Normative Cyber Security

Joel Brenner’s new book, America the Vulnerable – Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (The Penguin Press, 2011), is another book of the genre of Richard Clarke’s several volumes of non-fiction, such as his most recent book, published with Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (Ecco, 2010) and a couple of novels, including Breakpoint (Putnam, 2007).

In these works, we get the real inside scoop about the frightening threats to, and vulnerability of, our critical agencies and sectors and about terrifying cyber events that have taken place within government. This is not the speculative hearsay often seen elsewhere. Among other influential positions, Brenner was senior counsel at the National Security Agency. So he really knows what was going on.

Brenner’s book describes the horrific state of affairs in the cyber world at great length and then prescribes, in a final chapter, a set of mitigation strategies. The recommended approaches depend on the responsiveness of government, collaboration between the public and private sectors, and the like, which are neither forthcoming in the current economic environment nor likely to gain much traction even in more prosperous times. In all such appeals for action, the problem is that those who get it don’t have the power to fix it; and those with the power don’t get it.

Unfortunately, those, such as Brenner, who raise issues regarding the Nation’s cyber vulnerability and the need to do something about it, are mild-mannered, well-meaning intellectual types, who are highly respected by those of us who care about protecting the U.S. against cyber attacks from within or from abroad. However, they generally have difficulty generating an appropriate level of concern, enthusiasm and action. The go-get-’em tough guys are mostly into kinetic attacks and responses and many of them seem to have little understanding of the cyber world. As described in my March 29, 2010 column “Cybergeddon … Ho Hum” (see …, I was particularly affected by Vice Admiral Michael McConnell’s testimony that nothing substantive will be done by the government until we experience a “catastrophic event.”  This is not a happy situation,


  1. Heather J. @ TLC Boo Oct 25, 2011 at 7:25 pm | Permalink

    I agree that there is a need to do more than simply raise awareness – some sort of implementable plan is important in a book like this.

    Thank you for such a thorough review and for being a part of the book tour.

  2. Brian Krebs Nov 1, 2011 at 11:56 pm | Permalink

    Nice review. I’m interested in reading the book. Thank you.

    I’ve said for a long time that nobody will sufficiently dedicate the attention that cybersecurity deserves on the critical infrastructure level unless and until people start to die because of cyber-insecurity. And, of course, when that happens, there’s a very high risk that bad policies/laws will follow. I talked a bit about this in an interview a while back on Team Cymru’s Who and Why show.

Post a Comment

Your email is never published nor shared. Required fields are marked *