Book Review: Cybersecurity and Cyberwar

Book Review: Cybersecurity and Cyberwar
Author: P. W. Singer and Allan Friedman | Reviewed by Larry Marks, CISA
Date Published: 1 January 2015

Cybersecurity and Cyberwar: What Everyone Needs to KnowCybersecurity and Cyberwar: What Everyone Needs to Know is one of the few books that is completely up-to-date and analyzes the importance of cybersecurity beyond the realm of the Internet. There is a growing sense of vulnerability as a result of new vectors of cyberattack. This book defines cybersecurity, discusses the basic issues of cybersecurity about which everyone should be aware and supplies the reader with tools to address these threats.

The authors, who are fellows at the Brookings Institute, do not have a specific background in IT or cybersecurity. They do not perform vulnerability assessments or teach cybersecurity or computer science courses. Rather, they wrote this book by researching and identifying key questions that a professional or layman would want answered. They scientifically validated and then narrowly fine-tuned the questions using workshops and seminars at the Brookings Institute. The result is a series of topics addressing questions readers may want answered, specifically: How does cybersecurity work? What can one do? Why does it matter?

The book does a very good job asking and answering the questions that need to be asked such as: How can people trust in cyberspace? How come a new, more secure Internet cannot be built? How can users protect themselves (and the Internet)? With new technologies introducing new vulnerabilities, a book or reference is needed to summarize a baseline of the general information that is commonly known and what is unknown.

Cybersecurity and Cyberwar reviews the facts around the computer worm Stuxnet and how terrorists use the Internet. On a high level, it describes how the Internet works from a user-friendly and not overly technical point of view. It highlights the current issues facing corporations and government agencies: the need for more skilled resources in computer science and cybersecurity; the need for a better definition or consistent definition of cybersecurity; and the need for a greater partnership between the federal government and corporations regarding the sharing of the occurrence of data security breaches, methods of attack and the need for a common approach for remediation. For economies of scale, the authors request that corporations trust that the government will not leak their data security privacy gaps and incidents and that governments trust that corporations will disclose any incidents. Greater sharing can also result in greater prosecutions and a federal effort to strengthen the national infrastructure.

The book describes the lack of effort by the US Congress to enact legislation to strengthen the US’s cybersecurity infrastructure. However, the book does not mention the reasons for this lack of effort or the initiatives to foster and elevate the need for legislation and a greater partnership. It does reference US Executive Order 13636, one of many first steps by the US government to improve the critical network infrastructure.

This book is recommended for anyone interested in cybersecurity because it emphasizes the necessity of understanding risk. As the authors put it: “We must accept and manage the risks of the world—both online and real—because of all that can be achieved in it. And that really is what everyone needs to know.”

Reviewed by Larry Marks, CISA, a professional with experience in the fields of security, privacy, risk, governance and program/ project management. He is based in Piscataway, New Jersey, USA, and works for IBM. He can be reached at marksl@us.ibm.com.