Æther-ASOR

Cyber Security: Threats and Responses for Government and Business

Cyber Security: Threats and Responses for Government and Business by Jack Caravelli and Nigel Jones. Praeger Security International, 2019, 245 pp.

Finding the right vector to begin any comprehensive cybersecurity practices and policy discussion can seem an Augean task. Jack Caravelli and Nigel Jones make significant headway toward those ends as Cyber Security: Threats and Responses for Government and Business excellently captures high-level aspects likely to influence the next 10 to 20 years of cybersecurity implementations. The technical descriptions run a little light, although the overall text handily summarizes difficult topics into useful references for those wanting to increase their own background knowledge. Chapters by the individual authors comprise about half the book, with two chapters written as combined works. Further, the text recaptures a previously published Information Assurance Advisory Council report discussing the expanding Internet of Things (IoT) implications. Cyber Security is a well-referenced, effectively sourced text that also includes many useful diagrams. It is targeted toward mid-level cyber policy professionals looking to grow their overall knowledge base.

One gap, common with similar coauthored works, is the lack of any unifying theme or thesis beyond the central cybersecurity theme. Frequent mentions occur of a chapter’s place as part of the larger text, but each chapter stands independently. Caravelli tackles the international relations piece through a first section focusing on terrorism, crime, and espionage topics. The two authors together then explore a single chapter on advanced technical topics including quantum computing, artificial intelligence, and big data. Finally, Jones brings in several case study chapters examining how states use innovation and what policies currently exist and summarizing changes in United Kingdom cyber strategy over the past 10 years. As a rough outline, the first section comprises three chapters concentrating on offensive cyber usage, the middle section discusses technological innovation over four chapters, and the final section’s three chapters explore state-based policy response to the aforementioned changes.

Evaluating recent cybercriminal and terrorist high-level impacts serves only to repeat areas already explored in other material for the well-read expert. However, as a basic cybersecurity approach, describing foundations from the historical perspective serves as a solid practice. Some of the best parts of the book surround the detailed descriptions of the Islamic State of Iraq and Syria’s (ISIS) cyber-associated Middle East terrorism and the Obama administration’s challenges dealing with Chinese intellectual property theft. When recounting geopolitical issues, Caravelli extensively discusses challenging relations between Russia and the United States over the past 10 years, including the 2016 election controversy. He also strikes a home run with his inclusion of a full callout box discussing Gen Valery Gerasimov’s policies on information war and full-spectrum conflict. Russia’s chief of the General Staff is considered the father of Russian nonlinear doctrine. The section adequately covers most recent highlights—with the noted excellent exceptions—while avoiding overly technical details.

The second section includes more technical detail about upcoming innovative changes while remaining focused on the policy perspective. As mentioned, the two authors reframe an IoT report before using their own research to study quantum computing, big data, and artificial intelligence. The section considers what cyber solutions may appear through these innovations. One must wonder why the IoT piece’s report format was chosen as the material clearly is visually and stylistically different from the remainder of the book. The report emphasizes policy aspects for mitigating IoT threats without ever really discussing the independent technological challenges. The author’s recommendations for overall solutions again roll out suggestions for resilient systems, security from the start, and partnerships but also advocate clearly unwieldy decisions such as returning to paper ballots across the US rather than risk hack-prone voting machines (154).

The third section mirrors the first while considering events from a state perspective rather than from each individual attack. When discussing innovation practices, Jones uniquely uses an SC Magazine–based award program to highlight a security practice migration from hardware to software and app-based practices. Later, the chapter steps back from evaluating innovative cyber practices to providing solutions that encourage innovation in any company or organization. The final two chapters have national case studies summarizing how various nations and regions—including the US, China, Russia, NATO, and the Gulf Cooperation Council—have dealt with cyber. Although the studies are expertly presented and contain useful information, they remain somewhat disconnected in execution from the earlier topics.

References abound throughout the work to uncover new material discussing cybersecurity, but one of the more frustrating points deals with no items being sourced through either endnotes or footnotes. Some of the discussed items are either controversial or so intriguing one would like to examine the original source material. For example, the text claims that the average starting salary for an information technology worker in the United States is $116,000 a year; however, a quick Google search suggests $55,000–$66,000 a year—less than half of the claimed amount. Also, the innovation chapter could have been expanded and better explained at some points. It implies that merely using cyber qualifies as innovation and then seeks further innovation types inside those models. Each referenced area is split into cyber innovation types—including vulnerability management and firewall implementation—rather than focusing on an innovation’s business value, such as improved security, faster deployment, or coordinated value streams. The cybersecurity practice known as DevSecOps (development, security, and operations) incorporates technology from initial development to final delivery and has proved a profitable business area. Caravelli and Jones likely missed a critical discussion area through not evaluating how improved cyber practices benefit more than just basic cybersecurity outcomes.

Overall, Cyber Security strikes all the required notes for an introductory volume in this genre. The comprehensive collection reads easily, covers all the basic areas, and suggests multiple locations for more advanced research. For those approaching this work from any policy standpoint, the text provides an exceptional introduction. As a minor complaint, while the threats and historical responses get detailed coverage, I was looking forward to more discussion about future potential actions as suggested by the two experienced authors. While not sufficiently structured to make a useful desk reference, the book could work as core material for a larger cybersecurity course or for those looking to expand their own knowledge. For the most part, those pursuing cybersecurity policy issues for either business or government purposes should find this a useful addition to their own library.

Dr. Mark T. Peters II, USAF, Retired

"The views expressed are those of the author(s) and do not reflect the official policy or position of the US government or the Department of Defense."