At 4am on 22nd March 2016, a groggy Billy Rinehart opened his laptop in a Honolulu hotel room and made quite possibly the biggest mistake of his life. Google had just sent him a message claiming that somebody had found out his password, detailing the time of the infringement, the IP address of the perpetrator and their purportedly Ukrainian location. “You should change your password immediately,” said the email, providing him with a link that, once he clicked on it, took Rinehart to a Gmail password-reset page.
But it wasn’t a reset page. The message was really from Fancy Bear, nickname for the computer hacking unit of the Glavnoye Razvedyvatelnoye Upravlenie (GRU), Russia’s military intelligence agency, the same outfit responsible for the Salisbury Novichok attack on Yulia and Sergei Skripal in 2018. Rinehart filled in his password, got dressed and went to work at the local Democratic party headquarters—unaware that he had been phished or, as Scott Shapiro terms it in his new book, “mudged” (that is, maliciously nudged) by Russians bent on derailing Hillary Clinton’s presidential campaign.
Vladimir Putin despised Clinton, argues Shapiro, not least because she had backed tougher sanctions against Russia after the annexation of Crimea, as well as denouncing his support for Syrian dictator Bashar al-Assad. Having the more biddable Donald Trump in the White House would, of course, suit the Kremlin better.
Rinehart wasn’t the only Democratic staffer hacked by Fancy Bear that spring. John Podesta, chairman of Hillary for America, received a similar spear-phishing email (spear phishing is when an individual is targeted, as opposed to mass phishing, which, as Shapiro puts it, focuses on “the small number of highly gullible chumps willing to invest in get-rich-quick schemes”). Sensibly, Podesta showed it to his cybersecurity guy, Charles Delavan, who, less sensibly, pronounced it “legitimate”.
Delavan later told the New York Times he meant to type “illegitimate” rather than “legitimate”. We’ve all made such cyber-booboos, I guess, but rarely with such deleterious consequences. By the end of April, Fancy Bear had 50,000 of Clinton’s and other leading Democrats’ emails. Hillary for America was a soft target, not requiring from its members the multi-factor authentication techniques that are nearly ubiquitous today.
In the seven years since this hack, phishing and ransomware attacks have become more frequent and more sophisticated, targeting organisations all over the world. Over Christmas last year, for instance, the Guardian was subject to a phishing attack involving third-party access to part of its network. That attack got my attention because, as a former employee, I worried whether my bank details and National Insurance number would be seized by cyber criminals and exploited to plunder my (thankfully negligible) fortune. Suddenly, the abstruse mathematics of code-based hackery seemed profoundly personal, fully justifying Shapiro’s repurposing of a remark, widely attributed to Leon Trotsky, about war: “You may not be interested in hacking, but hacking is interested in you.”
Unlike such ransomware attacks, the Hillary hack was, though criminal, politically motivated. A Transylvanian sock puppet account called Guccifer 2.0—whose predecessor, Guccifer 1.0, had been responsible for a 2013 hack that exposed how Hillary had routed government emails through her private email server—was privately messaged on Twitter by Julian Assange of WikiLeaks. “We think trump has only a 25 percent chance of winning against hillary,” wrote Assange in that message, “so conflict between bernie and hillary would be interesting.”
Guccifer 2.0 (really a GRU operative) provided the goods: the most damaging scoop it got on Hillary’s campaign was an email from the Democratic National Convention chief finance officer looking to smear Hillary’s rival for the presidential nomination, Bernie Sanders, for his atheism. After WikiLeaks released that smear, Trump gleefully tweeted: “Leaked e-mails of DNC show plans to destroy Bernie Sanders. Mock his heritage… really vicious. RIGGED.”
This isn’t the first or last tale in Shapiro’s gripping, entertaining, yet intellectually rigorous history of hacking. But there is a common thread to the most technically ingenious takedowns that he details: they were mostly performed by socially awkward, vitamin D- and sex-deprived teenage boys (no female hacker makes it into Shapiro’s narrative). In 2005, 16-year-old Cameron Lacroix revealed nude photos hacked from Paris Hilton’s mobile phone because he wanted to be famous. In 2014, Paras Jha created a botnet that got him out of a calculus exam and went on to disrupt Minecraft games worldwide and nearly crash the internet. Dark Avenger (not their real name) was a bored Bulgarian computer whizz who nearly terminated the antivirus industry by creating a self-replicating virus engine in order to impress his crush. I can almost hear her enraptured response: “You broke computing for me? Soooo sweeeet!” In 2017, 19-year-old David Colombo hacked Tesla’s third-party software, enabling him to control car door locks and lights—though not (at least, not yet) Tesla’s driving features.
I’m still not quite sure how We-Vibe, the world’s first smart dildo, billed as allowing users to remotely “turn on your lover” via a Bluetooth connection, was hacked in 2016. But I’m certain that the two New Zealanders going by the handles “goldfisk” and “follower” did the world a favour by demonstrating how to take control of the We-Vibe 4 Plus remotely and activate it. The following year, manufacturers Standard Innovation settled a class-action lawsuit that resulted from the hack, paying $3.75m after allegations that they had violated users’ privacy by recording information gathered through the We-Vibe app.
Nobody is safe from hackers. Even Shapiro, a professor of philosophy and law at Yale who literally teaches a course on cybersecurity, is not immune: a malware attack on the publishers Macmillan halted this book’s production. In 2020, an estimated 18,000 customers of the Texan software firm SolarWinds were prompted to update their software: “This release includes bug fixes, increased stability and performance improvements”. In fact, this “update” inserted malicious code that enabled hackers (again thought to be Russian) to not just capture private data but also alter it. Among those conned was the Cybersecurity and Infrastructure Security Agency, or CISA—the office at the Department of Homeland Security whose job, ironically enough, is to protect federal computer networks from cyberattacks.
The following year, again in Texas, the Colonial Pipeline paid a ransom of 75 bitcoin, or $4.4m, to hackers after suffering a ransomware attack on their pipeline system carrying gasoline and jet fuel. The firm shut down those pipelines to limit the fallout from the attack—which was reportedly made possible by the breaching of an employee’s personal password, likely found on the dark web—and created fuel shortages and spiking gas prices in the process. The moral? Nowadays, you don’t actually need to blow up a pipeline if you want to get Big Oil’s attention.
What can be done? Shapiro estimates that 3.5m cybersecurity jobs are yet to be filled, and that existing professionals in this field are often underpaid and overworked, while suffering from depression, anxiety and substance abuse. “If we are to remain vigilant in the face of these new twenty-first-century threats,” he writes, “we need to address the yawning gap between supply and demand.” The questionable word there is “remain”: cybersecurity is not at all fit for purpose.
Shapiro’s story begins in 1988—an innocent time before social media and hackable dildos—when Robert Morris, a young PhD student in computer science at Cornell, remotely logged into a computer at MIT’s artificial intelligence lab, to which he transferred three files, thereby creating a computer worm that spread through networks across the world, wrongfooting cyber-gatekeepers at Nasa, UC Berkeley and the US Air Force, among others, costing thousands of dollars. American courts were uncertain how to punish him for this fascinating new crime. Eventually, he was fined $10,000 and required to do 400 hours of community service, though his father, Robert Senior, a mathematical cryptographer at the National Computer Security Center of the NSA, couldn’t help thinking that his son was something of a chip off the old block.
In the decades since, the rapid expansion and commercialisation of the online world, with negligible user safeguards, has provided fertile ground for hacktivism and cybercriminality. Shapiro is especially withering about Microsoft. Before it launched such software as Windows, Outlook and Word, the infectiousness of viruses was limited by what could be shared across the so-called “sneakernet” (the use of physical media, such as floppy discs, to infect computers). But as that software was launched and connected to the internet, the means of infection were expanded massively.
In 1999, for example, the virus “Melissa”—named, with the infantile heteronormativity you’d associate with this cyber milieu, after a Florida stripper—was triggered when people opened a Word document and then automatically spread to other computers through Outlook. The problem was that Microsoft was hurrying to bring new products to market before attending properly to security: Word, Outlook and Windows had no antivirus screening. The result? An estimated 1m computers were infected, with costs to businesses of $80m.
Shapiro writes always entertainingly and often considerately, putting cyber-rubes like me on a steep learning curve as he patiently explains not just such murky terms as “ransomware”, “DDoS”, “click fraud”, “fuzzing” and “kill chains”, but also the relevance of Alan Turing’s distinctions between code and data to the rise of hacking. It’s a fascinating narrative with elegant digressions into philosophy, psychology and geopolitics.
On the last of these, you might be wondering why Russia is so often behind cyberattacks. Shapiro’s theory is that power is relational: Russia is geopolitically weaker than the US, with a trifling economy smaller than New York’s, but is geopolitically stronger than Ukraine. That’s why the Kremlin limits itself to “cyber-dependent conflict when quarrelling with a nuclear superpower, but uses bombs, tanks, and bullets against its more vulnerable neighbor”.
But there is a twist to that tale. Last year, the hacktivist group Cyber Partisans encrypted the servers of the Belarussian railway system, which the Russian army had been using to transport troops to the front, thereby hobbling Putin’s war effort. Nobody is safe from hackers, not even some of the worst perpetrators.
Perhaps it all comes down to one of the key distinctions that Shapiro makes in the book, between “downcode” and “upcode”: the former is what clever computer whizzes create; the latter is the political, social and other arrangements that humans set up. If we attend too much to the problems of downcode, we miss the weakest link in the system: us.
Fancy Bear’s hack of the Clinton campaign was not so much technically ingenious as it was psychologically astute. As Shapiro notes, it relied on the human tendency to make irrational choices. It exploited weaknesses in upcode rather than downcode. We are not, as the Israeli psychologists Daniel Kahneman and Amos Tversky have been telling us for years, rational in our choices, certainly not as rational as economists have supposed. Rather, human nature is governed by non-rational heuristics. Fancy Bear made the email look like a Google email. Rinehart should have responded not by clicking on the dodgy link that it contained, but by opening a separate browser window and (safely) changing his password through that. Yet he clicked on that link in part, Shapiro contends, because of the all-too-human attribute of loss aversion—we just don’t want to use up our time and effort.
That psychological truth about human irrationality certainly resonates for me. In similar circumstances, Fancy Bear could have hacked me just as easily as it did poor Rinehart. I am gullible, lazy and eager to add no more bureaucracy to a life that’s mired in it. Hence the lure of the shortcut that lays you open to having your data or bank accounts plundered by Putin’s lackeys or their non-Russian homologues.
But here’s what makes Fancy Bear Goes Phishing more disturbing than perhaps even Shapiro recognises: many of the most dreary time-sucks are those set up precisely to protect us from hackers. I suspect I’m not alone in finding the growing everyday burden around cyber security—things such as multi-factor authentication—eye-shuttingly tedious. The money I lost (albeit temporarily) during the Guardian ransomware attack should have made me more attuned to the risks of an always-online world. But it probably didn’t: I am weak and easily suckered.
What I want is for someone else to take responsibility for all this hard, boring work. Can’t some geek ring-fence me from Fancy Bear while I chillax? That’s why the notion of solutionism—the idea that hacking is a technical problem to which there is a technical solution—is so popular. As Shapiro points out, solutionism is typified by the 2012 Wired magazine headline, “Africa? There’s an App for that.” And as he also points out: no, there isn’t. Solutionism is a false promise. It’s irrational, in the case of hacking, to imagine that there is a technical solution to a human problem.
Shapiro’s right, no doubt. But if solutionism is a delusion, and people like me are irrational and lazy, we are simply ripe for the taking. Even though we were warned. Even though we now know, all too well, that hackers all over the world are devising ingenious new ways to monetise our all too human failings.
None of this is reassuring. Rather, it suggests that, so long as humans use computers, hacking will never be eradicated.
Clarification, 21st July 2023: The review originally stated that "an estimated 18,000 customers of the Texan software firm SolarWinds were duped by a pop-up window to update their software...". This has since been changed to: "an estimated 18,000 customers of the Texan software firm SolarWinds were prompted to update their software...".