Cybersecurity and Cyberwar: What Everyone Needs to Know

For commercial and government entities alike, cybersecurity has risen to a prominent position over the last several years. WikiLeaks, Stuxnet, Edward Snowden, Shamoon,and a host of other events and personalities punctuate a narrative that has grown almost impossible to ignore. The resignation of retailer Target's chief executive officer in the wake of a late-2013 data breach demonstrates as well that cybersecurity is far more than a niche technical issue or a national security problem. It is for this reason that Singer and Friedman's book should attract a wide audience. Riffing on the title,almost everyone does need to know something about this topic.

For years, colleagues have asked me for a general textbook on cyber warfare or conflict. Containing all of the ideas to understand the issues in a single text is a daunting task. Thinkers on cyber issues must grasp concepts from a variety of places. On one side, there are computing and information technology (IT), which are hard to explain to anyone who has not programmed or had other forms of hands on experience. On the other side, there are connection international security and politics, not to mention all sorts of organizational and process issues as well. For these reasons, cybersecurity is something both technical and political. Linking those areas is what represents the initial point from which thinking and scholarship on cybersecurity can advance.

Adhering to the format of Oxford University Press's What Everyone Needs to Know series, Singer and Friedman choose to educate in part 1, explain relevance in part 2, and share prescriptions in part 3. This is an arc that makes sense, although they might have gone into even further detail on the functional details of computing and networking in part 1, but there is no significant omission on the topic.

The authors' first section reads more like a brief history of the Internet, and they happily admit, "In just a few pages, we've summed up what it took decades of computer science to create." Some of cyberspace's creation story bleeds into other sections of the book. For instance, former Grateful Dead lyricist and Electronic Frontier Foundation cofounder John Perry Barlow's "Declaration of the Independence of Cyberspace," winds up in the prescriptive section of the book, but the necessary points are present and strung together well enough. Singer and Friedman also understand another point, the concept of cyberspace, something now considered a domain of conflict for the Department of Defense, emerged from a work of science fiction published little more than 30 years ago.

Trickier terrain is the "Why It Matters" section of the book. Descriptions of cyberattack and the attribution problem begin the section in fairly clinical language, but then the authors make the necessary case for why cybersecurity issues are important. Stuxnet, the first cyberattack known to have produced a significant kinetic effect, directed against the Iranian nuclear enrichment program, receives ample attention. Somewhat disappointing, however, is that Singer and Friedman miss another immensely important geopolitical cyber event: the 2012 Shamoon attack on Saudi Aramco. This omission is more than offset by an important inclusion: the mention of a cyber industrial complex that feeds upon hyperbole (e.g., Electronic Pearl Harbor). What Myriam Dunn Cavelty labeled cyber threat politics in 2007 has become a very real part of the US and international political landscapes. It is good then that Canadian professor Ronald Deibert's reminder of US Pres. Dwight D. Eisenhower's farewell address is presented here to temper fears of cyber Armageddon.

Concluding the book is its third major section, which asks what can be done. The authors make the convincing point that reengineering the Internet is not going to be a cure-all any time soon. While not explicitly stated, the authors recognize that solutions to cybersecurity issues do not generally fall in the areas of technology or policy alone but rather within some mixing of the two. Their inventory of major areas for possible mitigation of cybersecurity issues hits upon all of the significant topics, from Internet governance to information sharing initiatives. Additionally, they provide the correct summarizing point to close the section, stating that participants in the cyberspace digital ecosystem have responsibilities as well as rights. How those responsibilities scale across governments, commercial entities, and individuals is one of the truly difficult questions for the topic.

In introducing the text, Friedman and Singer assert, "no issue has emerged so rapidly in importance as cybersecurity." With this I agree. Cybersecurity issues have grown to become very important, very quickly. One of the contributing factors to the 2003 Northeast blackout was a software bug in energy management system at an Ohio utility. It should stand as a reminder that so much of the infrastructure upon which our society depends for economic life and social order is dependent upon networked computing technology. The trend of increasing reliance on computing technology should be a major concern, as should the idea that computing can solve many and any problem--a concept social theorist and critic Evgeny Morozov has labeled "solutionism."

With an IT solution potentially available for any problem, this should be ample inducement for any executive to give Cybersecurity and Cyberwar a read. There is often a gross disconnect in most organizations with which I meet on cybersecurity. Generally,the responses I hear on cybersecurity issues are in the vein of, "we have it in hand," or "the problem is well-managed." Ultimately, Singer and Friedman provide the opportunity to educate those interested in listening, and it is high time organizational leaders take note of cybersecurity issues. Senior management has had no problem figuring out how to wring productivity and profits through implementation of IT; now it is up to that same management to be acquainted with the attendant downside of that activity. More than any other reason, leaders should read this book to better understand the cybersecurity problem.