Cyber Attacks takes the national debate on protecting critical infrastructure in an entirely new and fruitful direction. It initiates an intelligent national (and international) dialogue amongst the general technical community around proper methods for reducing national risk. This includes controversial themes such as the deliberate use of deception to trap intruders. It also serves as an attractive framework for a new national strategy for cyber security, something that several Presidential administrations have failed in attempting to create. In addition, nations other than the US might choose to adopt the framework as well.

This book covers cyber security policy development for massively complex infrastructure using ten principles derived from experiences in U.S. Federal Government settings and a range of global commercial environments. It provides a unique and provocative philosophy of cyber security that directly contradicts conventional wisdom about infosec for small or enterprise-level systems. It illustrates the use of practical, trial-and-error findings derived from 25 years of hands-on experience protecting critical infrastructure on a daily basis at AT&T. Each principle is presented as a separate security strategy, along with pages of compelling examples that demonstrate use of the principle. Cyber Attacks will be of interest to security professionals tasked with protection of critical infrastructure and with cyber security; CSOs and other top managers; government and military security specialists and policymakers; security managers; and students in cybersecurity and international security programs.
It got two stars because I liked the first chapter's overview of (some of) the key concepts in national infrastructure cyber defense. Unfortunately, I didn't get a whole lot out of it beyond that. While the intent of the book holds promise, I believe it to have fallen short in its intent to "initiate a dialogue among the general technical community around proper methods for reducing national risk." (Back cover)
First off, as one reviewer already pointed out, the title of the book is misleading. It is about cyber defense. While the subtitle of "Protecting National Infrastructure" is more appropriate, there is very little discussion of actual attack vectors and so the title's inclusion of the word is somewhat misdirected. While we're on the subject, there is alarmingly little discussion of perhaps the greatest challenge of protecting national infrastructure: its definition. While the author briefly touches on his own definition (which includes consumer entertainment systems), the debate over what exactly is included is far from settled. Furthermore, there is just as much debate over whose responsibility it is to protect such infrastructure and what laws would be needed in order to enable them to do so. While the subject is implicitly covered throughout the author's various suggestions, this needs to be addressed before we can go anywhere with respect to actual action. There is disappointingly little discussion of how commercial, private, and government entities would work together to enact these suggestions, which alludes to the book's most critical flaw: it explicitly rules out any discussion of the vast challenges of engendering cooperation between the many disparate groups and organizations that would need to come together in order to make these suggestions (those that there are) a reality.
On page 29, the author states that "programmatic and political issues are conveniently ignored [in order to] separate our concerns and focus in this book on the details of 'what' must be done, rather than 'how.'" First off, if there are enormous barriers to doing these "whats" (which I contend there are), it does very little good to discuss the "whats" if we do not first address how we would overcome the barriers (the whats are unrealistic until these barriers are addressed and, in some cases, are unrealistic even without the barriers, read: national desktop diversity, say hello to the free market). Second of all, many of the so-called "whats" are not much more than calls for action. I would characterize them more as "shoulds" than "whats," as in we "should" have better coordination or we "should" improve security and discretion. Without more in-depth discussions of these concerns, they are just that - concerns. While it is honorable to point them out, and many are indeed issues that need addressing, there is really no plan set forth to address any of them. The author actually explicitly states that "the chapters of this book are organized around ten basic principles that will reduce the risk of cyber attack to national infrastructure in a substantive manner." (ix) Unfortunately, principles will not reduce risk, only action will. The book falls short in its analysis of the actual action that would need to be undertaken in order to overcome obstacles and actually embed these principles in the national cyber-psyche.
First: The book is incorrectly titled. It does not deal with "Cyber Attacks," it focuses on "Cyber Defence". The treatment of national infrastructure is also a secondary consideration. The author defines the category so broadly as to make it cover any large national network. Apparently "consumer entertainment systems" are to be considered as "absolutely essential to the nation." (p.1)
Second: Who is the audience for this book? The author states that the book has a technical focus, but if it was geared towards the technically minded I am sure they would not appreciate the relative condescension inherent in the explanations. If it is geared towards the executive level and senior managerial level, the author provides advice and recommendations that are apparently "worth the cost" without going into an examination of the cost benefit analysis that would be needed to support such a recommendation. My frustration with this peaked with the statement regarding the development of a national correlation function that "unfortunately, many legal, social, and political issues - considered outside the general scope of this book - will complicate the creation of such a function." (p.177) If this is the case, and these fundamental barriers to implementation are not explored, then what practical use is the recommendation?
Third: The author's recommendations range from outlandish to the bleedingly obvious, leaving the reader wondering why it is that these recommendations are being made. Is there such a lack of understanding within the broader cyber community (non-hackers) of the need not to broadcast vulnerabilities to the world? If there is, this would be a good point for the author to make and support, something that he does not do very well.
The fact that the author found it necessary to highlight that the "disclosure of vulnerability information must be minimized and confined to those in a position to design and embed a proper solution" should raise concerns about the social and institutional mindset of industry, not only in terms of cyber, but more broadly.
Contrast this obvious recommendation with the statement that "national infrastructure protection requires a deliberate and coordinated introduction of diversity into the global desktop computing environment." (p.79) Surely an impractical recommendation.
In sum: I may have missed the point of this book completely, but that brings me back to my second criticism of it: who is this book for?