{"id":20868,"date":"2016-10-13T15:00:59","date_gmt":"2016-10-13T22:00:59","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=20868"},"modified":"2020-04-21T14:23:48","modified_gmt":"2020-04-21T21:23:48","slug":"cybersecurity-canon-will-cyberwar","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2016\/10\/cybersecurity-canon-will-cyberwar\/","title":{"rendered":"The Cybersecurity Canon: There Will Be Cyberwar"},"content":{"rendered":"<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/10\/Big-Canon-Banner.png\"><div style=\"max-width:100%\" data-width=\"1140\"><span class=\"ar-custom\" style=\"padding-bottom:17.11%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"size-full wp-image-20520 alignnone lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/10\/Big-Canon-Banner.png\" alt=\"big-canon-banner\" width=\"1140\" height=\"195\" \/><\/span><\/div><\/a><\/p>\n<p><em>We modeled the\u00a0<a href=\"https:\/\/www.paloaltonetworks.com\/threat-research\/cybercanon.html\">Cybersecurity Canon<\/a>\u00a0after the Baseball or Rock &amp; Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that.\u00a0Please write a review and nominate your favorite.\u00a0<\/em><\/p>\n<p><em>The Cybersecurity Canon is a real thing for our community. We have designed it so that you can\u00a0<a href=\"https:\/\/www.paloaltonetworks.com\/threat-research\/cybercanon\/nominate-a-book\">directly participate in the process<\/a>. 
Please do so!<\/em><\/p>\n<p><strong>Book Review by <a href=\"https:\/\/www.paloaltonetworks.com\/threat-research\/cybercanon\/cyber-security-canon-bios.html\">Canon Committee Member, Jon Oltsik<\/a>:\u00a0<\/strong><em>There Will Be Cyberwar: How The Move To Network-Centric War Fighting Has Set The Stage for Cyberwar<\/em>\u00a0(2015)<em>\u00a0<\/em>by\u00a0Richard Stiennon<\/p>\n<h3>Executive Summary<\/h3>\n<p>Richard Stiennon\u2019s book <em>There Will Be Cyberwar <\/em>is a short (i.e., 136 pages), concise analysis of the cybersecurity impact of the U.S. military\u2019s adoption of network-centric warfare. The book traces the history of the transition to network-centric warfare, which began in the early 1990s, gained steam throughout the decade, and is now a fundamental piece of U.S. military tactics and strategy overall.<\/p>\n<p>Clearly the transition to network-centric warfare produced some astounding outcomes, such as precision-guided weapons, improved situational awareness through sensors and data collection, and vast advances in military communications as well as command and control. Stiennon argues, however, that these benefits come with a steep cost \u2013 as it further depends upon technology, the U.S. military has become extremely vulnerable to crippling cyberattacks that could degrade or even destroy its offensive and defensive capabilities.<\/p>\n<p>To illustrate the extent of these vulnerabilities, the book begins with a fictitious military operation example in the Taiwan Straits, using this episode to illustrate the potential outcome if a military adversary (in this case the People\u2019s Republic of China) was able to compromise U.S. military technologies as part of an attack. 
Needless to say, the results aren\u2019t pretty.<\/p>\n<p>To supplement his thesis on military technology vulnerabilities, Stiennon weaves in numerous real-world examples of cyberattacks on all types of military, intelligence, and even private sector organizations.\u00a0 These incidents are used to hammer home what\u2019s at stake in terms of financial and operational damages. The book concludes with some brief suggestions on how the Pentagon should address its current cybersecurity weaknesses including bolstering cyber supply chain security, adopting more pervasive use of encryption (and strong key management) and continuously monitoring all network traffic.<\/p>\n<p><em>There Will Be Cyberwar <\/em>is not for everyone as it really looks at cybersecurity through the lens of network-centric warfare. As such, I cannot advocate its inclusion in the Cybersecurity Canon.\u00a0 For those cybersecurity professionals interested in military technology, IoT, public policy, and the geo-political landscape, however, this book can serve as a quick, high-level and interesting read.<\/p>\n<h3>Review:<\/h3>\n<p>The goal of the Cybersecurity Canon is fairly simple and concise: \u201cTo identify a list of must-read books for all cybersecurity practitioners \u2013\u00a0be they from industry, government or academia -- where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional\u2019s education that will make the practitioner incomplete.\u201d\u00a0 Based upon this objective, <em>There Will Be Cyberwar, <\/em>by my old friend Richard Stiennon, may not qualify since it is solely focused on cybersecurity implications related to the evolution of network-centric warfare. 
But while this book may not be for everyone, it is an easy and worthwhile read for those cybersecurity professionals whose interests include government policies, internet of things (IoT) security, intelligence, surveillance and reconnaissance (ISR) platforms, high-tech military equipment, and geo-political issues.<\/p>\n<p>Unlike other cybersecurity tomes, <em>There Will Be Cyberwar <\/em>grabs the reader\u2019s attention right away in Chapter One where Stiennon describes a fictitious future (2018) U.S. military failure in the Taiwan Straits, presented to the reader as a report to the Senate Armed Services Sub-Committee.<\/p>\n<p>Here, Stiennon borrows heavily from the 1995\u20131996 Taiwan Straits incidents. When tensions between the People\u2019s Republic of China (PRC) and Taiwan escalated, the U.S. demonstrated its support for Taiwan by deploying several aircraft carrier groups to the region, the largest U.S. military presence in Asia since the end of the Vietnam War. In the mid-1990s, this show of force convinced the PRC that the U.S. would defend Taiwanese sovereignty, if necessary.<\/p>\n<p>Stiennon\u2019s book starts with a similar scenario, a show of American military force in response to escalating tensions between the two Chinas. This is where the similarities end, however, as Stiennon paints a detailed picture that can only be described as Murphy\u2019s cybersecurity law. Just about everything that can go wrong (from a cybersecurity perspective) does go wrong \u2013 command-and-control (C2) channels are overwhelmed, nautical, aerial and satellite navigation systems are disrupted, communications systems fail, intelligence systems spew out false-positive\/negative indicators, etc.\u00a0 This series of cascading failures produces grave results as well. Airplanes fly off-course and are shot down, weapons systems don\u2019t work, radar systems fail to identify enemy assets, etc. In the end, U.S. 
forces dependent upon network-centric warfare tactics and equipment are mired in the fog of war and lose all ability to defend themselves. The result? Taiwan reunifies with the PRC in the most embarrassing and devastating military episode since Pearl Harbor.<\/p>\n<p>I should note that Stiennon insists on a strict definition for the term \u201ccyber Pearl Harbor\u201d that is used occasionally by presidents, cabinet members and legislators, as well as intelligence and military personnel. Stiennon considers an attack on the private sector or U.S. critical infrastructure to be a \u201ccyber 9\/11,\u201d as opposed to a \u201ccyber Pearl Harbor,\u201d which would be equated with a military defeat like the one the book describes.<\/p>\n<p>This worst-case example presented in Chapter One is used as a jumping off point for Stiennon to focus on his overall message. While the U.S. has proceeded into network-centric warfare with both feet, it has done so without an appropriate commitment to cybersecurity. The rest of the book is dedicated to presenting this thesis.<\/p>\n<p>Stiennon begins to prosecute his case with a brief history of how we got to this point. It starts by comparing the fictitious and real Taiwan Straits incidents and proceeds to describe the origins of network-centric warfare driven by Admiral Archie Clemins in the mid-1990s. The admiral set out to \u201cbring the fleet into the information age\u201d and enable \u201ccollaboration at sea.\u201d This included integrating software, connecting systems and ships through TCP\/IP networks, and instrumenting military equipment with sensors for information collection. It wasn\u2019t long before the military brass back at the Pentagon learned about the project\u2019s success and were more than willing to procure funding, outfit the entire naval fleet, and extend the concepts of network-centric warfare across the entire U.S. 
military.<\/p>\n<p>The capabilities of network-centric warfare were most evident with the speed and tactics used in the first Gulf War, where the U.S. military displayed things like enhanced communications, new guided weapons, improved battlefield awareness, and some early offensive cybersecurity tactics to disrupt enemy command and control. After this series of battlefield successes, network-centric warfare was proclaimed as a revolution in military affairs (RMA) and \u201cforce transformation\u201d in Washington while garnering a lot of attention from potential adversaries Moscow and Beijing. Stiennon also rightly points out that network-centric warfare progress paralleled a similar revolution in the private sector as innovations like the World Wide Web, Mosaic browser, and e-commerce transformed the internet from an academic\/scientific network to a global information superhighway.<\/p>\n<p>At this point in the story, Stiennon alternates his role between reporter, critic and soothsayer. As the U.S. military and private sector embraced the internet, its warts were soon exposed. The book provides numerous examples where cyber adversaries intersected with the Pentagon\u2019s embrace of internet communications and network-centric warfare. Some of these include a massive breach of American government, military and private sector computers in 2003 (aka \u201cTitan Rain\u201d), a similar but more pervasive set of incursions starting in 2008 that included theft of design documents for the Lockheed F-22 Raptor and F-35 Lightning (aka \u201cByzantine Hades\u201d), a compromise of the military\u2019s Secret Internet Protocol Routing Network (aka \u201cSIPRnet\u201d), the capture of military equipment and subsequent reverse engineering of an NSA operating system by the Chinese, and the interception of drone-to-ground communications by Iran. 
All of these incidents led to confidential data exfiltration and extremely high remediation costs.<\/p>\n<p>Stiennon also educates the reader on the precarious relationship between software development and cybersecurity. When the U.S. Air Force tested millions of lines of software code, it found one software vulnerability for every eight lines of code, one \u201chigh vulnerability\u201d for every 31 lines of code, and one \u201ccritical vulnerability\u201d for every 70 lines of code. Thus, Stiennon is making readers aware of an obvious relationship: The more lines of software code used in military equipment, the more vulnerable it becomes to cyber exploits. The book also discusses problems with cyber supply chain security. Since many components used in military equipment are originally manufactured in China, it\u2019s possible that many U.S. military assets are fraught with backdoors, easily exploited as tensions escalate.<\/p>\n<p>The book does acknowledge that the U.S. military recognizes today\u2019s threats and vulnerabilities and has taken some proactive steps to address these, such as the establishment of the U.S. Cyber Command. But Stiennon argues that Cybercom is focused on network defense and offensive operations; while, to this day, there is no solitary organized effort to address the potentially millions of vulnerabilities created by the military\u2019s pivot to network-centric warfare.<\/p>\n<p>Stiennon does offer some suggestions for addressing the issues presented in the book, such as an increased focus on encryption services and key management, improved cyber supply chain security, system hardening, operations hardening, continuous network monitoring, and the establishment of a force transformation czar with broad oversight and weapons procurement authority. 
These suggestions are fairly lightweight but do direct the reader to some general cybersecurity initiatives for further reading.<\/p>\n<p><em>There Will Be Cyberwar <\/em>has its share of shortcomings. For starters, the book is brief, at only 136 pages in length, so details are relatively sparse. The edition of the book I read also contained a number of typographical and textual errors which could leave readers somewhat skeptical of its overall quality.\u00a0 Finally, Stiennon dedicated a few chapters to the limitations of risk management and the need to focus on threat management instead. I understand his reasoning, that risk management equates to a \u201cboil the ocean\u201d exercise, while threat management is more focused; but any effort focused on eliminating vulnerabilities across network-centric warfare systems certainly demands a more comprehensive risk management methodology. Additionally, I\u2019ve always thought of threat management as a component of risk management, so Stiennon\u2019s argument was a bit confusing to me. In any case, truly protecting military technologies will require improvements in risk and threat management. I\u2019m sure Richard would agree with this.<\/p>\n<p>As I mentioned previously, <em>There Will Be Cyberwar <\/em>is not for everyone, as some cybersecurity professionals may not want to dig into the language, history and unique cybersecurity challenges around network-centric warfare technologies. For those interested in this topic, however, the book is a worthwhile, albeit brief, read and starting point for further research into the many issues it presents.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We modeled the\u00a0Cybersecurity Canon\u00a0after the Baseball or Rock &amp; Roll Hall-of-Fame, except for cybersecurity books. 
We have more than 25 books on the initial candidate list, but we are soliciting help from &hellip;<\/p>\n","protected":false},"author":153,"featured_media":15556,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[155,4521],"tags":[251,2769,2766],"coauthors":[1325],"class_list":["post-20868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-2","category-canon","tag-cybersecurity-canon","tag-richard-stiennon","tag-there-will-be-cyberwar"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/07\/cybersec-canon-red-500x218.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/20868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/153"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=20868"}],"version-history":[{"count":5,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/20868\/revisions"}],"predecessor-version":[{"id":21291,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/20868\/revisions\/21291"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/15556"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?par
ent=20868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=20868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=20868"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=20868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}