BKINFWFR.RVW 20020721 "Information Warfare", Michael Erbschloe, 2001, 0-07-213260-4, U$29.99 %A Michael Erbschloe %C 300 Water Street, Whitby, Ontario L1N 9B6 %D 2001 %G 0-07-213260-4 %I McGraw-Hill Ryerson/Osborne %O U$29.99 800-565-5758 905-430-5134 fax: 905-430-5020 %O http://www.amazon.com/exec/obidos/ASIN/0072132604/robsladesinterne %P 315 p. %T "Information Warfare: How to Survive Cyber Attacks" In both the preface and the introduction, the author makes a point of stating that this book is different from others in the field, that it does not simply use the old military paradigm to analyze information warfare, and, as a result, will be more useful to business. It is, therefore, rather startling to find, in chapter one, background basics that stick strictly to the military model. Everything is presented purely from the perspective of single attacker and single defender, and it's definitely black hat versus white. The model thus constructed is weak in several areas, and would not seem to be able to even address a number of issues. For example, writers such as Dorothy Denning (cf. BKINWRSC.RVW) postulate the potential harm that can arise from corrupted data and other misinformation, which may be used for purposes ranging from propaganda to degrading decision systems. And what do we do about business situations, where today's colleague may be tomorrow's competitor? Chapter two uses profligate verbiage to list a few points about economic impacts that will come as no surprise whatsoever to anyone with the slightest background in business impact analysis. In chapter three, Erbschloe turns to fiction. He proposes a scenario in which a gang of cyber-terrorists causes one trillion dollars worth of damage. In doing so, the author demonstrates that a) his experience in information warfare is limited to viruses, b) his experience with viruses is limited to Loveletter, and c) he believes all the movie stereotypes about "hackers." Black hat communities are seldom as cosmopolitan as the one proposed. They are never as original: multiple viruses based on the model used would quickly be caught by generic means. It is also a lot easier to write simple virus variations than it is to break into specific targeted systems for specific targeted information. We are told, in chapter four, that in order to fight against the information warfare threat, all governments and militaries must get together. (Can we hear a chorus of "And do it my way!" swelling in the background?) Then we have a relay of military strategies in chapter five. Supposedly chapter six turns to corporate strategies, but with the emphasis on terrorists and the FBI, we seem to be back to the military again. A number of tables are used to assert that terrorists and rogue criminals are interested in attacking various industries. (Proof of these statements seems to be singularly lacking.) Chapter eight lists companies proposed to be in the "information warfare" reserve: able to provide expertise in the event of an attack. In light of the recent business debacles, these lists unintentionally provide some of the most humorous reading in the book. (For those who know the security problems of some of these companies, the lists are even funnier.) Tellingly, the material on the civilian "casualties" of infowar, in chapter nine, is the most restricted in the book. Chapter ten seems to move into fiction again. Erbschloe, without much in the way of evidence, says that the "geek in the basement" brigade is now about to turn pro, en masse. (He also states that we are going to have a skilled and active black hat population of 600,000 by 2005.) The statement, in chapter eleven, that we need more skilled law enforcement people is unsurprising, and also unhelpful. The conclusion, in chapter twelve, that we need more money and attention for security is equally useless. This is a verbose reiteration of minor points that are evident to anyone with any background in security, let alone specialists in the information warfare field. Mind you, the book was probably not intended for experts. However, readers with no knowledge of data security are likely to be misled. They will feel that they have been taught about information warfare. They haven't. copyright Robert M. Slade, 2002 BKINFWFR.RVW 20020721