Sercan Azizoğlu's Personal Website
March 29, 2024

The Fifth Domain by Richard A. Clarke & Robert K. Knake - A Book Review

Posted on March 29, 2024  •  26 minutes  • 5417 words

The Book

Richard A. Clarke served under three US Presidents (Bush, Clinton, and Bush (43rd)) in the US Government. In his book The Fifth Domain, written with Robert K. Knake, he consolidates the country’s perspective on cyberspace as the fifth warfare domain after land, sea, air, and space.

Their book gives a short historical perspective on cyberspace and events like Stuxnet and EternalBlue. After that, they focus on the roles and responsibilities of private industry. If a private company works as a vendor for government institutions, it becomes critical for national security, not just for its stakeholders’ financial expectations. They also focus on the government’s supporting role in providing security intelligence to private companies. Regulation and coordinating state institutions are necessary to organize a cohesive approach between the public and private sectors for joint national cybersecurity.

They also propose a “Schengen Accord” for the internet that may provide a collaborative defensive approach to cyberspace. The rise of artificial intelligence technologies and their impact on cybersecurity have been a hot topic recently. The Internet of Things and fifth-generation (5G) telecommunications are another driving force changing the situation for both attackers and defenders. Since using IoT devices for DDoS attacks is no longer merely a theory, I’d like to refer to some citations from the book in this text.

Citations

“When the offense has the advantage because of some combination of technological superiority or cost, military theorists write, there will be conflict. When the reverse is true, when it costs more to attack, or when the chances of an attack defeating the defenses is low, greater stability will prevail” (p.9)

“The Pentagon has long identified four primary domains of conflict: land, sea, air, and space. In recent years, cyberspace has come to be known as the “fifth domain.”” (p.10)

“Eventually, businesses will come around to recognizing the value they get from being globally connected and will start investing appropriately to secure that value” (p.12)

“In the field of psychology, where the concept of resilience has been more fully developed than in any of the other fields that use the term, there is a built-in acknowledgment that resilience is not about returning to a previous state after an individual experiences trauma, but about adapting to that trauma.” (p.20)

“Harold Martin, was apparently walking out of NSA facilities with highly classified papers and software on a regular basis, according to the charges brought against him by the Justice Department after the FBI arrested him in” (p.26)

“By 2018, the outing of one another’s cyber tools and personnel was picking up speed. An anonymous group calling itself Intrusion Truth began to regularly disclose the hacks, tools, and people involved in Chinese hacking groups known as APT 3 and APT 10. It is not yet generally agreed upon among the cyber-expert community who Intrusion Truth is, but it is clear that they are revealing the secret activity of the Chinese government” (p.28)

“Famously, the Russian GRU penetrated the Democratic National Committee (which admittedly required little skill) as one part of a multifaceted campaign to affect the outcome of the U.S. presidential election. And of course, there was the most damaging cyberattack in history to date, NotPetya, about which the White House issued a rare public statement of attribution regarding a cyberattack” (p.29)

“According to Dutch police, the Russian military personnel were in possession of taxi receipts from GRU headquarters to Moscow airport, thus proving that business expenses are the bane of every organization, even cyber-war units” (p.32)

“Most significant hacking used to be done by non-state actors, individuals, or clubs. Now, major attacks are usually the work of some nation’s military” (p.32)

“The U.S. military, for example, has said that it reserves the right to respond to cyberattacks with any weapon in its arsenal” (p.32)

“We risk highly destructive cyberattacks that could cripple modern societies and escalate into the kind of Great Power conflict we have not seen in more than seventy-five years” (p.32)

“A hacker’s goal is to steal information, hold a company’s data hostage for payment (ransomware), permanently delete all the software from the devices on a network (wiper), or flood a network to the point where it cannot operate (a distributed denial-of-service attack, or DDoS), the cost of such an attack against a poorly defended network is shockingly low.” (p.39)

“The defenders will usually not attack, because they can’t. If they are corporations, by law they are not allowed to” (p.40)

“Today, the sophisticated attackers are well masked, but if they are identified, they often have little to fear because they are operating remotely from a country that will not cooperate with law-enforcement requests from the United States or Western European countries.” (p.40)

“It’s spending half a billion dollars to protect many trillions of assets from more than two hundred advanced persistent threat groups. By one estimate, there are seventy-seven Chinese APT.” (p.40)

“And when that sensitive information appears on the dark web, law enforcement often comes knocking” (p.40)

“There is an old saw in cybersecurity that being in the field is like being chased by a bear. You don’t need to outrun the bear, you just need to outrun the other companies in the field (so that the bear will eat them).” (p.42)

“Resiliency isn’t about avoiding a breach, it’s about preventing bad outcomes.” (p.42)

“But most companies aren’t being attacked by APT actors. For large swaths of the economy, ‘good enough’ cybersecurity is a relatively straightforward proposition.” (p.44)

“If you can’t regulate, the next best thing is for government to simply put out voluntary standards and urge companies to meet them.” (p.45)

“Every year Verizon’s cybersecurity division puts out its Data Breach Investigations Report, the VDBIR in acronymland.” (p.46)

“Finding these vulnerabilities and patching them should, therefore, be a priority.” (p.47)

“No group is going to waste a zero-day exploit if they can use Metasploit, an open-source penetration-testing tool, to gain access to your network.” (p.47)

“If some animals are good at hunting and others are suitable for hunting, then the gods must clearly smile on hunting. —ARISTOTLE” (p.48)

“‘Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains’ was written by Eric Hutchins, Michael Cloppert, and Rohan Amin, a group of researchers at Lockheed Martin, the large defense industrial base (DIB) company. The paper was released in 2011 with little fanfare at an obscure conference, the International Conference on Information Warfare.” (p.48)

“Amin and his colleagues took inspiration from the Air Force, which coined the term ‘kill chain’ to break down the process from locating a target to putting a bomb on it: find, fix, track, target, engage, assess.” (p.49)

“What the writers suggested was that attackers needed to string together an intricate series of events to achieve their objective. Defenders, on the other hand, only had to detect and stop them at any one of several possible stages. This kind of thinking proved to be revolutionary.” (p.50)

“Weaponization is hard to counter directly, but the next stage, delivery, is not.” (p.51)

“the attack tool is new or changed in any way, companies such as FireEye can ‘detonate’ the attempted spear phishing by quarantining the suspicious email and then automatically clicking on each pdf or link and seeing what happens.” (p.51)

“…but Dave is largely the same. There is no training Dave. No matter how many PowerPoint slides you make them click through or security-awareness videos they watch, the Daves of the world will always click.” (p.52)

“Gagnon is not your typical CISO. Against his initial instincts, he green-lit an audacious idea from his incident response team, who argued that instead of trying to get the adversary out of the network quickly, they needed to keep the adversary inside their network, to try to understand their intent and interests. They proposed firewalling off the intruder to limit what information he could access, and then doing their own man-in-the-middle attack to compromise his command and control and learn his tactics and techniques.” (p.54)

“…attackers did not change the tools or tactics they used once they got inside the network…” (p.56)

“It benefits you only if, in return, the companies you share with also share with you. Some have described this as a tragedy of the cyber commons.” (p.58)

“The most successful of these is the Financial Services Information Sharing and Analysis Center (FS-ISAC).” (p.58)

“A large portion of professionals in the field got their start in military, government, or law enforcement. For them, ‘the mission’ never changes, no matter whom they are working for.” (p.59)

“There is a concept borrowed from the military called the OODA loop, for observe, orient, decide, act.” (p.69)

“The concept of chaos engineering pioneered at Netflix has corporations running a constant stream of experiments to test the resilience of their systems.” (p.69)

“Far and away the best way to rapidly increase security is to move from local computing to software as a service (SaaS).” (p.72)

“Google is so confident in its security capabilities that, instead of arguing that it shouldn’t be expected to be able to stop government intelligence organizations, it is actively working to protect its customers from them and will notify individual Google account holders if they are being targeted by an APT actor.” (p.73)

“Since the VENOM vulnerability was discovered, a new layer of protection has been put in place for most applications that run in the cloud: containers.” (p.74)

“With Dick’s prompting, Zatko and other members of the L0pht team were asked to testify before the Senate, where they stated in matter-of-fact terms that they could take down the entire internet in thirty minutes, referencing abuse of the Border Gateway Protocol (BGP),” (p.75)

“Boeing and Wells Fargo told their software vendors that they would not buy their software unless it had been checked by Veracode. IBM, WhiteHat, Black Duck, and other companies offer similar and related services.” (p.77)

“The Rice project, called Bayou, was funded by the Defense Department and Google. Microsoft was also funding work at Cambridge University in 2018 in which AI was attempting to determine human intent and then finding or generating the appropriate code. That project, called DeepCoder, is designed to grow from developing a snippet of a few lines for a minor component of a program to gradually tackling larger tasks.” (p.78)

“Buyers should insist on security being built into the design of new IT-enabled products, rather than letting them be rushed to market only then to be hacked and later modified for security.” (p.80)

“There are only bad options. It’s about finding the best one. —BEN AFFLECK AS TONY MENDEZ IN ARGO” (p.81)

“Media outlets, with the help of unnamed officials in the Obama administration, quickly pointed to Iran as the culprit, believing the attacks were a response to the Stuxnet malware that had disrupted Iran’s nuclear enrichment program several years earlier. Phones began to ring throughout the White House West Wing. At every level from CEO down to CISO, the banks wanted the government to do something to stop the attacks.” (p.81)

“The public-private partnership needed to be ‘enhanced’ and ‘evolved,’ but would remain the cornerstone of the nation’s cybersecurity efforts.” (p.84)

“‘we don’t expect Walmart or Tesco to put surface-to-air missiles on top of their warehouses to defend against Russian bombers. Yet when it comes to cyberattacks, we demand exactly that from JPMorgan and Barclays.’” (p.89)

“Alexander seems to be calling for is a tighter coupling of industry and government so that intelligence can be shared and collective action can be taken. We wholly agree with and endorse that approach.” (p.90)

“Einstein, a program run by the Department of Homeland Security to protect federal agencies, available more broadly.” (p.91)

“This technical reality has put the British government in the ironic position of calling for traffic to move unencrypted, an act that would be counterproductive from a cybersecurity perspective.” (p.92)

“In his classic The Causes of War, Stephen Van Evera of MIT offers convincing evidence that the question of whether offense actually has an advantage over defense is not as important as whether aggressors believe that they have an advantage. On the eve of World War I, combatants widely believed that the ability to move troops around rapidly on rail gave an advantage to the offense, not realizing the reality of the trench warfare to come, where defending machine-gun nests would cut down advancing troops by the millions. Allan Friedman and Peter Singer argue that the belief in a first-strike advantage is as misguided today in cyberspace as it was on the eve of the First World War.” (p.95)

“We meet with Jason Healey in his office at Columbia University in the Morningside Heights neighborhood of Manhattan. It’s on the thirteenth floor and his office number is 1337. Asked whether he got that office and number assigned to him at random, Healey is somewhat coy. If you invert ‘1337’ it looks somewhat like the word ‘LEET,’ hackerspeak for someone who is ‘elite.’” (p.96)

“Healey remembers Rattray asking questions in the 1990s that no one else in the military did, such as ‘What is the failure mode of the internet?’” (p.98)

“Contrary to the current political dogma, regulation doesn’t kill innovation, it can create it. When markets are not valuing what we as a society want them to value, regulation can create whole new markets. The common refrain from industry is that regulation can’t possibly move fast enough to keep up with innovation. We can find many examples where twenty-year-old security standards are still applicable and still have yet to be broadly implemented. We also see a growing reluctance to use digital products and services by consumers and businesses because of security risks.” (p.104)

“…in 2017, recovered its stock price in less than a year. We think it is necessary that the fines for losing PII be significant enough to make companies think twice about storing that data.” (p.107)

“At a certain level of flood, the companies that specialize in stopping DDoS attacks, such as Akamai and Cloudflare, will be overwhelmed.” (p.110)

“BGP is still the biggest security flaw in the internet, even twenty years after Mudge Zatko testified that he and the other members of the L0pht could take it down in thirty minutes.” (p.110)

“According to Chris Demchak of the U.S. Naval War College and Yuval Shavitt of Tel Aviv University, China Telecom has been messing around with the BGP tables.” (p.111)

“Zurich, the big Swiss insurance company, refused to pay out. The Swiss said that NotPetya was an act of war, an attack carried out by the Russian military and, therefore, excluded from the insurance policy.” (p.112)

“insurance companies used to being able to predict with more than 90 percent accuracy when you will get into a car crash and how much it will cost them, cyber was a scary place, a terra incognita.” (p.113)

“What the insurance policies would not cover were the two most expensive effects of cyber breaches: reputational damage and intellectual property theft.” (p.113)

“If Apple created a way to break the encryption on its devices, malicious actors would find a way to use it too.” (p.115)

“FBI announced that it had opened the iPhones with the help of an Israeli security firm.” (p.116)

“There is honor among thieves, and if you pay, you usually get back to business pretty quickly. If the ransomware thieves did not free up your network when you paid up, then word would get around and no one would pay. After all, they have their reputation to maintain.” (p.117)

“Requiring the same card to access a building and to use a computer caused problems when people forgot to take them out of their computers when they left the office to go to the bathroom or the cafeteria, something no amount of scolding could fix.” (p.119)

“Simply put, these technologies were too hard to implement and too difficult to use. A few years after Gates’s 2004 speech, however, a new technology emerged that people almost never are without because they almost never put it down: the smartphone.” (p.120)

“Although Microsoft makes two-factor authentication freely available to its customers, an independent survey recently reported that only 20 percent of subscribers to Microsoft’s Office 365 suite of productivity applications are using any form of multifactor authentication. Surveys of other platforms have found similar results. As we have noted, upwards of 80 percent of data breaches still involve weak or stolen passwords.” (p.121)

“Jim Routh at Aetna is in the process of eliminating passwords for his twenty-million-plus subscribers using Trusona, a passwordless authentication app.” (p.122)

“With your address, your phone number, your date of birth, and your Social Security number, you can file your tax return.” (p.124)

“The TSA created TSA PreCheck for people who were willing to fill out forms, go through a background check, have their biometrics registered, be photographed, and be entered into a federal database. TSA also authorized a private company, CLEAR, to manage a parallel system of authenticating travelers with a combination of your boarding pass, an iris scan or fingerprints, and a picture of you.” (p.127)

“Second, Congress needs to direct the Commerce Department’s standards office, NIST, to develop whatever standards they think are necessary for the seamless transfer of identity-proofing data and credential exchange, beyond, if necessary, existing standards.” (p.130)

“Then NIST created an online census of the cybersecurity workforce and job openings called Cyberseek, which brings real numbers to the workforce problem.” (p.132)

“For certified information systems security professionals (CISSP), certified information system auditors (CISA), and certified information security managers (CISM), there are more job openings than there are people with those certifications.” (p.133)

“…he thinks cybersecurity is best learned by doing and is mostly about working on your own with some gentle guidance.” (p.136)

“They created Escalate, a series of progressively more difficult challenges that students can take online. The first three are free. Beyond that, students, or the companies they work for, pay three thousand dollars a year for access to the program.” (p.137)

“People come with all their certificates like CISSP,” says Dornbush. “He gives them a challenge on Escalate and they sit there having no idea how to analyze the piece of malware he has dropped on them.” (p.137)

“Immersive Labs, a U.K. company, is taking a similar approach and has multiple customers at the large financial institutions.” (p.138)

“…students taking these type of courses evenings and weekends also need the opportunity to work on real-world problems by day.” (p.138)

“Learning by doing is, of course, not a new idea. Training programs in the form of hands-on apprenticeships were formalized in the Middle Ages, but they have largely fallen out of favor in the United States except in a few specialized trades (plumbing, carpenters, and electricians often still hire and train apprentices).” (p.140)

“Ajay Banga, the CEO of Mastercard, pushed leadership at Microsoft and Workday to join him in establishing the Cybersecurity Talent Initiative. Under the program, students who pursue a cybersecurity-related undergraduate or advanced degree will then do a two-year tour of duty in full-time cybersecurity roles at federal agencies such as the DoD, FBI, CIA, DHS, Treasury, and the Small Business Administration.” (p.141)

“it needs to nudge the market away from requiring undergraduate degrees to get into the field and instead create pathways for professionals later in their careers.” (p.141)

“We might train hundreds of thousands of people in cybersecurity only to have them replaced by robots.” (p.147)

“the United States now faced the specter that people in American power control rooms could someday look up at ‘the big board,’ the giant monitors on the wall, and see everything blinking green for good, while the reality was that the system was malfunctioning.” (p.147)

“Left on their own to devise a reaction, the Washington policy chattering classes suggested a variety of approaches to the problem of having a potential adversary possess the ability to throw much of the nation back into a nineteenth-century pre-electric age, only worse, because this time we would be without manual devices.” (p.148)

“We got here by ignoring the warnings that have been issued by government experts for almost twenty-five years that the power grid was becoming vulnerable to cyberattacks. Those warnings were ignored because such an attack had never happened before, what Dick, in the 2017 book Warnings, called the Initial Occurrence Syndrome bias.” (p.152)

“The revolutionary parts of the SSDM proposal are threefold. First, it would be the building of a new, second national power grid on a crash basis as a major government initiative, with significant private-sector involvement. Second, the new grid would not be interconnected, but would instead consist of thousands of energy sources intended only for specific facilities. Not being interconnected, or connected in any way to the internet, it could not be taken out by a single or even a handful of cyberattacks. Third, and most important, perhaps, it would be designed with cybersecurity in mind, rather than as a grudgingly added retrofit and afterthought.” (p.152)

“Cory Schou’s program is not in the computer science department. It’s in the business school, because Schou thinks cybersecurity experts need to understand risk management and how cyber decisions fit into overall business decisions. When admitting students to the elite program, Schou looks for diverse backgrounds, not computer jockeys.” (p.155)

“This professional cadre of federal IT security experts would have ranks from entry level to a Senior Cyber Service, modeled on the Senior Foreign Service (at the State Department), the Senior Intelligence Service (at the CIA), and the Senior Executive Service elsewhere in government. These existing Senior Service ranks are now the equivalent of general and admiral ranks in the military. To advance through the ranks of the Senior Cyber Service, professionals would have to continually qualify with work experience, tests, and continuing education programs similar to the National War College (a prerequisite for becoming an Army general or Navy admiral). Homeland would, in our plan, run a National Cyber College for members of the Senior Cyber Service.” (p.159)

“As the state governments do now, the IT agency could contract out to private IT services companies to provide support, but the IT agency and CISA would specify the requirements and the standards and then ensure they are met.” (p.164)

“After land, sea, air and space, warfare has entered the fifth domain: cyberspace. —MATT MURPHY, THE ECONOMIST, JULY” (p.166)

“President Obama had reined in cyber operations in the wake of Stuxnet by issuing PPD 20, which reportedly required the President to approve significant cyber-offensive actions.” (p.167)

“Pentagon officials had traditionally talked in terms of four domains, or spheres of potential combat: ground, sea, air, and outer space. Over a decade ago, with the advent of U.S. Cyber Command, defense officials added a fifth domain of potential combat to their list: cyberspace. U.S. Cyber Command is a joint organization, meaning it is composed of Army, Navy, Air Force, and Marine components. Their mission, in the language of the Pentagon, is to achieve dominance in that domain.” (p.167)

“…the U.S. military should be capable of defending itself so well in cyberspace that it could perform its conventional (or, in the extreme case, nuclear) military operations without significant degradation from cyberattacks, and thereby deter enemy activity.” (p.168)

“North Korea succeeded in 2016 in stealing from a classified network the U.S.–South Korean combined operations plan to attack the North and kill its leadership.” (p.172)

“In October 2018, the Government Accountability Office issued a scathing report on the cybersecurity of U.S. weapons systems, claiming that an enemy could easily hack into and disable (or take control of) many of the country’s newest weapons. Although a distinguished Defense Science Board review panel had sounded a loud alarm about this precise problem in 2013, five years later the GAO concluded that the “DoD is in the early stage of trying to understand how to apply.”

“There is widespread belief in the Pentagon that the repeated collisions of U.S. Navy destroyers in the Pacific in 2017 were a result of cyberattacks, although the DoD officially denies it.” (p.173)

“The Navy still uses the outdated and insecure Windows XP operating system throughout the force.” (p.173)

“When foreign adversaries are able to hack into computer networks at private-sector corporations making things for the Defense Department, the risk is threefold. They can steal the weapon designs, potentially allowing them to reproduce similar weapons. That is what most of the hacking of the DIB companies has been used for to date. They could, however, once inside a corporate network, covertly place code in the operating systems of the weapons, allowing them to take control of the weapons if and when they encounter them in combat. Finally, hackers could do things to the controls of a factory, product line, or support systems to sabotage facility operations.” (p.173)

“…first major U.S. cyber-war attack, the now infamous Stuxnet program. Officially known as Operation Olympic Games in the intelligence community, the operation seemed at first to have been a marvel of both covert action and cyber intrusion. (The attack is now the subject of many books and even a movie, Zero Days, directed by Alex Gibney.) Upon further examination, however, it had failed on several important criteria.” (p.176)

“Under those laws, U.S. intelligence agencies can covertly collect information abroad. They can also take actions to damage or destroy things abroad, even in peacetime, when the President issues a specific ‘finding’ that it is in the national security interest of the United States to do so.” (p.177)

“Media reporting suggests that U.S. intelligence may have penetrated both Iranian and North Korean ballistic missile tests and caused several of them to blow up on the launchpad. Apparently, however, the North Koreans later developed missiles that did not include that particular feature.” (p.181)

“Negotiating the Schengen Accord was a monumental undertaking, because control over borders has defined state sovereignty for the last three hundred years.” (p.190)

“…cyberspace is the only changeable, man-made domain. While the laws of physics do apply in cyberspace, they are guideposts.” (p.190)

“The WHO-like organization would be responsible for organizing efforts to reduce vulnerable systems (the equivalent to vaccinations), identifying and responding to emerging malware families and botnets to stem them before they cause widespread harm (the equivalent to outbreak monitoring), and coordinating takedown and remediation efforts when prevention fails (crisis response).” (p.197)

“By 2018, what the Internet Research Agency was doing was so obvious that U.S. Cyber Command reportedly attacked the organization’s computer network, perhaps not coincidentally on Election Day.” (p.199)

“Clinton herself has tried to understand why there were few alarms sounding, and has written about Initial Occurrence Syndrome, citing Dick Clarke’s 2017 book Warnings.” (p.202)

“The absence of evidence is not the evidence of absence.” (p.207)

“The more important historical similarity at work here, however, is that the qualitative and quantitative changes in cyber warfare that these two new classes of weapons can bring about could be as significant as the difference between what one conventional bomb dropped by a single B-29 aircraft could do compared with what one nuclear weapon dropped from that same aircraft actually did.” (p.216)

“Think of a bunch of smart, angry hornets, then give them explosives. A DoD directive bans autonomous weapons that would use AI to determine on their own if something or someone should be attacked.” (p.224)

“…an expert at the cybersecurity firm Endgame has publicly demonstrated how offensive AI can be used to ‘poison’ defensive AI software by essentially fooling the defensive technology engaged in the learning phases of ML. Think of it this way: ML could be fooled by creating a flood of false positive alarms, which could cause the detection system to disregard a type of attack. Then the real attack, looking sufficiently like the false positive, could be launched successfully.” (p.226)

“Will they create quantum-powered network defense first? Unlikely. Militaries think first of offensive weapons.” (p.238)

“If you have opened up your internal combustion engine car’s hood lately to attempt do-it-yourself maintenance on the engine, you have been met with a sealed box that is relatively impervious to any owner’s attempts to manipulate it. Well, it turns out the same is true on newer tractors, such as those from that staple of Americana, John Deere.” (p.242)

“They are also considering requiring a ‘bill of materials’ for every device, listing the software and hardware involved and their provenance. (Does that IV drip device have some open-source software in it that might mean it is hackable?) For the FDA, this proactive attitude is a big turnaround.” (p.248)

“…because for years they would not allow medical devices to accept security patches without prolonged, elaborate, and expensive testing. As a result, many medical devices were running ancient versions of Microsoft Windows software replete with known vulnerabilities. Many still are.” (p.249)

“Suspicions about who launched Mirai fell on the supporters in North America of the hacker Julian Assange, who has been linked to Russian intelligence and the hacking of the U.S. 2016 election.” (p.250)

“What the Stuxnet attack, the hack of the Saudi petrochemical facility, and many other incidents demonstrate is that what sensors think is happening may not always be accurate and what control boards show is the condition may not always reflect reality. When simple artificial intelligence applications are given too much autonomy to act with too little verification of the readings they are employing, bad things can happen on the Internet of Things. They can happen without malicious activity, as may have been the case in the crashes of the 737 Max aircraft (where a bad sensor reading may have caused an AI program to take control of the aircraft without telling the pilot), or they can be the result of hacking, as in the case of the two Ukrainian electrical power grid blackouts (where the control boards were hacked to indicate all was well, even after the GRU hackers had thrown the breakers on transformers all across the region).” (p.250)

“If ever there were a case of painting a moving train, securing the IoT is one. The deployment of billions of devices is well under way and may be accelerating. Getting all of those devices to be secure will be impossible.” (p.251)

“It was the food freezers at Target connecting to the HVAC service company that caused the 2013 hack that ended up getting the CEO and CIO fired.” (p.251)

“Passwords are like underwear. Don’t let people see them, change them often, and don’t share them with anyone. —ANONYMOUS” (p.254)

“The two best techniques to use if you are worried about someone getting your card information are: 1) only use a credit card, not a debit card, and 2) have a low spending limit on the credit line associated with the card, say, a thousand dollars a month (or more depending upon how profligate you want to be).” (p.257)

“No matter how innocent or authentic an email appears, do not click any link or open any attachment contained within it without first checking the sender’s email address, or hovering over the link with your mouse.” (p.259)

“there is little probability that someone is sitting around watching what goes on in your household all day, but if you’re worried regardless, turn the interior cameras off when you get home.” (p.260)

“The bottom line is don’t be so concerned about personal cyber risks that you fail to enjoy all the many wonderful things that the internet provides modern society just because there are threats lurking in the shadows.” (p.263)

“We must continually adapt and improve capabilities for individual companies and for the ecosystem as a whole. The goal is to achieve a state of ongoing improvement, where systems are continually being made more secure and the work of attacking these systems is harder, takes longer, and comes with greater risk of failure and punishment.” (p.267)

“Managed Security Service Provider (MSSP): A company to which other firms outsource some security of their network.” (p.272)

“As required by law and security agreements signed by both authors as a condition of their employment in the White House in past administrations, the text of this book was reviewed by National Security Council staff to prevent any unauthorized disclosure of classified information.” (p.280)

Conclusion

Lastly, I’d like to thank Mr. Clarke and Mr. Knake for their book. I found it insightful to learn about the relationship between the state and private corporations in defending cyberspace. Of course, some best practices have remained applicable throughout the last decades, even as innovative tools have appeared in the industry, such as using multi-factor authentication (MFA) on as many platforms as possible. Even so, we should still be aware of MFA bypass techniques.
