Bill Blunden and Violet Cheung have written a timely and important book documenting (extensively footnoted throughout) the convergence of interests surrounding the notion of "cybergeddon" or, as former Defense Secretary Leon Panetta put it, a possible "Cyber Pearl Harbor". Like the military-industrial complex that Dwight D. Eisenhower warned of over 50 years ago, the Information Era has brought forth its own actors who have a political and economic incentive toward threat inflation. Bill calls this the "malware industrial complex".
Cyberwarfare is a term we have been repeatedly exposed to in the mainstream media (MSM), if not bludgeoned with, over the past six years, both from politicians and from various actors who have an economic or political incentive to participate actively in "threat inflation". The net effect of these voices has been to foment a crisis mentality and, as Bill aptly documents and describes, to drive spending and budgets beyond the bounds of what could otherwise be achieved through rational, fact-based public discourse. As anyone in the information security industry will tell you, a credible attack normally requires a chain: an actor (or actors) with a motive, constituting a threat; a vulnerability, or in this context a whole series of vulnerabilities across a set of systems; exploits that take advantage of those vulnerabilities; the impacts or outcomes that result from exercising the exploits; and finally, and most importantly, meaningful consequences. This last point cannot be overstated. We hear all the time about thousands of attacks being launched against this or that, but they amount to little more than stones thrown against a massive iron gate: they are nuisances and nothing more.
When it comes to critical infrastructure, you can trot out a whole list of vulnerabilities that have been documented in various ICS/SCADA components. In theory each represents a potential exploit. But turning a potential exploit into a meaningful consequence is far harder than the number of documented vulnerabilities suggests. This explains in large part (leaving aside actor motives for the moment) why there is a nearly complete absence of publicized attacks with meaningful consequences (other than being a nuisance to the information security officials responsible for protecting said infrastructure). Bill points out just this fact, again and again. The hype over the threat has not translated into consequences that we can see and measure. Some previously listed "cyber attacks" have even been found not to be cyber attacks at all, but equipment failures due to environmental or operating conditions unrelated to any information security breach.
So, in the absence of documented events validating all the fear and threat inflation of the past six years, what is one to make of it? Bill points out that we have seen this show before. We have seen various actors, both private and governmental, inflate the threat in order to drive spending or public policy beyond what could be critically justified under a proper risk analysis framework, one that measures the actual threats and vulnerabilities against the various possible outcomes. Threat inflation in information security, and the economic incentives to engage in it, go back at least to the dreaded Y2K bug, when we were told that planes would drop from the sky as soon as computer clocks rolled over to the year 2000. The media sells fear, and various actors line up to provide the cure.
Bill does not say that there are no real threats. He goes on to point out that there are plenty of economic and espionage threats in cyberspace; they are real, growing, and cause significant consequences (documented in dollar terms). What he does is separate the actual and reasonably probable threats from the hype of cyber doom.
If you are interested in the merging of economics, politics, propaganda, and information security, you will find this book valuable, if for no other reason than the extensive citations, which allow you to trace the authors' arguments as to why we are here, how we got here, and, as the old Latin phrase puts it, "cui bono?", or "who benefits?", from this state of affairs.
Well written, accessible, and fact-filled.