastating cyberattack on America’s power grid is imminent. While it’s a disturbing hypothesis, never once does Koppel detail how such an attack would actually take place.
Throughout the book, Koppel sets up his straw man and uses terms such as imagine, may, could and similar, tenuous phrases. While these doomsday and worst-case scenarios are indeed terrifying, never does the book detail the specific how. Much of the book contains details of Koppel’s travels and narratives of the people he meets. From preppers in Montana, to leaders of the Mormon Church, whose doctrines include planning for cataclysmic events, and more. This is a detail of Ted’s great adventure.
One of the more disturbing interviews is with Jeh Johnson, Secretary of the Department of Homeland Security. Johnson comes across somewhat clueless of the energy sector cyberthreat, about which Koppel noted that, while Johnson’s answer to Koppel’s question lasted 13 minutes, he never addressed the question, and it was an area in which Johnson conceded that he had little expertise.
Koppel admits that he is not proficient in the complicated energy sector. To help him navigate through the arcane world of grid reliance standards and the evolving relationship between power industry groups and federal regulators, Koppel engaged the services of Dr. Ryan Ellis of the Cyber Security Project at Harvard University. Koppel notes that he sent transcripts of key interviews and rough drafts of relevant chapters to Dr. Ellis for his review and comments. Incredulously and disconcertingly, Koppel states that he didn’t always follow the advice of Dr. Ellis.
What Koppel did is speak to a lot of very senior people and put what he gleaned into writing. What’s conspicuously missing is his speaking to any cybersecurity expert with experience in SCADA, malware or related areas. In an interview for CSO Online, Koppel was asked if he interviewed penetration testers who have experience in the electric generation and transmission sector. Incredulously, he said “no.” I don’t think Koppel understands the significance of that exclusion, and therein is the fundamental problem with this book.
There are indeed threats to the power grid. But, if you want to know about those – the real threats and how they can be dealt with – this is not your book.