In ‘Fancy Bear Goes Phishing,’ Tales of Harmful Hacks
FANCY BEAR GOES PHISHING: The Dark History of the Information Age, in Five Extraordinary Hacks, by Scott J. Shapiro
Don’t let the adorable title fool you: As Scott J. Shapiro acknowledges in “Fancy Bear Goes Phishing,” his new book about cybersecurity, hacking can inflict terrible harm. Shapiro is the author, with Oona A. Hathaway, of “The Internationalists” (2017), which recounts 20th-century efforts to outlaw war; among the numerous questions animating “Fancy Bear Goes Phishing” is whether hacking has opened the door to war by other means.
After all, “Fancy Bear” and “Cozy Bear” refer to the cyberespionage units linked to Russian intelligence that gained access to the Democratic National Committee’s computer systems before the 2016 presidential election. Fancy Bear released a trove of emails that included Hillary Clinton’s closed-door speeches to Goldman Sachs and her campaign chairman’s tips for risotto.
The hack was undeniably embarrassing, and the 2016 election results ended up being so close that it’s impossible to say whether the drip-drip-drip of leaked emails was a factor in turning a roiling tide in Donald J. Trump’s favor. Not to mention that hacking into the D.N.C.’s systems “was a standard act of espionage,” Shapiro writes, and espionage happens to be legal under international law. Spies like to go phishing — so what? It’s what they do with their catch that’s the real question. In “releasing the pilfered information” for the world to see, “Fancy Bear might have engaged in an act of war.”
“Might have” — now there’s a tiny phrase with a lot of wiggle room, and Shapiro is in no hurry to pin it down. One of his themes is how hackers “exploit the duality principle,” or “the ambiguity between code and data,” both of which can be represented by numbers. I would argue that Shapiro, a professor of law and philosophy at Yale Law School, does something analogous with this book — though unlike most of the hackers he describes, he uses ambiguity to largely benevolent effect. Books are composed of words, and anyone looking for words that amount to a comprehensive guide to cybersecurity or an apocalyptic thriller about a digital Armageddon would be more efficiently served elsewhere. Shapiro might have some things to say about cybercrime and cyberwar, but what he really wants to do with his words is tell us the stories of five hacks.
The business with the D.N.C. is one. The others involve the Morris Worm, which infected the early internet in 1988 and happened to be created by the son of the chief scientist for computer security at the National Security Agency; the 1990s malware handiwork of a Bulgarian hacker known as the Dark Avenger; the 2005 hack into Paris Hilton’s cellphone by a 16-year-old boy; and the “Mirai botnet,” a networked supercomputer developed in 2016 by three teenagers that gathered strength by secretly conscripting so-called smart appliances, like security cameras and toasters.
Shapiro himself started out as a computer science major in college and had a stint as a tech entrepreneur, constructing databases for clients that included Time-Life Books. He didn’t hack his first computer until he was 52, though he made up for lost time by hacking the Yale Law School website, “a feat that my dean did not appreciate.” Shapiro is funny and unflaggingly fascinated by his subject, luring even the nonspecialist into technical descriptions of coding by teasing out connections between computer programming and, say, the paradox of Achilles and the tortoise. He offers Rousseau as an illuminating guide to the early days of the internet. A single paragraph moves nimbly from Putin to Descartes to “The Matrix.”
The technological element is just one half of the hacking problem, amounting to what Shapiro calls the “downcode.” The other half is the “upcode,” which refers to everything human: laws, norms, the cognitive biases that allow clever humans to think they can get by with poor cyberhygiene. Shapiro argues that technical fixes are important, but they can only protect us so much. Downcode is downstream from upcode. “Cybersecurity is not a primarily technological problem that requires a primarily engineering solution,” he writes. “It is a human problem that requires an understanding of human behavior.”
And such human behavior can change, depending not only on incentives and punishments, but also on lessons learned. One virus that made the rounds in 2000 was ILOVEYOU, sent by email attachment. In addition to exploiting serious technical vulnerabilities in Microsoft’s operating system, it also “exploited our ‘love upcode,’” Shapiro explains. “People want to be loved.” No doubt people still want to be loved, but 23 years later the infected email looks so obviously suspicious that it reads like a parody of an infected email. Most regular computer users are probably too hardened and cynical now to open an attachment in an email that awkwardly declares: “kindly check the LOVELETTER coming from me.”
So over time we build up defenses by becoming less innocent — less prone to clicking weird links, less disposed to handing over our Social Security numbers, less inclined to thinking a good password is 12345. But as Shapiro shows, regulation can still leave even the careful computer user more vulnerable than necessary. The impenetrable legalese of endless licensing agreements has allowed software companies to escape liability in ways that, say, the manufacturer of a defective toaster could not: “None of us read the licensing agreements because (1) they are inscrutable to nonlawyers; (2) they are inscrutable even to lawyers; (3) we are impatient; and (4) we have no choice.”
Besides, Shapiro adds, we now live in a world of “surveillance capitalism,” meaning that much of our data is stored and sold by corporations. We entrust them with highly personal information and assume that they will do everything they can to protect that information from hacking. Yet the legal consequences faced by corporations for data breaches “are laughably slight.”
Stiffer penalties could help; better legislation, too. Still, Shapiro also counsels against succumbing to the belief that there’s a silver bullet out there that will stop our cybertroubles once and for all. “We don’t need perfect security,” he writes, “just reasonable precautions.” Readers who start this book assuming they will be handed a more sweeping conclusion will find that their expectations have been (entertainingly) subverted: In other words, they’ve been hacked.
FANCY BEAR GOES PHISHING: The Dark History of the Information Age, in Five Extraordinary Hacks | By Scott J. Shapiro | Illustrated | 420 pp. | Farrar, Straus & Giroux | $30