In our first jobs in cybersecurity, at the Pentagon in 1998, Greg Rattray and I had to help the Air Force to “normalize” cyber and other information operations. But was it more “normal” to treat such operations as an aspect of intelligence or instead as warfighting in a new domain? Our answer matters little to history, as the Air Force and Pentagon subsequently seesawed many times about what was “normal.”

Jon Lindsay’s “Age of Deception” sides with those saying cyber operations predominantly serve intelligence functions. Since cybersecurity is driven by the “logic of deception,” normalizing it requires treating it as a new form of an ancient type of international contest, what he calls “secret statecraft.”

“Age of Deception” is two books in one. The first explores secret statecraft, drawing from international relations, intelligence, and cyber conflict. Anchored in crucial case studies, it provides novel insights about how the logic of deception affects gray-zone cyber competition between states.

The second book extends that foundation to claim that all of cybersecurity—not just the competition between states taking place in cyberspace, but all of it—is best seen through the lens of deception. Here Lindsay overreaches. Deception of course matters, but he overlooks other key factors, especially vulnerability.

Deception in cybersecurity may never have received such sustained attention from an academic of Lindsay’s caliber. His book deserves the attention of all those interested in the ways in which governments use their intelligence and cyber capabilities.
The book’s importance would have been magnified had he either focused more fully on developing his theory of deception and secret statecraft or more systematically addressed the complex ways deception plays out across all of cybersecurity.

Deception and Secret Statecraft

“Secret statecraft,” the book begins, “is the use of organized deception for strategic advantage.” And while it is an ancient practice, “cyberspace dramatically expands the scope and scale of secret statecraft,” expanding the opportunities “but also its liabilities.” After all, Lindsay argues, “if technology gives advantages to the offense in intelligence then defenders can enjoy the same advantage in counterintelligence.”

Lindsay’s theory of secret statecraft uses well-chosen case studies to demonstrate how “vulnerable institutions (a permissive operational environment) and clandestine organization (a proficient operational actor) improve intelligence performance (persistent secret channels)” as actions across intelligence contests.
His cases—Bletchley Park in World War II, Stuxnet, Russia’s 2016 election interference, and Chinese cyber power—are indeed “critical cases” in the history of cybersecurity that “any theory of intelligence performance must be able to explain.”

And explain them he does, to me most convincingly for the joint U.S.-Israeli Stuxnet malware program, as “secret statecraft offered a third option” to disrupt Iranian nuclear enrichment, “between war and doing nothing.” Lindsay explains how the United States “used covert action to dissuade Israel from starting a preventive war [and] encouraged Iran to enter diplomatic negotiations.” Readers will especially appreciate Lindsay’s candid assessment of his earlier take on Stuxnet, framed as a case of cyberwarfare, compared to the greater explanatory power of the lens of secret statecraft.

His theory, backed by these cases, leads to important insights:

“Network intrusions are at once a normal feature of global politics and an enduring source of dread, threatening yet tolerated, provocative yet restrained, alluring yet frustrating, neither peaceful nor warlike.”

A “paradoxical feature of the digital liberal order is that it interconnects its own challengers”

“It is profoundly mistaken to describe cyberspace as anarchy. On the contrary, cyberspace is the largest experiment in institutions that we have ever had.”

“The most complex system of control ever devised by humanity, in turn, gives rise to the most complex contests of deception in history.”

“We have China to thank, in no small part, for the professional state of the art in cybersecurity today.”

Lindsay is slinging truth here, and I wish there were more of it. Countless tiny details—such as the internal schematics of Germany’s Enigma machine—could have been dropped to leave room for other predigital cases, such as Washington’s Culper ring or Richelieu’s “Cabinet Noir”.
It is likewise a shame that his Russia example includes only the 2016 election interference, untethered from previous dark exploits of the NKVD or KGB or current sabotage and assassination plots of the GRU.

Such cases would have added strength to his arguments that the patterns of deception are timeless and will not be changed, for example, by changes in technology such as artificial intelligence (AI).

And while many readers will appreciate the case study on Chinese cyber power, a narrower case study on Chinese theft of intellectual property would have better built on the prior case studies. Or Lindsay might have tested his theory by comparing China’s cyber power with Russia’s, Iran’s, and the United States’, as Daniel Moore does in his 2022 “Offensive Cyber Operations.”

Still, readers interested in the interplay of intelligence, international relations, and cyber will gain many historical insights from these chapters.

Jamming Cybersecurity Into a Deception-Based Theory

The book is not as convincing that all of cybersecurity should be understood through Lindsay’s preferred lens of secret statecraft and deception.
It was hard at times to understand whether statements such as the following were assumptions, strawmen, or conclusions:

Cybersecurity is all about “deceiving deceivers” in which defenders have “reinvent[ed] classic counterintelligence practice.”

“Information technology does not create any simple (systemic) advantage for offense or defense.”

“If technology gives advantages to the offense in intelligence, then defenders can enjoy the same advantage in counterintelligence.”

“These patterns are unlikely to change with artificial intelligence or any other technology … because technology did not create these patterns in the first place.”

“This reality is at odds with the popular assumption that cyberspace makes hacking cheap and easy for weaker actors.”

“There is … a state-centric bias in my cases, there is also a state-centric bias at the higher end of the spectrum of cyber conflict.”

By being “noisy,” ransomware operations create a “less permissive environment for future operations.”

Lindsay might have been able to support such definitive statements, but not just with four cases, all similarly focused on high-end intelligence forces in sensitive operations. Of those, one (Bletchley) was pre-internet, another swerved into disinformation (election interference), and a third into domestic information control (China). You cannot shed much meaningful light into cybersecurity, much less upend it, with just one full (Stuxnet) and two half cases.

U.S. cyber operations focus on quality; nearly everyone else depends on quantity.
As I wrote in Lawfare in 2021, relying too much on the “singularly high-end, targeted and sophisticated” Stuxnet is “like trying to understand the dynamics of the global auto industry using a case study of Rolls-Royce,” but ignoring down-market GM, BYD, and the secondhand car market.

Josephine Wolff explores both quality and quantity with a broader set of nine cases in “You’ll See This Message When It Is Too Late”; Scott Shapiro likewise used 10 in “Fancy Bear Goes Phishing.”

By ignoring quantity, Lindsay misses the main reasons cyber practice and literature argue there is a bias to the offense. “Age of Deception” accordingly needed a survey exploring the role of deception in cybersecurity and reinforced with other “critical cases” that any theory “must be able to explain,” such as fraud, cybercrime, and ransomware.

Had he done so, he might have found that assessments on topics such as offense bias are guided not by “popular assumptions,” but by literature driven by databases with over 22,000 confirmed data breaches just in 2025. These drive billions of dollars of investment, and Federal Reserve economists have found such tools rigorous enough to improve predictions of “whether a bank will experience a cyber incident within the next year.”

Many such findings, we shall see, bolster Lindsay’s own; others the opposite. Missing such context, Lindsay both underanalyzes deception and overemphasizes its importance in cybersecurity.

Underanalyzing Deception

Lindsay missed opportunities to explore the rich role of deception in cyberspace.

For example, to attempt to eliminate deception, zero-trust architectures have become a $48.3 billion market by assuming that all people, systems, agents, and actions are fraudulent unless repeatedly proved to be authentic.

Indeed, whether cyber defenders are better at finding or attackers are at hiding is such a core question that practitioners have long prioritized precise measurements. In 2011, it took on average 416 days to discover a breach.
By 2018, 31 percent of incidents were discovered within 30 days, improving to 61.6 percent by 2025, driven by advancements in technologies like end-point detection and response and security incident and event management (with market sizes of $6.3 billion and $12 billion, respectively).

This reduction is needed but not enough. The fastest quartile of attackers in 2025 were using AI and other advanced automation tools to exfiltrate information within 72 minutes, down from 285 minutes the year prior. This feels like an advantage as even AI-driven defenses struggle to detect so quickly, much less stop the bleeding.

These are not obscure statistics; they are crucial to cybersecurity practice and literature. “Age of Deception” would have been richer with a chapter-length survey of such factors.

Lindsay’s arguments rely heavily on his assessment that technology gives defenders the “same advantages” as the offense. But does this include all information technologies or only some? Are the advantages necessarily the same, with zero bias either way? Does balancing happen automatically or is it conditional on defenders’ implementation? Is there a lag between when the advantages accrue to offense versus defense?

This needed further exploration, not least to understand the impact of AI. Any conditionality or lag is likely to prefer the offense: a small number of agile, focused predators choosing from a herd of plodding, low-capability prey.

Lindsay might also have examined why his assessment that the offense has no overall advantage in the intelligence contest of cybersecurity differs from those of Gen. Michael Hayden, who regularly referred to an internet-driven “golden age” of signals intelligence, and Chris Inglis, who wrote that the score in cyberspace “is not 1-0 or 2-1; the score is 423 to 352.
That is not a game you want to be in if you are a defender.”

“Age of Deception” accordingly needed chapters on fraud, cybercrime, or ransomware or a survey chapter on the complex interplay of deception across all cybersecurity.

Fraud. AI “is transforming criminal practice by industrializing deception, compressing attack cycles, and corroding evidentiary trust,” with AI-generated phishing clicked on nearly half the time and over four times more frequently than traditional frauds. Equal improvements in counterdeception seem distant: Neither human nature, corporate controls, nor law enforcement can easily match technology’s acceleration of fraud.

Cybercrime. Enabled by U.S.-government funded innovations, dark web sites rely heavily on deception to sell malware, drugs, and weapons while groups such as Scattered Spider/Lapsus$ have had substantial success not easily explained by “Age of Deception.” Mostly teenagers or in their early 20s, and using attacks of only modest sophistication, their campaigns had repeated successes against well-defended targets such as Microsoft and major casinos.

Ransomware. Similar dynamics drive ransomware, on which Lindsay spends fewer than 200 words. In the closing pages of the book, he dismisses all ransomware, because the DarkSide gang only got a $4.4 million payment from Colonial Pipeline in 2021.

There are few aspects of offensive cyber operations, however worrying, which are not similarly rejected. There’s always another side, always some difficulty in trying to pull off a success. “Age of Deception” is rarely so generous to defenders and the complexity and difficulties they face fending off relentless attackers.

A richer assessment would not have ignored the nearly 1,800+ ransomware victims that same year of 2021 from whom $602 million was successfully extorted.
It is not clear that being “noisy” is such a losing proposition, nor how the environment became subsequently “less permissive,” when gangs stole a further $1.1 billion the following year, targeting 2,800+ victims. Indeed, 2022 would have been even worse had the FBI not used their own deceptive operations to infiltrate the Hive ransomware group. An “age of deception” indeed!

President Biden, in contrast to Lindsay, treated Colonial Pipeline and related ransomware attacks as core to Russian secret statecraft. Making it a central topic of his one-and-only summit with Russian President Vladimir Putin, Biden might disagree with Lindsay about making too much of any “stabilizing” role of cyber operations.

Lindsay missed these opportunities to explore secret statecraft and cybersecurity. Can we really say nothing meaningful, as Lindsay would have it, about some kind of offense advantage using such statistics without individually examining tens of thousands of cases?

Overemphasizing Deception

Deception is important, but it is incorrect to treat all of cybersecurity as secret statecraft in an intelligence contest.

A book on deception in American football would be an amazing read, exploring its impact as offense and defense compete over 60 minutes of iterated violence. A book that reduced all football to a deception contest might not, as it would minimize aggression, skill, strength, speed, and strategy.

It was the development of cryptocurrencies, after all, not any improvements in deception, which sparked the rise of ransomware, as criminals could easily monetize their intrusions. Across a range of criminal behavior, “illicit cryptocurrency addresses received at least $154 billion in 2025,” a 162 percent annual increase. Cryptocurrencies supersize crime with few compensating defensive advantages. Yet “Age of Deception” mentions them only once.

In addition, many simple and devastating attacks barely rely on deception.
The first White House cyber summit, in 2000, was convened in response to denial-of-service attacks against web-commerce sites. And cybersecurity from 1998 to 2005 was driven by the “great worms” like ILOVEYOU, Melissa, Nimda, Slammer, and Sobig, which caused astounding levels of disruption. Sobig itself caused perhaps $37 billion in damage. None of these was caused by states; several were the handiwork of teenagers.

Moreover, “Age of Deception” would have been more relevant in 2026 had it built on Moore’s distinction in “Offensive Cyber Operations” between military-like event-based attacks and deception-reliant, intelligence-like presence-based attacks. Lindsay elsewhere calls it a “category mistake” to consider offensive cyber effects as anything other than an intelligence contest, a perhaps uncomfortable contrast with the Pentagon’s seeming wartime enthusiasm for its Joint Integrated Fire Center.

Likewise, though Lindsay includes “vulnerable institutions” as a core part of his theory, he does not explore cyber vulnerabilities in any depth, missing three opportunities to enrich his book and our understanding.

First, common-mode vulnerabilities allow attackers to have impact-at-scale. The worms mentioned above “spread from one to another computer at high rates,” a group of cybersecurity luminaries wrote in 2003, because “they did not have to guess much about the target computers because nearly all computers have the same vulnerabilities.” Such “unacknowledged correlated risk of cyberspace” leads to very unpredictable, extremely high-consequence incidents. Broadly similar logic applies to ransomware. Such quantity-versus-quality, one-on-multitude attacks succeed because the attackers need not be interested in highly deceptive, “complex operations against sensitive targets,” just whichever will pay them off.

Second, most organizations skip “deceiving deceivers” to prioritize risk management, especially patching vulnerabilities.
As Jen Easterly, former head of the Cybersecurity and Infrastructure Security Agency, summarized, “the United States does not have a cybersecurity problem. It has a software quality problem.”

And there are already a lot of vulnerabilities. Despite improvements in application security (to fix bugs early, a $14.8 billion market), the growth rate of vulnerabilities has held steady over the past several years, with 237,687 known vulnerabilities as of May 2024, of which approximately 14,000 have been actively exploited. The year 2025 was particularly challenging, with a 36 percent increase in highly exploitable, high-severity flaws.

Worse, the gap from when vulnerabilities are first reported to when they are first exploited dropped precipitously from 2.3 years in 2018 to 2.6 days in 2026, outpacing the average patching cadence of organizations, which barely improved, from 252 to 243 days, despite the $17.8 billion market for vulnerability-management tools and services.

Vulnerabilities also drive public policy, to convince companies to include security by design and default, reduce market incentives for insecure software, push for memory safe languages, and reduce single points of failure.

Third, there is no iron law that technology need affect attackers and defenders equally. AI might revolutionize deception and counterdeception, but it is first revolutionizing vulnerability discovery. The Cloud Security Alliance recently warned:

AI, as demonstrated by Anthropic’s Mythos, has significantly increased the likelihood of attackers discovering new vulnerabilities, creating new exploits, and using them in complex automated attacks at scale. While AI also increases the speed of patch development and reduces defects in new software, defenders still face a heavier relative burden due to the inherent limitations of patching.
Attackers gain asymmetric benefits.

Lindsay suggests all such assessments are mistaken: Since there is no systemic bias, assessments of offense-defense bias can be understood only via “details of specific cyber campaigns … between particular competitors in specific circumstances.”

As Lindsay’s theory suggests, Mythos and other AI systems may someday provide enough defensive benefit to balance the gains to attackers, or even to surpass them. Easterly agrees that “we may finally have tools powerful enough to begin reducing the cost and difficulty of addressing the root causes of cyber risk.”

But success is not guaranteed, she continues, as “progress will still depend on human judgment, institutional will, and organizations prepared to do the hard work of acting on what these systems reveal.”

Pessimistic readers will note these are precisely the same elements that were lacking in the decades prior to the rise of AI.

Conclusion

“Age of Deception” is a good read, rich with detail and insights on secret statecraft and intelligence contests. It weaves together technology, international relations, and intelligence studies to shed important light on intelligence power, which states have increasingly been using to contest one another below the level of armed conflict. Lindsay’s retellings of Stuxnet and of Russia’s 2016 election interference were especially compelling to this reviewer.

Deception matters in cybersecurity, and Lindsay is spot on with his conclusions about high-end cyber operations against well-defended targets.
Echoing what Rattray wrote in 2001, strategic effects in cyberspace are indeed difficult, especially against the “security one percent” of truly capable defenders.

However, because Lindsay dismisses non-state cyber incidents—the vast majority—and a substantial amount of cybersecurity literature and practice, readers should be cautious about the applicability of his theory and conclusions for cybersecurity to the rest of us.

And can any of us be sure that future deception will play out the same as it has since before Machiavelli, when most of the participants are nonhuman intelligences?

This book would have surpassed Lindsay’s earlier, excellent “Information Technology and Military Power” had his editors pushed him to either write the best book on deception and secret statecraft or the best on deception and cybersecurity. By aiming for both, he hit neither.
A First Step to Unpacking Cyber, Deception, and Intelligence Contests
A review of “Age of Deception: Cybersecurity as Secret Statecraft,” Jon Lindsay (Cornell, 2025)














