Cybersecurity Canon Book Review: The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats

Posted: October 21, 2020

Written by Richard Clarke and Robert Knake

Book review by Canon Committee Member: Rick Howard

The Cybersecurity Canon Committee selected this book to be inducted into the Hall of Fame during the 2019-2020 season. They also awarded the authors, Richard Clarke and Robert Knake, a Lifetime Achievement award because this is their second book to be added to the Hall of Fame. The committee inducted their first book, “Cyberwar: The Next Threat to National Security and What to Do About It,” in the 2015-2016 season.

“The Fifth Domain” is the perfect Hall of Fame book. It is part history (see timeline below), part big ideas, part fanboy service to the cybersecurity industry’s biggest thought leaders, and finally, it is a look into the future with regard to near-term technologies—such as 5G, quantum computing, and artificial intelligence—and how they might impact the security landscape as well as what the network defender community should be considering in order to influence how they are deployed.

One side note: I got the opportunity to interview the authors during Cybersecurity Canon Week this year at the CyberWire's network of podcasts. I teased both Dick and Rob during the interview that the best way to get people talking about their book was to write a paragraph or two about some of our industry’s thought leaders and their pet projects. Well, that is exactly what they did:

  • Bob Ackerman: His notion that many startup products are not essential tools but merely features that should be included in larger security platforms.
  • Colonel Roger Schell: He was the original developer of the Rainbow security manuals back in 1979.
  • Gary Gagnon: He was the leader behind MITRE’s initial efforts on deception and the creation of the MITRE ATT&CK framework.
  • Jim Routh: The notion that “resiliency isn’t about avoiding a breach, it’s about preventing bad outcomes.”
  • John Perry Barlow: He is the author of the 1996 “A Declaration of the Independence of Cyberspace.”
  • Rohan Amin: He is one of the co-authors of the original intrusion kill chain paper by Lockheed Martin.
  • Steve Lipner: He is the mind behind the original Microsoft Software Development Life Cycle.
  • Sounil Yu: He invented the Cyber Defense Matrix.
  • Todd Inskeep: His notion that you can actually defend your enterprise with the right strategy and enough resources.

And many more. Of course, they mentioned my pet project, the Cyber Threat Alliance, and they came on my podcast to talk about my other pet project, the Cybersecurity Canon, so you know I was going to write about their book. It would be bad form if I didn’t.

In terms of history, they focused on a theme that has been covered from different angles in other Cybersecurity Canon books too this past year: David Sanger’s “The Perfect Weapon: How the Cyber Arms Race Set the World Afire” and Andy Greenberg’s “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.” That theme is the continuous low-level cyber conflict that has been going on by and between key nation-states like the United States, Russia, China, Iran, and North Korea for the past decade or more.

For big ideas, they have a sack of them:

  • Resilience should be our focus, not blocking technical things like malware and zero days. We must build systems so that most attacks cause little to no damage.
  • Make the bad guy spend resources to keep up with the defenders, not the other way around.
  • Adopt cybersecurity first-principle thinking by getting leadership to think holistically about the nature of cybersecurity.
  • Adopt outcome-based regulation, i.e., regulation that requires entities to fund the costs associated with a breach. Ideas include bonds to cover PII loss and fines for companies that pay ransomware.
  • Breach disclosure has not had the intended effect that we thought it was going to have.
  • The industry’s personnel shortage problem is not at the entry level but at the senior level.
  • The United States electrical power grid is owned. To fix it in the short term, bring in the best commercial incident response teams. In the long term, abandon the current outdated and centralized power distribution system in favor of a more distributed system, including regional subnetworks.
  • Emphasize the CyberCorps Scholarship for Service program funded by the National Science Foundation, administered by OPM, and advised by the NSA and DHS. This is an existing program. We just need to step on the gas.
  • Create a federal service program whose only customers are state, city, and county governments that need computer science services, network management, data storage, and cybersecurity. Make it cheap.
  • Focus the military on defending their own networks, including the defense industrial base (DIB), the integrity of US weapons systems, and the private sector infrastructure that the military needs to do its job. Give them the green light to go on the offensive to degrade low-level cyber conflict actions from other nation-states.
  • The internet will be balkanized. Instead of begging authoritarian states to play by our utopian fantasy rules, we should set the terms under which they get to have unfettered access to our most valued public assets.
  • The responsibility of protecting elections, at least federal elections, should be the federal government. Give the military authority to defend this operation.

For technology, they lay out the case for why 5G, quantum computing, and artificial intelligence will each be a game changer in their own right. From my perspective, once 5G is available everywhere, everything will be connected to the internet at very high speeds—and I mean everything. It will no longer be a joke that your toaster is connected to the internet. In the next decade, we will forget why we thought that connected toasters were funny in that yesteryear of 2020. It will be the standard. But the big one-two punch of near-future technology is quantum computing plus AI. We are probably within a decade of having an affordable quantum computer that operates with 128 qubits. The NSA math nerds are already so afraid of this because of the implications of breaking all of their cryptographic ciphers that they are hard at work developing the next generation of ciphers that can withstand quantum computer speed. From my science fiction side though, once we hit 128 qubits in quantum computing, the artificial intelligence singularity will not be far behind—that moment when a computer algorithm becomes aware of itself. With a quantum computer, this achievement will no longer be just past our reach.

I have one tiny suggestion for books of this sort like Sandworm and Perfect Weapon. When you are talking about important events, especially when you are not doing it in chronological order, it would be super helpful to include a timeline at the end of the book like the one I list below. For example, it is one thing to discuss WannaCry and NotPetya as separate events, but when you see that they are separated by only weeks, that has meaning. Also, put the day and month on the timeline. That would be helpful.

As I said, the Cybersecurity Canon Committee has already selected this book for the Hall of Fame. It is already a must-read, but do yourself a favor. Put this on top of your reading queue. This one is important.

Timeline

1956:

  • Birth of AI at the Dartmouth Summer Research Project on Artificial Intelligence.

1998:

  • Richard Clarke instigated Presidential Decision Directive 63 that led to the first information sharing and analysis centers (ISACs).

2007:

  • Russia launches cyberattack against Estonia.

2008:

  • Russia launches cyberattack in parallel to the physical attack against Georgia.
  • Russia gains access to the Pentagon’s secret-level SIPRNet system.

2010:

  • The US and Israel launch Stuxnet.
  • Pfc. Bradley Manning steals classified information and releases it to the public.

2012: The Iranian Revolutionary Guard Command (IRGC)

  • Shut down the eight largest U.S. banks.
  • Penetrated the U.S. Navy Marine Corps Intranet and defied U.S. efforts to evict them for more than two years.
  • Attacked the Sands Casino in Las Vegas.
  • Crippled Saudi Aramco by wiping software off thousands of machines.

January 2013:

  • President Obama signs PPD 20 restricting offensive cyber to only his approval.

May 2013:

  • Snowden

2013:

  • Speculation: Russia (The GRU) hacked an NSA staging server to get the EternalBlue software released by the Shadow Brokers before NotPetya.
  • The Iranian Revolutionary Guard Command (IRGC) took control of networks running systems as diverse as a water system dam in New York State.

2015: Russia (The GRU)

  • Operated under the false flag name of Sandworm, attacked the Ukrainian power grid in 2015 and again in 2016.
  • Operated under the false flag name of Cyber Caliphate and shut down a French television network, TV5Monde.
  • Attempted to interfere in the investigations of the Russian assassination attempt in Bristol, England, Russian doping of Olympic athletes, and the Russian downing of Malaysia Airlines Flight 17.

4 February 2015:

  • Anthem Breach (second-largest health insurer in the country), lost all of its subscriber data (some 78 million records).

2016:

  • Speculation: Harold Martin’s cache of TAO offensive tools, including EternalBlue, likely stolen through a supply chain backdoor of Kaspersky software on his home computer.
  • North Korea compromised a classified network and stole the U.S.–South Korean combined operations plan to attack the North and kill its leadership.

May 2016:

  • Petya uses the National Security Agency’s EternalBlue weapon.

Fall of 2016:

  • Operation Glowing Symphony: A United States Task Force called ARES launches a mission to knock ISIS’s media network off the internet.

March 2017:

  • Joshua Schulte leaks CIA documents (Vault 7) to WikiLeaks, including zero-day exploits of widely used software and documents regarding the CIA Program UMBRAGE that used attack tools it had stolen from other governments in order to leave a misleading trail and cause investigators to believe attacks done by the CIA were done by others.

May 2017:

  • North Korea (Lazarus Group) launches WannaCry.

June 2017:

  • Russian GRU (Main Directorate of the General Staff, Fancy Bear) launches NotPetya.

2017:

  • Iran penetration of the Triconex safety-instrumented system of a petrochemical plant in Saudi Arabia, an attack apparently intended to prevent alarms going off during a planned lethal chemical leak in the future.

2018:

  • A Navy contractor who worked for the Naval Undersea Warfare Center in Rhode Island stole classified data about highly sensitive programs.
  • Separately, the government discovered another Navy technician to be a criminal hacker.
  • Secretary of Defense James Mattis ordered Cyber Command to “defend forward” by joining with the intelligence community in attempting to identify potential enemy cyber systems, penetrate them, and in some cases, stop incoming attacks.
  • The National Security Agency and U.S. Cyber Command created the “Russia Small Group” to conduct operations to counter Russian cyber-related interference in that year’s Congressional elections.

Summer 2018:

  • The head of the U.S. intelligence community publicly warned that the power grid had already been successfully penetrated by Russia.

September 2018:

  • President Trump rescinds President Obama’s PPD 20 (2013).

2018:

  • Intrusion Truth began to regularly disclose the hacks, tools, and people involved in Chinese hacking groups known as APT 3 and APT 10. It is not yet generally agreed upon among the cyber-expert community who Intrusion Truth is, but it is clear that they are revealing the secret activity of the Chinese government.

End of 2018:

  • The Cybersecurity and Infrastructure Security Agency (CISA) is created within the Department of Homeland Security, on a par with other agencies in the department, such as the Secret Service, Coast Guard, and Federal Emergency Management Agency (FEMA).

2019:

  • The heads of all 17 U.S. intelligence agencies deliver the annual threat assessment to Congress, stating that Russia had the ability to disrupt the U.S. power grid and that China had the capability to disrupt the U.S. natural gas pipeline system.

Sources

“A Declaration of the Independence of Cyberspace,” by John Perry Barlow, EFF, 8 February 1996.

“Book Review: ‘The Perfect Weapon,’” by John Davis, Cybersecurity Canon Project, 3 March 2020.

“Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric Hutchins, Michael Cloppert, and Rohan Amin, Lockheed Martin Corporation, 2010.

“MITRE ATT&CK,” mitre.org.

“Patch Exchange already, will ya? GoldenSpy lurks in tax software Chinese banks prefer their foreign clients to use. Magecart gets cleverer. Another unsecured AWS S3 bucket, and this one’s not funny,” The Daily Podcast, The CyberWire, interview with Richard Clarke and Robert Knake, Minute 9:40, 6 June 2020.

“Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers,” by Andy Greenberg, Doubleday, 7 May 2019.

“The 2018 DOD Cyber Strategy: Understanding ‘Defense Forward’ in Light of the NDAA and PPD-20 Changes,” by Bobby Chesney, Lawfare Blog, 25 September 2018.

“The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats,” by Richard Clarke and Robert Knake, Penguin Press, 16 July 2019.

“The Perfect Weapon: How the Cyber Arms Race Set the World Afire,” by David E. Sanger, Crown, 19 June 2018.