Cybersecurity Canon Candidate Book Review: “The Perfect Weapon: War, Sabotage and Fear in the Cyber Age” by David Sanger (Published June 19, 2018)
Book reviewed by: U.S. Army Major General (Retired) John Davis, CSO (Federal), Palo Alto Networks.
Bottom Line: I recommend this book for the Cybersecurity Canon Hall of Fame.
I recommend "The Perfect Weapon" for average citizens who have little to no sophisticated understanding of the digital age in which we live but who are interested in what’s going on in the often mysterious, even ominous, world of cyber. I had a special interest in reviewing this book because I lived through most of the events that David Sanger, the author, wrote about; first as a senior U.S. military officer who spent the last decade of my career in cyber-related assignments from 2006-2015, and then as the federal Chief Security Officer for one of the world’s largest enterprise cybersecurity companies from 2015 until the present. While I may disagree with some of the details in his book because of my personal experiences, I believe that Sanger’s description is “close enough” to paint an accurate overall picture of what’s been happening in the cyber world for at least a decade and a half. More importantly, I believe that Sanger brings to life in a very powerful way many of the key challenges that we all face.
These challenges include the issues we face as a nation, as an international community of responsible nations, as an international industrial community that’s transforming into a totally digital model, and as people who are becoming increasingly dependent on (and vulnerable to) a world where everything and everyone are increasingly connected. These issues touch on our collective national and economic security as well as our public safety and welfare. Nothing is more important than understanding that the promise and opportunity of the digital age has a counterbalance in threats and dangers that can be existential if left unmanaged. "The Perfect Weapon" helps bring to light a better understanding of the technology race between cyber for good and evil, which until recently has been largely contained in the shadows.
“The Perfect Weapon” provides us with a substantial level of detail regarding most of the major cyber and cyber-related events in recent history. It is a good summary for anyone wanting to understand what’s been happening in the shadows of the cyber world. This includes the activities of Russia, China, Iran and North Korea over the past decade plus. It also provides unique insight into the development of cyber programs in the U.S. military as well as other nations such as Israel. Furthermore, it discusses major events that intersect the public and private sectors, like the ones Snowden disclosed, and that resulted in a rift between the U.S. government and various corporate entities.
There are four themes in "The Perfect Weapon" that I found especially useful and illuminating. The first theme focuses on identifying the appropriate level of increasing transparency from governments about what’s going on in cyberspace. This includes giving perspective on emerging threats as well as what governments are doing about them. The second theme is about the role of offensive and defensive cyber activities and how that is changing in today’s environment due to innovation in automation and software-based advanced analytics. The third theme is about cyber activities potentially escaping the “grey zone” through escalated actions and subsequently entering the traditional world via the use of force to trigger an armed conflict. Finally, the last theme touches on the need for a strategic partnership between government and industry in order to achieve a more effective way to leverage the benefits of the digital age, while still managing the serious risks that are growing by the day.
The first theme about the need for greater transparency is well past due in my opinion, but there has been progress recently. There should be no expectation of total transparency, but there must be greater transparency than ever before. A lack of transparency breeds uncertainty and increases the chance of misinterpretation, miscalculations and mistakes that can lead to escalation. More transparency leads to better stability, increased trust and the chance for cooperation, as has been the case for non-proliferation, countering terrorism, anti-piracy and other examples of international efforts of mutual interest, even with countries like Russia and China.
The second theme about the changing role between cyber offense and defense is a fairly new one. Historically, offense had the advantage over defense (although that is not the case in just about every other form of warfare). It has been said that in cyber the defender has to be right everywhere and all the time while the attacker only has to be right once to break through and succeed. Innovation in technology is changing that argument. Sanger is absolutely right in how he addresses this issue, explaining the foolishness of going on offense without a good defense as a precondition. However, I disagree with his characterization that it will take another decade to achieve a good defense. It is available with today’s technology.
On the offensive side of this theme, while I do agree that a good defense should be priority number one for any responsible nation, I disagree with the book’s cautionary tale about using offense as a tool for persistent engagement with cyber adversaries and defending forward instead of waiting to respond to something after the fact. Here’s a little secret that’s not in "The Perfect Weapon": While it’s true that cyber adversaries such as Russia, China, Iran and North Korea are catching up to the offensive capabilities of the U.S. and its allies, guess whose cyber defenses are much worse than the U.S.? All of them, and the U.S. has only recently begun to leverage this situation to its advantage in disrupting or undermining its adversaries’ ability to use their cyber offense against it.
I consider the third theme the most worrisome of all the cyber threats. This theme is about escalation control and the risk of cyber activities escaping the “grey zone” and entering the traditional world of use of force and triggering armed conflict. Sanger does an excellent job describing how this festering form of persistent warfare is being played out in the realm that stays beneath the historical red line that would trigger an armed response. Having personally experienced the world of managing cyber escalation at senior governmental levels, I can tell you the risks are a very real concern and require some new and innovative approaches (for which Sanger advocates).
Of personal concern about the risk of escalation, I believe there is a real and growing danger. The use of loosely controlled third-party actors and organizations (e.g. “research” companies, surrogates, “patriotic” hackers, front companies, criminal organizations, etc.) to do a nation’s cyber bidding is on the rise in nations like Russia, China, Iran and even non-state terrorist organizations. This is a recipe for disaster and increases the chance of a miscalculation or misinterpretation in response. It even risks a mistake that escalates the situation out of the “grey zone” where the traditional triggers for use of force and armed response are vague and largely undefined, and into the realm of physical conflict. Use of these third parties is also dangerous because of the lack of clarity about their technical skills and their possibly suspicious motivations.
Finally, the last theme is one of the most important in terms of what to do about the dangers going forward. This theme is about the requirement for a strategic partnership between government and industry in order to achieve a more effective way to leverage the benefits of the digital age while managing the serious risks that are growing by the day. I share Sanger’s view that the best relationship to have between responsible nations and the industry that supports cyber activities in those nations, directly or indirectly, is one of a strategic partnership. This enables both partners to leverage the innovation that is increasingly industry-led.
Unfortunately, Sanger points out that building these kinds of strategic partnerships is becoming more and more difficult because of both historical (Snowden) and current (Google/Microsoft and others’ cultural anti-government movements) trends. In fact, I wouldn’t find it surprising to discover that adversaries like Russia, China, Iran and North Korea have learned from the 2016 U.S. election interference activities (weaponizing stolen information and using deceptive techniques) and are already exploiting these two trends in order to exacerbate the divide between government and industry. They are likely already using social media platforms to further accelerate the separation in order to slow U.S. and allied technology innovation and create an opportunity for their own innovation to catch up to and surpass the U.S. and its partners.
To summarize, this is THE book that best explains what has happened in the fast-moving and complex cyber age over the past decade and a half. It gives us uniquely clear insight, using understandable, plain language, about the enormous challenges the human race now faces regarding the cyber activities of governments, industry, criminal organizations, other cyber actors and, increasingly, a blurry mixture of each of these groups.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!