What to Read on Cybersecurity

In August 2012, hackers attacked the networks of Saudi Aramco, destroying data on some 30,000 of the company’s computers. Then in November, Chevron revealed that it had been infected by Stuxnet, the malware the United States and Israel had allegedly designed to slow Iran’s nuclear program. Some U.S. policymakers and analysts have suggested that the attacks originated in Iran as retribution for the sabotage campaign. Those who claimed responsibility said that they are a hacking collective, with no ties to Iran, angry about an anti-Islam film posted on YouTube. The United States’ options for dealing with the breach differ depending on whether the attack on Saudi Aramco was the work of political hackers or state-directed and part of an escalating cyberconflict. Crafting such policy will not be possible without conceptual clarity, and the works below strive to define actors and interests, means and methods in cybersecurity.

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. By Cliff Stoll. Doubleday, 1989.
Purchase at Amazon.com | Purchase at B&N.com

In 1986, Stoll, a systems administrator at Lawrence Berkeley National Lab, was asked to resolve what looked like an accounting error of 75 cents. He found that the anomaly was created by a hacker who had used nine seconds of computer time without paying, and he eventually tracked the incident back to a group of German citizens who were stealing information on the Strategic Defense Initiative and other sensitive projects and selling it to the KGB. Besides being a gripping thriller, his book lays out most of the issues that define cybersecurity today: incident response, the problem of attribution, overlapping investigative and legal authorities, public-private partnerships, and the necessity of international cooperation.

"Cyberwar Is Coming!" By John Arquilla and David Ronfeldt. Comparative Strategy, Vol. 12, No. 2, Spring 1993, pp. 141-165.
Read

In this article, Arquilla and Ronfeldt do much to shift focus away from just technology to the social implications of the information technology revolution. They were among the first to point out what is now common wisdom: that communication technologies erode hierarchies, collapse time and distance, and empower networks. They also make the point, expanded on in later works such as In Athena's Camp (1997) and Networks and Netwars (2001), that cyberattacks are about the control, distribution, and safety of information -- "a strategic resource that may prove as valuable and influential in the post-industrial era as capital and labor have been in the industrial age." 

Information Warfare and Security. By Dorothy Denning. AddisonWesley Professional, 1998.
Purchase at Amazon.com | Purchase at B&N.com

There is an unfortunate tendency among journalists and politicians to call every breach in computer security an act of cyberwar, when, in fact, the vast majority of incidents have little to do with war, and many are conducted by nonstate actors. The Chinese threat to the United States, for example, is primarily cyberespionage, and the attackers appear to be a mix of state actors and proxies. Different types of attack require different policy tools, and domestic and international responses. For her part, Denning identifies three -- crime, deception, and sabotage -- and gives real-world examples of how the risk of each can be mediated. 

"World War 3.0." By Michael Joseph Gross. Vanity Fair, May 2012.
Read

It is now a rather stale insight that cybersecurity involves tradeoffs; many understand that one easy way to improve security is to reduce the anonymity and free access that make the Internet so innovative. The idea of the hoodie-wearing teenage hacker sitting in his parent's basement has also long passed into cliché. In his essay for Vanity Fair, however, Gross manages to bring these ideas, and the battle for control over the Internet, to life. His stories center on Vint Cerf, Jeff Moss, Joshua Corman, and Dan Kaminsky -- all part of what he calls the "forces of Organized Chaos" -- who work to manage the balance between privacy and stability, to "ensure integrity of the Internet itself as a reliable, independent, and open structure." 

Strategic Warfare in Cyberspace. By Greg Rattray. MIT press, 2001. 
Purchase at Amazon.com | Purchase at B&N.com
Conquest in Cyberspace: National Security and Information Warfare. By Martin Libicki. Cambridge University Press, 2007.
Purchase at Amazon.com | Purchase at B&N.com

For many, cyberattacks represent a strategic game changer -- shadowy, long-range strikes occur at "net speed" and knock an adversary out before the fighting even begins. They are the distillation of Sun Tzu's axiom that "The supreme art of war is to subdue the enemy without fighting." Rattray and Libicki are skeptical. They believe that cyberattacks have tactical and operational implications, but do not have strategic ones (at least not yet). Someday, they might lead to widespread damage and destruction but, for now, they are most effective in distorting and manipulating the perceptions of decisionmakers. In short, Rattray and Libicki do not see virtual conflict as being completely distinct from physical conflict and they remind readers that, to be successful, cyberattacks have to serve political goals. 

Cyberpower and National Security. Edited by Franklin Kramer, Stuart Starr, and Larry Wentz. Potomac Books, 2009.
Purchase at Amazon.com | Purchase at B&N.com
Cyberspace and the State: Toward a Strategy for Cyber-Power. By David Betz and Tim Stevens. The International Institute for Strategic Studies, 2011. 
Purchase at Amazon.com | Purchase at B&N.com

In an October 2012 speech to the Business Executives for National Security group, U.S. Defense Secretary Leon Panetta highlighted the risk of a "cyber Pearl Harbor" and raised the possibility that United States would carry out pre-emptive strikes on potential cyberattackers. His remarks were the latest in a series of public announcements and policy documents to indicate the military's evolving thinking about power and cyberspace. Although the Pentagon has been thinking through cyber as a military domain for at least two decades, in 2006, while undertaking the Quadrennial Defense Review, officials realized that they still lacked a coherent framework for cybersecurity. They tasked the National Defense University with developing one. The result was the Kramer volume. Essays in the book raise questions about deterrence, offensive operations, terrorism, and international law -- questions the government is now finally answering. Betz and Stevens also look into the relationship between state and cyber, grounding cyber in political and military history, as well as in international relations. But the authors reach a conclusion that will be hard for the Pentagon to swallow: a coherent strategy will require states to adapt to and share power and sovereignty with international and domestic networks.

"Arms Control in Cyberspace: Challenges and Opportunities." By Herbert Lin. World Politics Review, March 6, 2012.
Read

No state will be able to address the cybersecurity threat alone. But the barriers to any international agreement, especially something resembling traditional arms control, are high. Verification is extremely difficult because of the attribution problem. It can be almost impossible to determine the source of an attack. Signatories to an agreement could relatively easily mask attacks, undermining trust in any accord. Moreover, the technologies used in most attacks are widely available and easy to conceal: laptop computers, Internet connections, and programming tools. Lin is clear-eyed about all of these obstacles, but nevertheless explores how greater transparency and confidence-building measures could reduce the likelihood and cost of cyberconflict. He ends on a note of relative optimism: we should "not foreclose the possibility that new technologies -- or new ideas! -- will emerge as enablers for as-yet-unimagined possibilities for arms control in cyberspace."