FANCY BEAR GOES PHISHING: The Dark History of the Information Age, in Five Extraordinary Hacks
Author: Scott J Shapiro
Publisher: Farrar, Straus & Giroux
Pages: 420
Price: $30
Don’t let the adorable title fool you: As Scott J Shapiro acknowledges in Fancy Bear Goes Phishing, his new book about cybersecurity, hacking can inflict terrible harm. Shapiro is the author, with Oona A Hathaway, of The Internationalists (2017), which recounts 20th-century efforts to outlaw war; among the numerous questions animating Fancy Bear Goes Phishing is whether hacking has opened the door to war by other means.
“Fancy Bear” and “Cozy Bear” refer to the cyberespionage units linked to Russian intelligence that gained access to the Democratic National Committee’s computer systems before the 2016 presidential election. Fancy Bear released a trove of emails that included Hillary Clinton’s closed-door speeches to Goldman Sachs and her campaign chairman’s tips for risotto.
The hack was undeniably embarrassing, and the 2016 election results ended up being so close that it’s impossible to say whether the drip-drip-drip of leaked emails was a factor in turning a roiling tide in Donald J Trump’s favour. Not to mention that hacking into the DNC’s systems “was a standard act of espionage,” Shapiro writes, and espionage happens to be legal under international law. Spies like to go phishing — so what? It’s what they do with their catch that’s the real question. In “releasing the pilfered information” for the world to see, “Fancy Bear might have engaged in an act of war.”
Anyone looking for words that amount to a comprehensive guide to cybersecurity or an apocalyptic thriller about a digital Armageddon would be more efficiently served elsewhere. Shapiro might have some things to say about cybercrime and cyberwar, but what he really wants to do with his words is tell us the stories of five hacks.
The business with the DNC is one. The others involve the Morris Worm, which infected the early internet in 1988 and happened to be created by the son of the chief scientist for computer security at the National Security Agency; the 1990s malware handiwork of a Bulgarian hacker known as the Dark Avenger; the 2005 hack into Paris Hilton’s cellphone by a 16-year-old boy; and the “Mirai botnet,” a networked supercomputer developed in 2016 by three teenagers that gathered strength by secretly conscripting so-called smart appliances, like security cameras and toasters.
Shapiro himself started out as a computer science major in college and had a stint as a tech entrepreneur, constructing databases for clients that included Time-Life Books. He didn’t hack his first computer until he was 52, though he made up for lost time by hacking the Yale Law School website, “a feat that my dean did not appreciate.” Shapiro is funny and unflaggingly fascinated by his subject, luring even the non-specialist into technical descriptions of coding by teasing out connections between computer programming and, say, the paradox of Achilles and the tortoise.
The technological element is just one half of the hacking problem, amounting to what Shapiro calls the “downcode.” The other half is the “upcode,” which refers to everything human: Laws, norms, the cognitive biases that allow clever humans to think they can get by with poor cyberhygiene. Shapiro argues that technical fixes are important, but they can only protect us so much. Downcode is downstream from upcode. “Cybersecurity is not a primarily technological problem that requires a primarily engineering solution,” he writes. “It is a human problem that requires an understanding of human behavior.”
And such human behaviour can change, depending not only on incentives and punishments, but also on lessons learned. One virus that made the rounds in 2000 was ILOVEYOU, sent by email attachment. In addition to exploiting serious technical vulnerabilities in Microsoft’s operating system, it also “exploited our ‘love upcode,’” Shapiro explains. “People want to be loved.” Most regular computer users are probably too cynical now to open an attachment in an email that awkwardly declares: “kindly check the LOVELETTER coming from me.”
So over time we build up defences by becoming less innocent. But as Shapiro shows, regulation can still leave even the careful computer user more vulnerable than necessary. The impenetrable legalese of endless licensing agreements has allowed software companies to escape liability in ways that, say, the manufacturer of a defective toaster could not: “None of us read the licensing agreements because (1) they are inscrutable to non-lawyers; (2) they are inscrutable even to lawyers; (3) we are impatient; and (4) we have no choice.”
Besides, Shapiro adds, we now live in a world of “surveillance capitalism,” meaning that much of our data is stored and sold by corporations. We entrust them with highly personal information and assume that they will do everything they can to protect that information from hacking. Yet the legal consequences faced by corporations for data breaches “are laughably slight.”
Stiffer penalties could help; better legislation, too. Still, Shapiro also counsels against succumbing to the belief that there’s a silver bullet out there that will stop our cybertroubles once and for all. “We don’t need perfect security,” he writes, “just reasonable precautions.” Readers who start this book assuming they will be handed a more sweeping conclusion will find that their expectations have been (entertainingly) subverted: In other words, they’ve been hacked.
The reviewer is the nonfiction book critic for The Times. ©2023 The New York Times News Service