Cyber Canon Book Review: "Threat Vector" by Tom Clancy and Mark Greaney
Book Reviewed by: Rick Howard
Bottom line: I don't recommend this book for the Cybersecurity Canon Hall of Fame, but it is an excellent novel that gets the cybersecurity details right.
Review:
I’m a retired Army veteran who grew up reading Tom Clancy novels. Soldiers passed around “The Hunt for Red October” and “Red Storm Rising” because they were thrilling adventures but also showed understanding of how the military works. They were pro-military and pro-service-to-the-nation. Clancy pretty much invented the techno-thriller genre, or at least put it on the map. As a soldier, it felt good to imagine yourself in a Tom Clancy world.
He and his collaborators have gone on now to publish scores of these kinds of novels; too many to count. “Threat Vector” caught my eye because “cyber” plays a pivotal role in the story and they largely get the cyber right. Jack Ryan Jr. is the main character in the story and he’s the son of Jack Ryan Sr., who’s the President of the United States (in the previous Clancy books, Jack Ryan Senior was the main hero).
Many times, novelists wave their hands at cyber in a "Deus ex machina” kind of way to move the story along. For example, a bad guy breaks into the NSA by magically guessing the NSA’s password, which is “password.” That is unlikely to happen. I call that the “Harry Potter” cyber. In this book, however, Clancy and Greaney paint realistic scenarios of how “cyber" might be used by government espionage entities to spy on each other and by the military in acts of war. Some examples include:
- Honey Traps: This is not necessarily a cyber move, but is illustrative of what is possible if you travel to China. By law, Chinese commercial organizations must do what the state demands. This means that the state has installed surveillance equipment everywhere and, at the very least, Chinese officials closely watch foreigners who travel to the country. At the extreme end, foreigners could get caught in what is known as a “honey trap.” In this book, a beautiful Chinese woman lures a married American to her room for sex. Chinese officials break into the hotel room and convince the American to work for them or they will tell his wife.
- Malware Analysis: In the book, after the Chinese compromise the American with the honey trap, they get him to deliver compromised hard drives to Jack Ryan Jr.’s undercover company front called “The Campus.” The Campus CTO realizes that an intruder has penetrated his defenses and finds a piece of the malware responsible, so he reverse-engineers it. In other words, he determines what the code did and how it did it. This is exactly what security analysts do when they are researching Adversary Playbooks.
- Back Door Installation: This is a common move by many intelligence agencies in the real world, including the U.S. and China. The idea is to secretly plant technology into common commercial tech, like routers, switches, computers, etc. If they are successful, the intelligence agency can easily use their “back door” to steal intellectual property or to destroy/degrade operations. When you read headlines saying the U.S. is concerned about the Chinese company Huawei, a commercial producer of networking equipment, back doors are the concern. But the U.S. does it too. For example, according to David Sanger’s book, “The Perfect Weapon,” President George W. Bush authorized Operation Quantum, which was a multi-pronged cyber operation to "bore deep into Huawei’s hermetically sealed headquarters in Shenzhen, crawl through the company’s networks, understand its vulnerabilities, and tap the communications of its top executives.” Sanger writes that they wanted to “exploit Huawei’s technology so that when the company sold equipment to other countries – including allies like South Korea and adversaries like Venezuela – the NSA could roam through those nations’ networks.”
- Phone Tracker: In the book, Jack Ryan Jr.’s compromised girlfriend installs a software phone tracker onto his phone. This is the reason that co-workers hassle you when you walk away from your work computer without logging off. If bad guys have access to your system, they don’t have to hack at all. So, Junior’s girlfriend simply installed a program on Jack’s phone that allowed the bad guys to track his movements – think FindMyPhone for cyber espionage purposes.
- Social Engineering: In any spy story, social engineering plays an important role as part of the spy’s tool kit. In the real world, cyber adversaries use a version of it to trick victims into doing things they shouldn’t like click on a link or visit dodgy websites. This book is filled with examples from both the good guys and the bad guys of human-on-human social engineering.
"Threat Vector" is typical spy-thriller stuff. China threatens to take control of Taiwan and the U.S. objects. For me though, the fun was riding along with how the authors think nation-states will use cyber in future conflicts. “Threat Vector” is not hall of fame material, but if you want a great beach read where the authors get the cyber right, this is a good one to take with you.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!