
The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats

An urgent new warning from two bestselling security experts--and a gripping inside look at how governments, firms, and ordinary citizens can confront and contain the tyrants, hackers, and criminals bent on turning the digital realm into a war zone.

"In the battle raging between offense and defense in cyberspace, Clarke and Knake have some important ideas about how we can avoid cyberwar for our country, prevent cybercrime against our companies, and in doing so, reduce resentment, division, and instability at home and abroad."--Bill Clinton

There is much to fear in the dark corners of cyberspace. From well-covered stories like the Stuxnet attack which helped slow Iran's nuclear program, to lesser-known tales like EternalBlue, the 2017 cyber battle that closed hospitals in Britain and froze shipping crates in Germany in midair, we have entered an age in which online threats carry real-world consequences. But we do not have to let autocrats and criminals run amok in the digital realm. We now know a great deal about how to make cyberspace far less dangerous--and about how to defend our security, economy, democracy, and privacy from cyber attack.

This is a book about the realm in which nobody should ever want to fight a war: the fifth domain, the Pentagon's term for cyberspace. Our guides are two of America's top cybersecurity experts, seasoned practitioners who are as familiar with the White House Situation Room as they are with Fortune 500 boardrooms. Richard A. Clarke and Robert K. Knake offer a vivid, engrossing tour of the often unfamiliar terrain of cyberspace, introducing us to the scientists, executives, and public servants who have learned through hard experience how government agencies and private firms can fend off cyber threats.

Clarke and Knake take us inside quantum-computing labs racing to develop cyber superweapons; bring us into the boardrooms of the many firms that have been hacked and the few that have not; and walk us through the corridors of the U.S. intelligence community with officials working to defend America's elections from foreign malice. With a focus on solutions over scaremongering, they make a compelling case for "cyber resilience"--building systems that can resist most attacks, raising the costs on cyber criminals and the autocrats who often lurk behind them, and avoiding the trap of overreaction to digital attacks.

Above all, Clarke and Knake show us how to keep the fifth domain a humming engine of economic growth and human progress by not giving in to those who would turn it into a wasteland of conflict. Backed by decades of high-level experience in the White House and the private sector, The Fifth Domain delivers a riveting, agenda-setting insider look at what works in the struggle to avoid cyberwar.

351 pages, Kindle Edition

First published July 16, 2019

347 people are currently reading
2507 people want to read

About the author

Richard A. Clarke

30 books, 234 followers
Librarian Note: There is more than one author by this name in the Goodreads database.

Richard Alan Clarke was a U.S. government employee for 30 years, 1973–2003. He worked for the State Department during the presidency of Ronald Reagan. In 1992, President George H.W. Bush appointed him to chair the Counter-terrorism Security Group and to a seat on the United States National Security Council. President Bill Clinton retained Clarke and in 1998 promoted him to be the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, the chief counter-terrorism adviser on the National Security Council. Under President George W. Bush, Clarke initially continued in the same position, but the position was no longer given cabinet-level access. He later became the Special Advisor to the President on cybersecurity, before leaving the Bush Administration in 2003.

Clarke came to widespread public attention for his role as counter-terrorism czar in the Clinton and Bush Administrations in March 2004, when he appeared on the 60 Minutes television news magazine, released his memoir about his service in government, Against All Enemies, and testified before the 9/11 Commission. In all three instances, Clarke was sharply critical of the Bush Administration's attitude toward counter-terrorism before the 9/11 terrorist attacks, and of the decision to go to war with Iraq. Following Clarke's strong criticisms of the Bush Administration, Bush administration officials and other Republicans attempted to discredit him or rebut his criticisms, making Clarke a controversial figure.

Community Reviews

5 stars: 241 (29%)
4 stars: 383 (47%)
3 stars: 152 (18%)
2 stars: 30 (3%)
1 star: 3 (<1%)
1 review, 1 follower
December 1, 2019
The Fifth Domain, by Richard A. Clarke and Robert K. Knake is interesting for those who are in the cybersecurity industry and for any ordinary people. Unlike many other books written about the cybersecurity that paint the frightening landscape of cyber, this book being written by the insider also gives a rare insight on how a government agency works, and how they tussle to control their domain. Written by the former National Coordinator for Security, Infrastructure Protection, and Counterterrorism for the U.S. National Security Council Richard A. Clarke and the former director for cybersecurity policy at the National Security Council, Robert K. Knake, they have a first eye view of what the country’s leadership go through to contain the cyber threat we face. In this book, they take the reader through the security issue we face and provide prescriptions to solve some of these threats.

This book tells some frightening stories, some of which are in the news. It covered stories of Stuxnet virus that infected the Iranian nuclear agency damaging their vital centrifuge setting back their nuclear program by two years to WannaCry ransomware that shut down many businesses all over Europe and North America.

The common theme on many stories is that even the well planned and executed malware attack may have unintended consequences. Stuxnet malware was designed in such a way that it spread using Microsoft’s zero day vulnerabilities that NSA knew but did not notify Microsoft. It spread targeting the Siemens SCADA systems that control nuclear power plant, but only damage the Iranian nuclear program’s SCADA. It used many zero day vulnerabilities which are very difficult to detect and defend against, and a lot of other techniques that only well financed and technically strong nation state is capable of. Much information on the Stuxnet shows that it was probably designed by the Israel and the US who would want to damage or slow down the Iranian nuclear program for the political reasons. But, this malware was found in many other countries.

Another example of the attack it gives is the Russian attack to cripple Ukraine. It used the combinations of the media manipulation and the tools stolen from the NSA. In this attack, several Ukrainian ministries, banks, electric grid and metro systems were affected. Russia carried out the attack using the NSA’s EternalBlue exploit that was stolen earlier. NSA discovered the vulnerabilities on the Microsoft Windows software, but did not notify them to fix it, rather developed a tool to get inside the adversaries. However, 20% of the infection happened in countries outside Ukraine including the Merck in the USA.

In Ukraine, Russia tested their offensive capabilities. The media manipulation they did in the Ukraine during the attack shows how and what they can do to influence the people’s perception. Russia also disrupted the Ukrainian power grid. But, they did not do the serious damage such as blowing up transformer which could have caused chaos and potentially take several months to years to repair. Perhaps Russia did not want to leave behind their trick on damaging electric grid with the fear that Ukrainian or other adversary may develop a defense for it. Russia used this lesson learned on the 2016 US election and helped to elect the person desirable for their national interest. Spending far fewer resources they were able to control arguably the most powerful country. And the scarier thing is that the Russians are lurking in the American electric grid and have already demonstrated their ability in the Ukraine to damage the electric grid. And Chinese are probably in the US gas pipeline and have ability to disrupt it.

The book is not all gloom and doom. They give several solutions which are effective leadership, adequate resource allocation for the cyber, international cooperation, development of the resilient systems, and ways to make the cost of attacks higher and making the monetizing difficult.

They pointed out that perhaps the US problem is its politicians, and an inability of different government agencies to work together. They talk about the Trump administration’s steps that undermine American capability to work with the foreign countries and organizations by eliminating the point person handling the Cyber issue at the State Department. This allowed malicious foreign cyber threats acting with impunity fearing no consequences for the harm they do to the US interests. Trump also removed the Cyber czar at the White House, a position Richard Clarke held during the Bush and the Clinton administration. And the roadblock put by the Republican senator McConnell on the bill which would be helpful on securing the US voting systems. They also pointed out that security agency wanted to weaken the encryption so they can get in, which would have also allowed foreign Cyber actor to get in easily to the US systems.

Another problem they pointed out is the competing nature of the public and private company’s interest and the inadequate cooperation between them. If DoD and the NSA finds out the zero day vulnerabilities on the US vendor, is it a national best interest to withhold that information from the vendors and build the exploit which NSA potentially use against the foreign entity or let the vendor know so they develop a patch for it?

Perhaps their best recommendation is to use the Lockheed Martin’s concept of the Kill Chain. In their book published 10 years ago, authors like most in the industry believed that the defense is hard because the defender has to be right all the time and offense has to be right only once. But the authors now believe that the good defense is possible. They give examples of companies that are spending adequate resources, cooperating within the industry and defending their resources successfully. The concept of Kill chain is that to cause damage, the offensive cyber actor has to get in to the network, stay hidden, steal the information, exfiltrate and then monetize it. If we make any of these steps harder, then offense would be very hard. For example, financial industry worked together to bring the credit card with the chips on it. When most of the ATM and card reader were replaced with the chip reader, it becomes very difficult for the thief to steal the credit card from the point of sale. And with the wider use of the 2 Factor Authentication, it becomes difficult to use the stolen card online. So, the criminal has to work hard to steal the card and monetize it. As the barrier to monetize is raised, it raised their effort and the cost, so card thief may go down.

Overall, I enjoyed this book and the prescription it offers is very helpful.
Profile Image for Rick Howard.
Author, 3 books, 46 followers
August 24, 2020
The Cybersecurity Canon Committee selected this book, "The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats,” to be inducted into the Hall of Fame during the 2019-2020 season. They also inducted the authors, Richard Clarke and Robert Knake, into the Lifetime achievement category because this is their second book to be added to the Hall of Fame. The committee inducted their first book, "Cyberwar: The Next Threat to National Security & What to Do About It,” in the 2015-2016 season.

"The Fifth Domain” is the perfect Hall of Fame book. It is part history (See timeline below), part big ideas, part fanboy service to the cybersecurity industry’s biggest thought leaders, and finally, it is a look into the future with regard to near term technologies— such as 5G, quantum computing, and artificial intelligence—and how they might impact the security landscape and what the network defender community should be considering in order to influence how they are deployed.

One side note, I got the opportunity to interview the authors during Cybersecurity Canon Week at the Cyberwire’s network of podcasts. I teased both Dick and Rob that the best way to get people talking about their book was to write a paragraph or two about some of our industry’s thought leaders and their pet projects like

: Bob Ackerman: on his notion that many startups are not a tool; merely a feature.
: Colonel Roger Schell : The original developer of the Rainbow manuals back in 1979.
: Gary Gagnon: Helped lead Mitre’s initial efforts on deception and the creation of the Mitre ATT&CK framework.
: Jim Routh: The notion that "resiliency isn’t about avoiding a breach, it’s about preventing bad outcomes.”
: John Perry Barlow: The original author of the 1996 “A Declaration of the Independence of Cyberspace.”
: Rohan Amin: One of the co-authors to the original intrusion chain paper by Lockheed Martin.
: Steve Lipner: The developer of the original Microsoft Software Development Life Cycle
: Sounil Yu: On his Cyber Defense Matrix
: Todd Inskeep: The notion that you can actually defend your enterprise with the right strategy and enough resources.

And many more. Of course, they mentioned my pet project, the Cyber Threat Alliance, and they came on my show to talk about my other pet project, the Cybersecurity Canon, so you know I was going to write about their book. It would be bad form if I didn’t.

In terms of history, they focused on a theme that has been covered from different angles in other Cybersecurity Canon books too this past year: David Sanger’s "The Perfect Weapon: How the Cyber Arms Race Set the World Afire” and Andy Greenberg’s "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.” That theme is the continuous low level cyber conflict that has been going on between and by key nation states like the United States, Russia, China, Iran, and North Korea for the past decade or more.

For big ideas, they have a sack of them:
* Resilience should be our focus, not blocking technical things like malware and zero days. Build systems so that most attacks cause no harm.
* Make the bad guy spend resources to keep up with the defenders, not the other way around.
* Adopt cybersecurity first principle thinking by getting leadership to think holistically about the nature of the cybersecurity
* Adopt outcome based regulation, regulation that requires entities to fund the costs associated with a breach. Ideas include Bonds to cover PII Loss and fines for companies that pay ransomware.
* Breach Disclosure has not had the intended effect that we thought.
* The industry’s Personnel Shortage Problem is not at the entry level but at the senior level.
* The United States electrical power grid is owned. We are not arguing that any more. To fix it, they recommend to put someone in charge and give them real authority. They should immediately launch a major program using the best private-sector threat hunter firms to find and remove foreign implants, backdoors, and remote access to the industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA) on the grid. Next, they should put in place that combination of state-of-the-art cybersecurity best practices that have achieved success in America’s most secure corporations. And lastly, they should prepare for the worst: how to maintain society once the grid goes down for a long time. A longer range strategy would be to get away from the current out-dated power distribution system and move towards thousands of heterogeneous sources of electricity generation and storage that would not be tied to any of the three big national Interconnects, or even the regional subnetworks.
* Emphasize the CyberCorps scholarship for Service program funded by the National Science Foundation, administered by the infamous Office of Personnel Management, and advised by the NSA and DHS. This is an already created program. We just need to step on the gas.
* Create a Federal Service Program whose only customer is state, city, and country governments that need computer science services, network management, data storage, and, cybersecurity. Make it cheap.
* Focus the military on defending their own networks that includes protecting the corporations in the defense industrial base (DIB) and guarding the private-sector infrastructure that the military needs to do its job. Give them the specific mission to ensure the integrity of U.S. weapons once they are deployed. Finally, give them the green light to go on the offensive to degrade potential enemies’ militaries in part through cyber operations.
* The internet will be balkanized. Instead of begging with authoritarian states to play by our utopian fantasy rules, we should set the terms under which they get to have unfettered access to our most valued public assets.
* The responsibility of protecting elections, at least federal elections, should be the federal government. The feds should establish minimum cybersecurity standards for voting devices, databases, and networks and provide funding to make that happen. We should also perhaps give the military authority to defend this operation.

For technology, they lay out the case for why 5G, quantum computing, and artificial intelligence will each be a game changer in its own right. From my perspective, once 5G is available everywhere, everything will be connected to the internet at very high speeds. And I mean everything. It will no longer be a joke that your toaster is connected to the internet. It will be and in the next decade, we will forget why we thought that was funny in that yesteryear of 2020. But, the big one-two punch of near-future technology is quantum and AI. We are probably within a decade of having an affordable quantum computer that operates on 128 qubits. The NSA math nerds are already so afraid of this because of the implications of breaking all of their cryptographic cyphers that they are hard at work developing the next generation of cyphers that can withstand a quantum computer speed. From my science fiction side though, once we hit 128 qubits in quantum computing, the artificial intelligence singularity will not be far behind, that moment when a computer algorithm becomes aware of itself. With a quantum computer, this will no longer be just past our reach.

As I said, the Cybersecurity Canon Committee has already selected this book for the Hall of Fame. It is already a must read. But do yourself a favor. Put this on top of your reading queue. This one is important.




Timeline

1956:
Birth of AI at the Dartmouth Summer Research Project on Artificial Intelligence

1998:
Richard Clarke instigated Presidential Decision Directive 63 that led to the first information sharing and analysis centers (ISACs).

2007:
Russia launches cyber attack against Estonia.

2008:
: Russia launches cyber attack in parallel to the physical attack against Georgia.
: Russia gains access to the Pentagon’s secret-level SIPRNet system.

2010:
: the US and Israel launch Stuxnet
: Pfc. Bradley Manning steals classified information and releases it to the public.

2012:
The Iranian Revolutionary Guard Command (IRGC)
: Shut down the eight largest U.S. banks
: Penetrated the U.S. Navy Marine Corps Intranet and defied U.S. efforts to evict them for more than two years.
: Attacked the Sands Casino in Las Vegas.
: Cripples Saudi Aramco by wiping software off thousands of machines.

January 2013:
President Obama signs PPD 20 restricting offensive cyber to only his approval.

May 2013:
Snowden

2013:
: Speculation: Russia (The GRU) hacked an NSA staging server to get Eternal Blue. Software released by the Shadow Brokers before NotPetya.
: The Iranian Revolutionary Guard Command (IRGC) took control of networks running systems as diverse as a water system dam in New York State and

2015:
: Russia (The GRU) operating under the false flag name of Sandworm, attacked the Ukrainian power grid in 2015 and again in 2016.
: Russia (The GRU) operating under the false flag name of Cyber Caliphate shut down a French television network, TV5Monde.
: Russia (The GRU) attempted to interfere in the investigations of the Russian assassination attempt in Bristol, England, Russian doping of Olympic athletes, and the Russian downing of Malaysia Airlines Flight 17.

4 February 2015:
Anthem Breach (second-largest health insurer in the country), lost all of its subscriber data (some 78 million records)

2016:
: Speculation: Harold Martin’s cache of TAO offensive tools, including Eternal Blue, likely stolen through supply chain backdoor of Kaspersky software on his home computer.
: North Korea compromised a classified network and stole the U.S.–South Korean combined operations plan to attack the North and kill its leadership.

March 2017
Joshua Schulte leaks CIA documents (Vault 7) to WikiLeaks; including zero-day exploits of widely used software.
And CIA Program UMBRAGE (using attack tools that it had stolen from other governments in order to leave a misleading trail and cause investigators to believe attacks done by the CIA were, in fact, done by others.)

May 2016:
Petya uses the National Security Agency’s EternalBlue weapon.

Fall of 2016
Operation Glowing Symphony: TF Ares launched mission to knock ISIS’s media network off the internet

May 2017: WannaCry
North Korea (Lazarus Group) launches WannaCry:

June 2017: NotPetya
Russian GRU (Main Directorate of the General Staff) or Fancy Bear launch notPetya

2017:
Iran penetration of the Triconex safety-instrumented system of a petrochemical plant in Saudi Arabia, an attack apparently intended to prevent alarms going off during a planned lethal chemical leak in the future.

2018
: A Navy Contractor who worked for the Naval Undersea Warfare Center in Rhode Island stole Classified data about highly sensitive programs.

: Separately, the government discovered another Navy technician to be a criminal hacker.

: Department of Defense Cyber Strategy, Secretary of Defense James Mattis had ordered Cyber Command to “defend forward” by joining with the intelligence community in attempting to identify potential enemy cyber systems, penetrate them, and in some cases, stop incoming attacks.

: The National Security Agency and U.S. Cyber Command created the “Russia Small Group” to conduct operations to counter Russian cyber-related interference in that year’s Congressional elections.

Summer 2018:
: the head of the U.S. intelligence community publicly warned that the power grid had in fact already been successfully penetrated by Russia.

September 2018:
President Trump rescinds President Obama’s PPD 20 (2013)

2018:
Intrusion Truth began to regularly disclose the hacks, tools, and people involved in Chinese hacking groups known as APT 3 and APT 10. It is not yet generally agreed upon among the cyber-expert community who Intrusion Truth is, but it is clear that they are revealing the secret activity of the Chinese government.

End of 2018
The Cybersecurity and Infrastructure Security Agency (CISA) created within the Department of Homeland Security, on a par with other agencies in the department such as the Secret Service, Coast Guard, and Federal Emergency Management Agency (FEMA).


2019
The heads of all seventeen U.S. intelligence agencies deliver annual threat assessment to Congress that Russia had the ability to disrupt the U.S. power grid and that China had the capability to disrupt the U.S. natural gas pipeline system





Sources

"Book Review: “The Perfect Weapon”” by John Davis, Cybersecurity Canon Project, 3 March 2020.

"Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric Hutchins, Michael Cloppert, Rohan Amin, Lockheed Martin Corporation, 2010, Last Visited 30 April 2020.

"Patch Exchange already, will ya? GoldenSpy lurks in tax software Chinese banks prefer their foreign clients to use. Magecart gets cleverer. Another unsecured AWS S3 bucket, and this one’s not funny,” The Daily Podcast, The Cyberwire, interview with Richard Clarke and Robert Knake, Minute 9:40, 6 June 2020.

"Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers,” by Andy Greenberg, Doubleday, 7 May 2019.

"The 2018 DOD Cyber Strategy: Understanding 'Defense Forward' in Light of the NDAA and PPD-20 Changes,” Bobby Chesney, Lawfare Blog, 25 September 2018.

"The Perfect Weapon: How the Cyber Arms Race Set the World Afire,” by David E. Sanger, Crown, 19 June 2018.

"The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats,” by Richard Clarke and Robert Knake, Published July 16th 2019 by Penguin Press


200 reviews, 2 followers
April 10, 2021
Great surface level and summary of cyberspace for people with very little background. It included several good policy options and recommendations, as well as individual actions. Covered many topics related to cyberspace, such as industry, infrastructure, social media, defense, state actors, and state sovereignty. Past and current trends were not projected far into the future, so left this book quite believable and useful.
Profile Image for Manny.
300 reviews, 30 followers
March 2, 2020
Great book about cyber security. I am in the business and can see the author(s) are well versed on nuances of that industry. The authors however, make their political biases known to the reader. Although I DO read political books and expect the political biases, I hate when authors, actors, musicians, etc try to use a platform to spew their political views when the content is not political. It is not overwhelming to the point that it is not readable, but it is palpable.

Authors cover many of the concerns I and others have to deal with. They have different views and proposed solutions than mine. I tend to not want government involved, however the authors seem to be pro-Big Government. This is strange to see in InfoSec since you have a majority of people in this group are usually libertarian leaning whether that is left-leaning or right-leaning libertarian.

It is a good book. I recommend it.
41 reviews, 1 follower
November 18, 2024
This book is a good primer for current challenges and issues in the cybersecurity field and an overall entertaining read if you have any interest in the topic. Both authors have significant experience as policy makers in the federal government for cybersecurity. They do a great job of explaining the challenging private/public nature of cybersecurity issues and also explore how Artificial Intelligence and quantum computing will impact cybersecurity.

My only critique of the book is that the authors lean into their own opinions a little too heavily at times in the “recommendations” portions of the book. Obviously they come from the federal policy community, but their tone when describing their opposition was unnecessarily derisive (essentially the military/cybercom leaders are irresponsible, the corporate leaders are lazy/cheap, the state/local officials are incompetent, and Republican congressmen are all troglodytes). Their tone definitely made me wonder whether they had made straw man arguments for these rival stakeholders.
14 reviews, 1 follower
March 25, 2022
An interesting policy-oriented take on addressing threats in cyberspace which fall below the threshold of conventional response. With the exception of the section on quantum physics, a well-considered argument for resilience as the next face of defense.
Profile Image for sumo.
340 reviews, 2 followers
May 1, 2023
Well, this is a pretty terrifying book. Good awareness and call to action.
Profile Image for Marcus Goncalves.
820 reviews, 6 followers
October 10, 2024
Interesting read, covering many aspects of cybersecurity, such as IoT, military defense, and offense, not to mention the history of massive cyber attacks. A bit old though, but still relevant.
Profile Image for Tim.
111 reviews
May 15, 2022
I really enjoyed reading this book, I picked up a lot of info and good ideas. I have an IT background so this book was very relevant, intriguing and meaningful. For people reading this with only basic or no IT knowledge I suspect the book may be more challenging, but worth the read. For the most part the book was very well written by an author that is obviously well versed in the subject.
Profile Image for Nicolette.
230 reviews, 38 followers
October 5, 2019
This might be something I need to buy. It was a little frightening, but in an alert, cautious way, and if you know anything about my reading habits as it is, I do love non-fiction that's terrifying like a dystopian. Coming off of a summer cohort in Cybersecurity, this delved deeper into what actual entities, public and private, are doing to combat the seemingly harmless things users are running into as they careen around the "open" internet. On a personal level, I've had credit cards replaced several times and had to establish a passphrase to talk to my bank because information was compromised in the huge Equifax situation. This is becoming a normal part of our lives, and it really shows that the average person needs to flex some cyber hygiene if they're able.

There are people far more prudent than I and this book did reassure me -a little- that people are working to combat at least parts of this. The prevailing attitude for most is that government is always slow to develop strategies against the cutting-edge and new. (I think of law, cloud, and the internet as mainstay examples.) What did baffle me, even having an idea of it after my studies, is the pathetic security of all of our national infrastructure. It's mind-boggling. Not an expert on military spending, but god, where is it all going if we're not allocating enough to this? Specialization and experience are a delicate see-saw, in my view; you want it on your team but you need to have teams that can pull back and see the other issues. Not unlike the structure of many legacy corporations, top-heavy people with cloud sweep issues under the rug and believe solely and stubbornly in their own expertise. It's bordering on dangerous tunnel vision and we need to shake up this paradigm and reset our concepts of the internet, attack surfaces, warfare, and also the cultural tangles that are embedded in how we deal with the changes.

Every single chapter of this was fascinating. The discussion of segmenting the internet gave me a little tinge of physical revulsion; why is that? Is there something cultural about borders that comes from me growing up in America, or am I in a place of privilege to be able to feel that way? That's a complicated question that should be untangled outside of the scope of this book. Maybe it's because I remember getting dial-up internet, sitting in a family / computer room while something so novel opened itself up. At a formative age, nonetheless. It forms your experiences in a way that's difficult to describe to those older or younger than you, because you remember the catalyst, the divide you were witnessing.

Since government (and in my world, aviation hell) is full of acronyms, I had to keep a running list of things to research separately after finishing the book. Summarily, I'd like to read it again because it presented fantastic strategy for addressing these things, and even where I disagreed (not an expert, though, obviously), presented a way forward that I hope those with more power are considering.
Profile Image for Joshua Finney.
23 reviews, 2 followers
April 23, 2021
Very eye-opening; both crushing that some of the cyber problems defenders space have been ubiquitous from the start, and gratifying that we understand much of it, at the strategic level.
Profile Image for Miro.
3 reviews
August 15, 2023
The book is quite informative, however at some stage the author tries to push a specific agenda or suggest solutions in a field where their experience is quite obviously very limited. It paints the scary picture of poor online security and then provides increased government monitoring and privacy intrusion as a solution.

The parts where the author focuses on describing history and current state of things are quite good, but once the author tries to push their agenda, opinions and solutions it goes downhill fast. It's almost as if the book was written by two different persons.

I'd recommend reading Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers and The Lazarus Heist instead. These are way more factual, don't push any obvious agenda and go into more technical details. Both of these books are also less politically oriented and as a result more relevant for non-US readers.
327 reviews, 15 followers
September 23, 2020
Two cyber policy wonks write about, well, cyber policy. For me, this was a great read; I'm middle aged and a computer geek but not a security person, so the last time I formally studied security was in the Dark Ages, and much has changed since then.
A simple example: the authors point out that the typical large corporation now has three to six *dozen* security products in their portfolio. I could have started with firewall, anti-virus, intrusion detection, AI-based log processor, but I'd run out of gas long before getting to a dozen vendors, and there are attack surfaces and defense points I've never thought of.
Clarke and Knake don't focus on the technology, but instead cover the whole range of goals of the adversaries, from attacks on corporations for stealing IP; electricity generation, gas pipelines, military weapons and information systems; to elections, finishing with a good chapter on IoT and a mostly not completely wrong chapter on quantum.
If there's one word they recommend, it's Resilience, at both technical and organizational levels. You should be asking not only, "How do I keep something bad from happening?" but also, "When something bad happens, how do I minimize damage and keep my company moving?" They also point out that the assumption has long been that the attacker has the advantage, but they show how the balance of power, and thinking, has shifted to the defense in the last decade or so.
The book isn't intended to be a catalog of security incidents over the last couple of decades; such a book would be a tome in and of itself. Instead, a few events are used to make specific points about both vulnerabilities and about defenses, although I learned about various incidents that hadn't crossed my transom.
At one point, they state pretty clearly that they think the FCC should be doing more via regulation to ensure the security of the Internet, and that it already has the statutory authority to do so. I'm not sure all of my Internet policy wonk friends would agree with that.
If the book has a flaw, it's that a lot of the technical jargon is tossed around without much introduction. The individual acronyms are expanded the first time they're used, but not all of the technical vocabulary is defined in line, though there is a decent glossary if you're smart enough to check that out before diving in. For some of the book's audience, I suspect this drawback will slow down their understanding and potentially their buy-in on the ideas.
I suppose a second flaw is the inherent US focus and pro-US point of view, but then, they are former US government diplomats. There is some discussion of the international nature of business and conflicting regulatory domains, which is done well. But more here would have been appreciated from my personal point of view.
I work in quantum computing and quantum networking, and quantum key distribution (QKD) has been commercialized since the very early 2000s, and yet it hasn't taken the world by storm as a replacement for technology such as Diffie-Hellman. There are technical reasons for that (limitations on distance, specialized implementation resulting in expensive boxes and expensive deployment), but I think one reason is that most of the physicists and CS theorists working in QKD don't understand how CISOs and CEOs think about security. The word encryption comes up very rarely in this book. One reason is that the mathematics underlying encryption is rarely on the radar of security-conscious network and system managers, let alone their bosses who okay the purchasing decisions. Perhaps QKD has been ahead of its time, and indeed I think traction for the technology has grown quite a bit in the last few years, but it's certainly true that the QKD folks need to learn how the whole gestalt of security happens, and from there how to become one of the several dozen security vendors entrusted by C-suite folks with one facet of the overall problem. Everyone in QKD (and more broadly those in quantum computing, as well) should read either this book or another in the same area. Indeed, everyone in computing systems, not just those with an interest in policy, should read multiple books in this area, at regular intervals throughout their careers. (I'm feeling negligent in that this is the first such book I've read in a while, myself, though if you've been following what I've been up to you know that I'm working more directly on encryption these days, and doing some reading (e.g. The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet).)
Clarke and Knake view cyber threats from the policy side: what role should the government have, what role should corporations and individuals have, how do we keep Chinese and Russian activities in check, etc. Their concerns run as high as, how do we stop a cat-and-mouse hacking game from escalating to a shooting war and ultimately even nuclear war. It's deadly serious stuff.
The authors have spanned multiple administrations and are mostly circumspect about politics, but they clearly believe Obama should have acted more vigorously in responding to some threats and incidents, and that Congress's failure to act in many cases, including election security, is a serious breach of responsibility. Published in 2019, they also had time to assess not only Trump's election but also his policies and actions, and clearly dislike what they see.

A recommended read, though it might keep you from sleeping at night.
Profile Image for Ietrio.
6,949 reviews, 24 followers
November 15, 2019
Bureaucrats feeding on fear. Your fear tightens their grip around your neck. They can't do anything against "foreign" threats, but they certainly do a lot of damage to the people "to protect them".
Profile Image for Tyler Imhoff.
2 reviews
September 6, 2022
Overall, I really enjoyed the book.

I think Dick and Robert have some great ideas for different policies that can be implemented at the government level to help nudge our cyber infrastructure towards improved security. Ironically, the internet, which was initially thought to be borderless and free from constraint, is becoming increasingly divided as governments try to gain control over narrative and influence as well as security and protection. The debate of globalism in the material world exists in the cyber realm as well. How much globalism is optimal for the most efficient trade to support growing economies without sacrificing border security and jobs at home? The parallel question for the cyber domain is how open should our internet infrastructure be so that we can efficiently share information across the globe but not be at risk from cyber attacks?

The difference here is that cyber attacks have the potential to be much more dangerous. If nation-states can effectively and covertly enter our power grid, shut down our supply chains, and cause real infrastructure damage it is a serious issue that needs to be addressed. As seen in the documentary Zero Days, the capabilities already exist where one nation can gain access deep within the power grids of other countries that could completely shut them down. That's a huge implication.

Dick and Robert do a great job of wrestling through these various questions of cyber security, its importance, and outlining various solutions to these issues. Their experience in these areas is significant and they raise plenty of interesting ideas. I cannot overly critique since I do not have the same experience, but I think a lot of the ideas can be built upon. At times the magnitude of topics may be a bit hyperbolic. Some AI capabilities are not as far along as they say. It is certainly possible that China and Russia have huge effects on our social media propaganda but I'm not entirely sure I need to be alarmist from a personal everyday living standpoint. I'm going to enjoy the internet for all its worth and hope that my passwords don't get stolen. I also wouldn't go so far to say that there was such an influence that the 2016 elections were stolen as is suggested in the book. Just as I wouldn't go so far to say that the 2020 elections were stolen either.

Otherwise, this is a great read filled with knowledge in the cyber realm that I thoroughly enjoyed. I would recommend this book to anyone that has an interest in cyber, as well as someone that would like to understand more about cyber policy, how the private and public sectors work together on these issues, and the role of the military and alphabet agencies in cyber warfare/cyber defense.
8 reviews, 6 followers
July 19, 2019
This was an enjoyable book, which is all the more complimentary considering the amount of policy discussion it covers. The authors do a good job throughout by offering a clear framework through which to understand the current state of the "Fifth Domain" as it pertains to our national, corporate and individual interests.

This is a great book for legislators and elected officials to read for a quick, firm grasp on the issues they should at least understand if they'll be legislating on matters that have consequence to our posture in the Fifth Domain. This is a good book for executives, both in and out of IT. I can already see some poo-pooing their policy and partnership proposals as unworkable or otherwise, but such dismissals are of no consequence unless they have something better to offer instead. This is the closest thing we have to a coherent strategy to deal with the Fifth Domain across public and private sectors.

The discussion on new technologies (quantum computing, AI ML, IoT, 5g) toward the end of the book was also interesting. The pace at which some of these technologies are developing is as impressive as the tech itself.

Though not free from the tinge of FUD (fear, uncertainty, doubt) common to the genre, it actually may be appropriate given the context and call to action -- after all, the authors aren't exactly a couple of CEOs hawking their trendy new AI tool for market dominance. (though they offered no disclosure as to working or beneficial relationships with any of the companies referenced, I have not personally checked into the matter)

On the whole, my rating shades to the plus side of 4 stars. I appreciated the book's clear writing and organization. The content was thoughtful and, consequently, oriented to action. The authors did an admirable job marrying legislative, military, and business considerations into a highly readable and comprehensive work on the current challenges (and suggesting possible solutions) facing us in "The Fifth Domain".
7 reviews
April 20, 2021
This book taught me quite a bit about the current landscape and potential futures of cyber fighting and warfare. I got a sense of the scale and strategies behind some of the main actors in the domain. The argument for the role of government (or the lack of a role in some cases) was very compelling and I felt inclined to defer to the authors of the book who are themselves steeped in the last decades of policy around cyber defense.

I am a software engineer and I came away having more hope for the potential outcomes for personal security because of how underrated a lot of the defense capabilities are. I got a solid sense that the power grid, voting systems, and government agencies still are weak links from a cyber defense perspective, and that the solutions seemed to be either a) private corporations should be more accountable for protecting against state-supported cyber threats or b) a push to centralize security efforts into a cyber division that would be contracted out to various agencies. But overall, we're going to be okay.

Security needs to be baked into the design of everything that will be networked, even if we think it won't live on the public internet and I couldn't agree more. Two-factor authentication is a small price to pay for the gains in security it brings, and other relatively simple concepts, if implemented in a deep way, can defray a lot of the risk that we take on when we are on the internet.

However, I also gained a deeper appreciation for the threat leveled at us at the national scale from our rivals worldwide. Asking what the military's role in this is a good one, if it should even play one at all, because conventional warfare it is not. Basically we need better and better walls, not better weapons against these threats because there's few good ways to strike back effectively in the current global climate.
54 reviews, 2 followers
December 16, 2019
Simply put, Mr. Clarke, the consummate bureaucrat, advocates for additional regulation to address the cyber threats that face our country. All while he gives many examples of government's failure in this area. He makes excuses for the hacks of government systems, but expects the private sector to follow guidelines from agencies that couldn't protect their own systems. I could be convinced more regulation is needed, but would have preferred a more nuanced and innovative approach. I suspect Clarke endorsed Gov. McAuliffe's carte blanche actions against local election officials, but I don't think his solutions fully contemplate all the challenges of essentially federalizing elections. This theme of just forcing a solution on unwilling participants suits the Beltway wizards, but does little to protect our civil society. I should point out that Clarke's preference for a big government solution isn't surprising considering who he worked for and whose endorsements appear on the book's back cover. (My political bias should be obvious, however I did approach this book with an open mind.) Overall, the military chapter is good, as are the descriptions of hacking incidents. His discussion of the cyber landscape is clear, as is the discussion on potential changes new technology will have on that landscape. I give the book a poor review to balance the unquestioning positive reviews thus far; I can't ignore the serious bias in his observations and suggestions about recent political controversies.
Profile Image for Ashley K..
Author 3 books
September 3, 2023
Longing to become more acquainted with the language of cybersecurity for a new job, I checked out this book from the library! I was shocked by how the book kept my attention every chapter.

Not only did I meet my personal goal of understanding more about cybersecurity, but I gained knowledge of the tools which we use to ensure it (encryption, multi-factor authentication, etc.) alongside the roles in the field (analysts, CISOs, CEOs, tech giants), and predictions about the future of cybersecurity with the advent of Machine Learning (ML), Artificial Intelligence (AI), Quantum Computing plus how all these programs might work together (Project QuAIl) and much more.

I highly recommend this book to someone who wants to learn more about cybersecurity. The authors make extremely complex topics much easier to understand and grasp. I was particularly wowed by the section on quantum mechanics and general theory. As much as I've heard words like superposition, qubits, and Schrödinger's cat, I felt like this was the first time I actually began to understand the concept of really really tiny particles not abiding by the law of physics we've assumed.

I'm referring specifically to one experiment they referenced where one particle being changed over 700 miles away from its partner particle still affected the position of its partner particle, even at an extreme distance. I'd like to understand more about these complex concepts and perhaps I will find more about this in another read.

All that to say, this was a brilliant book and a wonderful read! Riveting and accessible!
491 reviews, 3 followers
February 24, 2024
Fantastic book, just wait until the bits on foreign hackers and quantum computing, stuff is crazy! Did you know Russia could already access our power grid, and China our gas? Like, there are actual federal reports saying it’s happened, we’re just not sure on their level of infiltration and our senators are too old and dumb to check. But ya, this stuff matters, unfortunately.

And honestly, this book is a bit dry through the first half. It explains everything in great detail, but when that’s just proposed policy it’s pretty boring. But then you get into the part about actual viruses and hacks, and it’s golden from there. The quantum computing stuff is amazing. Good for the layman like me, just make it through the first half and understand the authors are doing it for a reason- trying to properly explain where governments/businesses have failed, what they should do about it, because here are the results, currently.

Also, props to the authors for being low-key funny at times. Just very blunt and unapologetic. Whoever is to blame, they’ll put it in writing, kind of refreshing. I don’t agree with ‘em on everything, but I prefer their honesty to an author trying to subtly influence your opinion.
220 reviews, 2 followers
March 11, 2020
I was recommended this book by a client as I am their cyber insurance broker. There is some interesting information in here and some ideas about how the challenge of security can be met in the future.

But, it is not very well-written. There are times when this reads like an inter-office memo.

Dick Clarke is the consummate DC-insider so there should be no surprise that he often sees a major role for government in overseeing cyber security.

But the biggest issue I had with the book was about 1/3 of the way in when the authors touched upon the damage to Mondelez from NotPetya and noted that their cyber policy declined to pay damages. Problem is Mondelez did not have a cyber policy. Mondelez filed the claim from the damages against their property policy. Had they had a cyber policy, damages would most likely have been paid.

They then criticized cyber policies in general. But their source knew very little about cyber policies.

So as they got two things I know better than they do very wrong, I can only wonder how many things I do not know that they got wrong as well.
Profile Image for Maria.
4,649 reviews, 116 followers
June 2, 2021
For the past decades Clarke and Knake argue that offense was the dominant and winning strategy but with the introduction of new technology and management, the defense is on the rise and will be ascendant. Using real life examples and drawing from their experience in government, Clarke and Knake make the case for making things difficult (to impossible) for computer attackers.

Why I started this book: Professional Reading title ready to download.

Why I finished it: First IT book that I enjoyed and agreed with, and I'm not sure if it was the optimism leavened with realism or if it was just the opinions spanning several US presidential administrations. Glad that it was on the Professional Reading list, because after Cyber War: The Next Threat to National Security and What to Do About It I wasn't keen on picking up another book by these authors.
Profile Image for Kārlis Bergmanis.
99 reviews, 5 followers
January 12, 2022
It starts slow, but if you persist, this book brings home some good points.
The main problem with cyber security is to prove that there is a problem. "Won't happen to me" mentality, in a way, so a large part of this book goes to prove that this is a topic we should be taking seriously.
When it's done with that, it deals with big and old problem (which exists not only regarding this topic) - whose responsibility is this? Should companies do the digital equivalent of placing AA batteries on their roofs, "every man for himself", or should the government come and take care of everything, guarding borders with The Great Firewall of [country], and watch every email and every attachment we open? Surely we don't want either of these extremes, but where is this line in sand, question remains.
One downside I could point out to non-USA readers, is that it talks about US political system quite a lot, with examples and committees. Though problems are the same everywhere, I guess, most of those names and their relation to everything else was all Greek to me.
Profile Image for A.P. Hofleitner.
Author 1 book, 4 followers
February 21, 2021
Wow. This book just touches on everything in cyberspace. The stories, the accounts are great and it touches on areas of cyber that I hadn't given much thought. This book aims to promote some of the ideas that we need to implement to secure the cyber domain and many of the sectors it touches. While I can't say I agree with all of the proposals, they are presented in a very convincing manner and I am glad for the perspective. If there is any book to read in order to quickly get a grasp on all of the important discussions with regard to cyber today, this is the one. The only disappointing part was when I got to 87% complete on Kindle and realized that was the end of the book. That said, I also really do like the definitions of important acronyms and concepts in the back, mostly because they aren't just a copy-paste of what you can find online. Great read, it's moving to the top of my cyber reading list, if ever anyone asks me for one.
76 reviews, 1 follower
July 24, 2021
This is a solid overview of the risks and remedies associated with cybersecurity. Messrs. Clarke and Knake are credible given their background, and they provide a clear-eyed view of what is at stake and what it will take to build resilience into our on-line lives, as it relates to governments, businesses and individuals.

Although I give the authors a quasi-pass given their previous role in government (and thus politics), I am fatigued by all of the "non-fiction" I have been reading of late in which the author succumbs to the burning desire to virtue signal by introducing their political points of view. It is especially annoying when it is not necessary to advance a point relevant to the topic covered in the book. Messrs. Clarke and Knake must have made someone happy with railing against President Trump, climate deniers, etc. Not me; I really don't care about their political views and did not pick up the book for that reason.
Profile Image for Man Ha.
172 reviews
October 17, 2023
The awareness of cyber security was not brought up for 20 years until after the internet boom and crash in 2000s. Privacy became an issue during US 2016 election, and US government could not admit the fact of Russian interruption during the election. That chaos was the alarm for all the tech companies to begin investing in cyber security and network security. The fifth domain could come from any sources to the US technology world. After reading Chip War, the next threat came from China with the Huawei company run under Chinese government that violates all the privacy laws in US. Even though technology develops into AI, ML, and IoT, privacy compliance is the most challenging question among all the technology companies.

I take the message from the author is that technology customers should have 20 different passwords with different characters. Social media is the source of all the password breaking on the internet especially birthday password type users.
3 reviews
November 23, 2020
Richard Clarke and Rob Knake are acknowledged beltway cyber experts. This statement does not make for a good book. More often than not, such government experts write for the Politico opinion pages where they dutifully lay out the problem, provide a 30k foot solution, and then leave the reader without actionable solutions. Such is not the case for Clarke and Knake.

This is one of the few cyber policy books that lays out well thought solutions to each problem set. Not all are actionable in this political climate. Not all will solve all elements of the problem. But they provide a real solution policy makers can build off of in the coming years.

It is a smart book that should be required reading for anyone working in the national defense, national security, or broader cybersecurity enterprises. Good job.
50 reviews, 2 followers
March 21, 2024
This is an interesting overview of the challenges faced by companies and government on how to collaborate and solve the major cybersecurity challenges seen at the time of writing, particularly in the United States who are the target of many countries around the world. The last chapter says the hard part is coding the answers once the policies are decided upon, which ultimately proves to be the more difficult part. Implementation can also generally lead to changes in policies too, as limitations are found. I'd suggest to someone working in the industry to focus on learning technologies in more detail, rather than read these types of policy books, unless they are working directly with cybersecurity policies in general. Nonetheless, there are some interesting topics that raise general awareness in this book and make you consider difficult questions.
2 reviews
October 21, 2019
One of my current favorite cyber security reads. Clarke and Knake tell an incredibly raw and blunt tale of the current state of the cyber landscape. They make very good suggestions on how the government, private companies, and individuals can better their cybersecurity practices. Through smart government intervention and execution, corporations will be forced to innovate and stay on top of cybersecurity, which will benefit all people across the world. This intervention will help shift the mindset to a more defensive advantage, which is very much needed in today's world. The world is already equipped with most of the knowledge it needs to remain secure; now it is a matter of applying that knowledge.