Customer Reviews

Cyber War: The Next Threat to National Security and What to Do About It

5 star:		(45)
4 star:		(29)
3 star:		(12)
2 star:		(7)
1 star:		(4)

 

 

I've been in the information security field just about my entire professional life, both in and out of government, and I've been hearing people sound the alarms about "cyber warfare" for at least the last 15 years. Most of the time their grasp of the technical aspects is limited, they don't have a clear idea about what they're talking about, their scenarios read like movie plots, and they're usually trying to win government contracts. Although this book does have some serious shortcomings, Clarke's book is without a doubt the clearest and best work I've seen on cyber warfare. I'll lay out his book and his thesis first, then I'll tell you where I thought he fell short and what I thought of it.

Clarke first gives an overview of all the instances to date where cyber attacks have been used by state actors. In all cases but one (The Estonia attacks in 2007), the cyber attack was used to enhance a conventional attack. This is actually the best such overview I've seen, included some examples I hadn't heard of before, and Clarke's analysis is spot on. The only thing he didn't include was the very recent "operation aurora" (Google it if you want details), which probably occurred after he finished writing the book.

The book then has a detailed discussion of American policy on cyber warfare, and Clarke details all the developments to date. Since Clarke worked for presidents Clinton, Bush, and Obama on national security issues, this book provides a front row seat to the ins and outs of the way our policies have developed. Clarke also details what is known about the cyber war capabilities of other countries, including China, Russia, and North Korea.

Only then does Clarke begin to go into the technical aspects of cyber attacks, but the technical stuff is very high level (the back cover description explicitly says that this book goes "beyond the geek talk"). He really is just trying to show the potential damage that can be done with cyber attacks. (In other words, this is the part of the book where he tries to scare you).

Clarke then discusses what he views as the primary reasons there has not been significant action in the area of defending against concerted cyber attacks. It is, in my opinion, a very realistic and fair analysis which avoids finger pointing. He then starts to lay out what he feels are reasonable defenses that the US must begin to take.

In the last part of the book he lays out a clear agenda for defending against cyber attacks which includes a mix of regulation (he admits it's a dirty word but thinks it's necessary), more technical controls at major network boundaries, and an expanded scope for DHS to protect the civilian infrastructure too. He also discusses international arms control treaties, and appears to be a big fan of some international cyber war treaties, which, like nuclear arms control treaties from a generation ago, could be used to create "rules of the game" for international war.

As I said, in the beginning, this is without a doubt the best piece on cyber war I've ever read. He really does an excellent job of covering everything from the history to the players to the regulations to the endless possibilities. The one place where I feel he misses the boat is in some of the technical aspects. He admits to not being a technical person, and does make a few technical errors, although they're all far too minor to be worth mentioning. My real issue is that in all his scenarios he starts with the assumption that every combatant (like, say, the USA and China) have successfully hacked into every network that the other side controls, and left backdoors to get back in. Further, none of these back doors have been discovered and removed. As someone who does this for a living, I can assure you it's not that simple. While I have no doubt that a government spending considerable resources could certainly gain access to many networks in a relatively short period of time, and if they left backdoors some might not be discovered, if someone left too many backdoors some would certainly be discovered. Breaking in is not as simple as just pushing a button like it is in the movies - in fact, recent studies have shown that the average security breach is the result of four separate mistakes. While mistakes are made all the time (which means that breaches occur all the time _somewhere_), it's much harder to cause breaches in every system you target all at once. In several places, Clarke's dire warnings fall into the trap of imitating movies more than real life. I will admit that as a technical person this is my bias showing, and I realize that this book is still largely intended to be a policy one, which is why I still give it a very positive rating. I would simply be remiss if I let this pass unmentioned.

Richard Clarke's credentials are well established, having been a national security advisor to presidents of both parties, his viewpoints are his own, not politically-driven ideology.

Clarke takes the time to go over the basics of the cyber-universe for those that are not especially net-savvy, and then gets into the meat of the what, who, where and how (the "when" is the big question of course) of potential cyber attacks against the US. He gives a bit of history on attacks that have already happened, and a few that have failed.

I say the information is a bit scary because, even with a degree in Computer Science, I did not know the extent to which the Internet connects and controls so many aspects of our daily lives; in business as well as in our personal lives. More and more machines and appliances are being built with the capability to "talk" to the manufacturers who make them, a legitimate and smart way to diagnose problems and download fixes.... but the idea that the new copy machine in my home office might be hacked, and ordered to malfunction to the point that it catches on fire, is unsettling to say the least.

This is a good book, a page turner, and delivers information every 21st Century American should know.

Clarke and Knake's book is important if for no other reason than, as they note, "there are few books on cyber war." Thus, their treatment of the issue will likely remain the most relevant text in the field for some time to come. They define cyber war as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption" and they argue that such actions are on the rise. And they also claim that the U.S. has the most to lose if and when a major cyber war breaks out, since we are now so utterly dependent upon digital technologies and networks.

At their best, Clarke and Knake walk the reader through the mechanics of cyber war, who some of the key players and countries are who could engage in it, and identify what the costs of such of war would entail. Other times, however, the book suffers from a somewhat hysterical tone, as the authors are out here not just to describe cyber war, but to also issue a clarion call for regulatory action to combat it. A bigger problem with the book is the complete lack of reference material, footnotes, or even an index. If you're going to go around sounding like a couple of cyber-Jeremiahs, you really should include some reference material to back up your gloomy assertions of impending doom.

The authors go after ISPs and many other comapnies for supposedly not caring about cyber-security. In reality, those companies have powerful incentives to make sure their networks are relatively safe and secure to avoid costly attacks and retain customers who demand their online information and activities be trouble-free. And most ISPs take steps not just to guard against malware and other types of cyber attacks, but they also offer customers free (or cheap) security software as part of a growing suite of gratis services (anti-virus, parental controls, e-mail, etc).

Clarke and Knake would like to see government impose a fairly sweeping set of new rules on ISPs to better secure their networks against potential attacks. In true deputize-the-middleman fashion, they want ISPs to engage in a great deal more network monitoring (using deep-packet inspection techniques) under threat of legal sanction if things go wrong. They admit there are corresponding costs and privacy concerns, but largely dismiss them and essentially ask us to just get over those concerns in the name of a safer and more secure cyberspace. They do, however, say they would be willing to have a "Privacy and Civil Liberties Board" appointed "to ensure that neither the ISPs nor the government was illegal spying on us." I doubt that will soothe the fears of those who (like me) are fundamentally suspicious of government snooping.

Overall, Clarke and Knake have written a book that is worth reading, but suffers from hyperbolic rhetoric and a serious lack of documentation. Readers should also seek out other perspectives on cyber-security issues, which take a more reasoned approach to the issue.

I consider the term war to be extremely overused and that includes when it appears in the term "cyber war." I prefer the longer but more accurate term, "cyber component of national rivalries." War is an event between nations where the goal for each side is to kill as many citizens of the other side as quickly and efficiently as possible so that the other nation must accept their terms. In the cyber actions of one nation against another, most human casualties are consequential rather than a direct result of the action.
Few people can match the national security credentials of Richard Clarke and in this book he makes the case for national action to protect the U. S. infrastructure from substantial cyber attack carried out by another nation. Such attacks have already been executed; to date they have not made significant noise in the major news outlets, although most have appeared in the computing literature. Clarke uses the phrase kinetic weapons to refer to the "bombs and bullets" type of warfare, so he distinguishes between cyber attacks and real attacks.
Clarke also mentions several war games that have been carried out and the results are alarming, a great deal of the infrastructure of the United States is vulnerable to a concerted cyber attack if the malicious software entities have been properly placed and timely executed. Of course, he also admits that the United States is also capable of launching cyber attacks of its own.
The most interesting points in the book are when Clarke talks about nuclear weapons and how policies evolved and agreements were reached between the United States and the Soviet Union over how the weapons would be declared and their use specified. There is no question that these agreements helped keep the world safe and worked to defuse several potential crises that could have led to the threat of nuclear weapons being used. Clarke proposes similar guidelines of allowed and disallowed behaviors in the cyber component of national rivalries. Acts such as industrial espionage, spying and other data thefts would be considered acceptable but the destruction of financial data and power plants would be disallowed and considered the equivalent of an attack by kinetic weapons. Certain trial runs that only cause limited damage would result in harsh diplomatic rhetoric but not be considered the equivalent of a kinetic attack.
There is no question that in the modern world, low-level cyber attacks of one nation against another take place on a regular basis. Up to this point, even the most significant have been more in the category of significant annoyance rather than a crisis. However, the potential of a major attack is real and potentially devastating, so it is necessary for the United States to develop an effective strategy of defense and deterrence. Clarke sets down some sound principles for such a strategy while pointing out many of the current vulnerabilities. He does an excellent job in describing the new form of the execution of national rivalries and perhaps even how the next major kinetic war will begin.

Personal note: I have taught computer science at the collegiate level for over twenty years, including courses in encryption and computer security. I have also attended many conferences where at least one of the topics was computer security.

As a former Information Technology (IT) guy, I found Cyber War to be quite interesting. While I usually dislike the term "Cyber", I guess it's the best way to describe the topic so the majority of people know what Clarke is referring to. It may be a shock to many readers just how interconnected everything has become, and the author does a good job of explaining how some systems are not actually on the Internet, but can be accessed from another computer that is. While he primarily covers strategies in the book, he does present scenarios that may scare people. For example, if you thought the plane you were flying across the country on could fall out of the sky anytime due to a hacker, would you still fly?

My main concern with he book isn't really what he write about, but rather what he doesn't touch on. He spends a lot of time comparing a "cyber" strategy to the Cold War strategy. My complaint is that while he makes them sound very related, he forgets a very important difference. In the Cold War, only a powerful government could launch a nuclear missile. In a Cyber War, just because the U.S. government may decide to not take action, does not mean that a citizen will. If you are a skilled computer guy, or a "hacker" to use the authors term, you could decide to initiate or retaliate a response without the government even knowing it. I can only assume this wasn't covered in the book because it would just complicate the strategy even more than it already is.

While the book may be too technical for some and not technical enough for others, it does a good job of laying down the foundation for a national discussion. Considering the state of the economy, I think most of us realize how quickly things can go from bad to worse, and our financial markets are extremely susceptible to this new threat. I hope the book will get more people thinking about the issue, and I'm sure that was Clarke's primary objective in writing it.

"Cyber War" is a shocking revelation of a significant threat to our world. This expose details a vulnerability for the developed world that our government and international corporations simply must address.

I served in our military for twenty four years, so I am not feeling panic. We successfully stood up and protected our country and most of the world from nuclear attack. I knew the extent of our preparations and was confident of our tactics. Now, after being retired for nearly two decades, I no longer have access to secret military capabilities and strategies. Accordingly, I must trust that those who followed me protected our national interest. Unfortunately they may only be protecting our armed services.

Most experts agree that our military is so good that no enemy could hope to compete for several decades. With that in mind, an enemy may devise a strategy that avoids direct conflict with our forces. What will happen if an enemy decides to attack our civilian structure instead. If, for example, they were able to disrupt our financial institutions so that people lost access to their bank accounts and credit cards, what could our armed forces do? If they attacked our power supplies, already subject to black outs and brown outs, they may be hurting our military as well. "Cyber War" attempts to explain just such scenarios.

Early in the text Clark and Knake review several successful cyber attacks that have occurred in the last decade. Russia, in its campaign to control Estonia and later Georgia, managed to shut down all civilian and government systems and render each country powerless. Israel, possibly using technology developed in the United States, remotely shut down the defense system of Syria so they could bomb a threatening military facility.

Most of us began to realize the nature of war had changed when the Twin Towers were destroyed on 9-11. The United States and her allies have been fighting a war on terror for the last nine years. During that period, asymmetrical warfare has advanced and other nations, like Russia and China have been developing cyber tools to both protect themselves and attack their enemies. Are we?

Clark suggests six priority actions. First, we must initiate a dialogue with the people about cyber warfare. Universities, business, government and the public need to know about the possibility and the costs of cyber attacks. There has been too much secrecy.

Second, we need a "defensive triad. Internet Service Providers (ISPs) and power suppliers needs regulation (to protect themselves and us). The authors explain that the internet centers on a few "1st Tier" Internet Service Providers (ISPs), such as Verizon and Qwest. Those ISPs must be a part of any defense against Cyber War. We must protect our power grid. Shutting down the power grid will shut down the internet. We must mobilize the Department of Defense. Any nation that decides to attack us will likely have as an intended side effect damaging DOD.

Our third necessary action is to reduce the level of cyber crime. We need the laws, the investigative tools and the punishment. Some cyber criminals are developing abilities nearly as sophisticated as that of nations.

Fourth, CWLT - Cyber War Limitation Treaty. We need a global ban as exists with nuclear weapons. Considering that all developed nations are subject to cyber attack, negotiating a treaty to limit cyber warfare activity should be possible.

Fifth, sponsor research on more secure designs. The internet is over 40 years old. The bandwidth and capabilities have improved, but security is mostly unchanged. Security within the internet system has certainly not improved.

Sixth the President of the United States must be aware and approve the placement of "logic bombs" (software applications that ask a network to shut down or erase its own programming) and "trapdoors" (like a "Trojan horse" that allows an enemy to invade undetected by security). Such actions increase the likelihood of war, and our highest government officials must be aware of their use.

I highly recommend "Cyber War". This is a must read for anyone interested in our nations defense.

Written for the public at large, this is an easily readable book which addresses the topic of cyber attacks from pranksters, hackers, and serious spies which have the potential to threaten our individual freedom and our national security. The authors cover the precedence for cyber snooping and illustrate the weaknesses inherent in computer software which have allowed this type of activity to flourish in a theoretically secure environment. They also point to political reasons why government bigwigs have chosen to ignore or address security breaches gingerly.
Constructing a variety of scenarios for potential security problems, it takes very little imagination for the reader to become adequately uncomfortable at how many levels and ways our financial systems, powers grids, and national security can be potentially compromised. While the authors state that we may already be losing the battle re: cyber war due to our own national ineptitude, they suggest potential ways to raise our national conciousness and open public dialogue on solving this problem.
While I liked this book and found the topic more than a little threatening and creepy, it seems like an ideal read for anyone who is concerned with national and/or personal security or public affairs. It is probably also of interest to computer geeks and techie types.

With the current hearings on the elevation of General Keith Alexander from NSA Director to head the recently created U.S. Cyber Command this book is up to the minute news. Richard A. Clarke, has served as a counter terrorism advisor to Presidents Bush and Clinton. His research assistant in this endeavor, Robert Knake, is an able researcher in international security issues and is a graduate of Harvard's Kennedy School of Government and a Fellow of the Council on Foreign Relations. Like Colonel Billy Mitchell's prescient 1924 forecast of an air attack on Pearl Harbor's battleships they get some concepts head on and other's only approximately. While Colonel Mitchell's prediction of the Pearl Harbor attack was from land based aircraft (his specialty) rather than carrier based bombers, these national policy experts view of cyber warfare is heavily biased to government action rather than those of criminals or black-hat hackers only loosely encouraged by government. It is a most difficult task to inform the general public on policy issues which have a technological, or scientific component and these authors have done an admirable job. Unlike Jeffrey Carr's O Reilly book "Inside Cyber Warfare" they had
less benefit of an engineer's perspective (but that book may go somewhat beyond the capabilities of a non-technologist). In describing the scenarios and policy actions by governments likely to affect the outcome of Cyber Attacks they have been guided by their own experience in handling terrorism and national policy. But the sources of danger may include private and criminal elements as well as those of national policy.

All said this book is an excellent introduction to Cyber Warfare for the general public and those seeking public policy input. Such efforts in the future might best be reviewed by both a technological and policy team.


--Ira Laefsky
MSE/MBA It Consultant and Former Senior Consultant Arthur D. Little, Inc. and DIGITAL Equipment Corporation

This is a frightening book. It describes an unexpected form of warfare in which the United States is already behind China, Russia, and possibly terrorists. And worse for us, we have already lost initial battles. Richard Clarke is a former Assistant Secretary of State and a Washington insider, having served Presidents Reagan, George H.W. Bush, Clinton, and George W. Bush. He made headlines with his charges against the Bush-Cheney administration on getting this nation into a needless war in Iraq, and events proved him correct. Now, he and Robert Knake tell how our wonderfully-efficient, computerized systems that control our electric grids, transportation systems, defense against military attack, and much of our day-to-day life are open to attack, control, and destruction by hackers, terrorists, or enemy agents working to disable us before a massive attack by a foreign power. His call for rapid and powerful action to set up defenses is right on the money. I only hope that our nation's leaders heed the warning and act swiftly.

This review first appeared on the Justice League blog [..]

Turns out that Richard Clarke is a national security policy wonk. I guess that fact is not that surprising if you knew that Mr. Clarke was once an Assistant Secretary of State working on nuclear arms control issues during the Reagan years. The general public knows Dick best as a key figure in counter-terrorism who famously testified before the 9-11 commission and then became enmeshed in partisan battles. Those of us on the front lines cyber security know Dick best as one of the first political types to focus real attention on computer security. For that, we owe Dick a major thank you.

In his new book Cyber War, co-authored by foreign policy expert Robert Knake, Mr. Clarke confronts an important topic too often swept under the rug with the burgeoning pile of security FUD--the notion of cyber war. US citizens have every right to worry about cyber war given our risk exposure. The risks of cyber war and some of the potential consequences are impressively covered in the book and even include doomsday scenarios that are getting Dick into hot water with the hipsters at Wired. Consider how little North Korea depends on the Internet (ok, they are only barely scraping by as a society), then consider the same dependency in the US. See the problem?

One of the challenges of discussing computer security rationally in the Internet Age is that devastating consequences always seem hyperbolic, even when they're not. Turns out that taking down the power grid with a cyber attack is not outside the realm of possibility. I've been told by people who actually engineer and run the grid for a living that inflicting permanent damage taking years to fix is more than possible given current design. Nor is the notion of an Information Warfare attack preceding "kinetic" involvement with explosive chunks of metal some kind of idea from Mars. One of the coolest stories in the book involves the Israeli destruction of the ill-fated Syrian nuclear facility. Scary? Yes. Hyperbolic? Not so much.

There are a few technical nits to pick, of course. Calling out the Estonian dDOS attack (most likely perpetrated by the Russians) as some kind of major cyber attack is a bit over the top. dDOS attacks are the stuff of script kiddies and solutions that thwart them are over a decade old. Most problematic of all is the overemphasis on network security mechanisms and ISPs as proposed technical solutions to the problem. I know Ed Amoroso (CSO of AT&T) believes that security defenses and monitors need to be put in place in the tier1 ISPs, and it's very clear that he has convinced Dick of that. But as a computer security expert, I am skeptical of that solution. In my view, the only way we can properly address the cyber war problem is by attacking software security head on. Fortunately Dick says the right things about software vulnerability, demonstrating a nuanced understanding all too rare among politicals.

From a policy perspective, the ideas in Cyber War are fresh, new, and important. Dick's mastery of arms control strategy comes to the fore when he discusses various ideas about cyber war non-proliferation. I must confess that my knowledge of such things is rudimentary at best. I wonder, probably naïvely, how we can think of controlling something as invisible as cyber attack capability (not to mention Trojan Horses and logic bombs) when we can't even stop Iran from refining uranium like the complete nut-jobs that they are. But SALT II and START came from somewhere, and they have been a very good thing for the world.

Some of my foreign colleagues in computer security wonder why we are so obsessed with cyber war in the States. They are not sure why we are the only society openly discussing these things. Perhaps they hear the drums of war beating again as they did in the impressively-orchestrated and utterly-delusional run up to the Iraq war. More likely I think the answer to that question lies in understanding just how vulnerable we are in the States. We may not be the most wired country in the world from a consumer perspective, but we're the most wired country in the world from a critical infrastructure perspective. Cyber war is a serious problem that calls out for serious solutions.

In final analysis, I think it behooves every computer security person to read this book and think through its points carefully. Even if you disagree with some parts of the book (as I do), we must do what we can as technically adept citizens to involve ourselves in the political discourse around cyber war. Dick does an excellent job getting the conversation started.