Amazon.com just posted my five star review of America the Vulnerable by Joel Brenner. I reproduce the
review in its entirety below.
I've added bold in some places to emphasize certain areas.
America the Vulnerable (ATV) is one of the best "big picture" books I've read in a long while. The author is a former NSA senior counsel and inspector general, and was the National Counterintelligence Executive (NCIX). In these roles he could "watch the fireworks" (not his phrase, but one popular in the intel community) while the nation suffered massive data exfiltration to overseas adversaries. ATV explains the problem in terms suitable for those familiar with security issues and those learning about these challenges. By writing ATV, Joel Brenner accurately and succinctly frames the problems facing the US and the West in cyberspace.
In this review I'd like to highlight some of Mr Brenner's insights and commentary.
On pp 65-7 he discusses "China's Long View...
China had the world's largest economy for eighteen of the past twenty centuries. The two exceptions were those of America's youth and rise to power.... Like India, China does not regard Western domination as normal, and it does not suffer from an inferiority complex. China's chief national strategic objectives are to lift its population out of poverty and reestablish its place in the international order."
On pp 68-71 he explains the problem with the binary thinking of Westerners regarding war.
China does not see war as a binary issue, where one is either at peace OR at war. "This kind of ambiguity is difficult for Americans to digest. We are direct and aboveboard, and we like to think others are like us -- or would be if given half a chance... [W]e suffer from a Western misconception in our law, religion, and policy that 'peace' and 'war' are opposites that cannot occur at the same time... Many Americans cling to this view, even though war has not been declared on the planet since 1945, while there have been hundreds of organized, violent, and militarized struggles in the interim."
On pp 71-3 he reiterates my point that the consequences of digital assault from China are indeed new, as well as the assault itself. "Our companies are under constant, withering attack. After the Google heist,
companies [all emphasis is original] started asking the government for help in defending themselves against nations. This was unprecedented. We are now in uncharted territory... the boundary between economic security and national security has completely disappeared... While the scope of and intensity of economic espionage have assumed startling proportions, the 'traditional' espionage assault on our national defense establishment dwarfs anything we have ever before experienced."
On pp 75-77 Mr Brenner describes instances of espionage and consequences. "[Chi Mak] is the first spy (that we know of) through whom we lost critical military secrets and who was not a government employee. He will not be the last. If further proof were required, the case thus illustrates how thoroughly the functional boundary between the private sector and the government has dissolved... In essence,
the PRC is leveraging the Pentagon's R&D budget in support of its own war-making capability."
Mr Brenner focuses on Chinese espionage in ATV; the following from p 78 is a good summary: "In contrast to the Russians, who are highly professional, the PRC often enlists amateurs from among a huge pool of sympathizers."
In the middle of the book Mr Brenner concentrates on the China threat by correctly identifying that
the Chinese do not want a shooting war with the US. Rather (quoting Chinese military thinkers on p 118) "the objective in warfare would not be killing or occupying territory, but rather paralyzing the enemy's military and financial computer networks and its telecommunications. How? By taking out the enemy's power system.
Control, not bloodshed, would be the goal... [Continuing on pp 126-7,] The Prussian Carl von Clausewitz, and Mao after him, had called war 'politics by other means.' [Strategists] Qiao and Wang seemed to be saying the reverse: Politics -- and economics and communications and everything else -- was war by other means. And while Clausewitz had preached the doctrine of the decisive battle, Qiao and Wang said there would be no more decisive battles."
Ch 9, "Thinking About Intelligence," is one of my favorite chapters because Mr Brenner examines the role of information and intelligence agencies in the modern world. On p 196 he makes a fascinating point: "To understand the future of the private sector's role in intelligence, we don't need a crystal ball. We can just as well look backward as forward, because we are experiencing a return to a historical norm." He then argues that the private sector is developing intel capabilities rivaling the government, which was the case prior to the creation of national agencies in the 20th century. On p 209 he recommends the following: "[T]he best way to run an intelligence agency is to focus tightly on the parts of the business that are really secret and separate them from the rest. You spend more money on open-source collection and analysis, and let them happen in controlled but unclassified space. You beef up counterintelligence. And you pay much more attention to the electronic handling and dissemination of information."
In the final chapter he offers some recommendations for improvement. I liked this statement on p 216: "If you wait for the incoming danger to reach you, you won't be able to defend against it. CYBERCOM solves this problem by letting the general in charge of defending national security networks use offensive tools outside his networks in order to know what's coming. To be blunt, espionage is an essential aspect of defense.
To know what's coming, we must be living inside our adversaries' networks before they launch attacks against us." Note that is the traditional role of espionage, a model which the Chinese shatter by
living inside our companies' networks, solely to steal our intellectual property.
I only found one small typo on p 194: The Yom Kippur War happened in 1973, not 2003.
Overall, I really enjoyed ATV. While I don't think the suggestions for improvement in the last chapter are sufficient to mitigate the threat, several of them are a good start. I highly recommend reading ATV at your earliest opportunity!
Join me and Lucas Zaichkowsky on Friday at 2 pm eastern as we talk about what happened at our annual MANDIANT conference, MIRCon! Registration is free and I expect you'll enjoy the discussion! We plan to review what we saw and heard, and how those lessons will help your security program. 
(Photo: Business Insider)
Christopher Booker interviewed me and several other policy-oriented security people for his video Financial Times story The expanding cyber industrial complex. This was a different experience for me for two reasons. First, Christopher conducted the interviews via Skype. Second, you can see what appear to be the home offices of several of the contributors, including me.
Today at MIRCon I mentioned that one of my colleagues, Jeff Yeutter, had updated the somewhat famous CERT/CC study of CIRT characteristics as part of his degree program. Jeff posted the survey online as Computer Incident Response Team Organizational Survey, 2011 with this description:
Tony Sager from the NSA is one of my Three Wise Men. (Dan Geer and Ross Anderson are the other two.) Eric Parizo from SearchSecurity.com interviewed Tony this week and posted the video online. 
Thanks to a source who wishes to remain anonymous, I read Chinese spy mania sweeps the world, an article not from a Western publication. Rather, it's from Voice of Russia. Does any of this sound familiar?
(Photo credit: AINOnline)
The comments in the CDB post pointed me to this engine comparison for the J-20, which I sometimes mention in my classes. Essentially the Chinese appear to be testing two engines on the J-20, because they are not sure if they will use a Russian-made engine (or copy) or an "indigenous" engine (which is probably a copy of someone else's technology).
The House Cybersecurity Task Force released its report (.pdf) today. NextGov offers a good summary in their story House GOP Cyber Task Force Touts Industry Leadership by Jessica Herrera-Flanigan.
You can now access video of Tuesday's House Select Committee on Intelligence Hearing on Cybersecurity at C-SPAN.
Today I was fortunate to attend a hearing of the US House Permanent Select Committee on Intelligence (HPSCI). That's me on the far left of the photo, seated behind our MANDIANT CEO Kevin Mandia. I'd like to share a few thoughts on the experience.
Third, I was very pleased that this hearing was conducted in an open forum, and not behind closed doors. While I haven't found the whole hearing online or on TV yet (aside from Rep Rogers' statement and that of Rep Myrick (R-NC)), I encourage as much discussion as possible about this issue. 
