Back to the Future in The Fifth Domain

I picked up The Fifth Domain, by Richard Clarke and Robert Knake not knowing what to expect, since I had missed its release in 2019. It turned out to be a great overview of cybersecurity, especially from the US government point or view, where the authors are both cybersecurity experts and pioneers. I was also able to check their predictions made in 2019. They proved very insightful and accurate. I am updating my observations to November 2023.

The Fifth Domain refers to the cyberspace battlefield that has been added to land, sea, air and space domains. If you haven’t been following this, the US defense Department officially recognized it in 2011. Cyberspace is a special domain that permeates the other four. The book is an excellent introduction to the public-private partnership that overarches cybersecurity in the US. Much maligned at conferences and cocktail parties, it is, as the authors’ recount, the best bad idea we have.

There are three main characters profiled in the book: private industry, government entities and hackers (the bad guys). What Fifth Domain does best is illuminating the relations between these characters and how to think about protecting both private industry and government systems. The authors’ focus is larger organizations, not SMB. Their strongly held view is that in the US, private industry needs to defend itself, with support from the government. They pull no punches when holding investors partly accountable for security flaws by demanding software releases not yet vetted for security and VC’s for pushing ever more security products on CISO’s. This may be changing as I see more security mergers and acquisitions and fewer startup funding events.

Clarke and Knake’s model for government’s role in private sector security is the “Home Depot model”. You can do it; we will help. Going one step further, the government can provide nudges, incentives and shoves to encourage business to secure themselves. Regarding nudges, think of the NIST CSF at the federal level. In my state, Connecticut, Public Act 21-119 (2021) protects firms from civil lawsuits, if they are using and implementing accepted security frameworks, a nudge plus incentive. I think the nudge concept is broadly application to meet the challenges associated with implementing security programs. Business and individual often don’t make the best security choices, even for their own self-interest.

Fifth Domain ends up with “resilience” as the best cybersecurity option for private businesses and government agencies. If you are resilient, you can keep operating when under attack. You will still need good security hygiene and zero trust to keep the number of incidents as close to zero as possible. After that, DDoS protection, encryption and good incident response processes are your friends. Recently the New Haven, CT School system was hit by a BEC attack. What does resilience look like for them? Resilience includes the ability to react quickly. In this case, it is the ability to recoup funds for your organization’s bank account. If funds are transferred to a vendor or outside entity, do you get an acknowledgement from them immediately? That is the only way to reverse the transfer.

A significant part of Fifth Domain is devoted to the government’s role in securing cyberspace. For the most part the authors recommend nudges, not strict regulation. Government nudges include the NIST CSF, arising out of conversations going back to 2012. Also on the nudge side is CISA, created in 2018 to help government agencies and private industry secure itself. On the regulatory side, the authors recommend mandatory breach disclosure. This past summer the SEC did add a requirement for mandatory disclosure of material cybersecurity breaches, within 4 days of the event.

Other regulatory recommendations: the authors suggest regulation for the three critical internet vulnerabilities they describe: DDoS attacks, DNS and BGP. These haven’t gone away; witness the recent DDoS attack on ChatGPT . For DNS and BGP the authors suggest government regulation. I couldn’t find their recommendation for DDoS attacks.

Fifth Domain contains several other useful observations on the role of government. Most interesting is what the book calls ReallyU, a standardized identity proofing and authentication platform, NOT administered by the Federal government. Instead private companies would be engaged to provide these services and citizens would choose their identity provider.

Other recent news highlights the patchwork Federal Cybersecurity regulation noted by Fifth Domain. The EPA had planned to regulate cybersecurity at public water systems; that plan was recently rescinded . CISA is working to fill this gap in an advisory role. More state level initiatives are seeking to fill the gaps. New York State recently announced proposed cybersecurity regulations for hospitals…and proposed funding to help them meet those new regulations.

Chapter 9 addresses the “people problem” in cybersecurity. Given that the Verizon DBIR (Data Breach Investigations Report) attributes 82% of breaches to a contributing human factor, this is an important topic. ISC2 just released its 2023 Workforce study. This report states that the North America workforce gap is 482,985, up 17.6% from 2022. This “gap” is the difference between companies say they need and those available for hire. At the same time 47% of respondents reported experiencing cybersecurity-related cutbacks. So what is going on? Fifth Domain highlights a continuing problem: the biggest demand is for experienced professionals, not entry level roles. The authors suggest “cyber guilds” to teach by doing. Government scholarship and internship programs do this, but they need to be expanded.
The chapter on cyberspace and the military was especially interesting. The authors sketch out a likely conflict where cyber might play a role. The one they picked was Iran-Israel; too close for comfort to the current Hamas-Israel conflict. So far that hasn’t included the cyber-attacks described In Fifth Domain, but the conflict will be continuing.

The chapter on the (Near) Future is Cyberspace is also prescient, including discussions on AI in security, quantum computing and IoT devices and networks. Regarding AI, the book highlights applications in endpoint detection and response, vulnerability management, and IAM (Identity and Access Management). Vendors are using AI in all three areas today. The authors also speculate on an AI “Network Master” to organize all security telemetry and recommend an action plan. So far this seems out of reach. Regarding quantum, the book’s predictions seem a little overstated in some areas. It quotes Chad Rigetti predicting a 128-qubit computer by 2022. We are far beyond this today (with Atom Computer announcing a 1100 qubits machine last month). But useful applications including prime factorization are not being demonstrated yet.

The last chapter of The Fifth Domain makes the point that we already know what to do; the hard part is doing it. I’m not sure we know everything that needs to be done. Technology is still changing even more rapidly than in the previous decade. The AI revolution is upon us.

People, organizational issues, money and business pressures still conspire to block progress. In my opinion the most valuable security professionals are those who know how to get things done. Reading Fifth Domain will help practitioners choose the right path.