Taking the Fifth …

“The Fifth Domain” is a recent book by Richard A. Clarke and Robert K. Knake. It is about cybersecurity and how it has become the fifth military domain following land, sea, air and space. Except that it isn’t really, n’est-ce pas? While intellectually one can imagine a fifth domain, it’s more like a fifth dimension. While there are some physical representations in the form of machines and networks, cybersecurity doesn’t quite follow any of the rules of the four physical domains. It seems ephemeral and, as such, impossible to nail to the wall … even more so than nailing Jello. Nevertheless, cyberattacks are a real and present danger to us all. The first part of Clarke and Knake’s book is quite optimistic in that it describes how some large companies, mostly in financial services, may have gotten the better of cyberattackers—at least for the time being. As the book continues, however, it becomes apparent that all is not so well in Camelot. And, as the authors delve into 5G networks and the IoT (Internet of Things), the cybersecurity situation is described as very bad and rapidly worsening.

There are many worthy suggestions to “solve” the problems in “The Fifth Domain,” but they are mainly normative, have little prospect of ever being done and, if done, little chance of succeeding. Part of the problem might be bad government project management as outlined in Michael Lewis’s book “The Fifth Risk.” For the most part, Lewis examines the nonexistent transition project between the Obama and Trump administrations, but the problem is broader than that. The past two decades have been disappointing with regard to the U.S. government’s (indeed, all governments’) handling of cybersecurity risk, which has been addressed piecemeal and ineffectively. The Clarke and Knake book places great credence on the “Risk Management Framework for Information Systems and Organizations” from NIST, Revision 2 (December 2018), which can be downloaded via https://www.nist.gov/publications/risk-management-framework-information-systems-and-organizations-system-life-cycle . This NIST Special Publication 800-37 provides good guidance for those wanting to establish a cybersecurity program. But, as I noted in my BlogInfoSec column “Missed by NIST” of December 9, 2013, it is lacking with respect to application security and cyber-physical systems.

Which brings us to the fifth column, a cadre of ne’er-do-wells who are embedded in society and are acting against our national interests and security. If you read Ryan Lucas’s article “People Are Looking at Your LinkedIn Profile. They Might Be Chinese Spies,” dated September 19, 2019, you will get an interesting perspective on how potential spies are researched and recruited. You may want to revise your LinkedIn profile after reading the article at https://www.npr.org/2019/09/19/761962531/people-are-looking-at-your-linkedin-profile-they-might-be-chinese-spies

There has also been a spate of arrests of alleged spies in California, including one described in Brian Pascus’s September 30, 2019 article in The New York Times, “A U.S. citizen has been arrested in California and charged with spying for China,” which is available at https://www.cbsnews.com/news/china-spy-arrested-in-california-by-federal-bureau-of-investigation-edward-peng-charged-with-espionage/

In a CBS Evening News video accompanying the article, Mike Morell, former CIA deputy director, stated that this was the fourth such arrest in recent months. Of course, it is likely that this is only the tip of the iceberg.

Among the most dangerous aspects of all are denial and obfuscation (as allowed with the Fifth Amendment), and not admitting responsibility to resolve the very serious issues raised in the Clarke and Knake book. Perhaps it is a combination of moral hazard, that is, being able to claim not to be responsible, and the tragedy of the commons, where no one is responsible, that has led to our current impasse. Whatever might be the causes, we don’t seem able to resolve the problems. Perhaps another approach is needed—one based on why evil people act as they do, and why good people have such difficulty stopping them, at least in the short term. If we can answer these questions, then perhaps we will be able to address cybersecurity risk problems more effectively.
