FANCY BEAR GOES PHISHING: The dark history of the information age, in five extraordinary hacks by Scott J. Shapiro
Don’t let the cutesy title fool you: As Scott J. Shapiro acknowledges in “Fancy Bear Goes Phishing,” his new book on cybersecurity, hacking can do terrible damage. Shapiro is the co-author with Oona A. Hathaway of “The Internationalists” (2017), which recounts 20th-century efforts to outlaw war; one of the many questions that animate “Fancy Bear Goes Phishing” is whether hacking has otherwise opened the door to war.
After all, “Fancy Bear” and “Cozy Bear” refer to the cyber-espionage units linked to Russian intelligence agencies that gained access to Democratic National Committee computer systems before the 2016 presidential election. Fancy Bear released a trove of emails, including Hillary Clinton’s closed-door speeches to Goldman Sachs and her campaign chairman’s tips for risotto.
The hack was undeniably embarrassing, and the 2016 election result was so close that it’s impossible to say whether the trickle of leaked emails was a factor in turning a swirling tide in Donald J. Trump’s favor. Not to mention that hacking into the DNC’s systems was “standard espionage,” Shapiro writes, and espionage is legal under international law. Spies like to phish – so what? It’s what they do with their catch that’s the real question. By “releasing the stolen information” for the world to see, “Fancy Bear may have committed an act of war.”
“Maybe” – now there’s a little phrase with lots of wiggle room, and Shapiro isn’t in a hurry to pin it down. One of his themes is how hackers “exploit the principle of duality” or “the ambiguity between code and data”, both of which can be represented by numbers. I’d say Shapiro, a professor of law and philosophy at Yale Law School, does something similar with this book — though unlike most of the hackers he describes, he uses ambiguity to largely benevolent effect. Books are made up of words, and those looking for words that amount to a comprehensive guide to cybersecurity or an apocalyptic thriller about a digital Armageddon would be better served elsewhere. Shapiro may have something to say about cybercrime and cyberwar, but what he really wants to do with his words is tell us the stories of five hacks.
The business with the DNC is one. The others concern the Morris Worm, which infected the early Internet in 1988 and was coincidentally created by the son of the chief scientist for computer security at the National Security Agency; the 1990s malware craft of a Bulgarian hacker known as the Dark Avenger; the 2005 burglary of Paris Hilton’s cell phone by a 16-year-old boy; and the “Mirai botnet,” a networked supercomputer developed in 2016 by three teenagers who gathered its power by secretly employing so-called smart devices, such as security cameras and toasters.
Shapiro himself started out as a computer science major in college and had a stint as a tech entrepreneur, building databases for clients including Time-Life Books. He did not hack his first computer until he was 52, although he made up for lost time by hacking into the Yale Law School website, “a feat my dean did not appreciate.” Shapiro is amusing and tirelessly fascinated with his subject, luring even the non-specialist into technical descriptions of coding by making connections between computer programming and, say, the paradox of Achilles and the tortoise. He offers Rousseau as an illuminating guide to the early days of the Internet. A single paragraph moves deftly from Putin to Descartes to “The Matrix.”
The technological element, which amounts to what Shapiro calls the “downcode,” is only half of the hacking problem. The other half is the “upcode,” which refers to everything human: laws, norms, the cognitive biases that make smart people think they can get by with poor cyber hygiene. Shapiro argues that technical solutions are important, but they can only protect us to a limited extent. Downcode is downstream from upcode. “Cybersecurity is not primarily a technology problem that requires a primarily technical solution,” he writes. “It’s a human problem that requires an understanding of human behavior.”
And such human behavior can change depending not only on incentives and punishments, but also on lessons learned. A virus doing the rounds in 2000 was ILOVEYOU, sent as an attachment to an email. In addition to exploiting serious technical vulnerabilities in Microsoft’s operating system, it “also exploited our love upcode,” Shapiro explains. “People want to be loved.” No doubt people still want to be loved, but 23 years later, the infected email looks so obviously suspicious it reads like a parody of an infected email. Most casual computer users are now probably too hardened and cynical to open an attachment in an email that clumsily declares “please check the LOVELETTER coming from me.”
So over time, we build defenses by becoming less innocent — less likely to click on weird links, less likely to give out our Social Security numbers, less likely to think a good password is 12345. But as Shapiro shows, regulation can leave even the cautious computer user more vulnerable than necessary. The impenetrable legalese of endless licensing agreements has allowed software companies to evade liability in ways that, say, the manufacturer of a faulty toaster could not: “None of us read the licensing agreements because (1) they are impenetrable to non-lawyers; (2) they are inscrutable even for lawyers; (3) we are impatient; and (4) we have no choice.”
Shapiro adds that we now live in a world of “surveillance capitalism,” meaning much of our data is stored and sold by corporations. We entrust them with highly personal information and assume that they will do everything they can to protect that information from hacking. Still, the legal ramifications companies face for data breaches are “ridiculously small.”
Stricter penalties could help; better legislation too. Still, Shapiro also advises against succumbing to the belief that there’s a silver bullet that will end our cyber troubles once and for all. “We don’t need perfect security,” he writes, “just reasonable precautions.” Readers who begin this book thinking they’ll get a more sweeping conclusion will find that their expectations have been (entertainingly) subverted: in other words, they’ve been hacked.
FANCY BEAR GOES PHISHING: The dark history of the information age, in five extraordinary hacks | By Scott J. Shapiro | Illustrated | 420 pp. | Farrar, Straus & Giroux | $30