Computing Reviews

Waging cyber war: technical challenges and operational constraints
Oakley J., Apress, New York, NY, 2019. 212 pp. Type: Book
Date Reviewed: 05/15/20

The general population as well as industry and government are largely aware of the cyber threat risks to personal computers (PCs), smartphones, intelligent devices, servers, and networks. Attacks and hackers have hit all of these, exploiting many different weaknesses, including those in the very architecture of the Internet. It is also widely thought that some information technology (IT) tools and procedures offer enough of a defense, a belief that reality has proven wrong and that reflects a certain passivity.

At the same time, few still realize that an attack is often the better preemptive defense, and that such attacks against perpetrators are constrained by a battery of legal, technical, operational, and governance/doctrine rules. Therefore, as Oakley highlights in the first sentence, “there is an awful lot of hype and confusion surrounding the concept of cyber warfare.” The book’s overall goal is to offer some clarity on challenges and operational constraints. It also stresses that if war in the cyber domain is taking (or must take) place, all stakeholders must understand the difficulties and challenges related to such combat.

After an introductory chapter 1, on warfare principles, criteria for a just war, international agreements (or lack thereof), and expectations of protection, the book’s subsequent chapters address, one by one, the main script elements of a possible action. Chapter 2, “Legal Authority,” covers only legal frameworks within US defense and intelligence (Titles 10, 50, and 18 of the US Code) and identifies relevant agencies and a few examples; however, it does not address the prevailing jurisprudence applicable to the private or industrial sphere.

Chapter 3 proposes a refined definition of a cyber warfare action and describes components of cyber exploitation, for example, vulnerability analysis (with a virtual code vulnerability example), intelligence gathering, as well as attack effect analysis. Unfortunately, this chapter does not refer to chapter 5 for complementary techniques. Still, with a military action mindset, chapter 4 surveys cyberattack approaches in general terms: targeting and exploiting a host (at Title 50, then Title 10, levels), degradation, denial, disruption, destruction, and manipulation. It also discusses the enemy’s perception levels at each stage.

As discussed in chapter 3, “intelligence gathering does not always rely upon cyber exploitation as an enabler,” but instead uses the established portfolio of intelligence collection approaches. This rather superficial summary ignores other major techniques, such as those related to network traffic analysis and the surveillance of a perpetrator’s internal networks and assets. Chapter 6 pursues an action script with the normal step of attribution, that is, designating a perpetrator based on combined indicators, which may or may not include active responses and attributes. It also discusses the embarrassment that arises when attribution is uncertain, or when detection uncovers negligence inside one’s own organization.

Targeting, when possible, is the subject of chapter 7 and is aligned with conventional warfare concepts, including rules of engagement. Cyber warfare here is only one of several types of forces, and the chapter does not compare its efficiency with that of other forces. Chapter 8 is slightly more specific with regard to access operations, that is, procedures enabling technical measures against the perpetrator’s infrastructure and managing the risks involved. The discussion stays at quite a general level.

As defined in chapter 6, “self-attribution happens when any portion of the attribution process yields an indication of perpetrated cyber activity” or where the attack’s origin has been compromised; this is the subject of the operating path choices discussed in chapter 9. As third-party Internet infrastructure resources are often traversed or used because of prevailing network routing strategies, the book uses the term “association” to cover this facet. Chapter 10 discusses incidental ways, obfuscation, distraction, and latent cyber weapons.

Finally, chapter 11 brings up the critical and necessary self-review of resource resilience when conducting cyber warfare, at the tool, infrastructure, and personnel levels. Chapter 12 discusses control and resource ownership. The most interesting chapters (13 and 14) list challenges related to human misconceptions along the chain of command, open cyber warfare, and biological warfare.

The volume provides a good index and a detailed table of contents, but there are neither references nor a bibliography. Oakley, an experienced military cyber warfare operative, provides beginner and intermediate readers with a nontechnical overview, bringing present-day pragmatics to light but only in a government/military context; many conferences have already brought awareness to stakeholders. If it were to be read by industry executives, they would miss all the frameworks and toolsets specific to their sectors, where understanding is weak and belief in vendors too high.

For both audiences, there remains the unaddressed but key top-level decision of how to trade off the principle of a cyberattack against assets at risk and explicit/implicit costs, for which insurance and cost-benefit principles apply. On the technical front, there are many more techniques than those reviewed here, for example, honey pots. A short introduction to Internet architecture and Internet protocol (IP) packets would also benefit readers. The book is recommended for any beginner who wants to get a feel for the complexity of cyber warfare as well as identify what is specific to her/his case.


Reviewer:  Prof. L.-F. Pau, CBS Review #: CR146970 (2011-0263)

Copyright 2024 ComputingReviews.com™