Sunday, October 9, 2016

Book Review: Cyber War vs Cyber Realities

Book Review of the Day! 

Cyber War vs Cyber Realities
by Brandon Valeriano and Ryan C. Maness

Brandon Valeriano is Senior Lecturer in the Department of Politics and Global Security at the University of Glasgow.

Ryan C. Maness is Visiting Fellow of Security and Resilience Studies at Northeastern University.

Ok, so I want to start by saying that the advantage of giving a book like this some time is that you can see if the predictions made by the authors came true or if the way they did NOT come true shows a flaw in the strategic argument made by the book. This book is from August 2015, and already the predictions made are demonstrably far off.

And here's why:
This is clearly where the book demonstrates it is about advocacy and not strategic analysis.
What happens in the academic world is that people get SCARED of cyber war. This is especially true of people with no experience in it. When people say they are not "technical" but still want to write about cyber war, you always wonder how they know they are not just babbling gibberish? What they end up doing, as in the image above, is wishing the whole cyber war thing would "Just go away" and finding rationalizations to that point. This book is a 600-page rationalization, but I read all these things because I find that they have a tendency to otherwise go unchallenged.

This, for example, is what happens when the authors are simply quoting random sections from the same five papers instead of applying technical understanding. You cannot deface websites with cross-site-scripting!

The crux of their argument is that the behavior of cyber weapons is too uncertain for them to be used. This is a direct reflection of their failure to be comfortable with the technical details of the subject matter. They then argue that because of this (and not the thousand other factors involved) States have been quite restrained in their use of cyber war technologies. They have a database of various statistics on various cyber conflicts. The weakness here is that it's nearly impossible to create a database of cyber conflict. Open Source information in this area is spotty, at best. And even when available, without a deep technical and geopolitical background, it's hard to interpret.

To quote them: "Restraint dominates because of fears of blowback, the normative taboo against civilian harm, and the problem that, once used, a cyber weapon is rendered usable by others." (p. 111)

This is a false analysis. "Fear of blowback" is always an issue when going offensive, but countries seem to think it's not a problem (cf. current Russian activities against US GOP/DNC) when doing almost every part of what they do in cyber.

Likewise, it's a common misconception in academia that, once used, a cyber weapon can be turned against you. Stuxnet is the clear counter-example! And while "civilian harm" is one thing in the laws of war, the norm is clearly established that countries can hack civilian institutions without regard to consequences, and when they make mistakes and, say, break a country's main gateway router, that's ok too.

The terms you don't read about in academic books like this one are "CNE/CNA". And CNA is a line that governments cross only sometimes. But the prep-work for CNA is done constantly. That's the clear norm!

What this book does not do is follow the money trail of cyber war. There is no analysis of how much these efforts cost, and how those costs and OPSEC risks are interlinked. You just can't do that analysis without deep technical understanding, and without that factor, the strategic analysis of this book is useless.

As a side note: SHAMOON WAS MOST LIKELY NOT A REACTION TO STUXNET. (But more likely to an attack on the Iranian Oil Ministry, which would make a lot of sense, right?) When the book talks about this attack it also says: "Yet we see that the impact was not as dramatic as was initially thought." But Shamoon was a message to Saudi Arabia that their oil capacity was at risk. It was not designed to take the oil capacity offline, although likely Iran could have done that. This is another example of the book going off into the weeds, to be honest.

Advocacy rears its ugly head here:

Why would they state that the Government probably knew about Heartbleed? The Government explicitly said it did not and there is NO evidence, from Snowden or otherwise, that it did. This kind of statement conclusively demonstrates the aim of the book beyond what I would consider a reasonable doubt.

This is a book of fear. I will close with a snapshot from the conclusion, which is a classically Trumpian argument against listening to the experts in a field:

Thanks for reading! :)


More screenshots and notes:
Real peer review should have caught a lot of things in this book, but the first thing that needs to happen is that if you are writing a book about cyber war, you cannot be confused about what Cross Site Scripting is and then blame it on being a "Security Researcher, not a tech professional".

XSS cannot be used to deface websites.

"Intrusions need to be added to software" is gibberish.

Yeah, that's not true.

Cyber methods are clear and evident? Most would...disagree. 
This is hilariously wrong.

Definitely false.

Jesus, this is just not true.


... arg.
