Book Review: "The Fifth Domain"
"The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats" by Richard A Clarke and Robert Knake is the natural and long awaited sequel to their classic "Cyber War". Clarke has written several books since then, but this one follows up on many of the predictions in "Cyber War". "The Fifth Domain" goes even further, better categorizing and exploring the domain than "Cyber War" ever did. The most pronounced difference is that this book spends a good deal of its focus looking at the changes in the last 10 years, whereas "Cyber War" was trying to look ahead to the next 10 years. "The Fifth Domain" mostly talks about how many private sector companies have stood up to fight the silent theft of IP and cyber espionage, such as Mandiant, CrowdStrike, Cylance, and many more. I thought this was a neat revelation, in which the private sector is directly addressing the failure of the government to protect the market, as was called for in "Cyber War". I paid ~$20 for the audiobook version and listened to it for about 12 hours, which was engaging and informative. Ultimately, I give the book 7 out of 10 stars, but recommend it over "Cyber War" (which I gave the same rating) as I think this is a more modern take and there are more lessons learned here as opposed to the conjecture in "Cyber War". I generally recommend it to anyone interested in cyber security, as it's fairly non-technical, and especially recommend it to those who like the policy and intelligence sides of infosec. The book covers many of the major incident response shifts in thinking over the last few years, from tracking adversaries' kill chains, to studying their exact techniques, to sharing intel between companies regarding the threats. "The Fifth Domain" also talks about the foundation of the Raytheon Cyber Kill Chain and explores this technique in depth, examining ways a defender can stop the attacker even after they've been compromised.
The book also gives some great backstory on MITRE and how they came up with their now famous ATT&CK Framework. It's a pretty amazing story that I hadn't heard before. The following are the chapters of the book, in my typical fashion, to help the reader get a sense of the topics the book covers:
Part I: The Twenty Year War
Chapter 1: The Back of the Beast
Chapter 2: EternalBlue, Eternal War
Part II: The Corporate Frontline
Chapter 3: Two Kinds of Companies?
Chapter 4: The Kill Chain
Chapter 5: The Tech Stack
Chapter 6: Cyber Resilience: The Best Bad Idea We've Got
Part III: The Government's Supporting Role
Chapter 7: Nudges and Shoves
Chapter 8: Is It Really You?
Chapter 9: Fixing the People Problem
Chapter 10: Power Grids and Power Plays
Chapter 11: Securing the Feds
Part IV: Warriors, Diplomats, and Candidates
Chapter 12: The Military, Domains, and Dominance
Chapter 13: A Schengen Accord for the Internet
Chapter 14: Democracy's Shield
Part V: The (Near) Future in Cyberspace
Chapter 15: Real and Artificial Intelligence
Chapter 16: A Quantum of Solace for Security
Chapter 17: 5G and IoT
Part VI: You and The Way Ahead
Chapter 18: Derisking Ourselves
Chapter 19: Everything Done but the Coding
I really enjoyed this book; having a follow-up on predictions made seven years earlier is something you rarely see in such a fast moving space. Clarke talks about some of his predictions in "Cyber War", such as where he thought the Pentagon was being too offensive, and now in "The Fifth Domain" says they were not offensive enough. "The Fifth Domain" also attempts to tackle issues of scale and revisits whether it is the American government's responsibility to protect cyber assets the way it is responsible for protecting physical assets. Ultimately however, the book puts the onus on the private sector, suggesting companies are responsible for protecting their own assets and that the private sector can help address this need for new technologies. The book also talks about how the cyber security venture capital scene is a self-feeding problem, in that these venture capital companies are setting up sloppy tech designed to "move fast and break things" as opposed to building secure solutions from the ground up. "The Fifth Domain" actually predicts a consolidation of the private sector infosec companies despite also praising them for coming to the rescue of the suffering industry. Finally, I think the book definitely reaches a lot, similar to "Cyber War". Statements like 'hackers in Russia can blow up your house using the gas pipelines' are a stretch in my opinion. Maybe it's just sloppy writing, or maybe it's intentional exaggeration, but the consistent exaggeration of hacking details pulled me out of my otherwise immersion in the book. For example, while discussing personal security and password best practices, the book mentions that hackers will try to brute force your online accounts for weak passwords, using "millions of attempts a second", which is pretty false with any website. The basic physics of the internet often wouldn't let millions of attempts happen over the network that fast. That could really only be the case if the attackers had already hacked that site, acquired password hashes, and were attempting offline cracking of the hashes. All of that said, below is an interview with the authors where they cover many of the same subjects they cover in the book: