Understanding Cyber Security: Emerging Governance and Strategy
Cyber Canon Book Review: "Understanding Cyber Security: Emerging Governance and Strategy" (2018), by Gary Schaub Jr.
Book Reviewed by: U.S. Army Major General (Retired) John Davis, CSO (Federal), Palo Alto Networks.
Bottom Line: I don't recommend this book for the Cybersecurity Canon Hall of Fame, but it is an excellent work that gets the cybersecurity details right.
I know what you’re already thinking: “Understanding Cyber Security: Emerging Governance and Strategy” looks like something that would only apply to the “govie” and military cybersecurity audience since it appears, at first glance, to focus on public policy, strategy, governance and military applications of cyberspace. I beg to differ and believe that once you dig down into some of the details, you’ll find a fascinating (and, in some cases, very technical) look at a range of topics that impact just about everyone and every organization.
"Understanding Cyber Security" begins by acknowledging that over the past several decades, cyberspace has become “the most useful domain of productivity the world has ever known.” At the same time, our growing dependence on cyberspace for everything – from national and economic security to our personal rights, welfare and safety – increasingly reveals extreme vulnerabilities and risks that impact us all.
This book is a collection of chapters. General Hayden, former CIA and NSA Director, opens the series of chapters by speaking with various authors, including Joe Nye (Harvard professor), Herbert Lin (Stanford professor), Martin Libicki and James Farwell (well-known, cyber-related authors) and various other luminaries, to tee up a rare glimpse into some of the key cyberspace questions yet to be answered. Hayden goes on to discuss why answering these questions is critical to dealing with some of the most important policy, legal and practical dilemmas we are facing today across government and industry.
The book deals with current topics, such as Internet governance, the Internet’s underlying “plumbing” and efforts to change it, national security issues in cyberspace, the concept of “cyber commons,” the growing pursuit of “cyber borders” by many nations (friend and foe alike, by the way), and various other topics.
There are some key chapters that include both technical and non-technical issues that increasingly impact a much broader audience. By exploring these issues, certain chapters in this book contribute to a better understanding of current and future dynamics. Just about everyone throughout the cybersecurity community must deal with these dynamics in order to continue to leverage the promise of cyberspace while managing its growing risks.
For example, Chapter 4 is one of my favorites in the book. The chapter is titled, “Rise of a Cybered Westphalian Age 2.0.” If you don’t read anything else in this book, you should definitely read this part. I’ll admit that the authors of this chapter, Chris Demchak and Peter Dombrowski, provide a very military perspective about the implications of the rise of “cyber borders” across the world’s digital landscape, but I believe the implications are just as stark for business. If you believe – as I do – that our cybersecurity profession is increasingly less about what’s happening only at a technology level and more about how technology affects business outcomes, then you’ll want to pay attention to this chapter. The erection of “cyber borders” by friend and adversary alike is already leading to an increasing number of laws, regulations and procedures about the “cyber passport control” processes being put in place across the global cyberspace domain.
These processes are different from nation to nation, creating complexity and introducing not only security challenges but business risks. Large, global corporations are having to make business decisions based on these risks, sometimes resulting in the loss of intellectual property and increased supply chain vulnerabilities. Ultimately, this dynamic affects our collective security, competitiveness and the very trust we place in the digital age.
The last chapter I want to highlight is, ironically, the last chapter in the book. Farwell authors this chapter about the role of public-private partnerships in national cybersecurity, and he minces no words in describing the current situation as an enormous imbalance between governments and industry and an unsustainable path that will lead to disaster. However, he offers some difficult but practical solutions that provide some promise for changing the status quo. These include a joint public-private policy framework, legislative reforms that incentivize industry to act more effectively in protecting the critical infrastructures each nation depends on for its national and economic security as well as its public health and safety, and a strategy that strengthens cybersecurity through a more balanced partnership between nations and the private sector. Again, this is as relevant to business leaders as it is to governments and militaries.
While I don’t agree with everything in the book (and it’s very lengthy at 530 pages), I consider it an important addition to my personal library. This isn’t just a book for the global public sector audience. It covers a much broader set of issues that the cybersecurity community must understand and deal with effectively in order to restore trust and help our leaders successfully navigate the digital age. The content is relevant to the professional cybersecurity community at large. Since the issues highlighted within the book are causing new and complex risks to businesses, impacting fundamental human rights and even jeopardizing public safety, this book is especially relevant for an audience much broader than just the government and military reader.
We modeled the Cybersecurity Canon after the Baseball and Rock & Roll Halls of Fame, except that it is for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!