Clarke Richard Alan - The fifth domain: defending our country, our companies, and ourselves in the age of cyber threats

The future is already here; its just not very evenly distributed.

WILLIAM GIBSON

Sitting in the back of the Beast, the armored vehicle custom made for the President of the United States, Bill Clinton wanted to talk about his cousin from Hope, Arkansas. He didnt want to talk about the major speech he was about to give at the National Academy of Sciences. It was January 1999, and Clinton had just proposed budget initiatives to combat emerging threats, including those in the cyber domain. Few people then saw cyber threats as a major problem. But he did. Dick Clarke sat next to him with a PowerPoint deck and an annotated version of the speech, but the President was channeling his Bubba persona, telling a story about Arkansas, and not to be stopped.

When the Beast pulled into the underground parking at the academy, Clinton finally turned to the business at hand. I read the speech. Its okay. That meant it wasnt.

But really, isnt what we want to say something like this: Throughout history there is a competition between offensive and defensive technologies and a gap between their development. A guy in a cave carves a rock and attaches it to a stick and creates a spear, and then someone needs to defend against that, so they get some animal hides and make a shield. Later on, people defend towns with walls and then some guy invents battering rams and catapults. But there is time between when an offensive weapon is created and when the defensive counter to it comes along. A Secret Service agent standing next to the vehicle opened the heavy door of the Beast. You cannot really open it from inside.

The President kept going, warming to his theme. And right now, the problem is that the new offensive technologies have taken to the field and they now have the advantage over the things that we have to defend against them. So, what we have to do is invest in new technologies that will give the defense the advantage again, or at least even out the playing field. Have I got it right?

Clarke looked at the President, bemused, reminded again about the preternatural ability he had to make the complex comprehensible. Clarke put away his copy of the draft speech and the PowerPoint deck, sighed, and said, Yeah, Mr. President, you should say that today. And he did.

Nineteen years and three months later, Clinton said the same thing verbatim in answering a question about his cyber-oriented novel while sitting on stage in Washingtons Warner Theatre. It was still true. In the intervening twenty years, hundreds of billions of dollars in public and private investment in cybersecurity research, development, and deployment had not fundamentally changed the advantage. It remains a case of what military theorists call offensive advantage or offensive preference.

Any scenario between adversaries is a balance between offense and defense. When the offense has the advantage because of some combination of technological superiority or cost, military theorists write, there will be conflict. When the reverse is true, when it costs more to attack, or when the chances of an attack defeating the defenses is low, greater stability will prevail. We think these generalities apply now to the ongoing hostilities between hackers and corporations, to the current covert espionage done by nation-states, and to the potential for a future nation-state-on-nation-state cyber war. Today, as for the last twenty-five years, the conventional wisdom in the fields of computer science, information technology, and networking is that there is an enormous offensive preference. That might not have been a big deal to most people, except that in the last twenty-five years, we have also made almost everything dependent upon computer networks. In fact, because the offense is thought to have the advantage right now, in a crisis situation of possible conventional warfare, there is likely to be an inclination to go first with a cyberattack.

This book is about how the balance between offense and defense is changing and how the rate of change can be increased to set us on the path to stability. We think it is possible to reduce the risks posed by offensive cyber technologies and actors, and to increase peacetime stability for corporations and crisis stability for nations.

As we write this in 2019, we see a pattern of malicious activity in cyberspace that suggests we are already engaged in a low-grade, simmering cyber conflict with Russia, China, and Iran. We also are beginning to turn a corner on this problem. Estimates put worldwide cybersecurity spending at $114 billion in 2018. Venture capital investment in cybersecurity technology is up, topping $5 billion in 2018 alone. More than three thousand new technology firms have sprung up, backed by ample venture capital, to develop new solutions. Cyber insurance was long a fringe product. Today, the market is (finally) growing and thriving, with almost $2 billion in premiums written in 2017.

Long-standing problems created by government, such as barriers to information sharing, have been solved and companies are actually beginning to organize communities not only to share information, but also to provide mutual aid during crises. One chief information security officer (CISO) at a major bank we spoke with thinks that in five years his bank will largely be immune to cyberattacks as it upgrades from legacy systems that are inherently insecure to systems that are secure by design. Many leaders in Silicon Valley, where optimism is never in short supply, would tend to agree.