The Cybersecurity Canon: Cybersecurity: Geopolitics, Law, and Policy

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary

Guiora’s book Cybersecurity: Geopolitics, Law, and Policy takes a broad, strategic view of cybersecurity. It may serve as a general education for newcomers to the world of cybersecurity, but it is likely of little educational value to those already familiar with operating in the cyber realm. Its consistent identification of cybersecurity as a “risk” may both distract and confuse readers, detracting from the overall value of the book.

Review

Cybersecurity: Geopolitics, Law, and Policy begins with a “shock and awe” chapter, apparently intended to jolt the reader into wanting to know more about the broad nature of the cyberthreat. It then enters into a summary of the chapters to follow, which is a good idea in that it prepares the reader for the ideas to come in the later, substantive chapters. The substantive chapters cover topics such as the definition of cybersecurity, geopolitics, policy, and corporate, individual, and law enforcement responses to the cyberthreat.

In his substantive chapters, Guiora brings up a number of important concepts that drive cybersecurity at a very high strategic level. These include the tension or balance between privacy, individual rights and liberties, and cybersecurity; the need for cooperation in the federal, state, local and international arenas; and the impossibility of 100 percent prevention of cyberattacks. Unfortunately, the chapters themselves tend to be very broad and bleed into each other, rather than addressing the discrete topic of the chapter headings. There is a strong reliance on single interactions with professionals and other experts in the field as a basis for broad conclusions about the current state of cybersecurity efforts. While the book does a good job of identifying things that should be done to improve cybersecurity at the corporate, policy, law enforcement and individual levels, it has little specific guidance about how to implement those suggestions through current organizations and processes.

Throughout his book, Guiora addresses cybersecurity as a risk or danger to be mitigated. This is confusing, as cybersecurity isn’t a risk or danger to anyone except maybe malicious cyber actors, such as hackers. The consistent treatment of cybersecurity as something that needs to be stopped or mitigated, including a final chapter about how law enforcement “mitigate[s] cybersecurity,” detracts from the valid ideas in the book. From the start of his book, Guiora tells the reader that his background is most heavily focused on the threat of conventional terrorism. While he accurately notes that there are solid parallels between terrorism, cyberterrorism, and cybercrime, the three ideas and terms tend to be used interchangeably throughout the book, which can be confusing. In the end, Cybersecurity: Geopolitics, Law, and Policy looks like a book written about terrorism, adapted to cyberterrorism, and then adapted to cybercrime.

Conclusion

Cybersecurity: Geopolitics, Law, and Policy  offers broad coverage of strategic aspects of cybersecurity in the modern age. It identifies the key topics that dominate cybersecurity today. However, the continued treatment of cybersecurity as a risk, problem or threat is a confusing message for newcomers to the cybersecurity arena.