If our leaders don’t even use email, can we trust them to make decisions about our brave new e-world? In a book released a few days ago—Cybersecurity and Cyberwar: What Everyone Needs to Know—we are immediately struck by how unprepared we really are as a society:
As late as 2001, the Director of the FBI did not have a computer in his office, while the U.S. Secretary of Defense would have his assistant print out e-mails to him, write his response in pen, and then have the assistant type them back in. This sounds outlandish, except that a full decade later the Secretary of Homeland Security, in charge of protecting the nation from cyber threats, told us at a 2012 conference, “Don’t laugh, but I just don’t use e-mail at all” … And in 2013, Justice Elena Kagan revealed the same was true of eight out of nine of the United States Supreme Court justices, the very people who would ultimately decide what was legal or not in this space.
Scary. Or is this a strategic choice to opt out of technology, given online threats every day in the news?
As breathless headlines on cyber dangers reach a fever pitch, the new book by Peter Singer and Allan Friedman comes right on time to help cut through the hysteria and wake up the oblivious. It’s an impressive tour de force, as was Singer’s 2009 bestseller Wired for War on military robots. But the subject of this new book is technically more complex, and it demands a different, more approachable treatment. To that end, Singer and Friedman have written a book that is as accessible as it is complete: the discussion follows a question-and-answer format—digestible bites to choose from, as you like—and the prose is as entertaining as nonfiction can be, with pop-culture references and current events sprinkled throughout.
In this review, I will walk through the main parts of the book, pointing out areas of interest. As an overview, the book is sensibly organized in three parts: the first part “How It All Works” explains in simple language the technology behind cybersecurity and cyberwar; the second part “Why It Matters” draws out the legal, policy, and social implications; and the third part “What Can We Do?” examines possible solutions to this complex puzzle. So there’s something for everybody, and only relatively few people in the world today have a holistic grasp of all these moving parts.
As with Wired for War, readers will appreciate the storytelling around what could have been a dry subject. This is in part due to the many interviews the authors conducted with key players in cybersecurity and cyberwarfare—weaving in human stories, firsthand reports, and important history lessons into their narrative. Offhand remarks also make for a fun read, like references to Shark Week, Members Only jackets, Gangnam Style, RickRolling, and cat videos. But the book also has serious academic chops: Written by two PhDs from the famed Brookings Institution, it engages the latest news related to cyber and is meticulously researched, as seen from the sheer number of sources in nearly 600 endnotes.
Part 1: How It All Works
Cybersecurity and Cyberwar is careful to ground the discussion in real computer science and engineering, not in popular misconceptions. To know how cyber threats work and defend against them, we first need to know how computer networks operate, and this means starting with ARPANet, precursor of the modern Internet.
So in this section of the book, we’re introduced to packet-switching, DNS, ICANN, firewalls, advanced persistent threats, SQL injections, DDoS attacks, certificate authorities, cryptography, and other basic concepts. A lot of this alphabet soup can be intimidating to the layperson; however, the discussion proceeds in plain, relatable language:
The last line of defense is akin to the strategy that nuns use to police Catholic school dances. The nuns often stuffed balloons between teenagers dancing too closely, creating an “air gap” to ensure nothing sneaky happens. In cybersecurity terms, an air gap is a physical separation between the network and critical systems … The problem with air gaps, much like the abstinence the nuns try to enforce, is that it often doesn’t work in practice … maintaining an air gap is often unrealistic, as the Iranians discovered when their supposedly air-gapped systems still got infected by the Stuxnet virus.
Beyond the technical details, the book also offers obscure trivia to make history come to life. For instance, the first word ever transmitted across a computer network (ARPANet) was “Lo” in 1969 … as a mistake; the network crashed on UCLA researchers before they could finish typing “Log” to log into a computer at Stanford Research Institute (now SRI). More recent trivia: just a few months after computer-security experts cleaned the network of a major U.S. trade association, a thermostat and printer in its building were caught sending messages to a computer in China—betrayed by its own appliances.
These stories and technical concepts are framed by the primary goals of information security: confidentiality, integrity, and availability (also known as the “CIA triad”). Confidentiality is about keeping data private; integrity is about ensuring that the system and data weren’t tampered with; and availability is about the ability to use a computer system as anticipated.