Cyber Canon Book Review: "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World" (2018), by Bruce Schneier.
Book reviewed by: U.S. Army Major General (Retired) John Davis, CSO (Federal), Palo Alto Networks.
Bottom Line: I recommend this book for the Cybersecurity Canon Hall of Fame.
“Click Here to Kill Everybody: Security and Survival in a Hyper-connected World” is Schneier’s best book to date. I recommend that every cybersecurity professional read it.
Schneier begins this book with the premise that everything is becoming a computer, and computers are increasingly connected to and affect one another in ways that provide exponential opportunities for personal convenience and market leverage. This dynamic also provides governments and militaries around the world with unique opportunities to gain advantage against their adversaries or potential adversaries.
As we become more and more dependent on this interconnected system of machines and software, we are simultaneously being put at increasing risk from a personal, societal, national and international perspective. This risk comes from the inherent technical vulnerabilities that an increasing number of cyberthreat actors and organizations are exploiting for a variety of purposes. These threat entities include the categories of criminal, espionage, military, activist and terrorist. And here’s the kicker: The vulnerable system of interconnected machines increasingly includes devices and infrastructure we are dependent on for our national and economic security, and even our personal life-sustaining functions. The consequences of a disabling attack on these critical systems or the destruction of our trust in the digital environment could be catastrophic, putting our security and safety in the middle of a truly worst-case scenario where people’s livelihoods and even their lives are at stake.
The author lays out his case very clearly, using amazingly simple language that even a non-technical audience can understand. The first part of the book describes where we stand today in terms of the state of cybersecurity and how the technical, political and economic forces drove us in this direction.
Here’s a brief rundown of the chapters in the first part of the book, which the author previews in more detail in the book’s introduction:
Chapter 1 provides the technical reasons behind the insecurity of the internet.
Chapter 2 is about the process used for decades to maintain the security of our systems and why this process is completely inadequate as we continue down the path toward what Schneier calls the “Internet+.” The process is known as patching vulnerabilities after they are discovered.
Chapter 3 is about the concept of identity as it applies to the internet. The author gives a very good description of why the ability to prove who you are and the ability to hide on the internet are double-edged swords that complicate solutions for improving internet (and Internet+) security.
Chapter 4 builds on many of the author’s previous works and provides an explanation of the reasons that governments and industry tip the scales toward insecurity when it comes to our digital environment. These reasons include concepts called “surveillance capitalism, cybercrime, cyberwar – and the more invasive corporate and government practices that feed off insecurity” (page 8).
Chapter 5 gets to the meat of the book’s title. The author describes why the risks are getting worse in terms of scope and scale, and how catastrophic consequences are practically inevitable on our current course unless we do something to change direction and better balance the opportunities with security.
In the second part of the book, Schneier lays out a fairly comprehensive set of policy changes that he believes are required in order to secure the Internet+. He does this to provide some potential solutions that may help us more effectively manage the risks associated with our growing computer connectivity. Because everything is becoming a computer, our growing dependence on that connectivity for everything we do means we must better manage the threats to our critical functions of national security, economic prosperity and even personal safety.
Here’s a brief description of the chapters in the second part of the book, again laid out in more detail by the author in the book’s introduction:
Chapters 6 and 7 discuss the author’s view of improving Internet+ security. He describes what improving security means, how it can be most effectively accomplished, and specific roles and responsibilities for making this happen.
Chapter 8 suggests a controversial idea about the role of government in all this. Schneier considers the role risky but essential, since no other entity can accomplish what is required. He proposes the formation of a new U.S. government agency to coordinate across government in order to advise on Internet+ policy and technology, an existing void he considers essential to fill. The basic idea isn’t novel and other countries have already implemented similar bodies (such as the U.K. GCHQ and its subordinate NCSC), but his idea of how this would work in the U.S. is different from other proposals I’ve heard in the past. I have long been of the mind that adding yet another U.S. government agency to deal with cyber-related issues is wrong for several reasons.
First, there are already seven major U.S. government entities that deal with separate but overlapping cyber roles and responsibilities. Adding another would just muddy an already “hard to manage” set of players. Second, putting too much power and authority in one central agency will lead others to either wipe their hands of their own cyber responsibilities or fight the new kid on the block to protect their authorities and responsibilities. Cybersecurity is fundamentally a distributed set of roles and responsibilities because the digital environment is fundamentally distributed across all makes and models of public and private sector organizations. Centralization is not the answer. It takes a team approach to make cybersecurity work effectively at scale. Finally, there are limited resources (including our most valuable resource, the people with the skills and experience required for effective outcomes), so creation of yet another agency means that existing agencies will have to fork over some of their talent (likely not their best, either) to run the new agency. Having said all that, I think Schneier’s proposal is worth discussing because his idea of how this new agency would do its job addresses many of my historical concerns. It’s worth looking at.
Chapter 9 was a difficult section for me, mostly because of my background in military cyber operations, strategy and policy. Schneier proposes that because we’re in such a fundamentally different risk posture today and especially into the near future, it’s time for government to prioritize defense over offense. I simply can’t see the U.S., or any responsible nation for that matter, abandoning its responsibility to defend its vital national security interests using the most modern technology available. However, I do see the need for change and believe that there’s a growing appetite among responsible nations for the development of better “rules of the road” for cyberspace activities.
This desire for change is based on the need to increase transparency and cooperation on threats of common interest (like cybercrime), reduce uncertainty and the risks of escalation, and come to a better understanding of why some of today’s current practices (such as the use of loosely controlled third-party cyber actors and organizations on behalf of government objectives) are a recipe for disaster. I will agree with the author that it’s time for a serious international conversation about this, at a minimum.
Chapter 10 finds Schneier admitting that the above proposals aren’t likely to succeed in the near term, so he provides a more realistic and practical view of what is more likely to happen and the responses that the U.S. and other countries can make.
Chapter 11 is a fascinating read and addresses the critical aspect of what not to do when it comes to what we see being proposed as policy today. These are the things that will actually undermine Internet+ security. One of my favorite parts of this chapter is about the concept of private sector “hack back” and why that’s a terribly dangerous idea.
Chapter 12 takes us on a journey of a future Internet+ and how we can create it such that trust, resilience and peace are the dominant qualities. The aspect of a predominantly peaceful digital environment is hard for me to fathom anytime soon, based on the dual nature of opportunity and risk that I believe will always coexist. However, the author’s ideas about trust and resilience are very powerful and attractive from my perspective. I also believe they are practical proposals that we have the chance to influence as a cybersecurity community.
Perhaps my favorite portion of the book is at the end in Schneier’s “call to action.” It makes a very strong case that there are two separate communities of leaders that are vital to all of the solutions Schneier proposes – and they are often talking past one another. The digital age has produced a very technical environment, yet most of our policymakers are making policies without a sufficient understanding of the increasingly technical world in which we live. On the other hand, those who understand what’s happening at a technology level have great difficulty explaining this sufficiently to those making policy decisions. Schneier argues that, “We need policy makers who understand technology, and we need to get technologists involved in policy” (page 10). I simply couldn’t agree more.
In my experience, the most effective cybersecurity leaders in today’s world hone this translation skill so that they are talking to their boards and C-suite leaders using language that enables their leadership to make better decisions about risk management and business outcomes. They are not using geek speak about what’s happening at a technical level, but they understand what’s happening at that level and are translating it into the language of the business. This trend must continue. At the same time, cybersecurity leaders have a responsibility to educate non-technical leaders so that the latter are better aware of technology and can make wise decisions based on a more detailed knowledge of the actual environment on which their business depends.
We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except it’s a canon for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!