Monday, January 21, 2013

Book Review: “Cyber War: The Next Threat to National Security and What to Do about It (2010)” by Richard Clarke and Robert Knake

Executive Summary

I recommend this book. It is essential to the cyber warrior who needs to understand the historical context around the evolution of defending any nation in cyber space. For international policy makers, it is a good place to start for a real discussion about substantive policies that the international community should consider. For the commercial security folks, read this book if you want insight into how government policy makers frame the problem and what they would want to implement if they could. Even if you do not agree with the policies, you will understand what they want. Clarke and Knake discuss the nature of cyber warfare, cyber espionage, cyber crime and cyber terrorism and provide specific examples of cyber warfare and cyber espionage.


Review

Since 2009, a plethora of books have hit the market that discuss the issue of cyber warfare. Here are just a few:
  • Apr 2009: Cyberpower and National Security (National Defense University) by Franklin D. Kramer, Stuart H. Starr and Larry Wentz
  • Nov 2009: Cyberdeterrence and Cyberwar by Martin C. Libicki
  • Jan 2010: Inside Cyber Warfare: Mapping the Cyber Underworld by Jeffrey Carr
  • Apr 2010: Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke and Robert Knake
  • Jul 2010: Surviving Cyberwar by Richard Stiennon
  • Jun 2011: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners by Jason Andress and Steve Winterfeld
  • Sep 2011: America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare by Joel Brenner
I have read two (Winterfeld’s and now Clarke’s) and I am working my way down the list, but I wanted to read this one sooner rather than later because of Clarke’s background. Before he retired from government service, he served three different US Presidents as the Special Assistant to the President for Global Affairs, the National Coordinator for Security and Counterterrorism and the Special Advisor to the President for Cyber Security [1]. Besides, I just finished reading his novel “Breakpoint,” about a significant cyber threat to the US, and thought he got most of the technical stuff right [2]. I figured he might have something smart to say about Cyber War.

Clarke and Knake published this in April 2010, just months short of when the public became aware of STUXNET [3]. Some of the things he suggests as ways forward suffer because of that game-changing event, but for the most part, I like what he brings to the table. But because of his background, this book is about policy and not really about how a nation might deploy assets in a cyber war. Specifically, it is about what the US should consider adopting going forward when considering the implications of an all-out cyber war.

He starts with a history of cyber events to demonstrate why we need the policy. He covers the usual suspects and adds one or two of which I had not previously heard:
  • (1997) CND: Eligible Receiver: US Red Team exercise that showed how vulnerable the DOD is to cyber attack [4]. 
  • (1998) Espionage: Moonlight Maze: Massive government and government-contractor data exfiltration traced back to a Russian mainframe; attribution: likely Russian government [5][6]. 
  • (1999) Warfare: “Unrestricted Warfare”: Book by Chinese military leaders that crystallizes China’s thoughts on asymmetric warfare [7].
  • (2003) Espionage: Titan Rain: Widespread compromise and data exfiltration of US government and US-government-contractor systems; attribution: likely Chinese government [8]. 
  • (2003) Warfare: US compromise of the Iraqi email system prior to the launch of the second Iraq War [9].
  • (2007) Warfare: DDOS attack against Estonia; attribution: likely Russian government [7]. 
  • (2007) Warfare: US-Israeli DOS attack against Syrian Air Defense Systems [10]. 
  • (2008) Warfare: DDOS attack against Georgia; attribution: likely Russian government [7]. 
  • (2009) Warfare: DDOS attack against US and South Korean targets; attribution: likely North Korean government [11]. 
Notice that some of these events are not really about cyber warfare at all. Two are strictly cyber espionage related (Moonlight Maze and Titan Rain). One is purely Computer Network Defense (Eligible Receiver). Some (Estonia and Georgia) just barely meet Clarke’s cyber warfare definition:
“[T]he term “cyber war” … refers to actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”
But all of these events have shaped Clarke’s thoughts on what to do about cyber warfare. “Eligible Receiver” proved that DOD networks are vulnerable. Even after a decade, you could make the case that DOD networks are as porous today as they were back in 1997 [12][13]. “Moonlight Maze” was the proverbial wake-up call though. A year before the Chinese figured out what asymmetry is, somebody from Russia broke into a large number of government systems and stole truckloads of data. This was a decade after the Cuckoo's Egg spy ring was caught and attributed to the Russians too. A year later, the Chinese crystallized their thoughts about how useful asymmetry might be in a coming conflict with the US.

The Chinese watched how successful the Americans were in the first Iraq war but also how dependent on technology the US Army was in its efforts. Chinese military leaders believed that a nation that was not as strong militarily (China) could leverage an existing asymmetry by concentrating on defeating the technology first and not the tanks, aircraft carriers and fighter jets that they were no match for. According to dictionary.com, asymmetry means a “disproportion between two or more like parts” [14]. Clarke says that when a nation sits on the high end of that equation (the US, for example), it has a high degree of “cyber dependence.” In other words, that nation depends greatly on cyber for it to function. If that is out of balance, an asymmetric advantage develops and cyber defense is more important than cyber offense.

The Chinese wanted to take advantage of that and published their first thoughts about the idea in that “Unrestricted Warfare” book. Four years later, “Titan Rain” proved again how weak the DOD networks were and how successful the Chinese had been in pursuing their asymmetric vision.

From there, Clarke describes examples of how various nation states have experimented with Cyber Warfare in the past: US, Russia, Israel and North Korea. With this history lesson complete, Clarke makes the case that the US defenses against these kinds of attacks are weak, both for government networks and for commercial networks, and spends the rest of the book talking about what should be done about it.

Clarke’s bottom line is that, painful as it might be, the US will require sweeping new laws, regulations and policy in order to protect the nation from this threat. He points out that Cyber Command is responsible for defending the DOD networks and that the Department of Homeland Security is responsible for protecting the non-DOD government networks. Nobody is responsible for protecting the commercial side. That seems short-sighted when you lay it out like that, but in truth, the commercial side really wants no part of US government help when it comes to defending their own networks. Let’s face it, the government’s track record is not that good. About the only thing the commercial side wants from the government is its intelligence feed. This stand-off between the US government and the commercial sector has been going on for well over a decade. Clarke’s point is that enough is enough. Tough decisions are required. He proposes the Defense Triad Strategy:
  1. Secure the US Backbone 
  2. Secure the US Power Grid 
  3. Install security best practices on all government networks (NIPRNET /SIPRNET /JWICS) 
I totally agree with the first one. Today, the US internet is a conglomeration of commercial ISPs who interconnect with each other as the business need demands. Their connections to each other and to the rest of the world are based on business decisions. While all of the big ones cooperate with each other and with the US government, their first priority is to make money. If a large-scale attack on the financial system, for example, is launched by a foreign adversary, the US government has no first-hand means to monitor the situation. It has to depend on the generosity of the commercial sector to share information. Today, most of these commercial companies willingly share with the government, but the system is inefficient and will likely not prevent the first wave of attacks. Clarke’s point is that somebody from the government should be monitoring the US cyber perimeter. Privacy advocates will scream and detractors will point out that it is equally possible to launch an attack against the food system from within the US as it is from a foreign country. Clarke acknowledges those issues but argues that just because they will be controversial does not mean we should not address them.

For Clarke’s second point, I was a little skeptical at first. Why single out power as the first priority among 18 different critical infrastructure sectors such as banking and food? After a little thought though, it is clear that power is the lynchpin for the entire shooting match. The reason the US is cyber dependent is because it has reliable power distributed across the entire nation. Take that out and the rest of the 18 critical infrastructure sectors come tumbling down after it.

For his last point, it is a little sad that we have to say this. The US Government should install basic best practice security measures (like need-to-know network segmentation, file encryption, and host-based intrusion detection technology) across all of its networks. The fact that the government has not done this is a little scary, but it is my experience that this is not an act of incompetence. It really comes down to cost. The US government networks are some of the largest in the world. To install all of that technology on every laptop and computer on three different networks is not cheap. In a world of limited resources, when you compare the trade-off between buying file encryption software to, say, buying body armor for deployed soldiers, file encryption is going to lose every time.

Clarke realizes that it is unlikely that any US leader will be able to push through these radical ideas from the start. In order to get there, he proposes six paths that the international community should work on in parallel:
  1. Broad public dialog about cyber war 
  2. Create the Defensive Triad 
  3. International cooperation on Cyber Crime 
  4. Begin Cyber Arms Reduction
  5. R&D for more secure networks 
  6. President is required to make decision on Computer Network Attack (CNA) 
Number three is a no-brainer. Why does the world tolerate things like spamming organizations and botnets? In my naive fantasy world, I can see world leaders, perhaps sitting around the negotiating table at the UN, deciding that these kinds of things will not exist and that whenever one is discovered, every nation pitches in to dismantle it. OK, so this might not be realistic, but I think there is a lot more common ground here than there is disagreement.

For cyber arms reduction, Clarke comes from the nuclear world and it makes sense that he would try to apply the successes that world has achieved to the cyber space arena. I am not quite sure what would come of those discussions, especially since the US has decided that Computer Network Attack (see Stuxnet [3]) is a viable middle ground for influencing nations in the Middle East as compared to deploying troops or dropping bombs, but perhaps the international community can agree on big-ticket items like not attacking each other’s power grids. But, by all means, let’s bring the leaders to the table and see what comes of it.

For number three (Cyber arms reduction) and number four (presidential decision making), this is where Clarke did not benefit from knowing about Stuxnet prior to publishing his book. For the attacks against the Iranian uranium enrichment facility, President Bush moved the operation under Title 50 authority, the intelligence channels. Using something called Presidential Findings, the US President is authorized to approve covert missions. These cyber operations fall loosely into the same legal category as drone operations in the Middle East and the assassination of Osama Bin Laden in Pakistan. A Presidential Finding is a written description of a covert action that must be shared with the appropriate intelligence committees in Congress. Findings describe influence actions against political, economic or military objectives [15]. The good news is that one of the six parallel paths on Clarke’s list is already done.

I have one side note to discuss before I finish this review. Clarke describes how the US Air Force, Navy and Army have progressed in the cyber arena since “Moonlight Maze.” He was not kind to the US Army: "If the Army sounds like the least organized of the services to fight cyber war, that is because it is." Some of you may know that my last job in the Army was running the Army Computer Emergency Response Center (ACERT) right around the Titan Rain time-frame. My job was to coordinate actions across the cyber spectrum: Defense, Exploitation and Attack. When I was there, we were breaking new ground trying to figure out how to operate in this new space. General Alexander, now the NSA Director and the commander of Cyber Command, was my senior rater. Some of the things he is doing at the national level at Cyber Command, he experimented with first as the INSCOM Commander in charge of the ACERT. I admit that hearing that the Army has fallen so far behind the other services in this arena stings a bit. To be fair though, the Army has been fighting two land wars in the Middle East for the past decade. Its leadership may have had one or two other pressing issues to worry about than developing its cyber capability.

Conclusion

I recommend this book. At the very least, an open and frank discussion of Clarke’s six parallel paths between international government leaders and commercial business leaders would not be a bad thing. Nothing can happen if we do not put everything on the table and discuss it. We can use Clarke’s book to get the conversation started.

Note: 
Cyber War: The Next Threat to National Security and What to Do about It is a Cybersecurity Canon Candidate. Please visit the official page sponsored by Palo Alto Networks to read all the books from the Canon project.
Sources
[1] “Bio: Richard A. Clarke,” Cyber War by Richard A. Clarke and Robert K. Knake, Last Visited: 1 January 2013
http://www.richardaclarke.net/bio.php

[2] “Book Review: “Breakpoint (2007)” by Richard Clarke,” By Rick Howard, Terebrate, 1 Jan 2013, Last Visited 21 January 2013
http://terebrate.blogspot.com/2013/01/book-review-breakpoint-2007-by-richard.html

[3] “A Declaration of Cyber-War” by Michael Gross, Vanity Fair, April 2011, Last visited 20 January
http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104

[4] “Cyberwar Timeline,” By Mark Clayton, The Christian Science Monitor, 7 March 2011, Last Visited 19 January 2013
http://www.csmonitor.com/USA/2011/0307/Cyberwar-timeline

[5] “Cyberattack [Moonlight Maze] Reveals Cracks in U.S. Defense,” By Elinor Abreu, PCWorld, 9 May 2001, Last Visited 20 January 2013
http://www.pcworld.com/article/49563/article.html

[6] “Cyberwar [Timeline],” By Frontline, 24 April 2003, Last Visited 20 January 2013
http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/

[7] “Establishing a Cyber Warfare Doctrine,” By Andrew Colarik and Lech Janczewski, Journal of Strategic Security, Volume 5, Issue 1, pp. 31-48, 2012, Last Visited 19 January 2013
http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1123&context=jss

[8] “Inside the Chinese Hack Attack [Titan Rain],” By Nathan Thornburgh, Time Magazine, 25 August 2005, Last Visited 20 January 2013
http://www.time.com/time/nation/article/0,8599,1098371,00.html

[9] Note: I could find no other sources corroborating this fact

[10] “Israeli sky-hack switched off Syrian radars countrywide Backdoors penetrated without violence.” By Lewis Page, The Register, 22 November 2007
http://www.theregister.co.uk/2007/11/22/israel_air_raid_syria_hack_network_vuln_intrusion/

[11] “North Korea launched cyber attacks, says south,” By Associated Press, theGuardian, 11 July 2009
http://www.guardian.co.uk/world/2009/jul/11/south-korea-blames-north-korea-cyber-attacks

[12] “Computer Spies Breach Fighter-Jet Project [F-35],” By Siobhan Gorman, The Wall Street Journal, 21 April 2009, Last Visited 20 January 2013
http://www.darkreading.com/security/news/222700786

[13] “Chinese Hackers Stole Plans for America's New Joint Strike Fighter Plane [F-35], Says Investigations Subcommittee Chair,” By Christopher Groins and Pete Winn, The Wall Street Journal, 25 April 2012, Last Visited 20 January 2013
http://cnsnews.com/news/article/chinese-hackers-stole-plans-americas-new-joint-strike-fighter-plane-says-investigations

[14] “Asymmetry,” By Dictionary.com, Last Viewed January 2013
http://dictionary.reference.com/browse/asymmetry

[15] Note: I got this information from an interview I conducted with a military lawyer in the fall of 2012. That lawyer wishes to be an anonymous source.

4 comments:

  1. This book is actually a huge part of a Masters level National Security course I'm going through, and I appreciate your review on it. I think it provides great background on the issues, not just a "This is frightening and we should pay attention," type of publication, but a well rounded look at successes, failures, and opportunities for the future. Another thing which I appreciate in this book is its smoothness in transitioning from topic to topic. I'm currently reading "Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners", and I find it quite choppy. Perhaps it is because it's broken down into chapters, sub-chapters, and sections, but the transition doesn't seem as smooth, which can hinder understanding.
  2. I wrote a review of "Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners" for Slashdot back in 2011. I will re-post it here later today, but if you can't wait, here is the link: http://bit.ly/10Os8Uu.

    As I implied in my review, Clarke's book is a discussion about policy written by an experienced national-level policy maker. Winterfeld's book is a discussion about the cyber security environment written by a military practitioner with years of domain experience. I think I would attribute the choppiness you highlight to a military writing style. As I said in my Slashdot review, the first three chapters in the Winterfeld book have a lot of good information.
  3. I don't disagree that it has some great information. I agree, it might just be a different writing style. Clarke is quite narrative in style, and I feel like his book is much more aimed towards the more casual reader, while "Cyber Warfare" was written for a slightly more informed and invested audience.