
The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
By Richard A. Clarke and Robert K. Knake
- A Review by Terry L. Thompson

Many thanks to NCMF Member Terry L. Thompson for providing this book review. Terry is a frequent contributor of content for the NCMF website.

Terry L. Thompson is a lecturer in cyber policy at the Johns Hopkins University. He transitioned to teaching after a forty-five-year professional career that included thirty years with the federal government and fifteen years at Booz Allen Hamilton, where he engaged in cybersecurity policy development for governments in the United States and six other countries.

In addition to the book review below, you can learn more about "The Fifth Domain" in this YouTube video, in which the authors discuss their book.

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
By Richard A. Clarke and Robert K. Knake
Penguin Books, 2019; includes notes and a glossary

Reviewed by Terry L. Thompson

Have you ever wondered…

· Why the U.S. Government has not been more aggressive in responding to foreign cyber attacks?

· Why government doesn’t provide more cyber defenses for the private sector?

· What is “the best bad idea” to prevent data losses in the event of a cyber attack?

· What successful companies are doing about protecting their critical cyber assets?

· Whether companies should engage in cyber counterattacks when they are attacked by hackers from a foreign government?

If so, then you’ll want to read this book. Longtime cyber policy warriors Dick Clarke and Rob Knake have collaborated again to discuss the many policy challenges in cyberspace. They have worked on cyber policy since the topic first became a national security issue when both were in the NSC in the George W. Bush administration and wrote the first U.S. national cybersecurity strategy in 2003. Focusing on cyber threats to national security and what to do about them, Clarke and Knake continue the themes in their first book, Cyber War (2010). Their perspectives on cyber threats and personal expertise give their policy recommendations added weight for consideration by policymakers and practitioners alike.

The title of the book comes from the Defense Department lexicon. Cyberspace is the “fifth domain” that, like air, ground, the sea, and space, can be dominated by the military. The thinking is that by disrupting ongoing conflict in cyberspace, the possibility of more serious conflict can be reduced or avoided. Clarke and Knake take exception to this concept and pose the reasonable question, “Can an organization designed for war contribute to the lowering of tensions and a reduction in the likelihood of conflict?” Their implied answer is “no” for a variety of reasons. Instead, they suggest that more effective cyber defenses, especially by U.S. companies, can mitigate the worst effects of foreign cyber attacks.

Clarke and Knake offer surprising insights about cyber defense. For example, in contrast to the conventional wisdom that the offense has the advantage over the defense, some companies are effectively managing cyber defense, eliminating many attack vectors used by foreign adversaries. They do this by consistently patching and segmenting their networks, by constantly monitoring the threat environment, and by applying adequate resources to defend their enterprises. Most important, understanding that security is never perfect, the best companies promote cyber resilience – “the best bad idea” – so they can quickly resume operations after a breach of their systems. An added benefit is that a consistent focus on resilience reduces the overall vulnerability of these companies to a serious cyber attack or data breach.

Several examples of best practices by commercial companies are discussed. JPMorgan and other major banks spend more than $500 million a year to protect their cyber assets. Aetna applies more than 600 information security controls to protect its networks. Companies like Boeing, Ericsson, Siemens and others that consistently focus on cyber defense were not affected by the massive 2017 NotPetya attacks that resulted in major losses for other global corporations. But, as Clarke and Knake point out, it is not necessary to spend huge amounts to secure cyber assets. Successful enterprises employ tools like MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) based on the cyber “kill chain” model developed by Lockheed Martin. The ATT&CK framework identifies 11 specific areas and over 200 tactics used by sophisticated hackers, creating a useful foundation companies can use to shore up their defenses. Cyber defenses are bolstered by information sharing about threats and vulnerabilities through organizations like the Cyber Threat Alliance and sector-specific ISACs (Information Sharing and Analysis Centers) that were introduced in the 2003 national strategy. Consultants have sometimes led the way. Two of my former Booz Allen colleagues, Todd Inskeep and Sounil Yu, are cited for their innovative thinking and practical approaches to deploying security controls.

Despite the availability of tools and expertise, effective cyber defense in the private sector is still too rare. Many companies think they have solved the problem by outsourcing their cybersecurity to one or more of 3,000 U.S. cyber companies. Many of these companies, however, focus too much on “narrow solutions” such as securing the endpoint devices in a network and ignore more comprehensive technology solutions and security controls that encompass the human dimension, an area that remains vulnerable to phishing attacks and is subject to complacency and negligence. As a result, the United States is highly vulnerable to nation-state APT (Advanced Persistent Threat) attacks (as demonstrated, after the book was published, by the software supply chain attacks on the SolarWinds network management company).

These challenges do not suggest, however, that companies should take matters into their own hands and conduct cyber counterattacks against foreign adversaries. Such actions would be illegal and could “create the likelihood that they will start a war that the United States military will have to finish.”

Many corporate CEOs and some former senior government officials believe the government should be doing more to defend the private sector. You might expect Clarke and Knake, as former senior officials themselves, to support this view. But, perhaps surprisingly, they believe government’s role is only to “nudge,” suggest, and share information with the private sector. They have reached these conclusions because of the fragmentation of the government’s cyber defense organization, restrictive U.S. laws governing the intelligence and defense communities, and failed attempts to regulate cybersecurity by the federal government due to fears that “regulation is anathema to innovation.” (The authors counter the last point with examples of how effective, targeted regulation can spur innovation, adding that in any case states are already enacting regulations in the absence of a coordinated national approach.)

In their critique of government, Clarke and Knake summarize the evolution of U.S. cyber policy from the first national cybersecurity strategy in 2003 through the Bush, Obama, and Trump administrations. They correctly characterize the Obama administration approach as one based on persuasion instead of meaningful deterrence. Documents like the International Strategy for Cyberspace and the “visionary” National Strategy for Trusted Identities in Cyberspace, both published in 2011, were intended to persuade foreign policy makers and U.S. industry, respectively, but did not lead to significant new policies. Adding to this problem, presidential restrictions were placed on offensive cyber actions after Stuxnet was exposed as a U.S. operation. Clarke and Knake endorse the more aggressive approach taken by the Trump administration and Congress in enabling offensive cyber operations as an important deterrent to foreign cyber aggression.

The Fifth Domain is more than a catalogue of challenges. The book includes several suggestions for improving cyber defense, including a “Schengen Accord for the Internet.” Modeled on the European Union’s open-borders agreement, a similar agreement for cyberspace would protect a free-and-open Internet for participating countries and prevent the continuing “disintegration” of the Internet characterized by governments blocking access in China, Russia, and a growing number of other nations.

To improve the U.S. Government’s approach to cyber defense, Clarke and Knake propose “seven steps for stability,” including establishing unity of command, clarifying mission responsibilities for DoD and DHS, and supporting diplomatic engagement to reduce tensions and build cyber alliances. Similarly, they propose five steps to improve the cyber defenses of the U.S. power grid, including deployment of a “segmented, diverse-sourced microgrid” architecture. They endorse an overhauled and improved regulatory regime and recommend a robust and structured response to foreign disinformation efforts to disrupt elections. To address the chronic shortfall of cybersecurity specialists, they support expanding the Cyber Corps Scholarship for Service program that was created in 2000 by Clarke and former DHS Secretary Janet Reno. These are all worthwhile policy recommendations.

The last section of the book includes brief discussions about artificial intelligence, quantum computing, 5G, and an exploding Internet of Things. The effort here is focused on the impacts and challenges of these technologies, particularly the potential effect quantum computing may have in neutralizing current encryption techniques.

Dick Clarke and Robert Knake have done a service by reminding policymakers of the complexities of cyber policy and its many dimensions. While sounding the alarm about current dangers and the need to urgently address U.S. cyber defense “to reduce the risk of cyber war” and prevent “highly destructive cyberattacks that could cripple modern societies and escalate into the kind of Great Power conflict we have not seen in more than seventy-five years,” they sound a positive note at the end of the book. In their words, “Securing our countries, our businesses, and ourselves in cyberspace is far from hopeless. We have the strategy. We have the tools. Now we just need to do the hard work. What is missing is national consensus, will, and priority-setting.” We can only hope that their ideas and suggestions gain traction soon.