The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats [Paperback] Clarke, Richard A. and Knake, Robert K.
C**A
Good reference.
I recommend it to those interested in the security of cyberspace.
P**I
The Fifth Domain aka Cyber
The book was well written with good informative content, some of which I am not aware of from past readings for the general public. Whilst it's mainly US centric, it nevertheless conveyed the same message that cyber will definitely be part of the new frontier of warfare, complementing land, sea, air, and space as multi-dimensional asymmetric wars of the future.
S**A
Good read to understand Cybersecurity
The Fifth Domain, by Richard A. Clarke and Robert K. Knake, is interesting for those who are in the cybersecurity industry and for ordinary people. Unlike many other books written about cybersecurity that paint the frightening landscape of cyber, this book, being written by insiders, also gives a rare insight into how a government agency works, and how they tussle to control their domain. Written by the former National Coordinator for Security, Infrastructure Protection, and Counterterrorism for the U.S. National Security Council, Richard A. Clarke, and the former director for cybersecurity policy at the National Security Council, Robert K. Knake, they have a first eye view of what the country’s leadership goes through to contain the cyber threat we face. In this book, they take the reader through the security issues we face and provide prescriptions to solve some of these threats. This book tells some frightening stories, some of which are in the news. It covers stories from the Stuxnet virus that infected the Iranian nuclear agency, damaging their vital centrifuge and setting back their nuclear program by two years, to the WannaCry ransomware that shut down many businesses all over Europe and North America. The common theme in many stories is that even a well planned and executed malware attack may have unintended consequences. The Stuxnet malware was designed in such a way that it spread using Microsoft’s zero day vulnerabilities that the NSA knew about but did not notify Microsoft of. It spread targeting the Siemens SCADA systems that control nuclear power plants, but only damaged the Iranian nuclear program’s SCADA. It used many zero day vulnerabilities, which are very difficult to detect and defend against, and a lot of other techniques that only a well financed and technically strong nation state is capable of. Much information on Stuxnet shows that it was probably designed by Israel and the US, who would want to damage or slow down the Iranian nuclear program for political reasons.
But, this malware was found in many other countries. Another example of an attack it gives is the Russian attack to cripple Ukraine. It used a combination of media manipulation and tools stolen from the NSA. In this attack, several Ukrainian ministries, banks, the electric grid and metro systems were affected. The Russians carried out the attack using the NSA’s EternalBlue exploit that was stolen earlier. The NSA discovered the vulnerabilities in the Microsoft Windows software, but did not notify them to fix it, rather developed a tool to get inside the adversaries. However, 20% of the infections happened in countries outside Ukraine, including Merck in the USA. In Ukraine, Russia tested their offensive capabilities. The media manipulation they did in Ukraine during the attack shows how and what they can do to influence people’s perception. The Russians also disrupted the Ukrainian power grid. But they did not do serious damage such as blowing up transformers, which could have caused chaos and potentially taken several months to years to repair. Perhaps the Russians did not want to leave behind their trick for damaging the electric grid, for fear that the Ukrainians or another adversary may develop a defense for it. The Russians used this lesson learned in the 2016 US election and helped to elect the person desirable for their national interest. Spending far fewer resources, they were able to control arguably the most powerful country. And the scarier thing is that the Russians are lurking in the American electric grid and have already demonstrated their ability in Ukraine to damage the electric grid. And the Chinese are probably in the US gas pipeline and have the ability to disrupt it. The book is not all gloom and doom.
They give several solutions, which are effective leadership, adequate resource allocation for cyber, international cooperation, development of resilient systems, and ways to make the cost of attacks higher and make monetizing difficult. They pointed out that perhaps the US problem is its politicians, and an inability of different government agencies to work together. They talk about the Trump administration’s steps that undermine American capability to work with foreign countries and organizations by eliminating the point person handling the cyber issue at the State Department. This allowed malicious foreign cyber threats to act with impunity, fearing no consequences for the harm they do to US interests. Trump also removed the Cyber czar at the White House, a position Richard Clarke held during the Bush and the Clinton administrations. And the roadblock put by the Republican senator McConnell on the bill which would be helpful in securing the US voting systems. They also pointed out that security agencies wanted to weaken encryption so they can get in, which would have also allowed foreign cyber actors to get in easily to US systems. Another problem they pointed out is the competing nature of public and private companies’ interests and the inadequate cooperation between them. If DoD and the NSA find out about zero day vulnerabilities in a US vendor, is it in the national best interest to withhold that information from the vendors and build the exploit which the NSA can potentially use against a foreign entity, or let the vendor know so they develop a patch for it? Perhaps their best recommendation is to use Lockheed Martin’s concept of the Kill Chain. In their book published 10 years ago, the authors, like most in the industry, believed that defense is hard because the defender has to be right all the time and offense has to be right only once. But the authors now believe that good defense is possible.
They give examples of companies that are spending adequate resources, cooperating within the industry and defending their resources successfully. The concept of the Kill Chain is that to cause damage, the offensive cyber actor has to get into the network, stay hidden, steal the information, exfiltrate and then monetize it. If we make any of these steps harder, then offense would be very hard. For example, the financial industry worked together to bring out credit cards with chips on them. When most of the ATMs and card readers were replaced with chip readers, it became very difficult for a thief to steal the credit card from the point of sale. And with the wider use of 2 Factor Authentication, it becomes difficult to use the stolen card online. So, the criminal has to work hard to steal the card and monetize it. As the barrier to monetize is raised, it raises their effort and the cost, so card theft may go down. Overall, I enjoyed this book and the prescription it offers is very helpful.
G**R
Entertaining. Scary cyber threats exist, but there's hope for the future.
The Fifth Domain, by Richard Clarke and Robert Knake, former National Security Council members and current cybersecurity consultants, tells a frightening tale that, according to sources in the U.S. Intelligence Community (IC) and Department of Homeland Security (DHS), the Russian military intelligence operatives (GRU), having successfully attacked Ukraine’s power grid, are lurking in our own critical infrastructure and, “...the warning lights are blinking red.” In addition, China has the ability to disrupt the U.S. natural gas pipeline system, at will. Now that the authors have our attention, they offer some small measure of relief by suggesting various ways to deal with the threat to the Fifth, or cyber, domain (the first four being air, land, sea and space). While the policies and methods they suggest are great ideas, some were formulated many years ago and are still awaiting completion of the most difficult stage, implementation. Their seven-step plan to stabilize our critical infrastructure will be familiar to anyone in the field – effective leadership, more efficient allocation of funds, resilient systems, superior strength and international cooperation. One of the more intriguing concepts is to apply defense contractor Lockheed Martin’s kill chain model, which breaks the attack process down into seven stages. Conventional wisdom holds that the attacker always has the advantage. The authors suggest, somewhat counterintuitively, that penetration of a system gives the defender the advantage because the attacker is now on the defender’s home turf. It takes a great deal of skill and energy to achieve and maintain persistence in a stranger’s system, and every move made is an opportunity for the defender’s system to detect anomalous behavior. Clarke and Knake’s most ambitious idea is to create a separate internet where only organizations that comply with the rules of membership are permitted, similar to Europe’s Schengen Area.
Accountability and cross-border security would be provided by mechanisms such as coordination with law enforcement and sending internal message traffic through massive encrypted tunnels. They also state that one of the most effective ways to improve network security may be to follow the example of successfully defended financial institutions that allocate at least 12% of their IT budget to cybersecurity. Their view is that government’s role should be limited to arresting criminals, leveling sanctions, and, if necessary, waging war. A theme that I found particularly interesting was that our adversaries are not all external. The authors point out many examples of internal struggle which demonstrate that one of the greatest enemies of a secure network may be ourselves. The equities issue is addressed, in which the interests of the Intelligence Community (IC), who secretly retain information on software vulnerabilities to be used offensively, conflict with the desires of the U.S. Treasury Department and Homeland Security to maintain a secure network by informing the manufacturers of security flaws. Firms like CrowdStrike, in fear of losing a competitive advantage, refuse to cooperate in information-sharing programs such as the Cyber Threat Alliance (CTA) formed by Palo Alto Networks, which includes Symantec, McAfee, Fortinet, Cisco, Sophos and Rapid7. Then, there are the efforts of Congress to mandate compliance with regulations versus the U.S. Chamber of Commerce and Office of Management and Budget (OMB), who excuse their recalcitrance in the name of protecting innovation. This last item does not bode well for the effectiveness of Senate Bill 734 – The Internet of Things Cybersecurity Improvement Act of 2019, currently on the Senate Legislative Calendar. Senator Warner’s bill seeks to leverage the purchasing power of the U.S. Government to encourage manufacturers of Internet of Things devices to make them less vulnerable to attack.
While the bill, admirably, requires the National Institute of Standards and Technology (NIST) to issue recommendations to this end, the notoriously regulation-averse OMB will have the final say on which recommendations are actually issued. Another difficult issue is the dilemma that arises when organizations fall victim to ransomware, incidents of which are increasing as countries adversely affected by sanctions seek other means of financial support. Should they pay the fee in order to regain access to their illicitly-encrypted data, or refuse and trust that their backups (if they exist) are viable? The FBI's Richard Jacobs states that they, “...don’t condone it,” but, “...if you’re not prepared...you may not have a choice.” Payments made to certain known terrorists’ accounts may result in additional fines. This is one of Clarke and Knake’s suggestions to deal with ransomware in the future. That, or simply making the payments illegal. The final section of the book offers a thorough list of actions that everyone should take to decrease the likelihood of becoming a cyber victim. I found it an analogous microcosm of the broad advice given to government and corporations. This section, like the previous five, does not break any new policy ground, but rather serves to raise awareness of current and near-future threats and suggest methods of germinating and nurturing established ideas that will improve our information security. If examples from the financial sector are to be used as benchmarks of success, a critical element will be to fertilize these ideas with plenty of wisely allocated funds. I really enjoyed this book. The authors' sense of humor will resonate with anyone who appreciates a good "dad joke" or clever pun. At times, the name dropping, while lending credibility, made it hard to keep track of the numerous sources. I found the section on cybersecurity careers inspiring, if a bit of a reality check on the number of employment opportunities actually available.
Overall, an entertaining and enjoyable experience.
W**L
Written by two knowledgeable and well-educated men.
The Fifth Domain was a comprehensive overview of the state of our cyber security on a national and personal level. The defensive versus offensive strategies are explained in detail, along with how those strategies are implemented by companies and governments -- worldwide. The key word is RESILIENCE. The solutions, i.e. protections, as laid out in the book, are not promises to eliminate all digital insecurity. There is no promise of that here. What is stressed is resilience, the ability to recover from cyber attacks with a minimum of loss. The book makes clear that we are currently far from a sustainable recovery mode should a major attack occur -- because companies and governments haven't been convinced that protecting themselves adequately, let alone safeguarding our personal data, from a cyber attack is worth the money they would spend on it. The good news is, that viewpoint has been changing over the last several years. The section on the possibilities of quantum computing and its ramifications in a cyber-war was chilling. Also, internet of things -- as in, allowing your microwave, or other "things" to phone home, et al. -- could be used collectively to engage in a cyber-war. These topics are just a smattering of what is covered in the book. Richard A. Clarke has a BA and a Masters degree in Science and Technology, and has spent his career steeped in Cyber Security, inside and outside of government. Everything he has learned and experienced to date is in this book. FYI: Trump was given credit (twice) where it was due. Trump was criticized (once). This book is not about Trump, or bashing Trump. Anyone that states otherwise has not read this book.