Chapter 1: The Back of the Beast
Venture capital investment in cybersecurity: Gertrude Chavez-Dreyfuss, “Venture Capital Funding of Cybersecurity Firms Hit Record High in 2018: Report,” Reuters, January 17, 2019, www.reuters.com/article/us-usa-cyber-investment/venture-capital-funding-of-cybersecurity-firms-hit-record-high-in-2018-report-idUSKCN1PB163.
Cyber insurance was long: “Aon: U.S. Cyber Insurance Premiums Rise 37%, to $1.84B,” Claims Journal, July 11, 2018, www.claimsjournal.com/news/national/2018/07/11/285644.htm.
It is a positive attribute of cyberspace: For a discussion on the malleability of cyberspace as a man-made domain, see Dorothy Denning, “Rethinking the Cyber Domain and Deterrence,” Joint Force Quarterly 77 (April 2015), ndupress.ndu.edu/portals/68/documents/jfq/jfq-77/jfq-77_8-15_denning.pdf, and Joseph S. Nye Jr., “Cyber Power,” Belfer Center, Harvard Kennedy School, Harvard University, May 2010, www.belfercenter.org/sites/default/files/files/publication/cyber-power.pdf.
By some estimates, the digital economy: “How Big Is the Digital Economy?,” Bureau of Economic Analysis, U.S. Department of Commerce, www.bea.gov/sites/default/files/2018-04/infographic-how-big-is-the-digital-economy.pdf.
McKinsey estimates that: James Manyika, “Digital Economy: Trends, Opportunities and Challenges,” McKinsey Global Institute Research, May 2016, www.ntia.doc.gov/files/ntia/publications/james_manyika_digital_economy_deba_may_16_v4.pdf.
Presidential Decision Directive 63: Presidential Decision Directive/NSC-63, Critical Infrastructure Protection, May 22, 1998, fas.org/irp/offdocs/pdd/pdd-63.htm.
Late in the Obama administration: “Stewardship of IANA Functions Transitions to Global Internet Community as Contract with U.S. Government Ends,” ICANN, October 1, 2016, www.icann.org/news/announcement-2016-10-01-en.
The best strategies can be summed up: We borrowed this idea from Jason Healey at Columbia University, who attributes it to former National Security Adviser Brent Scowcroft.
It’s the right idea: Jason Healey called for a “defense-dominant” strategy in a 2017 Atlantic Council report. Again, we like the approach but think the label is wrong. See Jason Healey, “A Nonstate Strategy for Saving Cyberspace,” Atlantic Council Strategy Papers, January 2017, www.atlanticcouncil.org/images/publications/AC_StrategyPapers_No8_Saving_Cyberspace_WEB.pdf.
the word “resilience”: See, for example, Executive Order 13636 from the Obama administration, which stated: “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure. . . .” “Executive Order—Improving Critical Infrastructure Cybersecurity,” White House, February 12, 2013, obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity. See also the Trump administration’s National Cyber Strategy, which made “foster[ing] a vibrant and resilient digital economy” one of its pillars; White House, September 2018, www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.
an ill-defined and vague concept: There is a danger with an idea as vague and open-ended as cyber resilience. If the concept just means accepting that losses will occur and recovering from them quickly, then it becomes part of the defeatist attitude in the field. Using a narrow definition, Equifax, which lost every single one of its hundred-million-plus records of individuals’ credit reports, was perfectly resilient. The incident never stopped the company from collecting more data or from selling it. A year after the breach, the company’s stock had recovered all its losses. While anyone who bought Equifax on the way down and sold it before third-quarter results came in would have something to celebrate, everyone else impacted by the data breach would have tarred and feathered any executive at the company who claimed that they were resilient.
For resilience to be a useful concept: In his book Antifragile, Nassim Taleb suggested that “antifragility” was the next evolution beyond resilience, that we want to form businesses and societies that are, in the words of Max Cleland, “strong at the broken places.” Antifragility is the right concept, but it was poor branding. Where the concept of The Black Swan, Taleb’s previous book, became widely used in business schools and boardrooms, antifragility never did. That is unfortunate, because it is the right concept.
Rodin defines resilience as: Judith Rodin, The Resilience Dividend: Being Strong in a World Where Things Go Wrong (New York: PublicAffairs, 2014), 3.
Chapter 2: EternalBlue, Eternal War
patients were sent away: Damien Gayle, Alexandra Topping, Ian Sample, Sarah Marsh, and Vikram Dodd, “NHS seeks to recover from global cyber-attack as security concerns resurface,” Guardian, May 13, 2017, www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack.
National Security Agency’s EternalBlue weapon: Security Response Team, “Petya ransomware outbreak: Here’s what you need to know,” Symantec Blogs/Threat Intelligence, October 24, 2017, www.symantec.com/blogs/threat-intelligence/petya-ransomware-wiper.
damages cost them almost $900 million: Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world.
NotPetya was an operation: Ellen Nakashima, “Russian Military Was Behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes,” Washington Post, January 12, 2018, wapo.st/2AV5FxW.
cyber tools without his personal approval: David E. Sanger, “Trump Loosens Secretive Restraints on Ordering Cyberattacks,” New York Times, September 20, 2018, www.nytimes.com/2018/09/20/us/politics/trump-cyberattacks-orders.html.
removed those restrictions in 2018: Dustin Volz, “White House Confirms It Has Relaxed Rules on U.S. Use of Cyberweapons,” Wall Street Journal, September 20, 2018, www.wsj.com/articles/white-house-confirms-it-has-relaxed-rules-on-u-s-use-of-cyber-weapons-1537476729.
One of those recommendations: Recommendation 30 of the NSA Review Group reads, “We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the U.S. Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. These are often called ‘Zero Day’ attacks because developers have had zero days to address and patch the vulnerability. U.S. policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on U.S. Government and other networks. In rare instances, U.S. policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.” See “Liberty and Security in a Changing World,” Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, December 12, 2013.
issue a patch for the problem: Ellen Nakashima and Craig Timberg, “NSA officials worried about the day its potent hacking tool would get loose. Then it did.,” Washington Post, May 16, 2017, www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html.
walking out of NSA facilities: Josh Gerstein, “Judge Won’t Release Ex-NSA Contractor Accused of Hoarding Classified Data,” Politico, October 21, 2016, www.politico.com/story/2016/10/hal-harold-martin-nsa-classified-data-230168.
Kaspersky denies that this is what happened: Shane Harris and Gordon Lubold, “Russian Hackers Stole NSA Data on U.S. Cyber Defense,” Wall Street Journal, October 5, 2017, www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108.
Israel’s military intelligence Unit 8200: Alex Hern and Peter Beaumont, “Israel hack uncovered Russian spies’ use of Kaspersky in 2015, report says,” Guardian, October 11, 2017, www.theguardian.com/technology/2017/oct/11/israel-hack-uncovered-russian-spies-use-kaspersky-lab-2015-report-us-software-federal-government.
no one in the U.S. government: Brad Smith, “The Need for Urgent Collective Action to Keep People Safe Online: Lessons from Last Week’s Cyberattack,” Microsoft Blog, May 14, 2017, blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack.
in the Vault 7 documents: Symantec Security Response, “Longhorn: Tools used by cyberespionage group linked to Vault 7,” Symantec Official Blog, April 10, 2017, www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7.
groups known as APT 3 and APT 10: Andrew Griffin, “Wikileaks Files Detail CIA ‘Umbrage’ Project, Which Would Allow Spies to Pin Attacks on Other Countries,” Independent, March 8, 2017, www.independent.co.uk/life-style/gadgets-and-tech/news/wikileaks-files-cia-umbrage-hacker-secret-spies-explained-countries-donald-trump-russia-a7618661.html.
most “reckless and indiscriminate”: This quote is attributed to British Defense Secretary Gavin Williamson, speaking at a meeting with U.S. Defense Secretary Jim Mattis and other defense ministers in Brussels in 2018.
shut down a French television network: Joseph Menn and Leigh Thomas, “France Probes Russian Lead in TV5Monde Hacking: Sources,” Reuters, June 10, 2015, reut.rs/1IGfCBo.
“the warning lights are blinking red”: On July 13, 2018, DNI Coats made these statements at a Hudson Institute event regarding cyber threats posed by Russia.
shut down by an Iranian attack: David Sanger, “US Indicts 7 Iranians in Cyberattacks on Banks and a Dam,” New York Times, March 24, 2016, www.nytimes.com/2016/03/25/world/middleeast/us-indicts-iranians-in-cyberattacks-on-banks-and-a-dam.html.
lethal chemical leak in the future: Clifford Krauss and Nicole Perlroth, “A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try.,” New York Times, March 15, 2018, www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html.
disrupt other nation’s cyber activities: Robert Chesney, “The 2018 DOD Cyber Strategy: Understanding ‘Defense Forward’ in Light of the NDAA and PPD-20 Changes,” Lawfare, September 25, 2018, www.lawfareblog.com/2018-dod-cyber-strategy-understanding-defense-forward-light-ndaa-and-ppd-20-changes.
Chapter 3: Two Kinds of Companies?
“If we have data”: Nick Theodore, “‘We Have Data, Let’s Look at Data,’” Virtual Store Trials, June 7, 2017, https://casestudies.storetrials.com/we-have-data-lets-look-at-data-e8a06e2e3331.
Very quickly, CrowdStrike observed: Joseph Menn, “China Tried to Hack U.S. Firms Even After Cyber Pact: CrowdStrike,” Reuters, October 19, 2015, www.reuters.com/article/us-usa-china-cybersecurity-idUSKCN0SD0AT20151020.
Alperovitch wrote on the company blog: Dmitri Alperovitch, “The Latest on Chinese-affiliated Intrusions into Commercial Companies,” CrowdStrike, October 19, 2015, www.crowdstrike.com/blog/the-latest-on-chinese-affiliated-intrusions-into-commercial-companies.
significant opponent of Obama-era rules: Rob Knake and Aitel have a long-running feud over the VEP process. It’s complicated. For a more thorough discussion, see Ari Schwartz and Rob Knake, “Government’s Role in Vulnerability Disclosure,” Cyber Security Project, Belfer Center, Harvard Kennedy School, Harvard University, June 2016, www.belfercenter.org/sites/default/files/legacy/files/vulnerability-disclosure-web-final3.pdf; Dave Aitel and Matt Tait, “Everything You Know About the Vulnerability Equities Process Is Wrong,” LawFare, August 18, 2016, www.lawfareblog.com/everything-you-know-about-vulnerability-equities-process-wrong.
Only months after Cyber War was published: For a thorough discussion of Stuxnet, see Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014); for the movie version, see Alex Gibney’s 2016 documentary Zero Days.
there are seventy-seven Chinese APT groups alone: APT Groups and Operations is a publicly available Google Sheet maintained by Florian Roth, the CTO at Nextron Systems, a German cybersecurity company. The database can be accessed at docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=361554658.
the Department of Health and Human Services: The Department of Health and Human Services Breach Portal is available at ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
When Inskeep and other researchers: Inskeep’s presentation of this data at the 2018 RSA Conference can be accessed at www.rsaconference.com/events/us18/agenda/sessions/10891-evidence-based-security-the-new-top-five-controls. Knake advised Booz Allen Hamilton on this project.
analysis of public information on cybersecurity incidents: This analysis was performed by Akash Patel at Northeastern University’s Global Resilience Institute, based on data from www.privacyrights.org, www.databreaches.net, www.idtheftcenter.org, ocrportal.hhs.gov, www.krebsonsecurity.com, www.law360.com, and the state attorneys general websites for California, Montana, New Jersey, and New Hampshire.
It is difficult to square the fact that in 2013: Ellen Nakashima, “U.S. Notified 3,000 Companies in 2013 About Cyberattacks,” Washington Post, March 24, 2014, www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-d6ea14c099f9_story.html.
Keith Alexander, the former director of the NSA: See Alexander’s speech at the American Enterprise Institute, Washington, D.C., July 9, 2012, www.youtube.com/watch?v=JOFk44yy6IQ.
“Basically, you are either dealing with Mossad”: James Mickens, “This World of Ours,” Usenix.org, January 2014, www.usenix.org/system/files/1401_08-12_mickens.pdf.
National Institute of Standards and Technology (NIST, pronounced like “mist”): The NIST Cybersecurity Framework is available free to the public at www.nist.gov/cyberframework.
known as the 800 series: NIST Special Publication 800-series General Information, May 21, 2018, www.nist.gov/itl/nist-special-publication-800-series-general-information.
When Inskeep looked at last year’s report: “2017 Data Breach Investigations Report,” 10th ed., Verizon, www.ictsecuritymagazine.com/wp-content/uploads/2017-Data-Breach-Investigations-Report.pdf.
Chapter 4: The Kill Chain
“Intelligence-Driven Computer Network Defense”: Eric Hutchins, Michael Cloppert, and Rohan Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Lockheed Martin Corporation, 2011, www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf.
He dubbed the chart: The ATT&CK Matrix is conveniently located at https://attack.mitre.org (there is no ampersand in the web address).
Chapter 5: The Tech Stack
“not built to be used”: Pete Johnson, “#gluecon 2013 Day 2 Recap,” June 7, 2013, Nerd Guru (blog), https://nerdguru.wordpress.com.
The matrix tries to capture everything: Yu’s presentation of the Cyber Defense Matrix at the 2016 RSA Conference can be found at www.rsaconference.com/writable/presentations/file_upload/pdil-w02f_understanding_the_security_vendor_landscape...-final.pdf.
“Solving Cybersecurity in the Next Five Years”: Yu’s presentation at the 2017 RSA Conference can be found at www.youtube.com/watch?v=NckLpAEwkJE.
a concept borrowed from the military: For a thorough discussion of the OODA loop, see Daniel Ford, Vision So Noble: John Boyd, the OODA Loop, and America’s War on Terror (n.p.: CreateSpace Independent Publishing Platform, 2010).
DevOps, short for “development and operations”: For a kind and gentle explanation of DevOps (in novel form) see Gene Kim, Kevin Behr, and George Spafford, The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win (Glenside, Penn.: IT Revolution Press, 2013).
According to data from Spamhaus: The “Spamhaus Botnet Threat Report 2017” put Amazon at number two on its list, behind the French hosting provider OVH. See www.spamhaus.org/news/article/772/spamhaus-botnet-threat-report-2017; rolling data from Spamhaus provided at www.spamhaus.org/statistics/networks [inactive] showed Amazon as the number four worst spammer on January 15, 2019.
how to defeat an APT actor: Rob Joyce’s presentation “Disrupting Nation State Hackers” at the USENIX Enigma 2016 conference, January 27, 2016, can be accessed at www.youtube.com/watch?v=bDJb8WOJYdA.
Amoroso, a member of the task force: “Building a Defensible Cyberspace,” Report of the New York Cyber Taskforce, Columbia School of International and Public Affairs, November 2, 2017, sipa.columbia.edu/sites/default/files/3668_SIPA%20Defensible%20Cyberspace-WEB.PDF.
dubbed Spectre and Meltdown: For a fuller discussion of Meltdown and Spectre, see Josh Fruhlinger, “Spectre and Meltdown Explained: What They Are, How They Work, What’s at Risk,” CSO Online, January 15, 2018, www.csoonline.com/article/3247868/vulnerabilities/spectre-and-meltdown-explained-what-they-are-how-they-work-whats-at-risk.html.
Researchers at CrowdStrike uncovered: See Jason Geffner, “VENOM: Virtualized Environment Neglected Operations Manipulation,” CrowdStrike, May 21, 2015, venom.crowdstrike.com.
Mudge Zatko was the de facto leader: For a fuller treatment, see Dennis Fisher, “‘We Got to Be Cool About This’: An Oral History of the L0pht,” Duo.com, March 6, 2018, duo.com/decipher/an-oral-history-of-the-l0pht.
Taking a sample of: Mudge Zatko’s PowerPoint presentation of this research at CanSecWest 2013 can be found at cansecwest.com/slides/2013/CanSecWest-Final-Mudge_v1-no-notes.pptx.
By formally defining and verifying: There are a lot of problems still to be worked out in formal methods. For a thorough discussion, see Kathleen Fisher, “Using Formal Methods to Eliminate Exploitable Bugs,” 24th USENIX Security Symposium, August 13, 2015, www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/fisher.
Chapter 6: Cyber Resilience: The Best Bad Idea We’ve Got
The websites of U.S. banks such as JPMorgan: United States of America v. Ahmad Fathi, United States District Court, Southern District of New York, March 24, 2016, www.justice.gov/opa/file/834996/download; Rob Knake has also written about these attacks in “Obama’s Cyberdoctrine,” Foreign Affairs, May 6, 2016, www.foreignaffairs.com/articles/united-states/2016-05-06/obamas-cyberdoctrine.
“We’d like them to act”: Siobhan Gorman and Danny Yadron, “Banks Seek U.S. Help on Iran Cyberattacks,” Wall Street Journal, January 16, 2013, www.wsj.com/articles/SB10001424127887324734904578244302923178548.
That study, released in 1997: “Critical Foundations: Protecting America’s Infrastructures,” Report of the President’s Commission on Critical Infrastructure Protection, October 1997, fas.org/sgp/library/pccip.pdf.
President Bush rescinded PDD 63: Homeland Security Presidential Directive HSPD 7, December 17, 2003, www.energy.gov/oe/downloads/homeland-security-presidential-directive-hspd-7-december-17-2003.
When a bipartisan group chaired by Jim Lewis: “Securing Cyberspace for the 44th Presidency,” report of the CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies, December 2008, csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/media/csis/pubs/081208_securingcyberspace_44.pdf.
Once President Obama came into office: “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure,” White House, May 29, 2009, fas.org/irp/eprint/cyber-review.pdf.
With unusual candor: Financial data and information on its technology workforce is drawn from JPMorgan’s 2017 annual report, www.jpmorganchase.com/corporate/investor-relations/document/annualreport-2017.pdf; data on JPMorgan’s cybersecurity spending is from “JPMorgan Chase Competitive Strategy Teardown: How The Bank Stacks Up On Fintech & Innovation,” CBInsights, January 11, 2018, www.cbinsights.com/research/jpmorgan-chase-competitive-strategy-teardown-expert-intelligence.
As Daniel explained: Michael J. Daniel’s presentation at the 2013 RSA Conference, “007 or DDOS: What Is Real-World Cyber Policy?,” https://obamawhitehouse.archives.gov/sites/default/files/docs/2013-02-28_final_rsa_speech.pdf.
writing in the Financial Times: Keith Alexander, “A Transatlantic Alliance Is Crucial in an Era of Cyberwarfare,” Financial Times, September 4, 2018, www.ft.com/content/c01a7f94-af81-11e8-87e0-d84e0d934341.
Alan Charles Raul, the former vice chairman: Alan Charles Raul, “Cyberdefense Is a Government Responsibility,” Wall Street Journal, January 5, 2015, www.wsj.com/articles/alan-charles-raul-cyberdefense-is-a-government-responsibility-1420502942.
privacy impact assessments: “Privacy Impact Assessments,” August 24, 2015, www.dhs.gov/privacy-documents-national-protection-and-programs-directorate-nppd.
Comprehensive National Cybersecurity Initiative: “The Comprehensive National Cybersecurity Initiative,” https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/national-initiative.
Enhanced Cybersecurity Services: More information can be found at www.dhs.gov/enhanced-cybersecurity-services.
This technical reality: Joel Hruska, “UK Introduces Law to Ban Civilian Encryption, But Government Policies Recommend Its Use,” ExtremeTech.com, November 4, 2015, www.extremetech.com/extreme/217478-uk-introduces-law-to-ban-civilian-encryption-but-government-policies-recommend-its-use.
Nobody paid much attention until: Corey Bennett, “John Bolton, Cyber Warrior,” Politico, April 1, 2018, www.politico.com/story/2018/04/01/john-bolton-cyber-hawk-russia-451937.
the Active Cyber Defense Certainty Act: www.congress.gov/bill/115th-congress/house-bill/4036/text.
In his classic The Causes of War: Stephen Van Evera, The Causes of War: Power and the Roots of Conflict (Ithaca, N.Y.: Cornell University Press, 1999).
Allan Friedman and Peter Singer argue: Allan Friedman and Peter Singer, “Cult of the Cyber Offensive,” Foreign Policy, January 15, 2014, www.foreignpolicy.com/2014/01/15/cult-of-the-cyber-offensive.
When a group of Wall Street security executives: “Building a Defensible Cyberspace,” New York Cyber Task Force, Columbia School of International and Public Affairs, November 2, 2017, http://sipa.columbia.edu/sites/default/files/3668_SIPA%20Defensible%20Cyberspace-WEB.PDF.
Chapter 7: Nudges and Shoves
the White House delivered to Congress: “Fact Sheet: Cybersecurity Legislative Proposal,” White House, May 12, 2011, obamawhitehouse.archives.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal.
The CSIS commission report: “Securing Cyberspace for the 44th Presidency,” Report of the CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies, December 2008, https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/media/csis/pubs/081208_securingcyberspace_44.pdf.
She pulled out a copy of a book: Richard Thaler and Cass Sunstein, Nudge: Improving Decisions About Health, Wealth, and Happiness (New York: Penguin, 2009).
Twenty years ago, when President Clinton: “Defending America’s Cyberspace: National Plan for Information Systems Protection,” White House, 2000, https://fas.org/irp/offdocs/pdd/CIP-plan.pdf.
Surprisingly, the Department: U.S. Department of Homeland Security Cybersecurity Strategy, May 15, 2018, www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf.
Regulation E of the Electronic Funds Transfer Act: Robert K. Knake, “No, the FDIC Doesn’t Insure Your Bank Account Against Cybercrime (and Why That Is OK),” Council on Foreign Relations, December 2, 2015, www.cfr.org/blog/no-fdic-doesnt-insure-your-bank-account-against-cybercrime-and-why-ok.
The Ponemon Institute: “2017 Cost of Data Breach Study,” Ponemon Institute, June 2017, info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2017_Global_CODB_Report_Final.pdf [inactive].
Oil tankers operating in U.S. waters: Robert K. Knake, “To Prevent Another Equifax Breach, Treat Data Leaks Like Oil Spills,” Council on Foreign Relations, September 8, 2017, www.cfr.org/blog/prevent-another-equifax-breach-treat-data-leaks-oil-spills.
California has required since 2012: “California Attorney General Concludes That Failing to Implement the Center for Internet Security’s (CIS) Critical Security Controls ‘Constitutes a Lack of Reasonable Security,’” Center for Internet Security, February 22, 2016, www.prnewswire.com/news-releases/california-attorney-general-concludes-that-failing-to-implement-the-center-for-internet-securitys-cis-critical-security-controls-constitutes-a-lack-of-reasonable-security-300223659.html.
In September 2018, Governor Jerry Brown: Adi Robertson, “California Just Became the First State with an Internet of Things Cybersecurity Law,” The Verge, September 28, 2018, www.theverge.com/2018/9/28/17874768/california-iot-smart-device-cybersecurity-bill-sb-327-signed-law.
Ohio enacted legislation in 2018: Michael Kassner, “Ohio Law Creates Cybersecurity ‘Safe Harbor’ for Businesses,” TechRepublic, January 3, 2019, www.techrepublic.com/article/ohio-law-creates-cybersecurity-safe-harbor-for-businesses.
New York’s Department of Financial Services: Nate Lord, “What Is the NYDFS Cybersecurity Regulation? A Cybersecurity Compliance Requirement for Financial Institutions,” Digital Guardian, January 3, 2019, digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial.
According to Chris Demchak: Chris C. Demchak and Yuval Shavitt, “China’s Maxim—Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking,” Military Cyber Affairs 3, no. 1, article 7 (2018), doi.org/10.5038/2378-0789.3.1.1050.
regularly redirecting internet traffic: Justin Sherman, “Hijacking the Internet Is Far Too Easy,” Slate, November 16, 2018, slate.com/technology/2018/11/bgp-hijacking-russia-china-protocols-redirect-internet-traffic.html.
Zurich, the big Swiss insurance company: Steve Evans, “Mondelez’s NotPetya Cyber Attack Claim Disputed by Zurich,” Reinsurance News, December 17, 2018, www.reinsurancene.ws/mondelezs-notpetya-cyber-attack-claim-disputed-by-zurich-report.
According to the Royal Canadian Mounted Police: “Ransomware: Recognize, Reject, and Report It!,” Royal Canadian Mounted Police, Scams and Frauds, accessed on January 15, 2019, www.rcmp-grc.gc.ca/scams-fraudes/ransomware-rancongiciels-eng.htm#fn1.
The two Iranians wrote: “SamSam Subjects,” wanted poster, Federal Bureau of Investigation, accessed on January 15, 2019, www.fbi.gov/wanted/cyber/samsam-subjects.
declined to pay the fifty-thousand-dollar demand: Chris Teale, “Atlanta Mayor Says Cyberattack Came as ‘Surprise’ to City, Residents,” Smart Cities Dive, May 11, 2018, www.smartcitiesdive.com/news/atlanta-cyberattack-surprise-Keisha-Lance-Bottoms/523323.
Chapter 8: Is It Really You?
“rely less and less on passwords”: Munir Kotadia, “Gates Predicts Death of the Password,” CNET, February 25, 2004, www.cnet.com/news/gates-predicts-death-of-the-password.
President Bush signed: Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors, White House, August 27, 2004, www.dhs.gov/homeland-security-presidential-directive-12.
So can anyone else with that information: “Key IRS Identity Theft Indicators Continue Dramatic Decline in 2017; Security Summit Marks 2017 Progress Against Identity Theft,” Internal Revenue Service, February 8, 2018, www.irs.gov/newsroom/key-irs-identity-theft-indicators-continue-dramatic-decline-in-2017-security-summit-marks-2017-progress-against-identity-theft.
One of the first initiatives: “National Strategy for Trusted Identities in Cyberspace,” White House, April 2011, www.hsdl.org/?view&did=7010.
Grant has helped bring together: See Better Identity Coalition, About Us, www.betteridentity.org.
Chapter 9: Fixing the People Problem
fifty thousand new cybersecurity practitioners: “Report on Securing and Growing the Digital Economy,” Commission on Enhancing National Cybersecurity, December 1, 2016, obamawhitehouse.archives.gov/sites/default/files/docs/cybersecurity_report.pdf.
Chapter 10: Power Grids and Power Plays
Bush’s 2003 National Strategy to Secure Cyberspace: “The National Strategy to Secure Cyberspace,” White House, February 2003, www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf.
an internet worm: “Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations,” U.S.-Canada Power System Outage Task Force, U.S. Department of Energy, April 2004, www.energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf.
a generator was attacked: Emanuel Bernabeu and Farid Katiraei, “Aurora Vulnerability: Issues and Solutions,” Quanta Technology and Dominion, July 24, 2011, www.smartgrid.gov/files/Aurora_Vulnerability_Issues_Solution_Hardware_Mitigation_De_201102.pdf.
Russian hackers plunged much of Ukraine: Jim Finkle, “US Firm Blames Russian ‘Sandworm’ Hackers for Ukraine Outage,” Reuters, January 7, 2016, reut.rs/1OebtCB.
Bruce Willis’s Live Free or Die Hard: In the movie, Bruce Willis squared off against a villainous ex-government cybersecurity expert that Manohla Dargis thought was inspired by Clarke. Manohla Dargis, “Pick Your Poison: Fists or Fireballs,” New York Times, June 27, 2007, www.nytimes.com/2007/06/27/movies/27hard.html.
lower the threshold of incident reporting: “FERC Requires Expanded Cybersecurity Incident Reporting,” Federal Energy Regulatory Commission, July 19, 2018, www.ferc.gov/media/news-releases/2018/2018-3/07-19-18-E-1.asp.
DoD Missile Defense Agency: “Historical Funding for MDA FY85-17,” U.S. Department of Defense Missile Defense Agency, accessed January 8, 2019, mda.mil/global/documents/pdf/FY17_histfunds.pdf [inactive].
Congress approved $11.5 billion: Mike Stone, “U.S. Missile Defense Agency Budget Boosted to $11.5 Billion,” Reuters, March 22, 2018, reut.rs/2GdhC8R.
upwards of $140 billion: Jeff Daniels, “Competition to Replace US Nuclear Missiles Is Down to 2 Companies, but Uncertainties Remain,” CNBC, August 22, 2017, cnb.cx/2xaP8oY.
Chapter 12: The Military, Domains, and Dominance
cyber operations to the Pentagon: Ellen Nakashima, “White House authorizes ‘offensive cyber operations’ to deter foreign adversaries,” Washington Post, September 20, 2018, www.washingtonpost.com/world/national-security/trump-authorizes-offensive-cyber-operations-to-deter-foreign-adversaries-bolton-says/2018/09/20/b5880578-bd0b-11e8-b7d2-0773aa1e33da_story.html.
President Obama had reined in cyber operations: David E. Sanger, “Pentagon Puts Cyberwarriors on the Offensive, Increasing Risk of Conflict,” New York Times, June 17, 2018, www.nytimes.com/2018/06/17/us/politics/cyber-command-trump.html.
five stated objectives: “1. Ensuring the Joint Force can achieve its missions in a contested cyberspace environment; 2. Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages; 3. Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident; 4. Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks; and 5. Expanding DoD cyber cooperation with interagency, industry, and international partners.” See “Summary: Department of Defense Cyber Strategy 2018,” U.S. Department of Defense, September 2018, media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.
Iran did penetrate: Julian E. Barnes and Siobhan Gorman, “U.S. Says Iran Hacked Navy Computers,” Wall Street Journal, September 27, 2013, www.wsj.com/articles/us-says-iran-hacked-navy-computers-1380314771.
successfully used wiper hacks: Lily Hay Newman, “The Iran Hacks Cybersecurity Experts Feared May Be Here,” Wired, December 18, 2018, www.wired.com/story/iran-hacks-nuclear-deal-shamoon-charming-kitten.
issued a scathing report: “Weapon Systems Cybersecurity,” Report to the Committee on Armed Services, U.S. Senate, GAO-19-128, Government Accountability Office, October 2018, www.gao.gov/assets/700/694913.pdf.
USS Freedom-class combatants are vulnerable to hacking: Andrea Shalal-Esa, “Cyber vulnerabilities found in Navy’s newest warship: official,” Reuters, April 23, 2013, www.reuters.com/article/us-usa-cybersecurity-ship/cyber-vulnerabilities-found-in-navys-newest-warship-official-idUSBRE93N02X20130424.
Naval Undersea Warfare Center in Rhode Island: Gordon Lubold and Dustin Volz, “Navy, Industry Partners are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts,” Wall Street Journal, March 12, 2019, www.wsj.com/articles/navy-industry-partners-are-under-cyber-siege-review-asserts-11552415553.
Windows XP operating system: Jeremy Hsu, “Why the Military Can’t Quit Windows XP,” Slate, June 4, 2018, slate.com/technology/2018/06/why-the-military-cant-quit-windows-xp.html.
Among the weapons systems compromised: Caitlin Dewey, “The US Weapons Systems That Experts Say Were Hacked by the Chinese,” Washington Post, May 28, 2013, wapo.st/18qIQBk.
he was “largely disappointed”: Ash Carter, “A Lasting Defeat: The Campaign to Destroy ISIS,” Belfer Center, Harvard Kennedy School, Harvard University, October 2017, www.belfercenter.org/publication/lasting-defeat-campaign-destroy-isis.
operations without his personal approval: David E. Sanger, “Trump Loosens Secretive Restraints on Ordering Cyberattacks,” New York Times, September 20, 2018, www.nytimes.com/2018/09/20/us/politics/trump-cyberattacks-orders.html.
The CIA and the NSA did: James Bamford, “NSA Snooping Was Only the Beginning. Meet the Spy Chief Leading Us into Cyberwar,” Wired, June 12, 2013, www.wired.com/2013/06/general-keith-alexander-cyberwar.
authorized a contingency plan: David E. Sanger and Mark Mazzetti, “U.S. Had Cyberattack Plan If Iran Nuclear Dispute Led to Conflict,” New York Times, February 16, 2016, www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-planned-if-iran-nuclear-negotiations-failed.html.
They were not given that authority until 2018: Robert Chesney, “The 2018 DOD Cyber Strategy: Understanding ‘Defense Forward’ in Light of the NDAA and PPD-20 Changes,” Lawfare, September 25, 2018, www.lawfareblog.com/2018-dod-cyber-strategy-understanding-defense-forward-light-ndaa-and-ppd-20-changes.
In the 2018 Department of Defense Cyber Strategy: “Summary: Department of Defense Cyber Strategy 2018,” U.S. Department of Defense, September 2018, media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.
North Korean ballistic missile tests: David E. Sanger and William J. Broad, “Trump Inherits a Secret Cyberwar Against North Korean Missiles,” New York Times, March 4, 2017, www.nytimes.com/2017/03/04/world/asia/north-korea-missile-program-sabotage.html.
authority to the Department of Defense: Dakota S. Rudesill, “Trump’s Secret Order on Pulling the Cyber Trigger,” Lawfare, August 29, 2018, www.lawfareblog.com/trumps-secret-order-pulling-cyber-trigger.
Chapter 13: A Schengen Accord for the Internet
“Cyberspace is not borderless”: Author interview with Michael Daniel, 2019.
Eric Schmidt thinks the internet: Lora Kolodny, “Former Google CEO Predicts the Internet Will Split in Two—And One Part Will Be Led by China,” CNBC, September 20, 2018, www.cnbc.com/2018/09/20/eric-schmidt-ex-google-ceo-predicts-internet-split-china.html.
the New York Times editorial board: Editorial Board, “There May Soon Be Three Internets. America’s Won’t Necessarily Be the Best,” New York Times, October 15, 2018, www.nytimes.com/2018/10/15/opinion/internet-google-china-balkanization.html.
“open, interoperable, secure, and reliable”: “International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World,” White House, May 2011, obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
While Russia announced plans: Tracy Staedter, “Why Russia Is Building Its Own Internet,” IEEE Spectrum, January 17, 2018, spectrum.ieee.org/tech-talk/telecom/internet/could-russia-really-build-its-own-alternate-internet.
as of the spring of 2019: Catalin Cimpanu, “Russia to disconnect from the internet as part of a planned test,” ZDNet, February 11, 2019, www.zdnet.com/article/russia-to-disconnect-from-the-internet-as-part-of-a-planned-test.
When Yahoo told France: For an excellent discussion on this topic, see Tim Wu and Jack Goldsmith, Who Controls the Internet? Illusions of a Borderless World (New York: Oxford University Press, 2006).
UN’s Group of Governmental Experts: Elaine Korzak, “UN GGE on Cybersecurity: The End of an Era?,” The Diplomat, July 31, 2017, thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-and-russia-just-made-cyberspace-less-safe.
“offered the best chance for the UK”: Asa Bennett, “Did Britain really vote Brexit to cut immigration?,” Telegraph, June 29, 2016, www.telegraph.co.uk/news/2016/06/29/did-britain-really-vote-brexit-to-cut-immigration.
The attempt to jettison NAFTA: For an overview of these provisions, see Anupam Chander, “The Coming North American Digital Trade Zone,” Council on Foreign Relations, October 9, 2018, www.cfr.org/blog/coming-north-american-digital-trade-zone.
As Michael Geist: Michael Geist, “How the USMCA falls short on digital trade, data protection and privacy,” Washington Post, October 3, 2018, www.washingtonpost.com/news/global-opinions/wp/2018/10/03/how-the-usmca-falls-short-on-digital-trade-data-protection-and-privacy.
The CLOUD Act, passed: For a solid overview of the CLOUD Act, see Jennifer Daskal and Peter Swire, “Why the Cloud Act Is Good for Privacy and Human Rights,” Lawfare, March 14, 2018, www.lawfareblog.com/why-cloud-act-good-privacy-and-human-rights.
Chapter 14: Democracy’s Shield
“Brush your teeth”: Andy Greenberg, “Hacked or Not, Audit This Election (And All Future Ones),” Wired, November 23, 2016, www.wired.com/2016/11/hacked-not-audit-election-rest.
Chen revealed his findings: Adrian Chen, “The Agency,” New York Times, June 2, 2015, www.nytimes.com/2015/06/07/magazine/the-agency.html.
what the Internet Research Agency was doing: Ellen Nakashima, “US Cyber Command Operation Disrupted Internet Access of Russian Troll Factory on Day of 2018 Midterms,” Washington Post, February 27, 2019, www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html.
“Their [U.S. adversaries’] dream”: Alex Stamos, “The Battle for the Soul of the Internet,” National Security and Technology Congressional Briefing Series, Washington, D.C., November 15, 2018.
an action plan for defending against hybrid war: Jamie Fly, Laura Rosenberger, and David Salvo, “The ASD Policy Blueprint for Countering Authoritarian Interference in Democracies,” German Marshall Fund of the United States, June 26, 2018, www.gmfus.org/publications/asd-policy-blueprint-countering-authoritarian-interference-democracies.
went on to write a playbook: “Cybersecurity Campaign Playbook,” Belfer Center, Harvard Kennedy School, Harvard University, November 2017, www.belfercenter.org/publication/cybersecurity-campaign-playbook.
would give up and go home: Michael Powell and Peter Slevin, “Several Factors Contributed to ‘Lost’ Voters in Ohio,” Washington Post, December 15, 2004, www.washingtonpost.com/wp-dyn/articles/A64737-2004Dec14.html.
Russians attempted to break into: Cynthia McFadden, William M. Arkin, and Kevin Monahan, “Russians Penetrated U.S. Voter Systems, Top U.S. Official Says,” NBC News, February 7, 2018, www.nbcnews.com/politics/elections/russians-penetrated-u-s-voter-systems-says-top-u-s-n845721.
“state IT officials”: Stamos, “The Battle for the Soul of the Internet.”
the American people do not: Ellen Nakashima, “U.S. cyber force credited with helping stop Russia from undermining midterms,” Washington Post, February 14, 2019, www.washingtonpost.com/world/national-security/us-cyber-force-credited-with-helping-stop-russia-from-undermining-midterms/2019/02/14/ceef46ae-3086-11e9-813a-0ab2f17e305b_story.html.
Chapter 15: Real and Artificial Intelligence
“Whoever becomes the leader”: Vladimir Putin made these remarks on National Knowledge Day while speaking to students in the Yaroslavl region of the Russian Federation in September 2017, ruptly.tv/#/videos/20170901-032.
the birthplace of AI: James Moor, “The Dartmouth College Artificial Intelligence Conference: The Next Fifty Years,” AI Magazine 27, no. 4 (December 2006): 87–89.
bans autonomous weapons: “Autonomy in Weapon Systems,” Department of Defense Directive Number 3000.09, U.S. Department of Defense, May 8, 2017, www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/300009p.pdf.
“generative adversarial network” to fool other software: Omid Poursaeed et al., “Generative Adversarial Perturbations,” CVPR (2018), vision.cornell.edu/se3/wp-content/uploads/2018/03/2387.pdf.
AI attack program called DeepLocker: Marc Ph. Stoecklin, with Jiyong Jang and Dhilung Kirat, “DeepLocker: How AI Can Power a Stealthy New Breed of Malware,” IBM.com, August 8, 2018, securityintelligence.com/deeplocker-how-ai-can-power-a-stealthy-new-breed-of-malware.
Chapter 16: A Quantum of Solace for Security
the famous double-slit experiment: “The Quantum Experiment That Broke Reality,” Space Time, PBS Digital Studios, July 27, 2016, youtu.be/p-MNSLsjjdo.
Chinese scientists created two entangled photons: Juan Yin et al., “Satellite-Based Entanglement Distribution over 1200 Kilometers,” Science 356, no. 6343 (June 2017): 1140–44.
The Chinese government has what: Stephen Chen, “China Building World’s Biggest Quantum Research Facility,” South China Morning Post, September 11, 2017, www.scmp.com/news/china/society/article/2110563/china-building-worlds-biggest-quantum-research-facility.
quantum-resistant encryption standard: “Post-Quantum Cryptography,” Computer Security Resource Center, National Institute of Standards and Technology, accessed January 4, 2019, csrc.nist.gov/projects/post-quantum-cryptography.
Chapter 17: 5G and IoT
quarter trillion dollars: Hillol Roy, “Tackling the Cost of a 5G Build,” Accenture, August 3, 2018, www.accenture.com/us-en/insights/strategy/5G-network-build.
publicly published 132 questions: “Promoting Unlicensed Use of the 6 GHz Band,” Notice of Proposed Rulemaking, Federal Communications Commission, October 2, 2018, docs.fcc.gov/public/attachments/DOC-354364A1.pdf.
“It is widely expected that 5G networks”: Federal Communications Commission, “Fifth Generation Wireless Network and Device Security,” Federal Register 82, no. 13 (January 23, 2017): 7825–30, www.govinfo.gov/content/pkg/FR-2017-01-23/pdf/2017-01325.pdf.
farmers learned that hackers: Jason Koebler, “Why American Farmers Are Hacking Their Tractors with Ukrainian Firmware,” Motherboard, March 21, 2017, motherboard.vice.com/en_us/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware.
in a petrochemical plant in Saudi Arabia: David E. Sanger, “Hack of Saudi Petrochemical Plant Was Coordinated from Russian Institute,” New York Times, October 23, 2018, www.nytimes.com/2018/10/23/us/politics/russian-hackers-saudi-chemical-plant.html.
“third-party control risk”: Warning letter to Abbott Laboratories from the Food and Drug Administration, April 12, 2017, www.fda.gov/iceci/enforcementactions/warningletters/2017/ucm552687.htm.
issuing regulations requiring such assurances: Colin Dwyer, “Department of Transportation Rolls Out New Guidelines for Self-Driving Cars,” National Public Radio, September 12, 2017, www.npr.org/sections/the-two-way/2017/09/12/550533833/department-of-transportation-rolls-out-new-guidelines-for-self-driving-cars.
Chapter 18: Derisking Ourselves
We like ten-character passwords: “How to Choose a Password,” Office of Information Security, University of Cincinnati, accessed January 6, 2019, www.uc.edu/infosec/password/choosepassword.html.
Fraudulent debit-card charges: “Lost or Stolen Credit, ATM, and Debit Cards,” Consumer Information, Federal Trade Commission, August 2012, www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards.
Chapter 19: Everything Done but the Coding
released its International Strategy for Cyberspace: “International Strategy for Cyberspace,” White House, May 2011, obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
a simple conclusion: Matthew G. Devost, Jeff Moss, Neal A. Pollard, and Robert J. Stratton III, “All Done Except the Coding: Implementing the International Strategy for Cyberspace,” Georgetown Journal of International Affairs (2011), 197–208, www.jstor.org/stable/43133830?seq=1#page_scan_tab_contents.