As we head towards 2030, a terrible realisation is dawning on us – that we have built a world that is critically dependent on a set of technologies that almost nobody understands, and which are also extremely fragile and insecure. Fancy Bear Goes Phishing seeks to tackle both sides of this dilemma: our collective ignorance, on the one hand, and our insecurity on the other. Its author says that he embarked on the project seeking an understanding of just three things. Why is the internet so insecure? How (and why) do the hackers who exploit its vulnerabilities do what they do? And what can be done about it?
In ornithological terms, Scott Shapiro is a pretty rare bird – an eminent legal scholar who is also a geek. Wearing one hat (or perhaps a wig), he teaches jurisprudence, constitutional law, legal philosophy and related topics to Yale students. But wearing different headgear (a reversed baseball cap?), he is also the founding director of the university’s cybersecurity lab, which does pretty good research on security and information technology generally.
Shapiro was fascinated by computers from a young age, and for a time was a computer science major at Columbia University and a startup entrepreneur. But eventually legal philosophy got a grip on him and he wound up with a professorship in a law school. Embarking on the book forced him to revisit his past: relearning old programming languages; coming to terms with Unix, Linux and other operating systems, internet protocols and database technology; and wading through the weeds of malicious software – worms, viruses, distributed denial of service (DDoS) attacks and other loathsome creatures of the cyberdeep.
Most authors in his position would probably have shirked such technicalities. After all, nothing breaks a narrative like a discussion of musings on the “physicality principle” (which states that computation is a physical process of symbol manipulation), the Hungarian-American mathematician and physicist John von Neumann’s adventures with cellular automata, or Microsoft’s failure to get to grips with TCP/IP (Transmission Control Protocol/Internet Protocol). And yet Shapiro doesn’t blink, and manages to carve a readable path through the conceptual undergrowth.
It’s an impressive achievement. His technique for creating a narrative is to pick five epic hacks, each of which illustrates salient points about the networked world in which we are now enmeshed. He starts with the Morris worm, a program innocently released by a Cornell University student in 1988 that brought the internet to a grinding halt. This is a well-known story that has been told many times, but Shapiro’s account is the most illuminating I’ve seen, largely because it brings out the fiendish ingenuity of Robert Morris’s little program – and in the process justifies Shapiro’s decision not to shirk technicalities when telling the tale.
The second hack takes him to an unlikely place: Bulgaria in the 1980s – the world’s first centre of excellence in creating computer viruses – and to the battle between an exceptionally gifted hacker, the “Dark Avenger”, and his nemesis, the antivirus expert Vesselin Bontchev. This chapter also required Shapiro effectively to become a sociologist of hacking, seeking an understanding of who hackers are and what motivates them.
From Bulgaria the story moves to the US in the 00s and the hacking of Paris Hilton’s phone, followed by Microsoft’s introduction of the Visual Basic programming language into its Office suite of programs. The idea was to enable users of the software to automate routine tasks. The unintended consequence was that it also enabled the “macro” viruses – such as Melissa and ILOVEYOU – that infected Microsoft Word and brought nearly every office in the western world to a halt for a few weeks.
The fourth hack is what gives the book its title – the hacking by Russian agencies of the Democratic National Committee’s computers in 2016 and the subsequent release of a huge trove of emails that were damaging to Hillary Clinton’s presidential campaign. Again, this is a story we thought we knew, but Shapiro’s account is detailed and fascinating, and still leaves you wondering whether the hack played a role in Clinton’s defeat.
Shapiro’s final hack is about the “botnet wars” – in which virtual armies of compromised networked devices are marshalled to deliver paralysing DDoS attacks on targeted websites – and the subsequent evolution of DDoS as a service. Once upon a time, that kind of destructive hacking required significant technical nous. Now it just requires a credit card and malign intent.
What are the takeaways from this absorbing tour of cyberspace’s netherworld? Four things stand out. One: “Hacking is not a dark art, and those who practise it are not 400lb wizards or idiot savants.” Two: it’s not a hobby, but a business, conducted by rational people out to make a living, or a killing. Just like bankers, in fact. Three: we could do a lot to reduce our vulnerability to it, but governments will first have to make it a crime not to take precautions. And four: mass media plays a really malignant role by providing an endless loop of scare stories and zero understanding of the problem.