CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.
Four cybersecurity novels to distract you from the current zombie apocalypse.
Threat Vector, Tom Clancy and Mark Greaney,
Neuromancer, William Gibson,
Breakpoint, Richard A. Clarke,
Cryptonomicon, Neal Stephenson,
As I write this, the CyberWire team is basically a month into our self-quarantine to keep everybody safe--our staff, of course, but also everybody that we would have encountered in public if things were normal. As the visceral impact of exponential math in a virus outbreak becomes a reality to us all, it’s easy for a feeling of existential dread to creep in. But be of stout heart. Take a couple of deep breaths. We will get through this, but not if we push the existential needle into the red zone twenty-four hours a day. This is a marathon, not a sprint. We need to find a way to let off some of that existential steam.
My own personal mechanism is dog walking around the neighborhood— staying the requisite +6 ft from the other dog walkers— and listening to audiobooks and podcasts. I’m going to write about some of my favorite podcasts later down the road, but today it occurred to me that we all could use a little escapist entertainment; something to get us out of our heads for a bit. And if the material had some tangential connection to cybersecurity, however loosely, I might even be able to chalk up these walks to my boss as “research” or “training” or “self education.” So far, I think he’s buying it.
Harry Potter-ish vs Tom Clancy-ish.
Which brings me to my favorite cybersecurity novels. The thing about this genre of niche books is that they generally fall into two categories: "Harry Potterish cyber novels'' and "Tom Clancyish cyber novels." "The Harry Potterish cyber novels'' are usually engaging stories that have a cyber component to the narrative, but the cyber part of it is totally preposterous. The hackers do a lot of hand-waving and say a lot of magic words like “Sending spike now!” or “Breaking encryption, this will just take a couple of seconds,” but you never really see how they accomplish those tasks. My best example here is Dan Brown’s “Digital Fortress.” If you’re a fan of “The Davinci Code,” one of Brown’s most popular, you know that the author can tell a compelling story. That’s evident here too, but the thing that puts this into the "Harry Potterish cyber novel" category for me is how the bad guy breaks into the NSA’s super-secret network. In a novel that’s supposed to be about “cybersecurity” stuff, the bad guy gets in by guessing an administrator’s password which is literally “password.” Now, there are many things you can say about the real-world NSA, both good and bad, but that the password to their super secret network would be “password” is ludicrous. My advice: read “Digital Fortress” for entertainment, but don’t try to convince the boss that it was training material.
In contrast, the "Tom Clancyish cyber novel" is also an engaging story but, the cyber components are realistic, or at least possible. I’m an old, retired, Army guy. I grew up reading the original Tom Clancy novels back in the 80s. Soldiers passed around The Hunt for Red October, and Red Storm Rising because they were thrilling adventures, but also because Clancy got how the military works. He was pro-military and pro-service-to-the-nation. Clancy pretty much invented the techno-thriller genre, or at least put it on the map. As a soldier, It felt good to imagine yourself in a Tom Clancy world.
Threat Vector, by Tom Clancy and Mark Greaney.
The best example of a "Tom Clancyish cyber novel” is actually a Tom Clancy novel. The book is called Threat Vector, and the Clancy team published it in 2012. The nation-state cyber world was a bit different back then compared to how it is today. It wasn’t public knowledge, yet, that political actors weren’t going to conduct cyber battles per se in a purely digital war. We knew it, but nobody was talking about it out loud. It wasn’t public knowledge yet that political actors could use something akin to a continuous low-level cyber conflict against their enemies in cyberspace without actually having to conduct a physical war. Today, that’s common practice among Russia, China, Iran, North Korea, the United States, and others. But in 2012, we were still thinking that our biggest fear was a physical military threat from China, and that’s what the story of Threat Vector revolves around. Still, there are some realistic cyber techniques the characters demonstrate:
- Insider threat operations using honey traps to compromise an employee and using him to install a backdoor to an intelligence agency.
- Laptop video camera compromises.
- Phone trackers.
- Malware analysis.
- Social engineering.
- Cyber first strike to precede any physical combat operations.
Threat Vector is a lot of fun, and you might even learn a thing or two here.
Neuromancer, by William Gibson.
My next "Tom Clancyish cyber novel” recommendation is a classic written by William Gibson back in 1984, Neuromancer. It won several science fiction awards (a Nebula, the Philip K. Dick Award, and a Hugo Award). In 2005, Time magazine listed Neuromancer as one of its top 100 English-language novels written since 1923. Literary scholars have credited Gibson with one of the best ever opening lines:
“The sky above the port was the color of television, tuned to a dead channel.”
Now, that’s some good writing.
The main Neuromancer character is Case, a world-class cowboy-hacker who’s fallen from grace. The government caught him doing something stupid and, through surgery, made it impossible for him to ever “jack” into “cyberspace” again. He joins a misfit team: the Leader, Armitage (ex-military); the Assassin, Molly (a beautiful cyborg); the Techie, Finn (a prototypical scrounger); and the Mentalist, Peter (a psychopathic mind bender). The reader is never really sure what the team’s ultimate objective is until close to the end of the story, but along the way we get plenty of Kung Fu between the assassin and every bad guy we meet, love-making between the hacker and the assassin, and a verbal description of what it means to hack that is eerily similar to how modern computer gamers play almost 40 years later. Gibson invented and clarified the language that we are still using today ten years before it became mainstream. He coined the word "cyberspace," launched the "cyberpunk" genre, pontificated about "the singularity," guessed that "hacktivism" would be a thing, and understood that we would need "Google search" long before any of us even knew how vital that service would become. It’s a must-read for every cyber security professional, not because you will learn new insights into your craft, but because you will understand why this book was so influential to the cyber security zeitgeist back in the day.
Breakpoint, by Richard A. Clarke.
I would be remiss if I didn't add Richard Clark to my list of favorite "Tom Clancyish cyber novel” authors. In his government career, he served for an unprecedented decade of continuous service to three U.S. Presidents (Bush-41, Clinton, and Bush-43). He was part of the White House National Security Council, was the Special Assistant to the President for Global Affairs, was the National Coordinator for Security and Counter-terrorism (“Terrorism Czar’), and was the Special Advisor for Cyberspace (the first “Cyber Czar”). He’s traveled some rough roads in his career. But he also uses novels to explain complex policy ideas to the masses.
Back in 2007, he published Breakpoint. If you like Michael Crichton stories like Jurassic Park, Disclosure, and Airframe, you will like this book. He does a good job explaining what could be done in cyberspace by a well-resourced adversary. As a side plot, you learn a little about the ethical issues, pro and con, surrounding the transhumanist Movement, which advocates using performance enhancement technology to influence human evolution.
The bad guys in this novel destroy several key beach head routers on both U.S. coasts that reduce inbound and outbound internet traffic to just 10%, launch a buffer overflow attack against a communications satellite that sends it reeling out to space, use a SCADA attack to blow up a research institution with a live nuclear reactor, and execute another a well-coordinated SCADA attack that takes out all power west of the Mississippi. In the real world, most network defenders are worried about how such things could happen today. Clarke was writing about them over a decade ago.
I don’t know this for sure, but I think the main bad guy in Clarke’s story is based on the Internet founding father, Bill Joy. Joy created vi, the original UNIX text editor. He had a big hand in creating BSD UNIX, the precursor to LINUX and, for all intents and purposes, created the first working software implementation of the TCP-IP stack. He went on to co-found Sun Microsystems; a company that built some of the most beautiful UNIX machines of the time. And then, out of nowhere, in 2000, he wrote an article for Wired Magazine decrying the transhumanist movement. To have somebody of that stature, a legend, really, on the same level as Vint Cerf, Tim Berners-Lee, and, sure, Al Gore, come out against the advancements of science made the entire scientific community pause for a beat. Some were comparing his manifesto to Albert Einstein’s letter to President Eisenhower that argued against the use of nuclear weapons. If somebody like Bill Joy says that we need to think a bit before we go forward with transhumanism, then maybe we better do it.
Just an aside, tech nerds like me like to poke fun at Vice President Gore for getting credit for inventing the internet. But he did have a significant role to play. According to Andrew Blum’s fantastic book Tubes, then-Senator Gore sponsored and helped pass the High Performance Computing and Communication Act that, "got the Internet out of its academic ghetto.” He never claimed that he invented the internet either, but the origin of the phrase “information superhighway” came from this bill. From Blum:
[...] rather than putting shovels in the ground to build it, government policymakers catalyzed private companies to do it for them, by funding the construction of 'on-ramps.' A network access point, or NAP, as they called it, would be 'a high-speed network or switch to which a number of networks can be connected via routers for the purpose of traffic exchange and interoperation.
This essentially turned the early academic internet mesh network into a commercially viable hub and spoke network that could facilitate the anticipated rising bandwidth requirements.
But let’s get back to “Breakpoint.” The bottom line here is that this book is a fun political thriller that gets the cyber security stuff right.
Cryptonomicon, by Neal Stephenson.
Let me recommend one more. It is my favorite hacker novel of all time: Cryptonomicon, by Neal Stephenson. I use the word “hacker” here from the old-school definition; not computer trolls who spend their time breaking into systems for fun and profit, but technological wizards who have a genuine passion for learning about how things work, and making the world a better place with that knowledge. These are the kind of people that Joe Menn describes in the book he published last year, The Cult of the Dead Cow.
I admit it: I am a fan-boy of Mr. Stephenson. He has written several of my favorite hacker novels over the last almost three decades:
- Snow Crash (1992) – A classic in the cyberpunk genre.
- The Baroque Cycle (2003) – A three-volume collection of historical fiction that weaves in some old-school hackers like Sir Isaac Newton and Gottfried Wilhelm Leibniz who are related to some of the fictional characters in Cryptonomicon.
- Reamde (2011) – A modern-day hacker novel that touches upon many of the same themes as Cryptonomicon.
And, the Cybersecurity Canon Committee, the group that selects books for the cybersecurity hall of fame, awarded him a lifetime achievement award last year.
Stephenson uses Cryptonomicon as his personal petri dish to explore some wide-ranging ideas. He touches on everything from the impact of Allied code-breaking during World War II, to the importance of Dungeons and Dragons to modern-day geeks, to the jaw-dropping complexities of twentieth-century banking, to the necessity and procedures for getting the correct ratio of milk to Cap’n Crunch kernels in your morning cereal, to the horrors experienced by soldiers and civilians in the Philippines during WWII, to the significance of cryptologic systems in our state-of-the-art world, to the excitement of a present-day treasure hunt, and, most importantly, to the beauty of family ties across numerous generations. Stephenson also manages to drop-in cameo appearances from some historical figures that you would not normally associate with each other, such as Alan Turing, General MacArthur, Lieutenant Ronald Reagan, and Hermann Goering.
As you might expect, it’s a dense read. One fan, author Charles Yu, describes the book this way:
"A copy of Cryptonomicon has more information per unit volume than any other object in this universe. Any place that a copy of the book exists is, at that moment, the most information-rich region of space-time in the universe."
You get the idea. It’s not a novel you are going to get through on a weekend.
One of Stephenson’s great gifts is his ability to juggle many seemingly unrelated and interesting characters within a story and then surprise the reader about how they are all connected. He crafts four main narrative arcs in Cryptonomicon, and uses a parade of major and minor characters that intersects at key moments to propel the story. Three of the arcs happen during WWII, and the fourth happens during the Internet boom of the 1990s:
Team Bobby Shaftoe: Shaftoe is a US Marine who starts the story in the Philippines just before WWII, loses his Filipino fiancée because of the ravages of war, becomes one of the operating arms of the Allied codebreakers at Bletchley Park, and spends a good portion of the book working his way back to the Philippines to find his lost fiancée.
Team Goto Dengo: Dengo is a Japanese military engineer. He gets caught behind enemy lines, escapes and evades his way across New Guinea, and eventually ends up as the primary engineer to design and build one of the tombs in the Philippines that the Japanese leadership plans to use to store large amounts of pilfered gold ( a true story, by the way). The tomb is the object of the treasure hunt that binds the entire book together across multiple generations.
Team Lawrence Waterhouse: Lawrence is a US cryptologist in the Pacific theater of operations who spends his time breaking Japanese codes. He is friends with Alan Turing, and Stephenson uses this relationship to explore code breaking in general and the nuances of information theory during a world war. The nuance here is diabolical. Because the Allies had broken the German Enigma encryption scheme and pretty much knew the orders of the German field commanders before they did, how many times could they act on that intelligence to save lives before the German’s figured out that their system was broken? The implications of that question are heartbreaking. The word “cryptonomicon,” from the book’s title, is a collection of code-breaking techniques that Lawrence inherits and develops throughout the story.
Team Randy Waterhouse: Randy is Lawrence’s direct descendent in the present day (1990s). He and a group of college buddies, who played Dungeons and Dragons during their school years, have banded together to form a start-up. They want to build something called the “Vault” in the Philippines, which is a sort of data haven that anybody can use to store whatever kind of digital information they want free and clear of government intervention. Along the way, Randy partners with the Shaftoe family (related to Team Shaftoe) who runs an underwater salvage company, helps build the vault, and becomes an essential partner in the treasure hunt.
Just so you don’t think that this book is only about men and math and computers and commando operations, Cryptonomicon has three fairly decent love stories. I already highlighted Bobby Shaftoe’s epic journey to find his fiancée, but both Waterhouse boys get their share of romance too, especially Randy. It’s amusing to watch these two brainiac math and computer wizards try to reduce the world to binary equations on one hand and, on the other, become completely befuddled with the mysteries of the opposite sex. It is sweet and funny and spot-on for how the Dungeons and Dragons crowd approaches girls. Well, at least I recognized myself in their bewilderment.
While these orbiting characters bounce off of each other through nearly 1,000 pages, Stephenson also tosses in a mix of some groundbreaking math ideas from the likes of Kurt Gödel and his incompleteness theorems, Alfred North Whitehead and Bertrand Russell and their re-imagining of the math ecosystem in Principia Mathematica, Alan Turing and the Turing Machine thought experiment that changed the world, and Bernhard Riemann and his zeta function. Stephenson also dips his toes into modular arithmetic, probability distributions, information theory, and cryptanalysis. But don’t let the math scare you away. His intent here is to introduce these subjects to the uninitiated, and he is a pretty good teacher.
Cryptonomicon is the quintessential hacker novel. It is unique in that it qualifies in two different categories: “books for important historical context” and “novels that don’t exaggerate the genre.” For historical context, Stephenson describes a story that is set around the intersection between the discovery of world-changing math insights and the incipient designs of our computer science founding fathers. That intersection is ground zero for our chosen profession—cybersecurity—and the hacks that we see Team Randy Waterhouse perform are interesting and well within the realm of the possible. But with all of that, Cryptonomicon is not an easy read. It is dense with ideas. You do not skim through this looking for the good parts, but if you take the time to savor the journey, you will not be disappointed. There is something for everyone here, and you owe yourself the pleasure of finding your favorite part.
Distractions during the crisis.
Those are my recommendations for cybersecurity novels to keep you distracted during the pandemic. We are all going through this experience together but separated. It may seem like you need to stay focused on the crisis 24 X 7. But there be dragons in those waters. Take a moment for yourself. Curl up with a good book, any will do, but consider one or more of my four favorites. Remember, listening to an audio book counts as reading. And, If you can convince your boss that it has something to do with cybersecurity, even the better.
Breakpoint, by Richard A. Clarke, Published by Putnam Pub Group, 16 January 2007, Last Visited 31 March 2020.
Cryptonomicon, by Neal Stephenson, Published by Avon, May 1999, Last Visited 31 March 2020.
Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, by Joseph Menn, Published by PublicAffairs, 4 June 2019, Last Visited 31 March 2020.
Digital Fortress, by Dan Brown, Published by Corgi books, 1998, Last Visited 30 March 2020.
Neuromancer, by William Gibson, Published by Ace, July 1984, Last Visited 31 March 2020.
Reamde, by Neal Stephenson, Published by William Morrow, 20 September 2011, Last Visited 31 March 2020.
Red Storm Rising, by Tom Clancy, Published by Random House Audio, 28 August 1986, Last Visited 31 March 2020.
Snow Crash by Neal Stephenson, Published by Spectra, June 1992, Last Visited 31 March 2020.
The Baroque Cycle Collection: Quicksilver, The Confusion, and The System of the World, by Neal Stephenson, Published by HarperCollins e-books, 12 August 2014, Last Visited 31 March 2020. on
The Hunt for Red October (Jack Ryan #3), by Tom Clancy, Published by Berkley Trade 28 October 1984, Last Visited 30 March 2020.
Threat Vector (Jack Ryan Universe #15), by Tom Clancy and Mark Greaney, Published by Putnam Adult, 4 December 2012, Last Visited 31 March 2020.
Tubes: A Journey to the Center of the Internet, by Andrew Blum, Published by Ecco, 1 January 2012, Last Visited 31 March 2020.
“The Cybersecurity Canon Project,” Palo Alto Networks, Last Visited 31 March 2020.
“Why the Future Doesn’t Need Us,” by Bill Joy, Wired Magazine, April 2000, Last Visited 31 March 2020.