Book Reviews

Arms, Arms Control and Technology

Bruno Tertrais

Cyber War: The Next Threat to National Security and What To Do About It

Richard A. Clarke and Robert K. Knake. New York: Ecco, 2010. £16.99/$25.99. 290 pp.

Cyber war is an extraordinarily arcane subject of which few commentators have detailed knowledge. Richard Clarke, a former White House adviser with a taste for writing thrillers, and Robert Knake, a fellow at the Council on Foreign Relations, have produced one of the first serious, informed books about cyber war which is truly accessible to the greater public, filled with scenarios and concrete examples.

What makes cyber war particularly attractive – and cyber defence difficult – is that the Internet is a highly vulnerable system, since it was primarily designed for civilian use, and is, if the authors are to be believed, ‘deeply imbued with the sensibilities and campus politics of [the 1960s]’ (p. 82).   

Clarke and Knake make interesting comparisons with the field of nuclear strategy. They argue that deterrence may not work well in cyberspace: many capabilities are highly classified; clear and convincing ‘demonstrations’ are hard to make; attacks happen at the speed of light, but may not be detected for a long time; perpetrators are difficult to identify; commercial, civilian and military networks are tightly connected; and Western countries are much more dependent on networks than are some of their potential adversaries. The authors note that there is a dangerous incentive to strike preventively.

The book is clearly intended for an American readership: long passages are devoted to the way successive US administrations have dealt with the problem and to recommendations for improving American cyber-warfare capabilities. But these recommendations are potentially of wider interest as they incorporate valuable and creative discussion of the applicability of various Cold War concepts (‘no-first-use’, ‘crisis instability’, ‘target withholds’, ‘arms control’) to cyberspace.

Some passages may raise eyebrows among technical experts. There is no question that hostile acts such as Distributed Denial of Service (DDoS) attacks designed to crash or jam a network are relatively easy to organise and are thus frequent. But the authors may overstate the ease with which a Supervisory Control and Data Acquisition (SCADA) software program controlling a distribution and transport network (such as an electrical power grid) can be disabled, as well as the consequences of a successful attack, in particular in countries that have decentralised networks. They may also overestimate the threat of a foreign attack on banking and financial systems, given the international interdependence that exists in this field. But any flaws on the technical side do not diminish the value of Clarke and Knake’s book as a thought-provoking exercise.