Review: Cyber War

Bruce Schneier reviewed the new Richard Clarke and Robert Knake book. As I would expect from Clarke it tends towards sensationalism, but has enough good bits to be worth a library hold (not to buy). Here’s Bruce:

Cyber War is a fast and enjoyable read. This means you could give the book to your non-techy friends, and they’d understand most of it, enjoy all of it, and learn a lot from it. Unfortunately, while there’s a lot of smart discussion and good information in the book, there’s also a lot of fear-mongering and hyperbole as well. Since there’s no easy way to tell someone what parts of the book to pay attention to and what parts to take with a grain of salt, I can’t recommend it for that purpose. This is a pity, because parts of the book really need to be widely read and discussed.

The fear-mongering and hyperbole is mostly in the beginning. There, the authors describe the cyberwar of novels. Hackers disable air traffic control, delete money from bank accounts, cause widespread blackouts, release chlorine gas from chemical plants, and — this is my favorite — remotely cause your printer to catch on fire. It’s exciting and scary stuff, but not terribly realistic. Even their discussions of previous “cyber wars” — Estonia, Georgia, attacks against U.S. and South Korea on July 4, 2009 — are full of hyperbole. A lot of what they write is unproven speculation, but they don’t say that.

(…) In the last chapter, the authors lay out their agenda for the future, which largely I agree with.

(…) We need more research on secure network designs. Again, even without the cyberwar bit, this is essential. We need more research in cybersecurity, a lot more.

We need decisions about cyberwar — what weapons to build, what offensive actions to take, who to target — to be made as far up the command structure as possible. Clarke and Knake want the president to personally approve all of this, and I agree. Because of its nature, it can be easy to launch a small-scale cyber attack, and it can be easy for a small-scale attack to get out of hand and turn into a large-scale attack. We need the president to make the decisions, not some low-level military officer ensconced in a computer-filled bunker late one night.

This is great stuff, and a fine starting place for a national policy discussion on cybersecurity, whether it be against a military, espionage, or criminal threat. Unfortunately, for readers to get there, they have to wade through the rest of the book. And unless their bullshit detectors are already well-calibrated on this topic, I don’t want them reading all the hyperbole and fear-mongering that comes before, no matter how readable the book.

One of the Amazon reviewers, Ari Elias Bachrach, clearly knows the topic. His review begins:

I’ve been in the information security field just about my entire professional life, both in and out of government, and I’ve been hearing people sound the alarms about “cyber warfare” for at least the last 15 years. Most of the time their grasp of the technical aspects is limited, they don’t have a clear idea about what they’re talking about, their scenarios read like movie plots, and they’re usually trying to win government contracts. Although this book does have some serious shortcomings, Clarke’s book is without a doubt the clearest and best work I’ve seen on cyber warfare. I’ll lay out his book and his thesis first, then I’ll tell you where I thought he fell short and what I thought of it.