The execution of and defense against CNE is vital to our national security, our economy, and our personal privacy and security. Although CNE is a young discipline, it will continue to increase in importance. This book provides a framework for developing the strategies necessary to guide the offensive and defensive actions that will dominate the coming decades of computer security.

I believe that sustained access is and will continue to be the foundation of all offensive operations. Although cyberwar, if it occurs, will be sudden, espionage will remain a game of patience and require the development of long-term capabilities.

The attacking community will continue to be well funded. The sums of money at stake and the national security implications are simply too great. Further, the community will expand to include as-yet undeveloped players, as countries race to keep up with the more technologically advanced by developing or purchasing their own offensive capabilities. The Attackers' collective effectiveness will depend heavily on their professionalism and their ability to conceive and implement strategy.

Meanwhile, though the defensive industry is currently failing quite spectacularly, this is not preordained. The industry must find methods to actively counter offensive principles. Ideas include segmenting communication, inhibiting reverse engineering of defensive products, and rapidly spreading knowledge of methods instead of signatures. These actively counter the principles of precaution, knowledge, and program security, respectively. Any path that does not directly recognize and counter the Attacker's strategy will leave the dynamics of the conflict static, which for the Defender means losing.

Attackers will retain an advantage for the next decade. New espionage campaigns and tools will be stopped and revealed, such as Regin, Turla, and no doubt more before the ink on this book dries, but the balance will remain in the Attackers' favor. The asymmetries and frictions of the space, especially those tied to motivation and focus will require an enormous coordinated effort to overcome. This will be difficult, but it is not impossible.

In 10 to 20 years, I expect the conflict will become more evenly matched. Tolerance for insecurity will plummet as the so-called Facebook generation, with its identities firmly planted in the virtual world, comes to maturity and takes control of company budgets.

A little of this is happening now. When the actress Jennifer Lawrence, of The Hunger Games fame, had her personal pictures stolen and sent out across the Internet, she did not react with embarrassment. She reacted with anger at the infiltrators. Other celebrities reacted with anger at the storage providers that allowed it to happen. Almost immediately mobile providers started introducing stronger defensive measures. If enough people get angry, generate enough negative publicity, and start voting for security with their wallets, the nature of the conflict will change.

The societal tipping point will provide funding and motivation for defense at large. How far it tips will depend on the strategy of the defensive community in the coming years. With the proper groundwork, the coming change in perception could be leveraged to great effect.

As the saying goes, “It's tough to make predictions, especially about the future.” It's hard to know if the defense can wrest away the initiative. There are just too many variables. In the meantime, as we watch the Attacker/Defender dynamic continue to play out, it is my hope that this book will help those involved make better choices in shaping that future.

Good luck. And don't forget to change your password.