Taking the Fifth …

by C. Warren Axelrod on October 29, 2019

“The Fifth Domain” is a
recent book by Richard A. Clarke and Robert K. Knake. It is about cybersecurity
and how it has become the fifth military domain following land, sea, air and
space. Except that it isn’t really, n’est-ce pas? While intellectually
one can imagine a fifth domain, it’s more like a fifth dimension. While there are
some physical representations in the form of machines and networks, cybersecurity
doesn’t quite follow any of the rules of the four physical domains. It seems
ephemeral and, as such, impossible to nail to the wall … even more so than nailing
Jello. Nevertheless, cyberattacks are a real and present danger to us all. The
first part of Clarke and Knake’s book is quite optimistic in that it describes
how some large companies, mostly in financial services, may have gotten the
better of cyberattackers—at least for the time being. As the book continues, however,
it becomes apparent that all is not so well in Camelot. And, as the authors
delve into 5G networks and the IoT (Internet of Things), the cybersecurity
situation is described as very bad and rapidly worsening.

There are many worthy suggestions
to “solve” the problems in “The Fifth Domain,” but they are mainly normative, have
little prospect of ever being done and, if done, little chance of succeeding.
Part of the problem might be bad government project management as outlined in
Michael Lewis’s book “The Fifth Risk.” For the most part, Lewis examines the
nonexistent transition project between the Obama and Trump administrations, but
the problem is broader than that. The past two decades have been disappointing with
regard to the U.S. government’s (indeed, all governments’) handling of
cybersecurity risk, which has been addressed piecemeal and ineffectively. The
Clarke and Knake book places great credence on the “Risk Management Framework
for Information Systems and Organizations” from NIST, Revision 2 (December
2018), which can be downloaded via https://www.nist.gov/publications/risk-management-framework-information-systems-and-organizations-system-life-cycle This NIST Special Publication 800-37 provides
good guidance for those wanting to establish a cybersecurity program. But, as I
noted in my BlogInfoSec column “Missed by NIST” of December 9,
2013, it is lacking with respect to application security and cyber-physical
systems.

Which brings us to the
fifth column, a cadre of ne’er-do-wells who are embedded in society and are
acting against our national interests and security. If you read Ryan Lucas’s
article “People Are Looking at Your LinkedIn Profile. They Might Be Chinese
Spies,” dated September 19, 2019, you will get an interesting perspective on how
potential spies are researched and recruited. You may want to revise your
LinkedIn profile after reading the article at https://www.npr.org/2019/09/19/761962531/people-are-looking-at-your-linkedin-profile-they-might-be-chinese-spies

There has also been a
spate of arrests of alleged spies in California, including one described in
Brian Pascus’s September 30, 2019 article in The New York Times,
“A U.S. citizen has been arrested in California and charged with spying for
China,” which is available at https://www.cbsnews.com/news/china-spy-arrested-in-california-by-federal-bureau-of-investigation-edward-peng-charged-with-espionage/

In a CBS Evening News video
accompanying the article, Mike Morell, former CIA deputy director, stated that this
was the fourth such arrest in recent months. Of course, it is likely that this
is only the tip of the iceberg.

Sponsorships Available

Among the most dangerous
aspects of all are denial and obfuscation (as allowed with the Fifth
Amendment), and not admitting responsibility to resolve the very serious issues
raised in the Clarke and Knake book. Perhaps it is a combination of moral
hazard, that is, being able to claim not to be responsible, and the tragedy of
the commons, where no one is responsible, that has led to our current impasse.
Whatever might be the causes, we don’t seem able to resolve the problems.
Perhaps another approach is needed—one based on why evil people act as they do,
and why good people have such difficulty stopping them, at least in the short
term. If we can answer these questions, then perhaps we will be able to address
cybersecurity risk problems more effectively.