I've read a fair number of cybersecurity books across a wide spectrum of topics – early hackers, cybercrime, hacktivists, nation-state activity, etc. A few years ago, new books on this topic were few and far between, but that is no longer the case. I recently posted a blog/book report on Kim Zetter's fantastic book, Countdown to Zero Day. Allow me to recommend another good one, @War: The Rise of the Military-Internet Complex, by Shane Harris.
Harris's book is especially relevant given President Obama's recent cybersecurity initiatives described during his State of the Union address and the cybersecurity summit at Stanford last month. After all, the President is trumpeting a new federal law enforcement nexus – the National Cybersecurity and Communications Integration Center (NCCIC) – private/public security intelligence sharing, a national breach notification law, and an overhaul of law enforcement authorities to combat cybercrime.
Given this flurry of federal activity, it's only natural that U.S. citizens would ask questions about the history of federal cybersecurity initiatives. What types of programs came out of Washington? Were they military/intelligence-focused or civilian agency-focused? Were they successful or wasteful?
If you are at all interested in the answers to these questions, @War should be high on your reading list. The book looks across federal cybersecurity in detail as it covers:
- Cybersecurity and its use in the Iraq war. The book describes how the U.S. military and the NSA built a cooperative program to identify and disrupt insurgents during the Iraq war. Cybersecurity operations played a key role here, resulting in a 90% reduction in IED attacks.
- Cybersecurity in the White House. Harris describes the genesis and maturation of certain cybersecurity programs at the highest level of government. For example, the book outlines how former Director of National Intelligence Mike McConnell influenced President Bush's Comprehensive National Cybersecurity Initiative (CNCI) and persuaded Presidents Bush and Obama to pursue offensive cyber operations, which resulted in an initiative called Olympic Games and ultimately the Stuxnet malware.
- NSA participation. Harris builds upon James Bamford's NSA depictions, with a focus on cybersecurity. The book looks at NSA cybersecurity skills and describes elite units such as Tailored Access Operations (TAO) and the Remote Operations Center (ROC). Harris also weaves in NSA personalities like General Keith Alexander, examines NSA politics, and provides specific examples where the NSA over-promises and under-delivers.
- Private/public cybersecurity cooperation. This has been the cybersecurity mantra of several past administrations and is still a high priority in President Obama's plan. Harris sheds light on where coordination works and where it got bogged down by federal bureaucratic processes and corporate profitability motives. The book also builds upon other books by providing rich details about U.S. corporate participation in an assortment of NSA surveillance programs.
The book also takes a hard look at critical industry vulnerabilities to cyber-attacks and describes a number of ways the feds have tried to address and even co-opt this area. Once again, Harris provides a range of examples from useful federal aid to bloated Washington hyperbole.
Clearly, the U.S. government will play a bigger role in cybersecurity moving forward, but the structure and limits of this role remain nebulous. Given this amorphous situation, cybersecurity professionals, lobbyists, and legislators would be wise to read @War. Perusing this book may actually help them gain a better understanding of what's worked (and hasn't worked) in the past and then apply these lessons to a pragmatic federal cybersecurity strategy moving forward.