Cyber War: The Next Threat to National Security and What to Do About It
By Richard A. Clarke and Robert K. Knake
Published by Harper Collins, 2010
This is a deeply disturbing book on several levels:
On the first level, it postulates a serious security concern facing the United States that, it says throughout, the nation is ill-prepared to deal with.
Secondly, it presents lots of “facts” about that problem without any substantiating citations to support them.
Thirdly, it dabbles in the US political domain and tries very hard to seem relatively non-partisan -- not always with success!
So, what have we here? A book written largely by an American who has represented security concerns in both Republican and Democratic administrations over the past several decades. A book about what it calls Cyber War, a war fought not on traditional battlefields but in cyberspace, using techniques often attributed to hackers. And in that war, it discusses the fear that the US, although prepared to deal with such a war offensively, has taken almost no steps to fight that same war from a defensive point of view.
Let’s start with a bit about the author(s). Richard A. Clarke served as advisor to Presidents Ronald Reagan, both George Bushes, Bill Clinton, and Barack Obama. Although the book is frequently written in the first person, Clarke has a co-author (as noted above), and because of that when the book speaks of “I” it is at first difficult to be sure who is speaking. Because those discussions tend to be about government matters, and ones that involved the first author, it becomes clear after awhile that it is Clarke who is speaking.
Secondly, let’s talk about the War. Clarke’s concern is largely about other-nation-sponsored hackers who want to do destructive things to the cyber capabilities of the US, mostly denial of service attacks to disable such things as the US banking system, the US power grid, or even US military capabilities. He sees such governments as Russia, China, and North Korea being behind most such attacks, even when the attacks appear to be from private citizens operating out of other countries. And he even provides a ranking of world nations on what he calls “Overall Cyber War Strength,” doing a rudimentary rating system that sees North Korea, Russia, China, Iran, and the US (in that order) when rated on offensive cyber war capability, defensive capability, and dependence on cyber systems (a country such as North Korea that has little dependence on cyber systems is particularly strong -- invulnerable, even -- in that category).
Thirdly, there’s that whole political domain thing. Basically, this book seems to be Clarke’s appeal to the public for support for concerns that none of the presidents for whom he served were willing to do anything about. Much of the book is spent telling of his battles to convince various administrations that something needed to be done to beef up our Cyber defenses. In a purely non-partisan statement, he says, “Many of the things that have to be done to reduce America’s vulnerability to Cyber War are anathema to one or the other end of the political spectrum” (he notes that some of those things would require government regulation, and others would require some violations of privacy). But sometimes his pent-up partisan anger boils over, as when he notes a particularly offensive opponent of his ideas and says, “Cheney, I’m thinking of you here!”
About the lack of citations. As someone used to reading material written by academics, I have come to appreciate their writing style, where if you state a “fact” you must substantiate if with a citation to some source that allows you to state that fact with some confidence. Now there are, of course, a couple of occasions in which that approach does not work -- when no one has written about this particular subject previously (it represents original thinking), and when the source of the facts is the author himself or herself. And, to give the author of this book his due, both of those criteria could explain the lack of citations here. After all, much of what this author is discussing emerges from his time as a presidential advisor, where what was being discussed was quite likely being discussed both for the first time and by the author and his colleagues themselves.
The early parts of the book are mostly about anecdotes of Cyber War attacks, and I found myself experiencing both of those disturbing reactions I mentioned at the beginning of this review -- these are really deeply scary stories, and, since they go un-cited, are they really true? As the book went on, I overcame for the most part both of those early reactions, especially when I came to realize that much of the book is autobiographical.
There are some oddities in the book:
- In a chapter that begins with stories of US “Cyber Warriors,” the book veers off to spend much of the chapter instead discussing China’s capabilities in this area and then concludes by saying that “the Russians are definitely better” about these approaches, without spending much time on specific Russian stories at all.
- The author is clearly anti-Microsoft, pro open-source, and less knowledgeable about software creation than he should be. He tells stories of Bill Gates signing an agreement with the Chinese that would allow them to see and modify Windows operating system code (why would he, and why would China care?) Noting that errors in software leave open too many possibilities for Cyber War attacks, he concludes that we should produce error-free software and suggests achieving that by (a) using artificial intelligence to write such code and (b) using open source software people (he obviously thinks open sourcers are superior to other programmers).
Where does the danger in Cyber War lie? The book mentions things like “stealing information, sending out instructions that could result in moving money, spilling oil, venting gases, blowing up generators, crashing trains and airplanes, and causing missiles to detonate.” He then elaborates on such doomsday scenarios.What should we do about this? As a first level of defense, the author advocates
- protecting the Internet backbone (there is no need to protect any individual computers if the backbone is secure)
- protecting the power grid
- protecting DoD networks and systems
...And then the book presents the scenario for a Cyber war game between the US and China that relies on those approaches to de-escalate the conflict.
The book ends with another oddity: It proposes two US presidential speeches: one to the US military academies at commencement time, announcing a new doctrine of Cyber Equivalence, and then another to the United Nations advocating and in fact announcing a Cyber Network security plan.
I cannot recall ever reading another book that suggested what the US president ought to say on a particular subject in a speech and to whom it should be said.
Now, is this book important, and should you read it? In spite of its flaws, and my reactions to those flaws, I think the correct answers here are “yes” and “yes.”
(Note that this book and this review are written from a US point of view. What I identify here as “scary” might not be scary to someone from another country.)