We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except it’s a canon for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Cyber-War attempts to demystify technical concepts surrounding the study of cyber threats and, in particular, the likelihood and possibility of a cyber war. It does so by focusing on certain key debates within government and academic circles, bringing a plain-language approach to them, and examining the hyperbole and generalizations that often accompany such debates. In doing so, the author, Julian Richards, largely accomplishes his goal, which is not to resolve the debate but rather to encourage a standard framework for it.
While the approach Richards uses in Cyber-War is a valid one, his examples and conclusions suffer a bit from the passage of time and the accompanying increased understanding and visibility of the strategic cyber threats facing the U.S. For this reason, I am not recommending it for inclusion in the Cyber Canon.
Cyber-War’s author, Julian Richards, is the Co-Director of the Centre for Security and Intelligence Studies at the University of Buckingham, U.K. He spent 17 years working in security and intelligence for the U.K. government. But despite being written by a U.K. security expert, Cyber-War is remarkably U.S.-centric in its analysis, perhaps owing to the relative wealth of cyber incidents affecting, or publicized in, the U.S.
Richards begins with the premise that we can’t really have an honest discussion about the real risk posed by cyber attacks and whether those attacks rise to the level of cyber war because of two impediments to analysis: 1) Cyber is an inherently technical realm, which in essence makes it difficult for non-techies to understand and assess; and 2) Discussion of the potential for cyber war is framed more in terms of science fiction than fact. Cyber-War sets out to “cut through some of the myth and hyperbole surrounding the cyber debate.” Richards doesn’t really seek to resolve or settle any debate (although he admits to having his own views), but instead to lay out a clearer playing field for those debates. To that extent, Cyber-War is relatively successful.
Richards begins his book by bringing up some of the major cyber events from preceding years. He highlights the fact that often, the initial knee-jerk response to these events was to assign blame to actors in accordance with developing norms of the time, e.g., to assign blame to Russia for a SCADA attack when in fact it was a simple error by an employee. Having lived through the response to that “attack,” and witnessing firsthand the speed with which a conclusion was reached, I recognize and appreciate his point. However, Richards does have a clear “the cyber Pearl Harbor attack isn’t likely” bias (one to which he admits) that may lean too far in the other direction.
Through its six chapters, Cyber-War brings out some issues surrounding the overall debate about the likelihood, and indeed the very definition, of cyber war. For example:
Cyber-War is an interesting read for those who are in the earlier stages of educating themselves about the cyber threat and when it slides into the realm of cyber war, as well as what could be done when that shift occurs. It is, however, hampered by its relative age. Although not an old book by most standards, it doesn’t benefit from the events of the last 4 years. Those events, including chiefly the rise in hacks of huge government and private sector systems, as well as the disclosure of cyber-facilitated information manipulation in the 2016 election, paint a different background for today’s analysts.
Cyber-War’s continued value is in its promotion of careful analysis and common vocabularies as necessities for a productive discussion of the cyber threat. It guides the reader toward a healthy skepticism of some accepted “truths” about cyber threats.