Normative Cyber Security

I was asked to take a look at Brenner’s book on cyber threats and vulnerabilities facing the U.S. and on what the consequences of not facing up to these attacks might be, and, in a number of cases, may have already been. Brenner runs through the usual suspects in chapters about organized cybercrime, nation-state pilfering of intellectual property from private industry and the military-industrial complex, attacks against industrial control systems, and deficiencies in the intelligence agencies. Much of this material has been documented elsewhere, though without Mr. Brenner’s particular perspective, since, as he specifies in the introduction to the book, he only discusses unclassified material. For many who follow these matters, there are few surprises. However, for those not familiar with the nefarious goings-on in cyberspace, the book provides a good synopsis of the dangers that the Nation faces.

What I really want to focus on are Brenner’s recommended mitigation strategies, which are all bunched into Chapter 10 on “Managing the Mess.”

First off, Brenner suggests a software-security rating service, along the lines of Consumer Reports, that would issue plain-English recommendations. I think this is a great idea and have personally advocated such an arrangement in various publications and presentations. The questions are: How do you put it together? Who will support it? And who will fund it? My September 26, 2011 column “So so SASO … So What?” describes my own attempt to set up such a software test lab for the banking and finance sector, an attempt that did not meet with success for the reasons I cite in the column. This is a critical resource, yet no one seems willing to collaborate and provide for its creation.


  1. Heather J. @ TLC Boo Oct 25, 2011 at 7:25 pm | Permalink

    I agree that there is a need to do more than simply raise awareness – some sort of implementable plan is important in a book like this.

    Thank you for such a thorough review and for being a part of the book tour.

  2. Brian Krebs Nov 1, 2011 at 11:56 pm | Permalink

    Nice review. I’m interested in reading the book. Thank you.

    I’ve said for a long time that nobody will sufficiently dedicate the attention that cybersecurity deserves on the critical infrastructure level unless and until people start to die because of cyber-insecurity. And, of course, when that happens, there’s a very high risk that bad policies/laws will follow. I talked a bit about this in an interview a while back on Team Cymru’s Who and Why show.
