The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats Audible Audiobook – Unabridged
An urgent new warning from two best-selling security experts - and a gripping inside look at how governments, firms, and ordinary citizens can confront and contain the tyrants, hackers, and criminals bent on turning the digital realm into a war zone.
"In the battle raging between offense and defense in cyberspace, Clarke and Knake have some important ideas about how we can avoid cyberwar for our country, prevent cybercrime against our companies, and in doing so, reduce resentment, division, and instability at home and abroad." (Bill Clinton)
There is much to fear in the dark corners of cyberspace. From well-covered stories like the Stuxnet attack which helped slow Iran's nuclear program, to lesser-known tales like EternalBlue, the 2017 cyber battle that closed hospitals in Britain and froze shipping crates in Germany in midair, we have entered an age in which online threats carry real-world consequences. But we do not have to let autocrats and criminals run amok in the digital realm. We now know a great deal about how to make cyberspace far less dangerous - and about how to defend our security, economy, democracy, and privacy from cyber attack.
This is a book about the realm in which nobody should ever want to fight a war: the fifth domain, the Pentagon's term for cyberspace. Our guides are two of America's top cybersecurity experts, seasoned practitioners who are as familiar with the White House Situation Room as they are with Fortune 500 boardrooms. Richard A. Clarke and Robert K. Knake offer a vivid, engrossing tour of the often unfamiliar terrain of cyberspace, introducing us to the scientists, executives, and public servants who have learned through hard experience how government agencies and private firms can fend off cyber threats.
Clarke and Knake take us inside quantum-computing labs racing to develop cyber superweapons; bring us into the boardrooms of the many firms that have been hacked and the few that have not; and walk us through the corridors of the US intelligence community with officials working to defend America's elections from foreign malice. With a focus on solutions over scaremongering, they make a compelling case for "cyber resilience" - building systems that can resist most attacks, raising the costs on cyber criminals and the autocrats who often lurk behind them, and avoiding the trap of overreaction to digital attacks.
Above all, Clarke and Knake show us how to keep the fifth domain a humming engine of economic growth and human progress by not giving in to those who would turn it into a wasteland of conflict. Backed by decades of high-level experience in the White House and the private sector, The Fifth Domain delivers a riveting, agenda-setting insider look at what works in the struggle to avoid cyberwar.
|Listening Length||12 hours and 8 minutes|
|Author||Richard A. Clarke, Robert K. Knake|
|Whispersync for Voice||Ready|
|Audible.com Release Date||July 16, 2019|
|Best Sellers Rank||#81,331 in Audible Books & Originals; #15 in Science & Technology Public Policy; #159 in Intelligence & Espionage (Audible Books & Originals); #298 in Computers & Technology Industry|
Top reviews from the United States
This book tells some frightening stories, some of which are in the news. It covers stories ranging from the Stuxnet virus, which infected the Iranian nuclear agency, damaging its vital centrifuges and setting back the nuclear program by two years, to the WannaCry ransomware that shut down many businesses all over Europe and North America.
The common theme in many stories is that even a well-planned and well-executed malware attack may have unintended consequences. The Stuxnet malware was designed in such a way that it spread using Microsoft’s zero-day vulnerabilities that the NSA knew about but did not report to Microsoft. It spread by targeting the Siemens SCADA systems that control nuclear power plants, but only damaged the Iranian nuclear program’s SCADA. It used many zero-day vulnerabilities, which are very difficult to detect and defend against, and a lot of other techniques that only a well-financed and technically strong nation-state is capable of. Much of the information on Stuxnet shows that it was probably designed by Israel and the US, who would want to damage or slow down the Iranian nuclear program for political reasons. But this malware was found in many other countries.
Another example of an attack it gives is the Russian attack to cripple Ukraine. It used a combination of media manipulation and tools stolen from the NSA. In this attack, several Ukrainian ministries, banks, the electric grid and metro systems were affected. The Russians carried out the attack using the NSA’s EternalBlue exploit, which had been stolen earlier. The NSA discovered the vulnerabilities in the Microsoft Windows software but did not notify Microsoft to fix them; rather, it developed a tool to get inside the adversaries. However, 20% of the infections happened in countries outside Ukraine, including at Merck in the USA.
In Ukraine, Russia tested its offensive capabilities. The media manipulation they did in Ukraine during the attack shows how and what they can do to influence people’s perception. The Russians also disrupted the Ukrainian power grid. But they did not do serious damage, such as blowing up transformers, which could have caused chaos and potentially taken several months to years to repair. Perhaps the Russians did not want to leave behind their trick for damaging the electric grid, for fear that the Ukrainians or another adversary might develop a defense for it. The Russians used this lesson learned on the 2016 US election and helped to elect the person desirable for their national interest. Spending far fewer resources, they were able to control arguably the most powerful country. And the scarier thing is that the Russians are lurking in the American electric grid and have already demonstrated in Ukraine their ability to damage the electric grid. And the Chinese are probably in the US gas pipeline and have the ability to disrupt it.
The book is not all gloom and doom. They give several solutions, which are effective leadership, adequate resource allocation for cyber, international cooperation, development of resilient systems, and ways to make the cost of attacks higher and monetizing difficult.
They pointed out that perhaps the US problem is its politicians, and the inability of different government agencies to work together. They talk about the Trump administration’s steps that undermine American capability to work with foreign countries and organizations by eliminating the point person handling the cyber issue at the State Department. This allowed malicious foreign cyber threats to act with impunity, fearing no consequences for the harm they do to US interests. Trump also removed the cyber czar at the White House, a position Richard Clarke held during the Bush and Clinton administrations. And there is the roadblock put up by the Republican senator McConnell on the bill which would be helpful in securing the US voting systems. They also pointed out that security agencies wanted to weaken encryption so they can get in, which would also have allowed foreign cyber actors to get into US systems easily.
Another problem they pointed out is the competing nature of the public and private companies’ interests and the inadequate cooperation between them. If DoD and the NSA find zero-day vulnerabilities at a US vendor, is it in the national best interest to withhold that information from the vendors and build an exploit which the NSA could potentially use against a foreign entity, or to let the vendor know so they can develop a patch for it?
Perhaps their best recommendation is to use Lockheed Martin’s concept of the Kill Chain. In their book published 10 years ago, the authors, like most in the industry, believed that defense is hard because the defender has to be right all the time and the offense has to be right only once. But the authors now believe that good defense is possible. They give examples of companies that are spending adequate resources, cooperating within the industry and defending their resources successfully. The concept of the Kill Chain is that to cause damage, the offensive cyber actor has to get into the network, stay hidden, steal the information, exfiltrate and then monetize it. If we make any of these steps harder, then offense would be very hard. For example, the financial industry worked together to bring in credit cards with chips on them. When most ATMs and card readers were replaced with chip readers, it became very difficult for a thief to steal a credit card from the point of sale. And with the wider use of 2 Factor Authentication, it becomes difficult to use a stolen card online. So the criminal has to work hard to steal the card and monetize it. As the barrier to monetize is raised, it raises their effort and cost, so card theft may go down.
Overall, I enjoyed this book and the prescription it offers is very helpful.
While the policies and methods they suggest are great ideas, some were formulated many years ago and are still awaiting completion of the most difficult stage, implementation. Their seven-step plan to stabilize our critical infrastructure will be familiar to anyone in the field – effective leadership, more efficient allocation of funds, resilient systems, superior strength and international cooperation.
One of the more intriguing concepts is to apply defense contractor Lockheed Martin’s kill chain model, which breaks the attack process down into seven stages. Conventional wisdom holds that the attacker always has the advantage. The authors suggest, somewhat counterintuitively, that penetration of a system gives the defender the advantage because the attacker is now on the defender’s home turf. It takes a great deal of skill and energy to achieve and maintain persistence in a stranger’s system, and every move made is an opportunity for the defender’s system to detect anomalous behavior.
Clarke and Knake’s most ambitious idea is to create a separate internet where only organizations that comply with the rules of membership are permitted, similar to Europe’s Schengen Area. Accountability and cross-border security would be provided by mechanisms such as coordination with law enforcement and sending internal message traffic through massive encrypted tunnels. They also state that one of the most effective ways to improve network security may be to follow the example of successfully defended financial institutions that allocate at least 12% of their IT budget to cybersecurity. Their view is that government’s role should be limited to arresting criminals, leveling sanctions, and, if necessary, waging war.
A theme that I found particularly interesting was that our adversaries are not all external. The authors point out many examples of internal struggle which demonstrate that one of the greatest enemies of a secure network may be ourselves. The equities issue is addressed, in which the interests of the Intelligence Community (IC), who secretly retain information on software vulnerabilities to be used offensively, conflict with the desires of the U.S. Treasury Department and Homeland Security to maintain a secure network by informing the manufacturers of security flaws.
Firms like CrowdStrike, in fear of losing a competitive advantage, refuse to cooperate in information-sharing programs such as the Cyber Threat Alliance (CTA) formed by Palo Alto Networks, which includes Symantec, McAfee, Fortinet, Cisco, Sophos and Rapid7.
Then, there are the efforts of Congress to mandate compliance with regulations versus The U.S. Chamber of Commerce and Office of Management and Budget (OMB), who excuse their recalcitrance in the name of protecting innovation. This last item does not bode well for the effectiveness of Senate Bill 734 – The Internet of Things Cybersecurity Improvement Act of 2019, currently on the Senate Legislative Calendar. Senator Warner’s bill seeks to leverage the purchasing power of the U.S. Government to encourage manufacturers of Internet of Things devices to make them less vulnerable to attack. While the bill, admirably, requires the National Institute of Standards and Technology (NIST) to issue recommendations to this end, the notoriously regulation-averse OMB will have the final say on which recommendations are actually issued.
Another difficult issue is the dilemma that arises when organizations fall victim to ransomware, incidents of which are increasing as countries adversely affected by sanctions seek other means of financial support. Should they pay the fee in order to regain access to their illicitly-encrypted data, or refuse and trust that their backups (if they exist) are viable? The FBI's Richard Jacobs states that they “...don’t condone it,” but “...if you’re not prepared...you may not have a choice.” Payments made to certain known terrorists’ accounts may result in additional fines. This is one of Clarke and Knake’s suggestions to deal with ransomware in the future. That, or simply making the payments illegal.
The final section of the book offers a thorough list of actions that everyone should take to decrease the likelihood of becoming a cyber victim. I found it an analogous microcosm of the broad advice given to government and corporations. This section, like the previous five, does not break any new policy ground, but rather serves to raise awareness of current and near-future threats and suggest methods of germinating and nurturing established ideas that will improve our information security. If examples from the financial sector are to be used as benchmarks of success, a critical element will be to fertilize these ideas with plenty of wisely allocated funds.
I really enjoyed this book. The author's sense of humor will resonate with anyone who appreciates a good "dad joke" or clever pun. At times, the name dropping, while lending credibility, made it hard to keep track of the numerous sources. I found the section on cybersecurity careers inspiring, if a bit of a reality check on the number of employment opportunities actually available. Overall, an entertaining and enjoyable experience.
The solutions, i.e. protections, as laid out in the book, are not promises to eliminate all digital insecurity. There is no promise of that here. What is stressed is resilience, the ability to recover from cyber attacks with a minimum of loss. The book makes clear that we are currently far from a sustainable recovery mode should a major attack occur -- because companies and governments haven't been convinced that protecting themselves adequately, let alone safeguarding our personal data, from a cyber attack is worth the money they would spend on it. The good news is that viewpoint has been changing over the last several years.
The section on the possibilities of quantum computing and its ramifications in a cyber-war was chilling. Also, the internet of things -- as in, allowing your microwave, or other "things", to phone home, et al. -- could be used collectively to engage in a cyber-war. These topics are just a smattering of what is covered in the book.
Richard A. Clarke has a BA and a Master's degree in Science and Technology, and has spent his career steeped in cyber security, inside and outside of government. Everything he has learned and experienced to date is in this book.
FYI: Trump was given credit (twice) where it was due. Trump was criticized (once). This book is not about Trump, or bashing Trump. Anyone that states otherwise has not read this book.
Top reviews from other countries
Whilst it's mainly US-centric, it nevertheless conveyed the same message that cyber will definitely be part of the new frontier of warfare, complementing land, sea, air, and space as multi-dimensional asymmetric wars of the future.