Author Richard Clarke and Robert Knake
ISBN No 9780525561965 - hardcover
Review date 15/08/2022
No of pages 333
Publisher Penguin Random House
Publisher URL https://fifthdomainbook.com/
Year of publication 28/02/2020
Cyber defence is closing the gap, by taking advantage of new technologies, becoming better organised, and beginning to understand the value of what is at stake, argue Richard Clarke and Robert Knake.
Their book The Fifth Domain begins by placing the reader as close to the centre of power as is possible. It's January 1999, and one of the two authors, Richard Clarke, is sitting in an armoured vehicle that's carrying the then President of the United States, Bill Clinton. Clarke tells how Clinton was about to give a speech on cyber. A generation later, Clinton was the joint author of a cyber-oriented suspense thriller set in the White House. Clarke uses the story to introduce the theme of his and fellow author Robert Knake's book: cyber defence and offence.
For cyber is the fifth domain of the title, land and sea being the first two, then joined by air, and cyberspace making the more recent fourth. Not to be confused with The Fifth Element, the visually beautiful but confused film of that name in 1997. The authors squarely plant cyber in military theory; 'offensive advantage or offensive preference'. Whether applying to corporate offices, or central governments, 'the conventional wisdom in the fields of computer science, information technology, and networking is that there is an enormous offensive preference. That might not have been a big deal to most people, except that in the last 25 years, we have also made almost everything dependent upon computer networks. In fact, because the offence is thought to have the advantage right now, in a crisis situation of possible conventional warfare, there is likely to be an inclination to go first with a cyberattack'.
Despite all the headlines of recent years, of hacks and attempts to subvert elections, utilities and money flows, the Ukrainian power grid and a French TV network; despite (when the authors were writing in early 2019) what they term 'a low-grade, simmering cyber conflict with Russia, China, and Iran', they go on to argue that 'the balance between offence and defence is changing'. They offer a prospect that can 'set us on the path to stability'. While Silicon Valley tends to be upbeat about whatever they do or hope to do, the authors point to the chief information security officer (CISO) of an (unnamed) major bank who speaks of being (largely) immune to cyberattacks in five years, thanks to a change from legacy systems, 'inherently insecure', to systems secure by design.
The authors, sensibly, do not have blind faith in the next big things in cyber - such as blockchain, automation and artificial intelligence. They say, rather, that these 'technology trends could shift the balance in either direction'. That's welcome for it offers human agency - 'we have a choice to make about the future we want in cyberspace'. We, whether public or private sector, whatever size of business, are not necessarily helpless, whether against corner-cutting developers or the bad guys seeking to use those same tools such as AI.
While, worryingly, the authors say that they have 'faith' that the world will come up with 'workable solutions' for cyberspace, at least they set out the reality that people in the field will work by 'trial and error', whether government helping the private sector to help itself ('a shared responsibility'); or Silicon Valley appreciating and acting on the evidence that its tools can do harm as well as good. Indeed, the authors say that the likes of Microsoft, Apple, and Google are investing in cybersecurity with the 'zealotry of the converted'.
As for the likely future, they warn that 'there will be blood', whether hackers derail trains, or cause aircraft to crash. And they predict that the 'next major war the United States enters will be provoked by a cyberattack', even if the attack is not intentional. While, as that suggests, like so many books by American authors it is US-centric, it does mention the WannaCry ransomware as it affected the UK's National Health Service in 2017; and the Maersk loss of its IT also due to ransomware, as featured in the February 2020 print edition of Professional Security magazine.
The authors do make the point that cyber is not just technical, but economic. They also show, from their experience, how cyber is about humans, who are liable to error. For example, they admit that every CEO would like to view a cyber-attack on them as a national security crisis, in other words in the hope that the US federal government will scramble the cyber equivalent of jet planes or missiles. That is, the authors argue, 'deeply flawed'; yet it suggests business would rather not take responsibility. The authors argue for cyber resilience, when confidentiality, integrity, and availability are compromised; yet besides resilience, you must have security fundamentals. Turn to this book, then, to read of why some businesses are more cyber-secure than others, even though just about all are subject to hacking attack.