Thursday, May 3, 2018
Book Review: Cyber Strategy by Valeriano, Jensen, Maness
I give this book 0 stars out of 5. To be fair, I give the entire genre of books like this 0 stars of out 5. This is the worst kind of cyber policy writing. They've concocted some sort of database of information, culled mostly from news reports from what I can tell. Then they do some basic statistical analysis on it and somehow flesh that out into an entire book by pulling random quotes from other terrible parts of the cyber policy pantheon.
For example, here they both misspell "Regin" and then attribute it to the United States (for no reason).
In general the editing of the book itself was spotty - but this is something that concerns me more about the original dataset, which appears to attribute various efforts to various countries in ways I'm 90% sure are not the correct ones. If your data is wrong, then eventually your conclusions are essentially random, and your policy proscriptions are base opinion.
For example, the above simplistic argument against the use of exploits during cyber operations is one that you often see in policy-world but which nobody who has ever been involved in an operation takes seriously. Also, "Tomahawk" is a proper freakin' noun! I don't think anyone but me has even read this book, to be honest.
But to reiterate: IT IS HUGELY RARE TO SEE AN ADVERSARY USE YOUR ATTACKS AGAINST YOU. Everyone in their head is going to cite ETERNALBLUE but that was used only once the patch was out, as far as we know. The opsec reason for this is that USING a bug you caught from someone TELLS them you caught them! Likewise every group has their own concept of operations and other people's tools don't always fit yours.
I mean it was fascinating you didn't see the FLAME exploit turned around - it was reusable - but everyone just assumed it only fit in the FLAME toolchain. It's almost easier to find new bugs than do the research necessary to re-use old bugs.
Books like this always try to back up their arguments with copious quotes to other equally bad books:
On the face of it, Libicki is clearly wrong. But it's possible his quote was used out of context! I'll never know because the Kindle edition of that book is $66. I only have so much budget to spend reading this kind of thing.
Ok so in summary: Don't buy or read this book or books like it. We need NEW thoughts in cyber policy and this is not how you get them.