We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except it’s a canon for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary

I know what you’re already thinking. Understanding Cyber Security: Emerging Governance and Strategy looks like something that would only apply to the “govie” and military cybersecurity audience since it appears at first glance to focus on public policy, strategy, governance and military applications of cyberspace. I beg to differ and believe that while this book is certainly written mostly for the public sector crowd and is not a contender for a Cybersecurity Canon Hall of Fame nomination, it deserves consideration for a place in the Canon. This is because once you dig down into some of the details, you’ll find a fascinating (and, in some cases, very technical) look at a range of topics that impact just about everyone and every organization that depends on cyberspace for all they do ... and isn’t that increasingly all of us?

Understanding Cyber Security begins by acknowledging that over the past several decades, cyberspace has become “the most useful domain of productivity the world has ever known.”[1]  At the same time, our growing dependence on cyberspace for everything, from national and economic security to our personal rights, welfare and safety, increasingly reveals extreme vulnerabilities and risks that impact us all. This book is a collection of chapters from the likes of Joe Nye (Harvard), Herbert Lin (Stanford), Martin Libicki and James Farwell (well-known, cyber related authors) and other luminaries, with an insightful opening from General Michael Hayden (former NSA and CIA Director). It deals with current topics, such as internet governance, the internet’s underlying “plumbing” and efforts to change it, national security issues in cyberspace, the concept of “cyber commons,” the growing pursuit of “cyber borders” by many nations (friend and foe alike, by the way), a vision of cyberwar in 2025, a discussion about whether we can learn from nuclear lessons when it comes to cybersecurity, escalation and conflict termination in cyberspace, “nonobvious warfare,” the important role of attribution in cyberspace, and finally (whew!), the role of public-private partnerships in national cybersecurity.

While I don’t agree with everything in the book, and it’s very lengthy at 530 pages, I consider it an important addition to my personal library. I also believe that certain chapters in the book are especially relevant for an audience much broader than just the government and military reader. Therefore, I will focus my review on those chapters for the broader audience. I recommend this book for the broader cybersecurity professional community and as an addition to the Canon.

Review

Understanding Cyber Security: Emerging Governance and Strategy is a book that deserves consideration for acceptance into the Cybersecurity Canon. I say this because although most of the chapters within this book certainly focus on the professional government and military cybersecurity community (and therefore disqualify this book as a Canon Hall of Fame contender), there are some key chapters that cover a range of topics that include both technical and non-technical issues that increasingly impact a much broader audience. By exploring these issues, select chapters in this book contribute to a better understanding of current and future dynamics. Just about everyone throughout the cybersecurity community must deal with these dynamics in order to continue to leverage the promise of cyberspace while managing its growing risks. Specifically, the first four chapters as well as the last chapter meet these criteria for the broader professional cybersecurity audience. I will focus my review on these portions of the book and only generally cover the topics from other chapters to provide context.

General Hayden, former CIA and NSA Director, opens the series of chapters by various authors and tees up a rare glimpse into some of the key cyberspace questions yet to be answered. He discusses why answering these questions is critical to dealing with some of the most important policy, legal and practical dilemmas we are facing today across government and industry. He sums up his experience by saying, “Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon.”[2] This is appropriately an eye-opening beginning to the chapters that follow.

Chapter 1 is about internet governance and describes the history of how cyberspace evolved, why we’re now at a very important inflection point based on what’s going on within the underlying internet infrastructure, efforts to change the original rules of the road about how it is governed, and why it matters greatly from a national and international security (and I believe business) perspective. I equate this chapter to helping all of us in the cybersecurity community understand how the original “building codes” of the internet were established, where the cracks are beginning to show in the aging and underlying internet foundation, and who’s trying to change the codes and install new infrastructure to put themselves in a position of future advantage over the United States and its partners. You might say that internet “plumbing” sounds boring and isn’t for all cybersecurity professionals. However, I think this view is worse than sticking your head in the sand. The conclusion of this chapter states, “As the hardware and software on which the global internet is based evolve, and non-U.S. entities begin to invent new hardware, standards, and protocols, potentially taking market share away from U.S. entities, the U.S. position as core cyber infrastructure operator will diminish.”[3] This has significant implications for us all.

Chapter 2 complements the first chapter and is about the implications of the growing decentralized nature of internet governance amidst the continuing global nature of internet physical and logical resources. The outcome of this dynamic is that we’re going to continue to see an increasing number of autonomous actors and organizations (both nation and non-state) making decisions that will have both intended and unintended consequences for others across the interconnected digital landscape. This can contribute to increased complexity and uncertainty for both public and private institutions when dealing with both coordination and conflict resolution ... meaning increased national security and economic friction, not to mention potentially significant impact to individual rights issues, such as privacy and freedom of expression.

Chapter 3 follows a parallel theme associated with the first two chapters and discusses the concept of “cyber commons” and the impact this dynamic is having on other concepts, such as sovereignty. A growing number of nations and multinational groups, both friendly and adversarial alike, are creating a variety of mechanisms (e.g., laws, policies, regulations, and technical procedures) designed to control data and information flows across their cyber borders for a variety of national and domestic security, economic, law enforcement, military and other reasons. The authors of this chapter conclude that we are more likely than not on a path that will change the very character of the digital environment. What began as a trust-based, self-governing global commons with nearly unrestricted access and opportunity for all will increasingly give way to independent and uneven national control mechanisms and the growing influence of privatization. If correct, the implications on national and domestic security, economic stability, public access to resources and individual rights could be dramatic.

Chapter 4 is one of my favorites in the book.  The chapter is titled, “Rise of a Cybered Westphalian Age 2.0.” If you don’t read anything else in this book, you should definitely read this part.  I’ll admit that the authors of this chapter (Chris Demchak and Peter Dombrowski) provide a very military perspective about the implications of the rise of “cyber borders” across the world’s digital landscape, but I believe the implications are just as stark for business. And if you believe as I do that our cybersecurity profession is increasingly less about what’s happening only at a technology level and more about how technology affects business outcomes, then you’ll want to pay attention to this chapter. The erection of “cyber borders” by friend and adversary alike is already leading to an increasing number of laws, regulations and procedures about the “cyber passport control” processes being put in place across the global cyberspace domain.  These processes are different from nation to nation, creating complexity and introducing not only security challenges, but business risks. Large, global corporations are having to make business decisions based on these risks, sometimes resulting in the loss of intellectual property and increased supply chain vulnerabilities. Ultimately, this dynamic affects our collective security, competitiveness, and the very trust we place in the digital age.

The last chapter I want to highlight is, ironically, the last chapter in the book. James Farwell authored this chapter about the role of public-private partnerships in national cybersecurity, and he minces no words in describing the current situation as an enormous imbalance between governments and industry and an unsustainable path that will lead to disaster. However, he offers some difficult but practical solutions that provide some promise for changing the status quo.  These include a joint public-private policy framework, legislative reforms that incentivize industry to act more effectively in protecting the critical infrastructures each nation depends on for its national and economic security as well as its public health and safety, and a strategy that strengthens cybersecurity through a more balanced partnership between nations and the private sector.  Again, this is as relevant to business leaders as it is to governments and militaries.

Conclusion

Understanding Cyber Security: Emerging Governance and Strategy is not just a book for the global public sector audience. It covers a much broader set of issues and is relevant to the professional cybersecurity community at large. Yes, there are many chapters of particular interest to the government and military cybersecurity crowd, such as national security issues in cyberspace, a vision of cyberwar in 2025, a discussion about whether we can learn from nuclear lessons when it comes to cybersecurity, escalation and conflict termination in cyberspace, “nonobvious warfare,” and the important role of attribution in cyberspace.  However, the chapters dealing with issues such as internet governance, the internet’s underlying “plumbing” and efforts to change it, the concept of “cyber commons,” the growing pursuit of “cyber borders” by many nations, and the role of public-private partnerships in national (and international) cybersecurity lend themselves to a much broader audience. These issues are causing new and complex risks to business, impacting fundamental human rights and even jeopardizing public safety. As such, I believe this book should be considered for acceptance into the Cybersecurity Canon because it covers issues the cybersecurity community must understand, deal effectively with to restore trust, and help our leaders successfully navigate in the digital age.

[1] W. Michael Guillot, Understanding Cyber Security: Emerging Governance and Strategy (London and New York: Rowman & Littlefield International, 2018), Preface, p.12.

[2] General (Retired) Michael V. Hayden, Understanding Cyber Security: Emerging Governance and Strategy (London and New York: Rowman & Littlefield International, 2018), The Future of Things Cyber, p.16.

[3] Panayotis A. Yannakogeorgos, Understanding Cyber Security: Emerging Governance and Strategy (London and New York: Rowman & Littlefield International, 2018), Internet Governance and National Security, p.56.