The Cybersecurity Canon: Cyber War

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Cyber War: The Next Threat to National Security and What To Do About It (2010) by Richard Clarke and Robert Knake

This book covers a lot of ground. It’s essential to the cyber warrior who needs to understand the historical context around the evolution of defending any nation in cyber space. For international policy makers, it is a good place to start for a real discussion about substantive policies that the international community should consider.

For the commercial security folks, read this book if you want insight into how government policy makers frame the problem and what they would want to implement if they could. Even if you do not agree with the policies, you will come away with a better understanding of what they want. Richard Clarke and Robert Knake discuss the nature of cyber warfare, cyber espionage, cyber crime and cyber terrorism and provide specific examples of several.

In the last five years, we’ve seen a plethora of books on cyber warfare hit the market. I’ve read several, but I prioritized Clarke’s book because of his background. Before he retired from government service, he served three different US Presidents as the Special Assistant to the President for Global Affairs, the National Coordinator for Security and Counterterrorism and the Special Advisor to the President for Cybersecurity.

Clarke and Knake published “Cyber War” in April 2010, just months short of when the public became aware of STUXNET. Some of the things Clarke suggests could have used the context of STUXNET – it was a game-changing event in the security community – but for the most part, I like what Clarke brings to the table.

Because of his background, this book is about policy and not really about how a nation might deploy assets in a cyber war. Specifically, it is about what the US should consider adopting going forward when considering the implications of an all-out cyber war.

He starts with a history of cyber events to demonstrate why we need the policy. He covers the usual suspects, but in some instances, the events Clarke cites aren’t really about cyber warfare at all. Two of them, Moonlight Maze and Titan Rain, are specifically about cyber espionage, and Eligible Receiver is about computer network defense. Others, including Estonia and Georgia, see, barely to meet Clarke’s own definition of cyber warfare:

“[T]he term “cyber war” … refers to actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”

What all of these events have in common, however, is that they shaped Clarke’s thoughts on what to do about cyber warfare. Eligible Receiver proved that Department of Defense networks are vulnerable. Even after a decade, there’s still evidence to suggest that DOD networks are as porous today as they were back in 1997.

Moonlight Maze was the proverbial wake-up call, however. The dictionary definition of asymmetry is a “Disproportion between two or more like parts.” Clarke says that when a nation sits on the high end of that equation (the US for example), they have a high degree of “cyber dependence.” In other words, that nation depends greatly on cyber for it to function. If that is out of balance, an asymmetric advantage develops and cyber defense becomes more important than cyber offense. Another event in the last decade, Titan Rain, proved again how weak the DOD networks were and how successful Chinese cybercriminals had been in pursuing their asymmetric vision.

From there, Clarke describes examples of how various nation states have experimented with cyber warfare in the past, particularly the US, Russia, Israel and North Korea. With this history lesson complete, Clarke makes the case that the US defenses against these kinds of attacks are weak, both for government networks and for commercial networks, and spends the rest of the book talking about what should be done about it.

Clarke’s bottom line is that, painful as it might be, the US will require sweeping new laws, regulations and policy in order to protect the nation from this threat. He points out that Cyber Command is responsible for defending the DOD networks and that the Department of Homeland Security is responsible for protecting the non-DOD government networks.

Nobody is responsible for protecting the commercial side. That might seems short sighted when you lay it out like that, but in truth, is there much love lost between the commercial side and the U.S. government, whose track record on security isn’t all that good? The standoff between the US government and the commercial sector has been going on for well over a decade. Clarke’s point is that enough is enough. Tough decisions are required.

Clarke’s Proposition

Clarke’s proposition is the Defense Triad Strategy:

• Secure the US Backbone
• Secure the US Power Grid
• Install security best practices on all government networks (NIPRNET /SIPRNET /JWICS)

I totally agree with the first one. Today, the US Internet is a mix of commercial ISPs that interconnect with each other and the rest of the world based on business decisions. While all of the big ones cooperate with each other and with the US government, their first priority is to make money. If a large-scale attack on the financial system, for example, is launched from a foreign adversary, the US government has no first hand means to monitor the situation. They largely have to depend on the generosity of the commercial sector to share information.

Today, most of these commercial companies willingly share with the government, but the system is inefficient and will likely not prevent the first wave of attacks. Clarke’s point is that somebody from the government should be monitoring the US cyber perimeter. Privacy advocates will scream and detractors will point out that it is equally possible to launch an attack against the food system from within the US as it is from a foreign country. In his book, Clarke acknowledges those issues but advocates that just because they will be controversial does not mean we should not address them.

For Clarke’s second point, I was a little skeptical at first. Why single out power as the first priority among 18 different critical infrastructure sectors such as banking, and food? After further thought, though, it’s clear the reason the US is cyber dependent is because it has reliable power distributed across the entire nation. Take that out and the rest of the 18 critical infrastructure sectors come tumbling down after it.

For his last point, it is a little sad that in 2013 we have to suggest that the US Government should install basic best practice security measures (like need-to-know network segmentation, file encryption, and host-based intrusion detection technology) across all of its networks.

The fact that the government has not done this is a little scary, but it is my experience, having worked in and with federal government agencies for many years, that this is not an act of incompetence. It really comes down to cost. The US government networks are some of the largest in the world. To install all of that technology on every laptop and computer on three different networks is not cheap. In a world of limited resources, when you compare the trade-off between buying file encryption software to, say, buying body armor for deployed soldiers, file encryption is going to lose every time.

Clarke realizes that it is unlikely that any US leader will be able to push through these radical ideas from the start. In order to get there, he proposes six paths that the international community should work on in parallel:

• Broad public dialogue about cyber war
• Create the Defensive Triad
• International cooperation on Cyber Crime
• Cyber Arms Reduction beginning
• R&D for more secure networks
• President is required to make decision on Computer Network Attack (CNA)

Why Read It

I recommend this book, not least because of the debates it stokes. At the very least, an open and frank discussion of Clarke’s six parallel paths between international government leaders and commercial business leaders would not be a bad thing. Nothing can happen if we do not put everything on the table and discuss it. We can use a book like Clarke’s to get the conversation started.