Ben's Book of the Month: Losing the Cybersecurity War: And What We Can Do to Stop It


If you are looking for a feel-good book about information security, Losing the Cybersecurity War: And What We Can Do to Stop It (CRC Press) by Steve King won’t leave you with a peaceful, easy feeling. He cuts straight to the chase and shows how the United States, both at the government level and at the corporate level, is significantly behind the eight-ball. This leads to risks at every level of technology and across every industry sector. 


If there is any single culprit in the book that King points fingers at, it’s China. Not far behind are Russia and North Korea. The big three of China, Russia, and North Korea have made it a priority to attack, and profit off, United States technology. Many of the problems detailed here are correspondingly due to the US not creating effective security countermeasures to deal with those adversaries. 


King gives countless examples of how China, Russia, and North Korea are aggressively working towards these goals. It’s not just that they are working towards them; what exacerbates the situation is that the United States is not doing enough to counteract these attacks. 


Of the 10 suggestions on how to fix the problem according to King, three of them apply to China. He says to close down all Chinese-owned venture capital firms, stop buying hardware made in China, and stop using any products or services, including mobile devices and telecom made in China. 


Andrew Stewart writes in A Vulnerable System: The History of Information Security in the Computer Age, which was my information security book of the year 2021, that many security issues we face today are inherited from architectural mistakes and failings from decades past. In Losing the Cybersecurity War, King details how to fix those mistakes, but the fixes don’t come easy or cheap. 


Stewart closes with the observation that after the Napoleonic Wars, Prussian General Carl von Clausewitz wrote that an effective military strategy requires insight into the great mass of phenomena and their relationships. It must be left free to rise into the higher realm of action. This is the case also with information security, where the substantial must replace the superficial, and the essential must replace the ephemeral.


With that, King provides what he feels are 10 recommendations to fix the sorry state of security. Many of these require significant regulations and mandates at the Federal level. Ironically, much of the success of China’s attacks on US systems is due to their government-sanctioned advanced persistent threat (APT) attack campaigns.


But getting equivalent counter-defenses in the US is unlikely to happen anytime soon, given the overall hands-off approach the US has taken, combined with industry lobbying efforts that would quash any such initiative. The lesson learned from this is that security at the government level will only occur in an authoritarian one-party state or one-party communist dictatorship.


One area of particular concern the book highlights is that of 5G networks. A new generation of 5G networks will be the single most challenging issue for the cybersecurity world. Within a few years, it’s estimated that 100 billion new devices will be connected to the Internet annually, running critical applications and infrastructure at nearly 1,000 times the speed of current Internet technologies. 


The recommendations King details here, while pragmatic and eminently logical, are unlikely to happen. His approach requires a complete redesign and reengineering of most networks and infrastructure. While this won’t happen at the national level, individual companies can certainly take the advice to harden their systems and redesign them to be more resilient against attacks. 


Bruce Schneier has often repeated a saying he says comes from inside the NSA: “Attacks always get better; they never get worse.” Unless serious initiatives are implemented to deal with those attacks, some of which are detailed here, the attackers will prevail. 
