Thursday, August 01, 2019

Review: Cybersecurity and Cyberwar: What Everyone Needs to Know by P.W. Singer and Allan Friedman

Singer and Friedman argue that cyber knowledge needs to be a requirement in schools. All the kids are now in cyberspace, yet there is little formal education about the insecurity of simple passwords, the importance of OS updates, and the problems inherent in social networking as a mechanism for revealing personal information. The most common password is "password" and the second most common is "123456". Common words are easily hackable. One high-level executive told his IT people he only wanted a one-letter password, that he was too busy to be bothered to type in a long one. By the end of the day he had labelled himself to everyone in the corporation as a really stupid person and one who didn't care about security.

With complexity comes vulnerability. BMW had designed a high-tech car, and when authorities in Paris couldn't figure out why only a certain new model of BMW was being stolen, they reviewed CCTV cameras and discovered how the thieves could hack into the car's software, unlock the doors, reprogram a blank key and just drive off, all in the space of five minutes. Terrorists use social networking to get their word out, often with the unwilling connivance of the West. One terrorist cell was using a web hosting company located in Texas to promote its campaign. The hosting company had sixteen million web pages, had not seen the offending pages, and did nothing until someone happened to point out to them what they were doing.

Humans are often the weak link in the chain. In a famous "candy drop" attack, malevolent actors left flash drives around a military base. Sure enough, a soldier picked one up and inserted it in his machine to see what was on it. It took the Army 14 months to clean up the damage to all its machines. People will often just give out their passwords to official-sounding individuals who may or may not really be who they say they are. In another example, some soldiers in Iraq took pictures inside their helicopters and posted them to a picture website. There was nothing classified in the pictures, but each picture contained locational information in the metadata, and terrorists were able to destroy the helicopters in a mortar attack by knowing their exact location. Emails, pictures, virtually everything that moves on the Internet has metadata attached to it, and just a routine search of social sites can reveal all sorts of information about people that they would rather not have known.

Just defining what is or is not an attack can be problematic. The authors identify several types. What the response should be may depend on the severity or the result. Often even experts can't agree on what constitutes an attack. How about denial of service attacks? If one simply interferes with gamers' ability to finish a game, it's not as serious as preventing banks from interacting with their customers or delivering a utility. Is stealing someone's identity in a confidentiality attack just as serious as stealing the plans of a new fighter jet? In one war game sponsored by the U.S., the opposition team changed the shipping labels on shipments intended for troops, and they received toilet paper instead of ammunition and MREs.

NSA surveillance practices have caused tension throughout the world. In one instance, the Dutch were about to refuse any access to cloud services in the Netherlands to U.S. companies. Some foreign countries have now begun to institutionalize the Internet as a basic human right. Authoritarian regimes, on the other hand, see internet freedom as a threat to their governments. Censorship is seen as a tool for stability. In Thailand it's against the law to defame the monarch; in Britain it's a hobby. Cultural differences abound. Internet governance is still up for grabs.

A really interesting book, aimed at the informed layperson. The problem with books of such currency is that they really lack timelessness because of the speed with which the technology changes, so the reader has to assume the possibilities have advanced far beyond what the authors have explained.

1 comment:

Sheila said...

Here's a thought although not related to the subject or the book, but, at least, I do have a point.

Okay, this was just a game as reported in your review---- "In one war game sponsored by the U.S. the opposition team changed the shipping labels on shipments intended for troops and they received toilet paper instead of ammunition and MREs." Let's hope someday a real war will be averted because a peaceful soul decided to ship toilet paper rather than guns or ammunition.