Review of @War by Shane Harris

@War
The Rise of Cyber Warfare
Shane Harris, 2014

First things first, this book is way more interesting than the title might suggest. While it sounds like it could be just another rehash of the same tired arguments we've had beaten into us since Snowden went public, it’s actually some extremely well researched and original work on state-level military cyberwarfare, plus some phenomenal hints towards the larger questions of how the internet fits into our existing ideas about government, and how the government will fit into our existing ideas about the internet.

It's because of those hints that I'm not sure how I feel about the distribution of the approach here. By and large, the book tilts far more towards accounting than analysis, which makes sense given that the author, Shane Harris, is a journalist. Not to mention, this is the first time a lot of this stuff has been released to the public before, so obviously a large part of the book needs to be dedicated to simply laying out the facts. However, Harris steps beyond the bounds of the reporting profession and gives some seriously original thought towards the end, and it’s easily the best part of the book. While @War is a good book, the last few chapters definitely feel like the pitch for a revolutionary book, whether Harris will be the one to write it or not.

Before that, however, comes nearly two hundred pages of rather dry taxonomy of major cybersecurity incidents from the past decade or so. It’s important information no doubt, but the nature of the topic means that it’s a series of more or less isolated incidents, constraining the first part of the book to be more of a data dump than an interesting narrative. You can probably skip most of it if you’re willing to take the following list as gospel.

Cyber surveillance played a huge role in mapping insurgent networks in Iraq, and was one of the main drivers of the successes of 07–08
China stole the plans for the F-35 by hacking defence contractors
China hacked the emails of the Obama and McCain campaigns in 2008
The US military have demonstrated a capability to launch attacks on infrastructure in wargames
Iran have massively ramped up their cyber capability following Olympic Games/Stuxnet
Someone staged a massive attack on Saudi Aramco in 2012, probably Iran
And obviously a lot more, but those are enough to paint the picture

As I've said, the really interesting stuff comes at the end, when Harris starts to explore the relationships that are developing between governments and the internet, and what those are going to look like in the years to come.

We have come to depend on [cyberspace] as a public utility — like electricity and water. But it’s still mostly a collection of privately owned devices.

I’ve long held that it’s a tragedy that Bob Kahn and Vint Cerf aren’t household names, and the fact you probably just opened up a Wikipedia tab confirms it. The unrecognised genius of the founding fathers of the internet lies in the fact that they created not just an efficient data shuttling system, but a wholly new mode of social organisation (new to humans at least, TCP/IP has some incredible functional similarity to message passing in harvester ant colonies), coalescing private devices into a public network with a total absence of central control.

This is terra incognita for orthodox concepts of governance built around central control and clear delineation between the private and public spheres. As Harris points out, the problem is only compounded by the fact that anaemic public service salaries are increasingly sending talented people to private security startups. The increasing power of dedicated security firms and security-interested firms like Google or financial institutions is raising them to the status of what I’m calling ‘near-state actors’, and we’re genuinely nearing the point where a private company will be able to launch a damaging military strike against a large nation state in cyberspace, if we’re not there already.

So far, governments have responded to this change in two different ways. The first is the US model, which is what Harris, an extremely well regarded US National Security journalist, focuses on. @War details the degree to which Presidents Bush and Obama have massively expanded the responsibility of US government cyber resources to defend all American computer networks from serious threat, contrasted with their prior role of simply providing network security for the government itself; much like the Army defend the entire country, not only government buildins. In addition, the US is starting to form strong links with the tech industry, both through open resource and information sharing programs (not unlike conventional relationships with defence contractors), but also covertly buying secret exploits from hackers (the polite term is ‘security researchers’) on the global black market, a process Harris likens to a 21st century system of letters of marque. It’s a shame my version of @War was published with the subtitle The Rise of Cyber Warfare, because the US edition bears the much cleverer and more relevant The Rise of the Military-Internet Complex. I suppose some publisher figured Australians weren't up to date on their Eisenhower quotes.

The other response to this change, and the one I personally think is more interesting, is the model being followed by almost every country other than the US: Complete and utter ignorance. Harris’s research in the first part of the book destroys any remaining ambiguity as to whether or not computer networks are a domain of war or not. They are. And it’s a domain where most world governments have have been sleepwalking for too long to notice that they've completely ceded their Weberian monopoly. We’re already starting to see this in the ‘Going Dark’ debate, with Apple bringing in iPhone encryption that completely vetoes the governmental power of search and seizure, search warrant or not. @War was an excellent book about the way the US government is adapting to world that’s starting to change, but it suggests a truly great book, a book about just how much the fundamental position of government is changing and how little governments are aware of it. That’s the book I want to read.

Hat tip for this one goes out to the Steptoe CyberLaw Podcast, via the Lawfare Project at Brookings, probably my favourite site on the entire internet. Read it daily and listen to the podcast every week, trust me.

The cover image for this review is a randomly selected block of code from the partially decompiled source code of the Stuxnet worm. Credit goes to Laurelai on GitHub.