Cybersecurity and Cyber War - What Everyone Needs to Know - A Book Review
Posted on July 9, 2020 • 8 minutes • 1556 words
The Book and the Authors
- Cyber Security and Cyber War: What Everyone Needs to Know® is written by P. W. Singer and Allan Friedman and published in 2014 by Oxford University Press.
- Peter Warren Singer is a strategist at the New America think tank and a Professor at Arizona State University.
- Allan Friedman, PhD, is the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration in the US Department of Commerce.
My overall point about the book is, as seen on the cover, “what everyone needs to know.” The Internet connects whole countries and cultures all over the world, beyond borders. Everyone needs to know what kinds of threats it contains.
The book has three main parts. In the first, the authors define the concepts and the field. In the second, they answer “why it matters” for every aspect of life, and in the last part the proactive measures are detailed. I argue that the last part should be a crucial part of the book because it contains examples and tips for personal cyberdefense for everyone.
Citations and My Points of Interest from the Book
If users begin to lose confidence in the safety and security of the Internet, they will retreat from cyberspace. (Joseph Nye, page 3)
If people do not read the privacy policies they accept while accessing services, how can they classify which personal information they share? Moreover, when people “begin to lose confidence in the safety and security” of cyberspace, there may be no way to delete all their digital footprints. Governments and international organizations, e.g. the European Union, try to regulate the gathering of information about their citizens, but once users upload or send information, there is no 100% certain way to undo it. Even if messages are sent as self-expiring, the service provider’s servers may continue to host the data, and at least the metadata. Because of that, people should be sure about which services they use.
There’s no such thing as absolute security. (page 36)
Some parents start social media accounts for their children, even before their birth. By the time the children grow up, many types of personal information have already been shared before they could give consent. Parents do not have the right to expose their children’s personal information online. That kind of action has a huge potential to create privacy issues for the next generations. Parents need to understand and respect their children’s privacy rights.
An attack that exploits a previously unknown vulnerability is known as a “zero day.” (page 42. Related to the subject: the Zero Days documentary by Alex Gibney)
Developers write thousands of lines even for simple software. There are always weaknesses in those lines of code that can be exploited. If nobody knows about a vulnerability, an exploit for it is called a “zero-day” exploit.
The Stuxnet case represents a new generation of cyberattacks, from 2009 and the 2010s. It wasn’t looking for just any computer in cyberspace. It was looking for a specific computer or software running Siemens’s WinCC/PCS 7 SCADA (Supervisory Control and Data Acquisition) systems. Those industrial control systems were designed to run nuclear centrifuges. That specific system was in Natanz.
Stuxnet was looking for SCADA systems, particularly in Natanz. (page 98, 116) How it got into the facility’s systems remains unclear. That kind of critical infrastructure is designed to be air-gapped. That means it is not connected to the ordinary internet or the World Wide Web. It has its own internal network.
How could anyone even trust those screens anymore?
According to rumors, the virus was injected by subcontractors of the facility with a portable drive. After that, it collected enough data from those days to show personnel that everything was normal while it exploited the systems. Until the crash, the personnel couldn’t know that there was a problem, because the screens showed that everything was normal.
In recent days, the same nuclear site had “an incident.” According to the spokesman for the Atomic Energy Organization of Iran, a fire “caused significant financial damage.” A building for producing advanced centrifuges, along with measuring equipment and instruments, was damaged and destroyed. (July 6, 2020, NBC News article)
As the incident shows, our dependence on digital systems means that increasingly we face the question of how we can trust them. (page 46)
One type of attack common in recent years is ransomware. It is malicious software that encrypts system files and asks the user for a ransom to decrypt them. There is no guarantee of getting the files back. The best way to protect against ransomware attacks is to back up regularly. Even if the ransomware encrypts files, the loss will be minimized. Otherwise, the loss may affect the user much more.
…a thermostat and printer in its building were caught sending messages to a server located in China. (page 60)
Our growing dependency on “smart” devices makes our lives much more comfortable day by day. Meanwhile, there is a side effect. An American company had a cyber incident and decided to “clean” its networks and systems. A “Pentagon-qualified” security firm provided the service and completed the “clean.” However, after a couple of months, they caught a thermostat and a printer. Replace those with today’s smartwatches, headphones, VR glasses, etc. If we have suspicions about that kind of internet-connected device, there should be security checks by experts.
CIA triad: Confidentiality, Integrity, and Availability
Confidentiality means protecting data from any unauthorized access. Data encryption and internal and/or international regulations are some of the basic means of keeping information safe in a digitized world. Integrity means being sure the data have not been altered or changed without proper authorization. Availability concerns the operational state of information systems: when users need access, the system has to answer their requests even under extraordinary situations, natural disasters, blackouts, etc.
The attackers gained access as the F-35 was literally in the midst of a test flight! (page 93. The F-35 Joint Strike Fighter program had/has some “bugs”: Defense One article)
There may be some technical details about defending any kind of device, but we should never forget the “human factor” in every issue. If a 21st-century model fighter jet can be compromised with a laptop, the results will not be as simple as with a laptop. Because of that, the defense side should be as advanced as the offense.
…Soldiers didn’t realize the photos also included “geotags” (page 102)
The human factor is undeniable in the defense aspect. In 2007, some soldiers “gave” their location coordinates to the enemy. Today, almost every smartphone writes the same geotags into the metadata of photos unless they are disabled. If that kind of photo is uploaded to the internet, the website/server will have those location parameters.
War is not an independent phenomenon, but the continuation of politics by different means. (Carl von Clausewitz, page 126)
According to a military professional, “Politics is the continuation of war by different means.” The two concepts are interchangeable in terms of conflict. However, there is a need for a common understanding of them, and we have international law. According to the UN Charter, aggression to declare war is defined as a “use of force against the territorial integrity … of a state.” The question is: how can we determine the border in cyberspace?
Destroy, deny, degrade, disrupt, [and] deceive. (The USAF’s description of cyberwar. page 128)
Those aspects have two sides. They can also be used by adversaries. While making a move on the chessboard, players have to know how to protect themselves from the same kind of attacks. The U.S. military has a specific Cyber Command domain. Its mission is defending the military’s networks, supporting mission troops on the ground, and protecting critical infrastructure. (page 135)
The attacker has to take a number of steps. But a defender can stop the attack at any step.
Cyber-attacks at the personal, industrial, or national level have some similarities. The attacker has to learn about the target, find a proper weapon/tool, deliver it, and pull data from the target. However, simple 2FA (Two-Factor Authentication) may break the attack chain. (page 155)
One more such victory and we shall be utterly ruined.
At the Battle of Asculum, King Pyrrhus of Epirus defeated the Romans in 280 BC, but he lost most of his forces. After the battle, when one of his officers was congratulating him, he gave that famous answer and coined the term 'Pyrrhic victory.' (page 156)
Personal Protection To-Do list
- Using different and strong passwords for different services
- Updating them regularly + using Multi-Factor Authentication
- On public networks, using trusted VPN services, e.g. ProtonVPN
- “Trust, but verify” every email, message, text, etc.
- Regularly updating all the software and operating systems you use.
- Checking and configuring the privacy settings of your platforms, e.g. Facebook’s and Twitter’s settings, Google’s My Activity, etc.
- “A good rule is that if you can’t bear to lose it, then prepare to lose it.” (page 245)
Overall Evaluation of the Book
The book uses clear and understandable language for non-technical readers. It can serve as an introduction to the cybersecurity field for researchers and readers. Even though it was published in 2014, it still has answers for current issues. To stay up to date, regular daily or weekly subscriptions are required. The future of the field will always have “unexpected consequences.”