Cyber War...and Peace: Building Digital Trust Today with History as Our Guide
Book written by Nicholas Shevelyov
Book review by Ben Smith
I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
While books are all about collecting and dispensing knowledge about specific topics, usually with a specific audience in mind, there is sometimes a lost opportunity to bring that knowledge to a broader audience. A marketing failure, perhaps, but more importantly a failure to attract would-be readers from adjacent disciplines. What author doesn't want the widest audience available to consume their book?
Strong books actively seek to build bridges between disciplines, which brings us to a look at Cyber War...and Peace: Building Digital Trust Today with History as Our Guide, where lessons about the technical disciplines of cybersecurity and risk management are brought to the reader through a historical lens.
This book is a "two-fer." Judging from its title, the casual reader will not be surprised to find a series of cybersecurity-relevant analogies and lessons from history. But the secondary, less obvious benefit of this book is that it also serves as a solid introduction and on-ramp to the industry-reference control set known as the Center for Internet Security (CIS) Critical Security Controls (CSC). Many of the historical anecdotes lead right into control recommendations for the reader to consider applying within their own present-day environments.
Each chapter in this short book is devoted to one story from history, and most of the stories are based on lessons learned in a military context. But you don't have to be a soldier, or a highly seasoned technical resource, to understand the morals or outcomes of each of these stories.
Several essential truths about the challenges facing today's cybersecurity and risk management leader are laid out clearly. Managing the attack surface becomes an easier task when you deliberately architect just a handful of chokepoints: places an adversary must move through as they advance towards your crown jewels, and therefore a finite number of key places where your detection and response budget is best allocated within your environment. While it's important to have a risk register and a set of controls defined and in place to mitigate those risks, understand that constantly granting exceptions will make those controls brittle and prone to breakage over time, sometimes spectacularly. Having a shared vocabulary about risk makes your organization stronger. And retention policies should be driven not exclusively by external regulations but by the business value of the retained data: are you holding data today which provides no economic value, and if so, why?
Through its historical storytelling, the book also touches on two especially important concepts. The first is the importance of understanding how incentives work. Incentives should be created and enforced to drive behavior towards a destination beneficial to your organization. Incentives always (always!) lead to outcomes, but frequently those outcomes are not what was originally envisioned.
An example offered up by the author is to recognize what incentives exist for the externally sourced consultants who are providing cybersecurity and risk management advice to your organization today. The Code of Hammurabi, almost four thousand years old, specified that building architects were liable in the event of a structural collapse which resulted in death. And the remedy in that case was that the architect would meet the same fate: he would be crushed to death by a wall. Today's consultants almost never hang around past the conclusion of their engagement with you, metaphorically standing under the wall they are recommending you implement; they are usually long gone by the time their recommended wall fails. Treat your consultants as tourists, understand where their incentives lie, and process their advice to you accordingly.
The second of these especially important concepts is introducing the reader to the importance of pre-mortems as a management tool. We are all probably familiar with the concept of post-mortems, literally "after the death" reviews of a project or a product, usually one gone wrong. Post-mortems are designed to surface lessons learned, especially when those lessons lead to failure. But why should we wait until the end of a project to think about this?
One of the many people-management lessons I've absorbed over my career is to build a mandatory circuit-breaker into the hiring process: an opportunity to pause the process and ask the question, "How will this candidate fail in this job in the future?" It's a question we should internally consider about any potential new hire, especially someone who otherwise is smoothly moving through their interviews. Weaknesses don't have to be disqualifying, but everyone has them. You want to have spent some time thinking about this before you hire, and not just at termination time.
Pre-mortem exercises in the cybersecurity project world can provide the same benefit: even if you think everything is plotted out cleanly and you believe you know all of the steps to your destination, make a point of pausing once you are inside the process to think outside the box, to try and identify where failure may be lurking. Draw your colleagues into this conversation and get these potential issues out into the open (they always exist!), so that they can be considered and noted as appropriate.
Throughout the book, the author borrows liberally from, and credits fully, industry resources offered by SANS, OWASP, IAPP and other groups and authors. Several pages are devoted to reproducing a fine NACD-sourced list of questions board members should ask to determine the cyber-literacy of the management team they oversee.
If you enjoy a historical angle to how you learn about challenges in today's world, you'll find this book to be a solid introduction, especially if you are an executive or leader for whom cybersecurity may not be your primary focus.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to many more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!