CYBERJUTSU

McCarty draws from the techniques of feudal Japan’s ninja warriors in order to develop a complete cybersecurity plan.

The debut author, who once worked as a developer for the National Security Agency and was among the first class of Cyber Warfare Specialists to serve in the Army Network Warfare Battalion, observes that tight cybersecurity has never been more necessary or more difficult, as security specialists and their criminal counterparts are both constantly innovating—locked in what Accenture security research and development lead Malek Ben Salem, in a foreword, calls a “cyber arms race.” McCarty’s approach to the issue is as novel as it is illuminating, as it looks deep into the past. Deeply impressed by “ninja scrolls” written in the 17th century, which were essentially tactical manuals for espionage, he decided that the basic philosophy contained within them could be converted into a “practical cybersecurity field guide.” After more research, he concluded that ninja techniques were “essentially on-the-ground training in information assurance, security, infiltration, espionage, and destructive attacks that relied on covert access to heavily fortified organizations,” which, as a cybersecurity expert, he found highly familiar. At the heart of his strategy is what he calls the “castle theory thought exercise,” in which one pretends to be “the ruler of a medieval castle with valuable assets” and imagines various ways to defend the castle and anticipate invaders’ assaults. He provides a remarkably comprehensive tour of his subject, which is especially impressive for such a concise work that’s well under 300 pages. In it, he covers such topics as mapping networks and authentication and provides unconventional tips, as well; for example, he advises that one be wary of possible “hours of infiltration”—overly predictable routines that provide opportunities for attack.

The author has decades of credentialed experience in cybersecurity, and his professional background is evident throughout the book, which manages to convey his expertise in language that will be generally accessible to laypeople and immediately actionable. The running conceit of the work at first appears implausible—that warriors from a pre-technological era could teach modern readers something about cutting-edge cybersecurity. However, McCarty will convince skeptics, as he provides an elastic and forethoughtful approach to defense based on the warrior philosophy—one that involves constant improvisation and imagination to reveal every conceivable weakness in one’s cyberfortress. As he puts it in the book’s concluding chapter, his overriding message is that it’s always “critical to consume threat intelligence and respond against dynamic threats in innovative ways.” Along the way, he describes something far more aggressive than passive vigilance—a defensive approach that makes extensive use of historical anecdotes, such as a chapter that uses a small medieval village’s distrust of outsiders as an analogy for how permissions are established in a computer system. McCarty not only articulates the elements of his overall philosophy, but also explains its practical applications in rigorous detail, recommending “security controls and mitigations” and concluding every chapter with a helpful synopsis, or “debrief.”

A thoughtful, original, and thorough guide to cybersecurity.