Singer, P.W. & Friedman, A. Cybersecurity and cyberwar: what everyone needs to know. New York, NY: Oxford University Press, 2014. viii, 306 p. ISBN 978-0-19-991811-9. $16.95

The revelations of Edward Snowden have drawn the world's attention to the extent of the surveillance and cyber-espionage practised by the US government, with the collaboration of the UK's intelligence services, not only in relation to suspected terrorists, but also in relation to the ordinary citizen, representatives of foreign governments, and the servers of major national and international telecommunications corporations. The reaction of the governments in the USA and the UK have been interestingly different: in the USA it seems that there is a genuine attempt to redraw the boundaries of the activities of the intelligence agenices, while in the UK, the Guardian newspaper is still accused of putting national security at risk, and George Orwell would recognize as Newspeak, the utterances of the UK politicians and security chiefs.

Cypersecurity and cyberwar, therefore, comes at an interesting time in the history of security services world-wide, when the extent of inter-connectivity of every agency, corporation and individual makes cyber-surveillance more and more easy to put into effect. The authors are experts in their field: Peter Singer is Senior Fellow and Director of the Center for 21st Century Security and Intelligence at the Brookings Institution, a former co-ordinator of Obama's defence policy task-force during the 2008 campaign and author of three other books on aspects of warfare. Allan Friedman is also a well-known expert in the field of information security and cyber-security, formerly Research Director for the Center for Technology Innovation at the Brookings Institution, and currently Visiting Scholar at George Washington University's Cyber Security Policy Research Institute. In other words, this is an authoritative text.

Following the Introduction, the book is divided into three parts, How it all works, Why it matters and What can we do?, the whole finished off with a Conclusions. The parts are not divided into chapters, rather they are themselves lengthy chapters with many section headings, which, in other texts, might be brought together into chapters. As a result of not providing rather artificial chapter boundaries, the authors maintain the coherence of the story they unfold. The Introduction explains that the book is based on the proposition that there is a gap between those who know the importance of cyber-security in the modern world, largely because they have the underlying technical know-how, and the rest of us, including the politicians who have to determine and implement national policies on cyber-security. The book aims to fill that gap by explaining how security issues arise in the virtual world and their impact on the real world, and what we can do about it.

Part I, How it all works, is, as the title suggests, an explanation of the nature of cyberspace, rejecting a rather dense definition proposed by the Pentagon and opting for:

cyberspace is the realm of computer networks (and users behind them) in which information is stored, shared, and communicated online. (p. 13)

The authors explain that not everything in cyberspace is virtual, the real-world components of cyberspace are absolutely physical, including the servers, the fibre optic cables, the computer on your desk and your iPad, and the buildings within which all of these are housed, not to mention the physical reality of the users behind them. Another book has recently explored, and really explored through a geographical expedition, the physical nature of the Internet; this is Tubes, by Andrew Blum, and it makes plain just how physical is the basis for the virtual world. The authors deal with how it all works by covering the very basics of access to and communication over the Internet, assuming no previous knowledge, and this part of the book would make a good set reading for any introductory course on the Internet and cyberspace.

Part II. Why it matters is the essential core of the book, setting out in a little under 100 pages, the extent to which cyberspace is the battleground of 21st century warfare, where cyber attacks are very different from the battles fought on the World War II battlefields. Two distict differences are dealt with: the fact that an attack in cyberspace can move at the speed of light, unconstrained by the physical world, and the nature of the target, which is never a battalion, a fighter plane or a naval vessel, but a computer and the information stored on its hard discs and memories. Following on from these fundamental differences are the fact that cyber-warfare costs less than real warfare, that the effects on the computer network under attack may be unpredictable, and, importantly, that the source of the attack may be unknown and difficult to determine—on the battlefield, you know who is shooting at you!

Of ccourse, cyber-warfare is not the only hazard in cyberspace, there is also cyber-crime, cyber-terrorism and cyber-espionage, and the authors present actual examples of these, as they do with the issue of cyber-warfare. However, determining the extent of any of these threats is problematical. The authors quote Ross Anderson of the Oxford University, to the effect that there are more than 100 different sources of information on cyber-crime, but all of them are incomplete, with under-reporting and over-reporting depending upon the source (banks are prone to under-reporting because it reflects badly upon their security methods, while security consultancies are prone to over-report in the hope of stimulating demand for their services.

Part III deals with what is probably the most challenging issue, What can we do?, i.e., what can we do a) to secure the Internet, and b) to prevent cyber-warfare? It's a difficult question, for several reasons, the most central of which is the fact that the physical basis for the Internet is under the control of different organizations users, different organizations and different governments. As demonstrated recently, the Turkish government can shut down access to social media sites and, of course, the Chinese government has been blocking sites at will. The authors draw attention to the founding, following a meeting in Paris in 1865, of the International Telegraph Union, to administer agreed standards for telegraphy, the steam-age version of today's Internet. Moves are afoot to create an international treaty for cyberspace, analogous to existing international treaties such as the 1967 Outer Space treaty and the 1959 Antarctic treaty.

The goal of any initial cyber treaty effort should be to establish the basic building blocks, the key rules and values that all responsible parties can and should agree to... All share an interest in making sure the Internet runs smoothly and cybercrime is controlled (p. 187)

A basis already exists in the Council of Europe's Convention on Cybercrime:

This treaty was originally intended to harmonize European nations' approaches to cybercrime, but with the United States, Canada, Japan and South Africa also signing on, it also holds the potential to evolve into a broader framework (p. 187).

Regardless of what happens at international and governmental levels, cybersecurity will continue to be an issue for organizations and individuals, since it is they that suffer from attack, and the authors offer some guidelines. The first is the much-repeated warning about the use of passwords, the need for them to be different for different sites and services, and the need for them to be changed regularly. This, I fear is rarely likely to happen: most people will continue to use simple passwords, use them on every site they open and never change them. The principle of least effort prevails, and until eyeball iris recognition or fingerprint recognition is commonly available, most personal computer systems are going to continue to be at risk. The second bit of advice is always to update whatever systems you have on your computer with the security patches issued by the software companies. This is certainly much easier to implement, since most systems will have an automatic update capability, which requires the user to do nothing at all other than initialise it. Finally, there is human behaviour: if you accept every e-mail message as authentic and non-dangerous, you are likely to get into difficulty. If, on the other hand, you remember that assuming someone out there is out to get you does not necessarily mean that you are paranoid and if you treat every unusual message from an unknown source as a potential threat, your systems are likely to survive much longer.

The Conclusion can be summed up as: we know the risks and need to manage them, personally, organizationally, nationally and internationally. My conclusion is that this is an excellent text and ought to be on the reading list of any course on cyber-crime and cyber-security, or computer security more generally.

Professor Tom Wilson
May, 2014