We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except it’s a canon for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Executive Summary
Cyber-War attempts to demystify technical concepts surrounding the study of cyber threats and, in particular, the likelihood and possibility of a cyber war. It does so by focusing on certain key debates within government and academic circles, bringing a plain-language approach to them, and examining the hyperbole and generalizations that often accompany such debates. In doing so, the author, Julian Richards, largely accomplishes his goal, which is not one of resolving debate but rather encouraging a standard framework for that debate.
While the approach Richards uses in Cyber-War is a valid one, his examples and conclusions suffer a bit from the passage of time and the accompanying increased understanding and visibility of the strategic cyber threats facing the U.S. For this reason, I am not recommending it for inclusion in the Cyber Canon.
Review
Cyber-War’s author, Julian Richards, is the Co-Director of the Centre for Security and Intelligence Studies at the University of Buckingham, U.K. He spent 17 years working in security and intelligence for the U.K. government. But despite being written by a U.K. security expert, Cyber-War is remarkably U.S.-centric in its analysis, perhaps owing to the relative wealth of cyber incidents affecting, or publicized in, the U.S.
Richards begins with the premise that we can’t really have an honest discussion about the real risk posed by cyber attacks and whether those attacks rise to the level of cyber war because of two impediments to analysis: 1) Cyber is an inherently technical realm, which in essence makes it difficult for non-techies to understand and assess; and 2) Discussion of the potential for cyber war is framed more in terms of science fiction than fact. Cyber-War sets out to “cut through some of the myth and hyperbole surrounding the cyber debate.” Richards doesn’t really seek to resolve or settle any debate (although he admits to having his own views), but instead to lay out a clearer playing field for those debates. To that extent, Cyber-War is relatively successful.
Richards begins his book by bringing up some of the major cyber events from preceding years. He highlights the fact that often, the initial knee-jerk response to these events was to assign blame to actors in accordance with developing norms of the time, e.g., to assign blame to Russia for a SCADA attack when in fact it was a simple error by an employee. Having lived through the response to that “attack,” and witnessing firsthand the speed with which a conclusion was reached, I recognize and appreciate his point. However, Richards does have a clear “the cyber Pearl Harbor attack isn’t likely” bias (one to which he admits) that may lean too far in the other direction.
Through its six chapters, Cyber-War brings out some issues surrounding the overall debate about the likelihood, and indeed the very definition, of cyber war. For example:
- Are cyber attacks the archetypal modern asymmetric technique, or are they simply a new way of conducting or supplementing warfare as it’s been conducted throughout history? As part of this discussion, Richards brings up the very real catch-22 of U.S. technological superiority: It makes us both the beneficiary and likely victim of the asymmetric cyber threat.
- Do even the most egregious cyber attacks by nation states constitute an act of war in the traditional sense of the term? The discussion of this point is relatively simplistic considering the various international-law, national-security, and military-doctrine overlays inherent in any such analysis. This question alone can be, and has been, the basis for an entire book.
- Are China and Russia developing military-grade capabilities for use in a future wartime conflict? Or is the analysis of those countries’ activities a reflection of an antiquated “Cold War mentality” in the U.S.? The author leans toward the U.S. position being driven more by hyperbole than fact with respect to this question — a position I don’t find all that convincing, especially when informed by developments since the book was published.
- How should states develop counterthreat strategies in the contemporary era, especially in light of the mutual dependencies of the private and government sectors and the privacy considerations they engender? The author shies away from the common consideration of cyber war as analogous to a nuclear attack and suggests that an analogy to biological/chemical attacks is more fitting.
- Is the general three-tier categorization of cyber warfare threats (cyber-enabled traditional information operations, which can happen both during conflict and in peacetime scenarios; cyber attack activities, which enable battle in the physical realm; and cyber attacks, which cause real physical death and destruction) appropriate, and does it facilitate defining when cyber war exists? Richards appears to dismiss the last of these as unlikely due to political and practical factors.
Conclusion
Cyber-War is an interesting read for those who are in the earlier stages of educating themselves about the cyber threat and when it slides into the realm of cyber war, as well as what could be done when that shift occurs. It is, however, hampered by its relative age. Although not an old book by most standards, it doesn’t benefit from the events of the last 4 years. Those events, including chiefly the rise in hacks of huge government and private sector systems, as well as the disclosure of cyber-facilitated information manipulation in the 2016 election, paint a different background for today’s analysts.
Cyber-War’s continued value is in its promotion of careful analysis and common vocabularies as necessities for a productive discussion of the cyber threat. It guides the reader toward a healthy skepticism of some accepted “truths” about cyber threats.