If our leaders don’t even use email, can we trust them to make decisions about our brave new e-world? In a book released a few days ago—Cybersecurity and Cyberwar: What Everyone Needs to Know—we are immediately struck by how unprepared we really are as a society:
As late as 2001, the Director of the FBI did not have a computer in his office, while the U.S. Secretary of Defense would have his assistant print out e-mails to him, write his response in pen, and then have the assistant type them back in. This sounds outlandish, except that a full decade later the Secretary of Homeland Security, in charge of protecting the nation from cyber threats, told us at a 2012 conference, “Don’t laugh, but I just don’t use e-mail at all” … And in 2013, Justice Elena Kagan revealed the same was true of eight out of nine of the United States Supreme Court justices, the very people who would ultimately decide what was legal or not in this space.
Scary. Or is this a strategic choice to opt out of technology, given online threats every day in the news?
As breathless headlines on cyber dangers reach a fever pitch, the new book by Peter Singer and Allan Friedman comes right on time to help cut through the hysteria and wake up the oblivious. It’s an impressive tour de force, as was Singer’s 2009 bestseller Wired for War on military robots. But the subject of this new book is technically more complex, and it demands a different, more approachable treatment. To that end, Singer and Friedman have written a book that is as accessible as it is complete: the discussion follows a question-and-answer format—digestible bites to choose from, as you like—and the prose is as entertaining as nonfiction can be, with pop-culture references and current events sprinkled throughout.
In this review, I will walk through the main parts of the book, pointing out areas of interest. As an overview, the book is sensibly organized in three parts: the first part “How It All Works” explains in simple language the technology behind cybersecurity and cyberwar; the second part “Why It Matters” draws out the legal, policy, and social implications; and the third part “What Can We Do?” examines possible solutions to this complex puzzle. So there’s something for everybody, and only a relative few people in the world today have a holistic grasp of all these moving parts.
As with Wired for War, readers will appreciate the storytelling around what could have been a dry subject. This is in part due to the many interviews the authors conducted with key players in cybersecurity and cyberwarfare—weaving in human stories, firsthand reports, and important history lessons into their narrative. Offhand remarks also make for a fun read, like references to Shark Week, Members Only jackets, Gangnam Style, RickRolling, and cat videos. But the book also has serious academic chops: Written by two PhDs from the famed Brookings Institution, it engages the latest news related to cyber and is meticulously researched, as seen from the sheer number of sources in nearly 600 endnotes.
Part 1: How It All Works
Cybersecurity and Cyberwar is careful to ground the discussion in real computer science and engineering, not in popular misconceptions. To know how cyber threats work and defend against them, we first need to know how computer networks operate, and this means starting with ARPANet, precursor of the modern Internet.
So in this section of the book, we’re introduced to packet-switching, DNS, ICANN, firewalls, advanced persistent threats, SQL injections, DDoS attacks, certificate authorities, cryptography, and other basic concepts. A lot of this alphabet soup can be intimidating to the layperson; however, the discussion proceeds in plain, relatable language:
The last line of defense is akin to the strategy that nuns use to police Catholic school dances. The nuns often stuffed balloons between teenagers dancing too closely, creating an “air gap” to ensure nothing sneaky happens. In cybersecurity terms, an air gap is a physical separation between the network and critical systems … The problem with air gaps, much like the abstinence the nuns try to enforce, is that it often doesn’t work in practice … maintaining an air gap is often unrealistic, as the Iranians discovered when their supposedly air-gapped systems still got infected by the Stuxnet virus.
Beyond the technical details, the book also offers obscure trivia to make history come to life. For instance, the first word ever transmitted across a computer network (ARPANet) was “Lo” in 1969…as a mistake; the network crashed on UCLA researchers before they could finish typing “Log” to log into a computer at Stanford Research Institute (now SRI). More recent trivia: just a few months after computer-security experts cleaned the network of a major U.S. trade association, a thermostat and printer in its building were caught sending messages to a computer in China—betrayed by its own appliances.
These stories and technical concepts are framed by the primary goals of information security: confidentiality, integrity, and availability (also known as the “CIA triad”). Confidentiality is about keeping data private; integrity is about ensuring that the system and data weren’t tampered with; and availability is about the ability to use a computer system as anticipated.
The biggest virtue of this section, however, isn’t in its obvious technical expertise. What separates it from other soulless primers is its masterful use of stories—real events—to help readers “get it”, such as: when Pakistan accidentally “broke the Internet” by redirecting YouTube traffic through its servers in an effort to censor content; how a Carnegie Mellon professor could guess the social security number of a face online, with uncanny accuracy; and how game-changers, such as WikiLeaks, Bradley Manning, and Edward Snowden, were able to do what they did.
Again, in plain, engaging language:
In 2008, a U.S. soldier was walking through a parking lot outside of a U.S. military base in the Middle East when he spotted an unwrapped candy bar lying on the ground. Without knowing who had left it or how long the candy had been on the ground, he decided to take the bar inside the base and eat it for lunch. Sounds absurd and even a bit disgusting, right? Well, substitute a USB flash drive for that candy bar, and you have the story of what started Buckshot Yankee, one of the largest cyber breaches in U.S. military history.
The human, apparently, is one of the weakest links in cybersecurity. Other anecdotes support this claim, such as this one, inside the minds of cyberattackers:
The reconnaissance and preparations can take months. The teams are not just trying to understand the organization of the target but also its key concerns and even tendencies. One [advanced persistent threat], for example, was casing a major technology firm headquartered in Minnesota. Team members eventually figured out that the best way to crack the system was to wait until a major blizzard. Then they sent a fake e-mail about the firm changing its snow day policy; in Minnesota, this was something that everyone from the CEO on down cared about. Another effort, which American national security officials have blamed on Chinese intelligence and military units, gathered details not only on targets’ key friends and associates but even what farewell they typically used to sign off their e-mails (e.g., “All the best” vs. “Best regards” vs. “Keep on Trucking”) to mimic it for a spear phishing attack vector.
The sections here have helpful, self-explanatory titles, offering the reader a menu from which to pick and choose; the book doesn’t need to be read from start to finish or in order. The framing questions include: How does the Internet actually work? Who runs it? What are the threats? How do we trust in cyberspace? How do we keep the bad guys out? And more.
Part 2: Why It Matters
This next part is the largest of the book’s three parts—so I’ll give it a longer look here—and it makes a convincing case for why we need to pay attention to cyber. Many of us have been on the receiving end of a cyber threat, whether a victim of malware, email scams, or hackers intent on stealing our personal information and credit card numbers from stores. More than nuisances, there’s a real cost attached to cleaning our infected computers as well as identity theft, such as a damaged credit report that prevents you from getting a loan or mortgage. On cybercrime, the book covers a full range of misdeeds, including Nigerian scams, the Stranded Traveler con, fake charities, typosquatting, and more.