While on vacation last week, I finished up a few new cyber-policy books and one of them was Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke and Robert K. Knake. The two men certainly possess the right qualifications for a review of the subject. Clarke was National Coordinator for Security, Infrastructure Protection, and Counterterrorism during the Clinton years and also served in the Reagan and two Bush administrations. Knake is an international affairs fellow at the Council on Foreign Relations where he specializes in cybersecurity.
Clarke and Knake’s book is important if for no other reason than, as they note, “there are few books on cyber war.” (p. 261) Thus, their treatment of the issue will likely remain the most relevant text in the field for some time to come.
They define cyber war as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption” (p. 6) and they argue that such actions are on the rise. And they also claim that the U.S. has the most to lose if and when a major cyber war breaks out, since we are now so utterly dependent upon digital technologies and networks.
At their best, Clarke and Knake walk the reader through the mechanics of cyber war, who some of the key players and countries are who could engage in it, and identify what the costs of such of war would entail. Other times, however, the book suffers from a somewhat hysterical tone, as the authors are out here not just to describe cyber war, but to also issue a clarion call for regulatory action to combat it. Ryan Singel of Wired, for example, has taken issue with the book’s “doomsday scenario that stretches credulity” and claims that “Like most cyberwar pundits, Clarke puts a shine on his fear mongering by regurgitating long-ago debunked hacker horror stories.” Bruce Schneier and Jim Harper have raised similar concerns elsewhere.
There’s certainly some Chicken Little-ism at work in the book. But that’s not as big of a problem as the book’s complete lack of reference material, footnotes, or even an index! To be taken seriously as a scholar, I believe the minimal call of duty is to properly attribute and reference supposedly factual content / anecdotes. Clarke and Knake have not done so here and their failure to do so had me constantly wondering whether I could trust many of their assertions or findings.
Nonetheless, the authors are certainly correct in noting that the Net’s very nature — open, highly interconnected, decentralized, and largely unsecured / unencrypted — makes cyberspace more vulnerable to various forms of attacks. As my old colleague Wayne Crews used to always tell me, if you’re looking for a completely secure network, the Internet is not the network for you. Clarke and Knake note that “While the protocols that were developed [to ensure the Net worked] allowed for massive growth in networking and creation of the Internet as we know it today, they also sowed the seeds for the security problem. The writers of these ground rules did not imagine that anyone other than well-meaning academics and government scientists would use the Internet.” (p. 83) That much is true, but their incessant lament about our more interconnected world of networks and devices grows tiresome after awhile since they seemingly would like to roll back the clock on cyber-progress. They complain, for example, that “President Obama’s ‘Smart Grid’ initiative will cause the electric grid to become even more wired, even more dependent upon computer network technology.” They regard that as problematic but fail to fully explore the potential benefits of a more connected grid.
In terms of communications industry regulation, Clarke and Knake would like to see government impose a fairly sweeping set of new rules on ISPs to better secure their networks against potential attacks. In true deputize-the-middleman fashion, they want ISPs to engage in a great deal more network monitoring (using deep-packet inspection techniques) under threat of legal sanction if things go wrong. They admit there are corresponding costs and privacy concerns, but largely dismiss them and essentially ask us to just get over those concerns in the name of a safer and more secure cyberspace. They do, however, say they would be willing to have a “Privacy and Civil Liberties Board” appointed “to ensure that neither the ISPs nor the government was illegal spying on us.” (p. 162) I doubt that will soothe the fears of those who (like me) are fundamentally suspicious of government snooping.
They also incorrectly assert that “most ISPs do not take even the most basic steps to keep bad traffic from getting to your computer.” (p. 81) In reality, most ISPs take steps not just to guard against malware and other types of cyber attacks, but they also offer customers free (or cheap) security software as part of a growing suite of gratis services (anti-virus, parental controls, e-mail, etc). Clarke and Knake make it sound like ISPs don’t give a hoot about cyber-security when, in reality, those companies have powerful incentives to make sure their networks are relatively safe and secure to avoid costly attacks and retain customers who demand their online information and activities be trouble-free. Of course, perfect security is impossible, and any attempt to achieve it would sacrifice far too much in terms of both speech and economic liberties.
Toward the end of the book, the authors also toy will more sweeping proposals, such as replacing the Internet’s “sacred” TCP/IP protocols with a “new Military Protocol [that] would allow for authentication of who sent every packet [and] would permit prioritization of the packets… [and] might even encrypt the content.” (p. 274) They acknowledge that this proposal, if pursued, will lead to an epic battle about the future of the Internet since it raises some profound questions and upends the way things have worked for decades. Clarke and Knake say this is mostly just about the “open Internet people” who “strongly believe that information should be free and freely disseminated.” (p. 275) But it’s about more than that. It’s also about who will even be given the authority to make that decision, and how will they go about doing so? It’s as if the authors want us to believe there’s some big magical switch in the sky that can be thrown and make such sweeping changes overnight. In reality, the way everything happens online would change — and radically so — because of their proposals. We are, after all, talking about a fundamental reconstruction of the Internet’s underlying architecture.
I am more sympathetic, however, to their question: “But does that mean that everything should be done on one big anonymous, open-to-everyone network?” Not necessarily. They propose a “Govnet,” for example, that would be “a private network for the internal working of federal agencies that would deny access to those who could not prove who they were.” (p. 275) I don’t think there’s anything wrong with what would essentially be a massive intranet for the government (don’t they already have one?!) as many companies and institutions already employ them to intentionally avoid the security problems that accompany the occasional Wild West that is the Internet. But when it comes to the private sector and individuals, these choices should be made in voluntary, bottom-up fashion and not forced upon them from above.
Overall, Clarke and Knake have written a book that is worth reading, but with a very large grain of salt. They clearly feel The Cyber End Times are near, but their calls for sweeping remedial steps are often hard to take seriously when couched in cyber-Jeremiah, prophet-of-doom-like terms and, worse yet, often unsupported by any reference material whatsoever.
Other Thoughts on “Cyber War”:
- the official page for the book
- a review by Glenn Harlan Reynolds that appeared in the Wall Street Journal
- a rather scathing review by Ryan Singel of Wired
- a review by Jeff Stein in The Washington Post
- thoughts from Jim Harper of Cato
- Bruce Schneier says that “The Threat of Cyberwar Has Been Grossly Exaggerated“
- and videos of Richard Clarke on “The Rachel Maddow Show” and “Good Morning America” follow down below
[as always, you can find all my cyber-policy book reviews here]