I've been in the information security field just about my entire professional life, both in and out of government, and I've been hearing people sound the alarms about "cyber warfare" for at least the last 15 years. Most of the time their grasp of the technical aspects is limited, they don't have a clear idea about what they're talking about, their scenarios read like movie plots, and they're usually trying to win government contracts. Although this book does have some serious shortcomings, Clarke's book is without a doubt the clearest and best work I've seen on cyber warfare. I'll lay out his book and his thesis first, then I'll tell you where I thought he fell short and what I thought of it.
Clarke first gives an overview of all the instances to date where cyber attacks have been used by state actors. In all cases but one (the Estonia attacks in 2007), the cyber attack was used to enhance a conventional attack. This is actually the best such overview I've seen, includes some examples I hadn't heard of before, and Clarke's analysis is spot on. The only thing he didn't include was the very recent "Operation Aurora" (Google it if you want details), which probably occurred after he finished writing the book.
The book then has a detailed discussion of American policy on cyber warfare, and Clarke details all the developments to date. Since Clarke worked for presidents Clinton, Bush, and Obama on national security issues, this book provides a front-row seat to the ins and outs of the way our policies have developed. Clarke also details what is known about the cyber war capabilities of other countries, including China, Russia, and North Korea.
Only then does Clarke begin to go into the technical aspects of cyber attacks, but the technical stuff is very high level (the back cover description explicitly says that this book goes "beyond the geek talk"). He really is just trying to show the potential damage that can be done with cyber attacks. (In other words, this is the part of the book where he tries to scare you.)
Clarke then discusses what he views as the primary reasons there has not been significant action in the area of defending against concerted cyber attacks. It is, in my opinion, a very realistic and fair analysis which avoids finger pointing. He then starts to lay out what he feels are reasonable defenses that the US must begin to take.
In the last part of the book he lays out a clear agenda for defending against cyber attacks which includes a mix of regulation (he admits it's a dirty word but thinks it's necessary), more technical controls at major network boundaries, and an expanded scope for DHS to protect the civilian infrastructure too. He also discusses international arms control treaties, and appears to be a big fan of some international cyber war treaties, which, like nuclear arms control treaties from a generation ago, could be used to create "rules of the game" for international war.
As I said in the beginning, this is without a doubt the best piece on cyber war I've ever read. He really does an excellent job of covering everything from the history to the players to the regulations to the endless possibilities. The one place where I feel he misses the boat is in some of the technical aspects. He admits to not being a technical person, and does make a few technical errors, although they're all far too minor to be worth mentioning. My real issue is that in all his scenarios he starts with the assumption that every combatant (like, say, the USA and China) has successfully hacked into every network that the other side controls, and left backdoors to get back in. Further, none of these backdoors have been discovered and removed. As someone who does this for a living, I can assure you it's not that simple. While I have no doubt that a government spending considerable resources could certainly gain access to many networks in a relatively short period of time, and if they left backdoors some might not be discovered, if someone left too many backdoors some would certainly be discovered. Breaking in is not as simple as just pushing a button like it is in the movies - in fact, recent studies have shown that the average security breach is the result of four separate mistakes. While mistakes are made all the time (which means that breaches occur all the time _somewhere_), it's much harder to cause breaches in every system you target all at once. In several places, Clarke's dire warnings fall into the trap of imitating movies more than real life. I will admit that as a technical person this is my bias showing, and I realize that this book is still largely intended to be a policy one, which is why I still give it a very positive rating. I would simply be remiss if I let this pass unmentioned.