Who knew that the internet could be dangerous? That this thoroughfare for bits and bytes, this manmade universe of electronic impulses, could be an avenue for threats to your finances, to your identity, even to national security? That it might cut the power to your home and your water supply?

Until 1988, almost no one had even a glimmer of these perils. That November, however, a student at Cornell almost brought that universe down. Since then, the threats have proliferated. Attacks using phishing, ransomware, and botnets are now common. We are all online; we are all vulnerable.

In Fancy Bear Goes Phishing, Scott J. Shapiro uses five hacks to tell the history of computer security. He writes withs three goals in mind: to discover why the internet is insecure; to learn how hackers breach it; and to propose how it can be fixed.

Shapiro, now a professor of law and psychology, was a computer geek from childhood through college. Awakened from his “longer digital slumber,” he gained a firm grasp of the technical aspects of cybersecurity before writing this book. It shows.

More than that, though, he garnishes his descriptions of the hacks with insights into computers and hacking that are novel and perceptive. These begin with his observation that “upcode shapes downcode.” Downcode is the literal code that runs computers; upcode is what people do to structure the digital universe that downcode creates. It includes culture, laws, norms, beliefs, and other artifacts of human thinking. As Shapiro puts it: “Downcode is run by computers; upcode by humans.”  

His focus here is on the influence of upcode. He argues that cybersecurity is a human problem, not a technical one. The book focuses on the hackers, the hacked, and the defenders. These include Robert Morris Jr., the Cornell student who almost brought down the internet in 1988; Vesselin Bontchev, a Bulgarian who became an expert defender against computer viruses; and celebrity Paris Hilton, whose phone was famously hacked.

Shapiro uses metaphors and models from sources ranging from game theory to fairytales to describe the technology behind these hacks. He draws on concepts developed by Alan Turing and John Von Neumann, whose theories are called on commonly in computer science. More surprising is his use of a parable from Lewis Carroll to show the difference between code and data and a description of the U.S. Postal Service to explain TCP/IP networking.

Shapiro’s focus on people leads to insights that will seem fresh even to those who know only the technical side of these hacks. The intrusions into the Democratic National Committee in 2016 have been described at length many times. But how it was done becomes clearer when Shapiro tells how individuals like the unfortunate Bill Rinehart fell victim to the blandishments of a phish. Shapiro also shows that the Russians, startlingly competent technically in bringing down Hillary Clinton, were caught because they were almost comically incompetent in other ways.

Shapiro offers proposals for fixing the internet. Technology is not enough, he argues. To manage cybercrime, he suggests we look at what draws hackers to the dark side and figure out how to lure them instead to the light. For one, restrict payments from Bitcoin, he says, to reduce criminals’ potential profit. Also, make companies liable if breached so that they’re incentivized to strengthen their defenses.

Cyber-espionage, he argues, will always be with us. He makes a distinction between foreign espionage and domestic; that is, between what the Russians and Chinese do and what Americans like Edward Snowden have done. Shapiro sees value in the latter and offers no mitigation for it.

On cyberwar, the book is informative and interesting but incomplete. Shapiro talks mostly about cyber-dependent war, which can only be waged with computers, but speaks little about cyber-enabled war, which is traditional war aided by computers. He argues that a cyber-Armageddon is unlikely because cyberattacks are the tools of weak states, which are loath to make devastating attacks on strong ones.

His arguments against the dangers of cyber-dependent war would be stronger if one of his hacks had caused physical damage. Stuxnet would have been an obvious choice. NotPetya caused damaged worldwide and brought the Maersk shipping company to its knees. And attacks in Ukraine in 2015 and 2016 shut off power to thousands. If there is to be a cyber-Armageddon, it will probably come from assaults such as these.

This is the only serious weakness in an otherwise excellent, illuminating book. Fancy Bear Goes Phishing tells the story of the internet and the attacks on it clearly, making complex topics easily understood. Throughout, Shapiro provides much food for thought about what it all means not just for the casual reader, but for tech pros, as well.  

James Voorhees is a cyber analyst with General Dynamics Information Technology. He has extensive experience as an analyst and engineer working on cybersecurity, mostly for federal agencies. He also has a Ph.D. from the Johns Hopkins School of Advanced International Studies and is the author of Dialogue Sustained: The Multilevel Peace Process and the Dartmouth Conference.

comments powered by Disqus