"America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare," by Joel Brenner
Published by Penguin Press (2011)
Reviewed by Benjamin Wittes
Published by The Lawfare Institute
Joel Brenner's America the Vulnerable offers the best general-interest treatment I have yet read of this country's cyber-vulnerabilities. It is elegantly argued, teeming with facts and illuminating anecdotes, sophisticated about technology, and all written with an insider's understanding of the intelligence community. Brenner's thesis, that the United States has made itself enormously vulnerable with its rapidly-acquired dependency on networked computers for just about everything, does not break a great deal of new ground, nor does Brenner offer especially bold prescriptions for the ills he diagnoses. But his book brings the subject together more cogently and cohesively than do prior alarmed warnings about our cybersecurity future. It thus deserves pride of place in a literature we can all hope will read some day as a mere expression of anxiety at modernity--but which we must all fear is prophecy we continue to ignore at our great collective peril.
At a stylistic level, America the Vulnerable is not merely readable. Brenner has crafted it in simple, direct, and engaging prose. While the book deals in technologically complex subject matter, Brenner never gets bogged down in jargon. Nor does he ever get bogged down in the bureaucratic politics that float always just beneath his argument's surface. While Brenner's story and subject may induce despair and depression, his writing is a pleasure. When he tells stories--as he frequently does--they hold whole chapters together. When he uses a metaphor, it sticks. The man knows how to write.
He also has a blunt message to deliver. Brenner served as inspector general to the National Security Agency, and he subsequently ran the Office of the National Counterintelligence Executive. So he knows something about trying to keep secrets--and how difficult this task is becoming. And he has come to a stark set of conclusions on the subject, which he presents unsentimentally in his introduction:
[O]ur inability to figure out who's responsible for illegal behavior on our electronic networks is a fundamental reason why we can't safeguard our personal data, corporate intellectual property, or national defense secrets.
Nor can we ensure the safety of the infrastructure without which our world would collapse: electricity grids, financial systems, air-traffic control, and other networks. All these systems run electronically; all run on the same public telecommunications backbone; and increasingly all run on commercial, off-the-shelf hardware and software that can be bought anywhere in the world. Many of these systems have already been penetrated by criminal gangs or foreign intelligence services--sometimes to steal, sometimes to reconnoiter for uncertain purposes--using offensive tools that are often more effective than our defenses. All of these systems could become targets for disruption in wartime or even during a lower-grade conflict like a diplomatic standoff.
One of the book’s real virtues, as this passage reflects, is that Brenner takes a decidedly unorthodox--but I think profoundly correct--approach to the relationship between privacy and security. Most commentators tend to see privacy and security as in tension with one another, and they treat as threats to privacy well-functioning intelligence agencies. This is, of course, true up to a point, but it misses a big dynamic which Brenner captures. Brenner sees the erosion of both government's capacity for secrecy and the individual’s capacity for privacy as features of the same underlying problem. The problem, in his view, is a degree of transparency in day-to-day life that makes all of us--from Israeli covert operators trying to kill a Hamas leader in Dubai to companies trying to protect valuable intellectual property to each of us in the most mundane activities of our lives--trackable and exposable: "the difficulties of protecting your privacy and mine and the difficulties of keeping secrets in an intelligence agency or corporate office are remarkably alike. Secrecy is to companies and governments as privacy is to individuals. Both rise or fall on the same technologies and cultural proclivities, and at the moment both are falling precipitously."
But ironically, Brenner argues, "[i]f you want to shield yourself against information theft or hide your own identity as you go about your business, it's extremely difficult. But if you want to hide your identity in order to attack a person or an institution, it's unnervingly easy." The result is that we are vulnerable individually; our government institutions are subject to ongoing cyber-espionage; the country is vulnerable as a collective; and our corporations are subject in an ongoing way to a "massive theft of Western intellectual property"--mostly but not exclusively from China.
Brenner’s treatment has another intellectual virtue. In a great deal of writing on the subject of cybersecurity, there is a tendency either to conflate the issues of crime, espionage, and warfare or to disaggregate them completely. The danger of the first error is that it obscures big differences between what are ultimately different problems--problems which may call for dramatically different policy responses. For example, if one were confident we could get cyber-espionage under control and fend off major attacks against critical infrastructure, one might well decide to live with a certain level of identity theft and cyber-stalking--as unpleasant as both are for victims. The danger of the second error is the failure to see linkages and common causes behind problems that, while distinct, are related and may benefit from integrated thinking.
Brenner does an excellent job of adjusting his focal lens continually to give a holistic sense of the picture. So unlike Richard Clarke and Robert Knake's book Cyber War: The Next Great Threat to National Security and What To Do About It, he does not focus particularly on cyber warfare, though he does treat the issue richly. And unlike the privacy activists, he doesn't focus on the privacy problems facing individuals to the exclusion of the related problems facing governments and institutions. But at the same time, he never lumps everything together in a general soup of cybersecurity either. Brenner, rather, describes a general problem--a society that has gone in big for networked computers, convenience, and efficiency and has incurred great vulnerabilities in the process--and he then carefully discusses the quite-different manifestations of that problem at a variety of levels of society.
Throughout the book, Brenner's experience in the intelligence community is very much on display. This is not a kiss-and-tell book. It's not in any sense a memoir about Brenner's service in government. Rather, it’s a book about an issue. But it is, at the same time, pervasively informed--and enriched--by the things the author has seen. While Brenner doesn't tell any classified secrets--and may, in fact, even play coy and stick to the public record about matters on which he knows a great deal--he does talk with a great familiarity about intelligence operations and the concerns within the community, and he puts things together in ways that certainly reflect more knowledge than he is allowed to share. He knows the community’s culture intimately--what it does well, and what it will never do well. So, for example, when he criticizes the tendency to dress up journalism as intelligence analysis and classify it, the critique has a wizened air. At one point, he describes having compared classified intelligence reports on the 2007 French presidential race to news coverage in the New York Times, the Washington Post, and Le Monde. "There was no information in the official reports that could not be found in the Times and the Post, and none of these American sources was as detailed or interesting as what I could read in Le Monde," he writes. "Rehashing unclassified information about foreign affairs is a long mile from the core business of intelligence, which is stealing secrets."
Brenner's book has, in my judgment, three main weaknesses. The first, as I mentioned above, is that his thesis isn't all that novel. The book really amounts to an argument that as a result of networked computers, we're all suddenly a lot more vulnerable--individually and collectively--that we're not doing enough about it, and that there's going to be a heavy price for our inaction, one we are already invisibly paying but which could become catastrophic. Brenner makes the case better than I've seen it made before, but the case is not new. Jack, for example, has been making this argument for some time, as has Stewart Baker. And warnings of the catastrophic electronic Pearl Harbor have been floating around for years. And many of the themes Brenner fleshes out will have a familiar ring to people who have read writers like Bruce Schneier over the past couple of decades. Brenner is admirably candid that his concerns are not new. He starts his final chapter with a recitation of the legion of high-level executive branch statements--dating back to the first Bush administration--that America has a serious problem on its hands. That said, the reader looking for a fresh take on the problem will probably emerge disappointed. Brenner distills and analyzes it beautifully and brings a wealth of examples and anecdotes to the table to describe aspects of it. But the problem will not surprise the reader who has not been living in cyber-denial for the past decade.
Second, like almost everyone else who has written on this subject, Brenner is far stronger in diagnosing the problem than he is on proposing solutions to it. His final chapter has some useful policy suggestions: on enhancing internet service provider reporting on botnet attacks, for example, and on organizing government--and the intelligence community--to confront the problem. But it reads like a thin gruel given the magnitude of the problem he describes. I don't want to be too hard on Brenner here, because this problem's roots lie in one of his book's real virtues: He does not want to overpromise in the way of solutions, because the constellation of problems he's describing are tremendously difficult and defy magic bullet proposals. Still, if I were a policy-maker reading this book for guidance, I might feel a bit let down: If I moved mountains to implement each and every one of Brenner's recommendations, the country's next Pearl Harbor might still be laid at my feet by the next 9/11 Commission.
Finally, Brenner's book, like a lot of the literature on this subject, goes light on the potential role of offensive cyber operations in addressing the vulnerability problem. Brenner alludes to offense as a form of defense near the end of the book in the military context, when he writes that,
If you wait for the incoming danger to reach you, you won't be able to defend against it. CYBERCOM [the new military command devoted to cyberwarfare and cyberdefense] solves this problem by letting the general in charge of defending national security networks use offensive tools outside his networks in order to know what's coming. To be blunt, espionage is an essential aspect of defense. To know what's coming, we must be living inside our adversaries' networks before they launch attacks against us.
But these words appear in the context of higher-grade attacks against higher-level military networks. If one takes the rest of Brenner's book seriously--and I do--that is actually not the place where America seems to be most helpless. The greatest vulnerability lies in the pervasive attacks on the totality of our networked infrastructure--the daily exfiltration of terabytes of valuable data, the penetration of civilian critical infrastructure systems in a fashion that could lead to catastrophic attack, and the vulnerability of the financial system. Brenner does not discuss what role offense might play in creating a kind of forward defense for these areas. But the same logic Brenner describes with respect to CYBERCOM should be part of the conversation here; offense is a piece of the defensive puzzle. While we have trouble attributing individual attacks, we know in general--and often in very specific terms--who is coming after us. Brenner, for example, discusses at some length an institution called Lanxiang Vocational School, which he describes as a training ground for the People's Liberation Army computer operations and as one of the homes of the computers from which the attacks on Google emanated. Retaliatory attacks on such institutions--of one sort or another--seem to me a legitimate part of the picture. I would certainly not be sorry if individuals known to be working in institutions that are actively attacking us should suddenly find themselves victims of, say, identity thefts or subject to embarrassing disclosures of their personal failings. More generally, I see no reason why just as China is attacking us where it hurts, we should not be doing the same to them--for example, constantly endeavoring to degrade the Great Firewall of China--about which the Chinese care a great deal. There are people and institutions whom our criminal justice apparatus and diplomacy cannot reach, and covert operations against such targets must of course be deniable. But that does not mean that we cannot raise the cost to individuals, states, and organizations of eroding our security.
I assume--and I would certainly hope--that our operators are engaged in a fair bit of offensive activity. But Brenner's book, undoubtedly because of classification hurdles, contains scant discussion of what we can be or should be doing affirmatively to attack those who are attacking us when we can identify them, and those who are sponsoring them when (as is far more often the case) that level of attribution is obvious enough.
These criticisms, however, are ultimately minor. Brenner has, at day's end, produced a very important book--one that distills and synthesizes years, even decades, of warnings into a crisp call to action. That this call will likely be, like so many before it, given concerned notice but then not adequately acted upon does not make it less compelling.