Jeffrey Caruso concludes Inside Cyber Warfare: Mapping the Cyber Underworld (O'Reilly Media) with the stark observation, "I'm not optimistic about our future." After reading this concise and insightful book and having worked in Information Security for decades, I find his comment quite accurate.
How bad is the situation? Forty years ago, if China wanted to steal the designs for the latest US fighter jet, it would have had to send numerous spies to the US, have them settle, and then hope that it could penetrate the military contractor after a few years.
Today, with a combination of LinkedIn, TikTok, cloud storage, people who share way too much on social media, insecure mobile devices, and more, China can do that much more effectively, cheaply, and remotely.
The book starts with the sobering observation that we depend entirely on devices and systems that cannot be made safe from sabotage or attacks. It's not ironic that Dan Geer, who wrote the book's foreword, was fired from his job in 2003 when he wrote that Microsoft's dominance with Windows was a threat to national security. Countless government and commercial data breaches and petabytes of breached data later, it's eminently clear that Geer was correct and ahead of his time.
The book focuses heavily on the Russia/Ukraine war, where cyberattacks have been an almost daily occurrence. These include attacks that have taken down the power grid and the use of coordinated data from social media to launch a drone attack against enemy fighters.
In July 2024, then US Director of National Intelligence Avril Haines said that the Islamic Republic of Iran had been encouraging and funding often violent pro-Hamas protests across the United States. Similarly, Russia has long used bots, trolls, and other techniques on social media to influence the public.
That, combined with the power of social media, reveals that we live in a world where our most popular media is run by attention-seeking algorithms that serve to further inflame division and hatred because increasing the user's screen time makes money. The downside for these vendors is that preventing the propagation of misinformation and deepfakes costs money.
Others and I recently ran into this when Meta flagged things related to the late, great Amit Yoran as violating their community standards. A piece I wrote in memory of Yoran was specifically flagged as violating their cybersecurity standards.
The book's first edition was published in 2009 and was quickly followed by a second edition in 2011. In the third edition, Caruso writes that the world and cybersecurity have changed significantly in the last 13 years.
Caruso advocates for more government regulation of software and discusses the industry's overall poor state in securing data. He writes that the state of security is dreadful, and the companies responsible for securing networks, products, and services are making record profits.
He compares it to the automobile sector before the passage of the National Traffic and Motor Vehicle Safety Act of 1966, when the government started to set car safety standards. He writes that the lack of regulation has enabled companies to tolerate poor coding practices and focus solely on sales, while the carnage of breaches and ransomware has spawned a separate growth industry of defenders and incident responders.
Holding the manufacturer of software products responsible for the safety and security of what it has built seems like common sense. It applies to every other industry except for the sector upon which every critical system relies—software.
While the book closes with his observation that he isn't optimistic, he does supply a three-step plan to deal with things. This includes reducing your attack surface, creating redundancies for critical systems, and diversifying your risks. These are not easy things to do. But do them, and you will find you are more secure than most organizations.
At 135 pages, this is a relatively quick read. Caruso could have easily made it five times the size had he wanted to include more examples of never-ending cyberattacks. But if the reader doesn't get the message in this essential read in 135 pages, they will never get it at any length.