CSO Perspectives (Pro) 4.20.20
Ep 3 | 4.20.20

Four cybersecurity novels to distract you from the current zombie apocalypse.


Rick Howard: [00:00:00] As the visceral impact of exponential math in a virus outbreak becomes a reality to us all, it is easy for a feeling of existential dread to creep in. But be of stout heart. Take a couple of deep breaths. We're going to get through this but not if we push the existential needle to the red zone 24 hours a day. This is a marathon, everybody, not a sprint. We need to find a way to let off some of that existential steam.

Rick Howard: [00:00:37]  My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. This episode, I get to talk about my favorite pastime - reading and not just any reading but reading cybersecurity novels. My own personal mechanism for existential relief is walking my dog around the neighborhood and listening to audiobooks and podcasts. I expect that many of you have the same habit or you wouldn't be listening to me jabbering on on this podcast. And by the way, my 6-foot leash practically guarantees my social distancing protocol when I run into other dog walkers. 

Rick Howard: [00:01:25]  So I thought I would offer a little change of pace from worrying about the COVID virus or even the bread-and-butter security stuff that I typically like to talk about and provide some escapist entertainment recommendations, something to get us all out of our heads for a bit. And if the material had some tangential connection to cybersecurity, however loosely, I might even be able to convince my boss that these walks are research or training or maybe even self-education. So far, I think he's buying it. I'll let you know if the situation changes. Which brings me to my favorite cybersecurity novels. The thing about this genre of niche books is that they generally fall into two categories - "Harry Potter" cyber novels and Tom Clancy cyber novels. The "Harry Potter" cyber novels are usually fictional thrillers or mysteries that have a cyber component, but the cyber part of it is totally preposterous. The hackers do a lot of handwaving and say a lot of magic words, like this dialogue from the James Bond movie "Skyfall..." 


Ben Whishaw: [00:02:24]  (As Q) He's using a polymorphic engine to mutate the code. Whenever I try to gain access, it changes. It's like solving a Rubik's Cube that's fighting back. 

Rick Howard: [00:02:31]  ...Or this dialogue from the TV show "Castle." 


Sunkrish Bala: [00:02:34]  (As Vikram Singh) Someone synced a RAT to one of my servers - a remote access tool. We're being hacked. 

Toks Olagundoye: [00:02:40]  (As Hayley Shipton) Uh-oh. 

Nathan Fillion: [00:02:40]  (As Richard Castle) What? 

Toks Olagundoye: [00:02:40]  (As Hayley Shipton) They're onto us. Spectrum's trying to track our IP address. 

Nathan Fillion: [00:02:43]  (As Richard Castle) Can you stop it? 

Toks Olagundoye: [00:02:44]  (As Hayley Shipton) No. 

Rick Howard: [00:02:44]  But you never really see how they accomplish those tasks. My best example here is Dan Brown's "Digital Fortress." Now, if you're a fan of "The Da Vinci Code," one of Brown's most popular, you know that the author can tell a compelling story. That's evident here, too. But the thing that puts this into the "Harry Potter" cyber novel category for me is how the bad guys break into the NSA's super secret network. In a novel that is supposed to be about cybersecurity stuff, the bad guy gets in by guessing an administrator's password, which is literally "password." Now, there are many things you can say about the real-world NSA, both good and bad, but the chances that the password to their super secret network is "password" is ludicrous. My advice - read "Digital Fortress" for entertainment but don't try to convince the boss that it was training material. 

Rick Howard: [00:03:37]  Now, on the other end of the spectrum is the Tom Clancy cyber novel. These stories are also engaging, but the cyber components are realistic or, if not, they're at least possible. You all may know this already, but I am an old, retired Army guy. I grew up reading the original Tom Clancy novels back in the '80s. Soldiers passed around "The Hunt For Red October" and "Red Storm Rising" not only because they were thrilling adventures but also because Clancy got how the military works. He was pro military and pro service to the nation. Clancy pretty much invented the techno-thriller genre or at least put it on the map. As a soldier, it felt pretty good to imagine yourself in a Tom Clancy world. The best example of a Tom Clancy cyber novel is actually a Tom Clancy novel. The book is called "Threat Vector" and the Clancy team published it in 2012. The nation-state cyber world was a bit different back then compared to how it is today. It wasn't public knowledge yet that political actors were not going to conduct cyber battles, per se, in a purely digital war. We knew it, but nobody was really talking about it, at least not out loud. It also wasn't public knowledge yet that political actors could use something akin to a continuous low-level cyber conflict against their enemies in cyberspace without actually having to conduct a physical war. Today, that's common practice between Russia, China, Iran, North Korea, the United States and others. 

Rick Howard: [00:05:03]  If you are interested in this topic, check out David Sanger's "A Perfect Weapon" (ph). He gives lots of examples from before 2010 to just last year. But in 2012, we were still thinking that our biggest fear was a physical military threat from China. And that is what the story of "Threat Vector" revolves around. But Clancy and team do a great job of injecting some realistic cyber moments into the story, like insider threat operations using honey traps to compromise an intelligence agency employee and using him to install a backdoor into the agency's network back home. Another is when the good guys hack back into their attacker's laptop and use the onboard camera to identify the people. This is the same technique that Mandiant used to identify the Chinese military when they first discovered APT1 back in the day. They used this technique to learn who the attackers were. And finally, the Clancy team describes what happens when a nation-state uses a massive cyberattack before the physical war starts. "Threat Vector" is a lot of fun, and you might even learn a thing or two here. 

Rick Howard: [00:06:12]  My next Tom Clancy cyber novel recommendation is a classic published by William Gibson back in 1984, and it's called "Neuromancer." It won several science fiction awards - The Nebula, the Philip K. Dick Award and the Hugo Award. And in 2005, Time magazine listed "Neuromancer" as one of its top 100 English-language novels written since 1923. Literary scholars have credited Gibson with one of the best-ever opening lines. And here it is - the sky above the port was the color of television tuned to a dead channel. Now that is some good writing. The main "Neuromancer" character is Case. He's a world-class cowboy hacker who has fallen from grace. The government caught him doing something stupid and through surgery made it impossible for him to ever jack into cyberspace again. He joins a misfit team - the leader, Armitage, ex-military; the assassin, Molly, a beautiful cyborg; the techie, Finn, a prototypical scrounger; and the mentalist, Peter, a psychopathic mind-bender. The reader is never really sure what the team's ultimate objective is until close to the end of the story. But along the way, we get plenty of kung fu between the assassin and every bad guy we meet, lovemaking between the hacker and the assassin and a verbal description of what it means to hack that is eerily similar to how modern computer gamers play almost 40 years later. Gibson invented and clarified a language that we are still using today 10 years before it became mainstream. He coined the word cyberspace, launched the cyberpunk genre, pontificated about the singularity, guessed that hacktivism would be a thing and understood that we would need Google search long before any of us knew how vital that service would become. It is a must-read for every cybersecurity professional, not because you will learn new insights into your craft but because you will understand why this book was so influential to the cybersecurity zeitgeist back in the day. 

Rick Howard: [00:08:16]  I would be remiss if I didn't add Richard Clarke to my favorite Tom Clancy cyber novel authors. In his government career, he served for an unprecedented decade of continuous service to three U.S. presidents - Bush 41, Clinton and Bush 43 - was the special assistant to the president for global affairs, was the national coordinator for security and counterterrorism - the terrorism czar - and was the special adviser for cyberspace. He was actually the first cyber czar. He infamously warned President Bush - Bush 43 - and Condoleezza Rice, the president's national security adviser, about the potential of a bin Laden attack about a month before 9/11 occurred. He has traveled some rough road in his career. And I got to interview him about his other book, "Cyber War," back in 2015. "Cyber War" is another cybersecurity Canon Hall of Fame non-fiction book whose audience is primary military strategists and government policy wonks. But Mr. Clarke likes to use novels to explain complex policy ideas to the masses. 

Rick Howard: [00:09:22]  Back in 2007, he published "Breakpoint." If you like Michael Crichton stories like "Jurassic Park" and "Disclosure" and "Airframe," which I do, you will also like this book. He does a good job explaining what could be done in cyberspace by a well-resourced adversary. And as a side plot, you'll learn a little bit about the ethical issues, pro and con, surrounding the transhumanist movement, which is the advocacy of using performance-enhancement technology to influence human evolution. The bad guys in this novel destroy several key beachhead routers on both U.S. coasts that reduce inbound and outbound internet traffic to just 10%. They launch a buffer overflow attack against a communications satellite that sends it reeling out to space. They use a SCADA attack to blow up a research institution with a live nuclear reactor. And they use another well-coordinated SCADA attack that takes out all of the power west of the Mississippi. In the real world, most network defenders are worried about how these kinds of things could happen today. Clarke was writing about them over a decade ago. 

Rick Howard: [00:10:27]  Now, I don't know this for sure, but I think the main bad guy in Clarke's story is based on the internet founding father Bill Joy. Joy created vi, the original Unix text editor. He had a big hand in creating BSD Unix, the precursor to Linux, and, for all intents and purposes, created the first working software implementation of the TCP/IP Stack. He went on to co-found Sun Microsystems, a company that built some of the most beautiful Unix machines of the time. And then out of nowhere, in 2000, he wrote an article for Wired magazine decrying the transhumanist movement. To have somebody of that stature, a legend, really, on the same level as Vint Cerf, Tim Berners-Lee and, you know, sure, Al Gore come out against the advancements of science made the entire scientific community pause for a beat. Some were comparing his manifesto to Albert Einstein's letter to President Eisenhower that argued against the use of nuclear weapons. If somebody like Bill Joy says that we need to think a bit before we go forward with transhumanism, then maybe we better do it. 

Rick Howard: [00:11:32]  And just as an aside, tech nerds like me like to poke fun at Vice President Gore for getting credit for inventing the internet. But he did have a significant role to play. According to Andrew Blum's fantastic book called "Tubes," Senator Gore sponsored and helped pass the High-Performance Computing and Communications Act that, according to Blum - this is a quote for him - "got the internet out of its academic ghetto." Now, Gore never claimed that he invented the internet either. But the origin of the phrase information superhighway came from this bill. Here's another quote from Blum - "rather than putting shovels in the ground to build it, government policy policymakers catalyze private companies to do it for them by funding the construction of on-ramps, a network access point, or NAP as they called it, would be a high-speed network or switch to which a number of networks can be connected via routers for the purpose of traffic exchange and interoperation" - end quote. This essentially turned the early academic internet mesh network into a commercially viable hub-and-spoke network that could facilitate the anticipated rising bandwidth requirements. But I was supposed to be talking about cyber novels and in particular this book by Richard Clarke, "Breakpoint." The bottom line here is that this book is a fun, political thriller that gets the cybersecurity stuff right. I think you will like it. 

Rick Howard: [00:12:57]  Let me recommend one more. It is my favorite hacker novel of all time, and it is called "Cryptonomicon" by Neal Stephenson. I use the word hacker here from the old-school definition, not computer trolls who spend their time breaking into systems for fun and profit but technological wizards who have a genuine passion for learning about how things work and making the world a better place with that knowledge. These are the kind of people that Joe Menn described in his book he published last year, the "Cult Of The Dead Cow." 

Rick Howard: [00:13:29]  I admit it. I am a fanboy at Mr. Stephenson. He has written several of my favorite hacker novels over the last, oh, three decades - "Snow Crash," published in 1992, a classic in the cyberpunk genre; The "Baroque Cycle," published in 2003, a three-volume collection of historical fiction that weaves in some old-school hackers like Sir Isaac Newton and Gottfried Leibniz who, by the way, are related to some of the fictional characters in "Cryptonomicon;" and "Reamde," published in 2011, a modern-day hacker novel that touches upon cybercrime, malware and gaming. And, by the way, the Cybersecurity Canon Committee, the group that selects books for the Cybersecurity Hall of Fame, awarded Stephenson a lifetime achievement award last year. Stephenson uses "Cryptonomicon" as his personal petri dish to explore some wide-ranging ideas. He touches on everything, from the impact of Allied code-breaking during World War II to the importance of Dungeons & Dragons to modern day geeks to the jaw-dropping complexities of 20th-century banking to the necessities and procedures for getting the correct ratio of milk to Captain Crunch kernels in your morning cereal to describing the horrors experienced by soldiers and civilians in the Philippines during World War II to the significance of cryptological systems in our state-of-the-art world to the excitement of a present-day treasure hunt and most importantly to the beauty of family ties across numerous generations. Stephenson also manages to drop in cameo appearances from historical figures that you would not normally associate with each other, such as Alan Turing, General MacArthur, Lieutenant Ronald Reagan and Hermann Goring. As you could expect, it is a dense read. One fan and author Charles Yu describes the book this way - "a copy of "Cryptonomicon" has more information per unit volume than any other object in this universe. Any place that a copy of the book exists is at that moment the most information-rich region of space time in the universe" - end quote. I guess you get the idea. This is not a novel you're going to get through on a weekend. 

Rick Howard: [00:15:37]  One of Stephenson's great gifts is his ability to juggle many seemingly unrelated and interesting characters within a story and then surprise the reader about how they are all connected down the line. He crafts four main narrative arcs in "Cryptonomicon" and uses a parade of major and minor characters that intersect at key moments to propel the story. Three of the arcs happen during World War II and the fourth happens during the internet boom of the 1990s. So we have team one, Bobby Shaftoe. Shaftoe was a U.S. Marine who starts the story in the Philippines just before World War II. He loses his Filipino fiancee because of the ravages of war, joins one of the operating arms of the Allied code-breakers at Bletchley Park and spends a good portion of the book working his way back to the Philippines to find his lost fiancee. 

Rick Howard: [00:16:27]  Team Goto Dengo - Dengo is a Japanese military engineer. He gets caught behind enemy lines, escapes and evades his way across New Guinea and eventually ends up as the primary engineer to design and build one of the tombs in the Philippines that the Japanese leadership plans to use to store large amounts of pilfered gold. This is a true story by the way. The tomb is the object of the treasure hunt that binds the entire book together across multiple generations. 

Rick Howard: [00:16:56]  Team three - team Lawrence Waterhouse. Lawrence is a U.S. cryptologist in the Pacific theater of operations who spends his entire time breaking Japanese codes. He is friends with Alan Turing, and Stephenson uses this relationship to explore code-breaking in general and the nuances of information theory during a world war. The nuance here is diabolical. Because the Allies had broken the German Enigma encryption scheme and pretty much knew the orders of the German field commanders before they did, the question was how many times could they act on that intelligence to save lives before the Germans figured out that their system was compromised? The implications of that question are heartbreaking. The word cryptonomicon from the book's title is a collection of code-breaking techniques that Lawrence inherits and develops throughout the story. 

Rick Howard: [00:17:47]  And finally we have team four - Team Randy Waterhouse. Randy is Lawrence's direct descendant in the present day - early 1990s. He and a group of college buddies who played Dungeons & Dragons during their school years have banded together to form a startup. They want to build something called the vault in the Philippines, which is sort of a data haven that anybody can use to store whatever kind of digital information they want, free and clear of government intervention. Really, this is the first cloud provider but with no government entanglements. Along the way, Randy partners with the Shaftoe family, related to team one Bobby Shaftoe, who runs an underwater salvage company, helps build the vault and becomes an essential partner to the treasure. And just so you don't think that this book is only about men and math and computers and commando operations, "Cryptonomicon" has three fairly decent love stories. My wife, who is a judge of all matters of the heart in the Howard family, gives it two thumbs up. I already highlighted Bobbie Shaftoe's epic journey to find his fiancee, but both Waterhouse boys get their share of romance too, especially Randy. It is amusing to watch these two brainiac math and computer wizards try to reduce the world to binary equations on one hand and on the other become completely befuddled with the mysteries of the opposite sex. It is sweet and funny and spot on for how the Dungeons & Dragons crowd approaches girls. Well, at least I recognize myself in their bewilderment. And, yes, I played Dungeons & Dragons. I still would today, but it is such a time commitment. My son plays, though, and I play the D&D campaigns vicariously through him. 

Rick Howard: [00:19:27]  While these orbiting characters bounce off of each other through the nearly 1,000 pages, Stephenson also tosses in a mix of some groundbreaking math ideas from the likes of Kurt Godel and his incompleteness theorems, Alfred Whitehead and Bertrand Russell and their reimagining of the math ecosystem in a book titled "Principia Mathematica," Alan Turing and his Turing machine thought experiment that changed the world and Bernhard Riemann and his zeta function. Stephenson also dips his toes into modular arithmetic, probability distributions, information theory and cryptanalysis. But don't let the math scare you away. His intent here is to introduce these subjects to the uninitiated. And he's a pretty good teacher. "Cryptonomicon" is the quintessential hacker novel. It is unique in that it qualifies in two different categories - books for important historical context and novels that don't exaggerate the genre. For historical context, Stephenson describes a story that is set around the intersection between the discovery of world-changing math insights in the incipient designs of our computer science founding fathers. That intersection is ground zero for our chosen profession, cybersecurity, and the hacks that we see Team Randy Waterhouse perform are interesting and well within the realm of the possible. But with all of that, "Cryptonomicon" is not an easy read. It is dense with ideas. You do not skim through this looking for the good parts. But if you take your time to savor the journey, you will not be disappointed. There is something for everyone here, and you owe yourself the pleasure of finding your favorite part. 

Rick Howard: [00:21:06]  Those are my recommendations for cybersecurity novels to keep you distracted during the pandemic. We are all going through this experience together but separated. It may seem like you need to stay focused on the crisis 24-by-7, but there be dragons in those waters. Take a moment for yourself. Curl up with a good book - any will do, but consider one or more of my four favorites. Remember, listening to audiobooks count as reading. And if you can convince your boss that it has something to do with cybersecurity, even the better. That's a wrap. If you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. The sound design and mix was done by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening to "CSO Perspectives" and be sure to learn more about Pro Plus content at thecyberwire.com/pro website.

Recommended reading.

Breakpoint, by Richard A. Clarke, Published by Putnam Pub Group, 16 January 2007, Last Visited 31 March 2020.

Cryptonomicon, by Neal Stephenson, Published by Avon, May 1999, Last Visited 31 March 2020. 

Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, by Joseph Menn, Published by PublicAffairs, 4 June 2019, Last Visited 31 March 2020. 

Digital Fortress, by Dan Brown, Published by Corgi books, 1998, Last Visited 30 March 2020. 

Neuromancer, by William Gibson, Published by Ace, July 1984, Last Visited 31 March 2020. 

Reamde, by Neal Stephenson, Published by William Morrow, 20 September 2011, Last Visited 31 March 2020. 

Red Storm Rising, by Tom Clancy, Published by Random House Audio, 28 August 1986, Last Visited 31 March 2020. 

Snow Crash by Neal Stephenson, Published by Spectra, June 1992, Last Visited 31 March 2020. 

The Baroque Cycle Collection: Quicksilver, The Confusion, and The System of the World, by Neal Stephenson, Published by HarperCollins e-books, 12 August 2014, Last Visited 31 March 2020. on

The Hunt for Red October (Jack Ryan #3), by Tom Clancy, Published by Berkley Trade 28 October 1984, Last Visited 30 March 2020. 

Threat Vector (Jack Ryan Universe #15), by Tom Clancy and Mark Greaney, Published by Putnam Adult, 4 December 2012, Last Visited 31 March 2020.

Tubes: A Journey to the Center of the Internet, by Andrew Blum, Published by Ecco, 1 January 2012, Last Visited 31 March 2020.

The Cybersecurity Canon Project,” Palo Alto Networks, Last Visited 31 March 2020.

Why the Future Doesn’t Need Us,” by Bill Joy, Wired Magazine, April 2000, Last Visited 31 March 2020.