Cyber War: The Next Threat to National Security and What to Do about It

I've been in the information security field just about my entire professional life, both in and out of government, and I've been hearing people sound the alarms about "cyber warfare" for at least the last 15 years. Most of the time their grasp of the technical aspects is limited, they don't have a clear idea about what they're talking about, their scenarios read like movie plots, and they're usually trying to win government contracts. Although this book does have some serious shortcomings, Clarke's book is without a doubt the clearest and best work I've seen on cyber warfare. I'll lay out his book and his thesis first, then I'll tell you where I thought he fell short and what I thought of it. Clarke first gives an overview of all the instances to date where cyber attacks have been used by state actors. In all cases but one (The Estonia attacks in 2007), the cyber attack was used to enhance a conventional attack. This is actually the best such overview I've seen, included some examples I hadn't heard of before, and Clarke's analysis is spot on. The only thing he didn't include was the very recent "operation aurora" (Google it if you want details), which probably occurred after he finished writing the book. The book then has a detailed discussion of American policy on cyber warfare, and Clarke details all the developments to date. Since Clarke worked for presidents Clinton, Bush, and Obama on national security issues, this book provides a front row seat to the ins and outs of the way our policies have developed. Clarke also details what is known about the cyber war capabilities of other countries, including China, Russia, and North Korea. Only then does Clarke begin to go into the technical aspects of cyber attacks, but the technical stuff is very high level (the back cover description explicitly says that this book goes "beyond the geek talk"). He really is just trying to show the potential damage that can be done with cyber attacks. (In other words, this is the part of the book where he tries to scare you). Clarke then discusses what he views as the primary reasons there has not been significant action in the area of defending against concerted cyber attacks. It is, in my opinion, a very realistic and fair analysis which avoids finger pointing. He then starts to lay out what he feels are reasonable defenses that the US must begin to take. In the last part of the book he lays out a clear agenda for defending against cyber attacks which includes a mix of regulation (he admits it's a dirty word but thinks it's necessary), more technical controls at major network boundaries, and an expanded scope for DHS to protect the civilian infrastructure too. He also discusses international arms control treaties, and appears to be a big fan of some international cyber war treaties, which, like nuclear arms control treaties from a generation ago, could be used to create "rules of the game" for international war. As I said, in the beginning, this is without

Richard Clarke's credentials are well established, having been a national security advisor to presidents of both parties, his viewpoints are his own, not politically-driven ideology. Clarke takes the time to go over the basics of the cyber-universe for those that are not especially net-savvy, and then gets into the meat of the what, who, where and how (the "when" is the big question of course) of potential cyber attacks against the US. He gives a bit of history on attacks that have already happened, and a few that have failed. I say the information is a bit scary because, even with a degree in Computer Science, I did not know the extent to which the Internet connects and controls so many aspects of our daily lives; in business as well as in our personal lives. More and more machines and appliances are being built with the capability to "talk" to the manufacturers who make them, a legitimate and smart way to diagnose problems and download fixes.... but the idea that the new copy machine in my home office might be hacked, and ordered to malfunction to the point that it catches on fire, is unsettling to say the least. This is a good book, a page turner, and delivers information every 21st Century American should know.

The title, and the phrase "cyber war", which has been over-hyped of late, might seem over-wrought -- but for the author, and for the compelling case he makes. This is a field in which an entire industry has had to come into being to stop the avalanche of hacks, worms, viruses, botnets and trojan horses that bedevil the Internet every day. It turns out that the potential for a much greater, overwhelming hit is far greater. The cyber-invasions of Estonia and Georgia are already a matter of record. Mr. Clarke walks us through a number of different scenarios and different dark alleys of the Internet -- and if even one of these scenarios comes true, it will be bad. He also makes the point that our defenses are weak: at best, he says, Dept of Defense might protect the dot-mil sites, Homeland Security might protect the dot-gov sites. Apparently our utility systems, our communications, our transportation networks, our banks -- to name a few -- are wide open but for private net-security software and personnel. It's as if, during the Cold War, he asserts, that private industry would have had to provide its own Nike batteries against Soviet attack. He also makes the point, the important point, that even absent a catastrophic attack, our intellectual properties are in peril and that may quietly produce, over years rather than milliseconds, our decline. A creeping cyber-espionage, a quiet theft of our trade secrets, research and patents, may, he says, be just as destructive in the long run. This is an important book, among few in this subject area, that deserves pondering. Even if it merely sparks a national discussion, even if only a small portion of this threat, as he describes it, turns out to be potent, then this work will have been a boon. Highly recommend.

I consider the term war to be extremely overused and that includes when it appears in the term "cyber war." I prefer the longer but more accurate term, "cyber component of national rivalries." War is an event between nations where the goal for each side is to kill as many citizens of the other side as quickly and efficiently as possible so that the other nation must accept their terms. In the cyber actions of one nation against another, most human casualties are consequential rather than a direct result of the action. Few people can match the national security credentials of Richard Clarke and in this book he makes the case for national action to protect the U. S. infrastructure from substantial cyber attack carried out by another nation. Such attacks have already been executed; to date they have not made significant noise in the major news outlets, although most have appeared in the computing literature. Clarke uses the phrase kinetic weapons to refer to the "bombs and bullets" type of warfare, so he distinguishes between cyber attacks and real attacks. Clarke also mentions several war games that have been carried out and the results are alarming, a great deal of the infrastructure of the United States is vulnerable to a concerted cyber attack if the malicious software entities have been properly placed and timely executed. Of course, he also admits that the United States is also capable of launching cyber attacks of its own. The most interesting points in the book are when Clarke talks about nuclear weapons and how policies evolved and agreements were reached between the United States and the Soviet Union over how the weapons would be declared and their use specified. There is no question that these agreements helped keep the world safe and worked to defuse several potential crises that could have led to the threat of nuclear weapons being used. Clarke proposes similar guidelines of allowed and disallowed behaviors in the cyber component of national rivalries. Acts such as industrial espionage, spying and other data thefts would be considered acceptable but the destruction of financial data and power plants would be disallowed and considered the equivalent of an attack by kinetic weapons. Certain trial runs that only cause limited damage would result in harsh diplomatic rhetoric but not be considered the equivalent of a kinetic attack. There is no question that in the modern world, low-level cyber attacks of one nation against another take place on a regular basis. Up to this point, even the most significant have been more in the category of significant annoyance rather than a crisis. However, the potential of a major attack is real and potentially devastating, so it is necessary for the United States to develop an effective strategy of defense and deterrence. Clarke sets down some sound principles for such a strategy while pointing out many of the current vulnerabilities. He does an excellent job in describing the new form of the exec

This is a frightening book. It describes an unexpected form of warfare in which the United States is already behind China, Russia, and possibly terrorists. And worse for us, we have already lost initial battles. Richard Clarke is a former Assistant Secretary of State and a Washington insider, having served Presidents Reagan, George H.W. Bush, Clinton, and George W. Bush. He made headlines with his charges against the Bush-Cheney administration on getting this nation into a needless war in Iraq, and events proved him correct. Now, he and Robert Knake tell how our wonderfully-efficient, computerized systems that control our electric grids, transportation systems, defense against military attack, and much of our day-to-day life are open to attack, control, and destruction by hackers, terrorists, or enemy agents working to disable us before a massive attack by a foreign power. His call for rapid and powerful action to set up defenses is right on the money. I only hope that our nation's leaders heed the warning and act swiftly.