Why Cyberwarfare Is Overhyped
David Schneider: Hi, I'm David Schneider for IEEE Spectrum's Fixing the Future podcast. Before we launch into this episode, I'd like to let listeners know that the cost of membership in IEEE is currently 50% off for the rest of the year. Giving you access to perks, including Spectrum magazine and many education and career resources. Plus, you'll get a cool IEEE-branded Rubik's Cube when you enter the code CUBE online. Simply go to IEEE.org/join to get started. I'm talking with Scott J. Shapiro. I'm very excited to talk to him about his new book which is titled Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks. So, Scott, if I can call you that rather than addressing you as professor?
Scott Shapiro: Please do. Please do.
Schneider: Before we talk about your book, tell me a little bit about yourself.
Shapiro: So I'm a professor of law and philosophy at Yale University. My primary appointment is at the law school where I teach legal philosophy. But like so many people my age, I grew up in the 70s and 80s where I got hooked on personal computers. My parents bought me an Apple II when they first came out. Used a TRS-80 at school in biology class and got really into coding and really into computers. And I was a computer science major at Columbia University. And I had a small database construction company, but then gave it up when I went to law school and then graduate school on philosophy. And I just kind of forgot that I had ever done that.
Schneider: And from our earlier conversations, you told me about a class that you were teaching. Can you tell me a little bit about that since that, I think, leads into the book about what this class was?
Shapiro: What happened was the book before Fancy Bear was called The Internationalists, and it was a history of the regulation of war over 400 years. So it was from 1600 to 2014, about whether you're allowed legally to go to war. And a lot of people were asking when the book came out in 2017, "What about cyber war? What about cyber war?" And so I got interested in, "What about cyber war?" And so at the time, my colleague Oona Hathaway and I and Joan Feigenbaum from the computer science department, who's a very famous mathematical cryptographer, we applied to the Hewlett Foundation to get a grant to teach an interdisciplinary course on I think it was called The Law and Technology of Cyber Conflict. And so it was going to be half computer science undergrad majors and half law students, and we would teach both of them the technology and the law. And one of the things about the class was it was the worst class I had ever taught. I don't think anybody learned anything. I certainly didn't learn anything. At any given point, half the class is bored and the other half was confused. And what I realized was that law and computer science, those are both very technical subjects and the intersection is very difficult. And so I thought, "How would I teach students about this new world of hacking and cybersecurity? And how does it relate to legal and ethical questions we have? And how should we regulate it and respond to it?"
Schneider: The particular hacks that you go over in the book, they are things that you and your students looked at in depth while you were teaching this course, I take it.
Shapiro: Actually, no. What happened was when I taught the course, I really taught the students how to hack. I taught this, by the way, with two other of my colleagues, both with extensive network experience and cybersecurity experience. No, we taught them the Linux command line, how the internet works, how its packet switching works, how Wireshark works, how to do network reconnaissance, how to crack passwords. We taught them practical skills and kind of theoretical conceptual ideas about how our digital ecosystem works, how encryption works, yada yada yada. I was doing research on those stories as I was teaching the course. And so the book doesn't teach you how to hack. That's not the point of the book. The point of the book is to teach you how hacking works, how hackers have hacked the internet, and what various types of legal, ethical, psychological, technical, historical considerations go into this practice of hacking and how might we try to reverse the trend towards a safer digital ecosystem?
Schneider: So you and I have worked now on your article in Spectrum which is based on a section of the book that covers the Mirai malware. Maybe you could just take a second to mention the other extraordinary hacks that are in the book.
Shapiro: So the book lays out five hacks. The first one is the Robert Morris hack, the Morris worm, the first hack that's kind of brought down the public internet in 1988. And the next is the Bulgarian virus factory of the early 1990s and the mysterious virus writer, Dark Avenger, who created the first polymorphic virus engine which genetically scrambles, so to speak, the code of every virus, making it very difficult for antivirus software to detect. The third is the hack of Paris Hilton in 2005 when her Sidekick was hacked and nude photos were leaked onto the internet. The fourth is where Fancy Bear comes in - Fancy Bear Goes Phishing. Fancy Bear is the name of a lead hacking unit in the Russian military intelligence, the GRU, which hacked the Democratic National Committee in 2016 and leaked the emails and various documents that were found and caused real chaos and turmoil in the 2016 election between Hillary Clinton and Donald Trump. And finally, the Mirai botnet, which was created by three teenagers in order to basically get more market share for their Minecraft servers but ended up knocking the internet off for many people in the United States.
Schneider: I'd like really to focus on the conclusion of the book which you title as "The Death of Solutionism." So I'm going to ask you to explain a little bit what you mean by the death of solutionism and also maybe you could tell us or define for our listeners the terms you use throughout the book of upcode and downcode.
Shapiro: So let me first say what solutionism is. Solutionism is a term coined by the social critic Evgeny Morozov to kind of capture this idea that is part of the culture, that all social problems can have technological solutions. It's the famous example of solutionism as when Wired UK famously wrote, "You want to help Africa? There's an app for that." It's just like an app is going to reverse centuries of colonialism and blah blah blah. Cybersecurity is particularly prone to solutionism because we're always kind of looking for the next-generation firewall, the next-generation intrusion detection system, all these types of technological solutions. The argument of the book is that this is a mistaken way to think about cybersecurity. Cybersecurity is not primarily a technical problem that requires an engineering solution, but it primarily is a political problem which requires a human solution. And so one way I try to get at this idea, which you might think initially is counterintuitive because what could be more technical than cybersecurity, is the idea of a fundamental distinction that I draw between what I call downcode and upcode. Downcode are literally all the code below your fingertips when you're typing on a computer keyboard, see your operating system, the application, network protocols, yada yada yada. Upcode is anything above your fingertips. So the rules that I follow, my personal ethics, social norms, legal norms, all those types of things, industrial standards, terms of service, these are all the norms that regulate our action and give us different incentives to behave in certain ways.
Schneider: You give some concrete examples of where you see, to use the metaphor, patching the upcode would be useful. Maybe you could give our listeners some examples of this kind of tweaking the upcode.
Shapiro: One of the things that you want to do from a criminological perspective is you want to tailor whatever policy solution you're going to offer to the kind of problem that you're trying to solve. And in particular, when it comes to crime, you want to see what are the motivations of the offenders. Young boys, in particular, get into hacking through gaming culture and through a process of escalation, start engaging in first cheat sheets and then small little hacks and then they can transmogrify, grow, metastasize into real, very serious criminality. And so the idea to do in the United States what law enforcement has done in the United Kingdom, in the Netherlands which is to try to engage in diversion programs to try to divert people who might have skills to be, so to speak, on the blue team, on defense but because of various types of social pressures, get pushed to the red team, get pushed to being attackers and to try to change that. Another thing I'll just very quickly mention is as a legal matter, there's no software liability for security vulnerabilities. So you can't sue Microsoft for putting out really bad code resulting in your being hacked. And the Biden administration just released their National Cybersecurity Strategy where they are finally proposing software liability for security vulnerabilities. And I think that's a very important move.
Schneider: Why is that? I mean, when I go and I buy a ladder at the big-box hardware store, if I fall off of it because it's faulty, there's somebody I can sue. But why is it a piece of software that's faulty that can do something much more devastating to me, there's nobody to sue?
Shapiro: In American law, and actually, Anglophone legal systems, typically what will happen is when you sue somebody, you can only sue for physical damage or pain or suffering that happens to you through physical destruction. But you can't sue for purely economic damages for, let's say, negligence or recklessness in creating bad software because economic damages are not generally recoverable in American courts. There's also - I mean, that's a technical reason, but the larger kind of cultural reason, economic and political reason is that the United States takes a certain view about technology. In the United States, we have this idea that we don't want to regulate new technologies for fear of choking off innovation. The same story was with the car. There's very, very little regulation on the automobile because the power of the United States was as an industrial behemoth, and the idea is like, "We don't want to stop that." I think we've gotten to the - we got to the point in the 1960s with Ralph Nader and Unsafe at Any Speed where he came out with reports saying, "Look, this is a really, really dangerous technology. It needs to be regulated." And that's how we got seat belts. I think the same thing is true for the internet now, I think, where a book has suggested various ways to try to regulate it.
Schneider: Tell us more about kind of the upcode tweaks that you'd see around cyber espionage.
Shapiro: There's almost nothing you can do about cyber espionage is the point. The point is that it is part of the upcode of the world. I mean, it's amazing. It is part of global upcode that nations are allowed to spy on each other. In fact, it's almost encouraged, and you can imagine why it might be encouraged, that it's probably good for nations to know about each other's military intentions. But whereas you might be able to get law enforcement to really crack down on cybercrime, it's very, very difficult to crack down on cyber espionage when the United States is the largest spying country on the planet.
Schneider: But there was a suggestion there that there might be things to be done about economic espionage.
Shapiro: Right. So when we say espionage, we have to distinguish between, let's say, national security-focused espionage and financial, corporate, or economic espionage. So the United States is the largest national security hacker on the planet, but it almost never engages in corporate espionage. That is, it doesn't actually hack into Chinese companies, let's say, and steal their blueprints. China hacked into defense contractor and stole the entire blueprints for the F-35. Now, there had been a talk between Xi and President Obama, and they signed an agreement limiting economic espionage. And that worked out decently till Trump came into office and started a trade war with China, and then the economic and political relationship with China kind of fell apart. But there is room to cut down on espionage through international agreements because it isn't the case that financial espionage is legal. So there are things we can do, but the core national security, kind of hacking into leaders and their intelligence agencies to learn about the military and strategic intentions of a country, that's never going away.
Schneider: I mean, your book basically has a kind of optimistic message. You seem to be telling us, if I've interpreted you correctly, cyber war is going to be a kind of a simmering thing rather than a complete boiling over.
Shapiro: Right. Yeah. So in a way, this kind of surprised me just because of the hype associated with cyber war. But in a way, I think studying the history of war before I came to this project made me see things, I think, slightly differently because of that background. And so the first thing is just the technical challenges associated with trying to hack a digital infrastructure like the United States which has so many different kinds of operating systems, so many different kinds of applications, so many different versions, so many different network configurations. They're very, very difficult to hack across platforms like that. But secondly, and I think more importantly, cyberweapons are not great weapons. I mean, it's very hard to hold territory with cyberweapons. It's very hard to blow things up with cyberweapons. If you really want to blow things up, use bombs. So when Russia was going to invade Ukraine, which it did, people were saying, "Oh, no. This is going to be the cyber war, cyber war, cyber war." And I thought to myself, "Why would you burn exploits if you're Russia when you actually have bombs?" And that's what happened. Russia had been harassing Ukraine for seven years with cyberattacks. And then when they really wanted to get real, when they really wanted to capture territory or decapitate Ukraine, they sent in the tanks, the troops, the planes, the bombs. That hasn't worked out so well for them, but a cyber war wasn't going to be the answer. So what I try to say is that cyberweapons are weapons of the weak. They are used by weak nations to harass stronger nations. But when nations really want to compete and go against each other, they use kinetic weapons like bombs and tanks.
Schneider: You make a very nice, I guess, analogy with peasant revolts or rebellions.
Shapiro: Yeah. So there's a very well-known book written by the anthropologist James Scott called Weapons of the Weak. He used to teach at Yale. He was a brilliant, brilliant person. And what happened during his fieldwork, he went in the late 70s to Indonesia to a rice village because he was really interested why do peasants not revolt more often. And the Marxists had said, "Oh, they have false consciousness. They really buy into what their lords tell them." And what Jim Scott hypothesized was that in fact, that's not at all the case. The peasants hate their lords, and they strike back at them all the time but in this kind of low-level, covert way, ways that he called weapons of the weak because it's too dangerous to strike at them directly. And I think that's what cyberweapons are. Cyberweapons are weapons of the weak. It's when, well, you can't afford to go all out on another adversary but you really want to cause the other person pain but not too much pain so that they retaliate and escalate. So I think that Russia, North Korea, Iran, they're the geopolitical peasants, so to speak. Russia is actually a tricky situation because Russia is an intermediate power. It has very strong kinetic capabilities, although much less than it did, and very strong cyberweapons. But ultimately, if they wanted to attack an equal, they would probably go with cyberweapons. And if they really wanted to go into a large war, they would use kinetic weapons.
Schneider: I like to end with a kind of philosophical question - you're a professor of philosophy - so I would venture to say that a lot of our listeners and readers of Spectrum are people who are, what you'd call, solutionists. They gravitate towards technical fixes to problems. And I'm wondering how someone with that mindset could have his or her consciousness raised to realize that maybe the solution isn't a technical solution.
Shapiro: Yeah. So I think that lawyers and engineers are at root the same. We're both coders. Engineers are downcoders. Lawyers are upcoders. We're both trying to solve problems using instructions, and we hold ourselves to standards of rationality. Yeah. So that's what I would say.
Schneider: Well, that sounds good. Well, I should thank you. And I hope you have great success with this book because it certainly deserves to be read. That was Scott J. Shapiro speaking to us about his new book Fancy Bear Goes Phishing. I'm David Schneider, and I hope you'll join us next time on Fixing the Future.