Like Virgil guiding Dante through the bowels of a medieval Renaissance Hell, Scott J. Shapiro steers readers of Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks through a modern one: the feral realm of cyberhacking. The book’s underworld might even be more dreadful than Dante’s—at least there a reader can feel the security of the great writer’s poetic control. Fancy Bear’s techno-torments are chaotic, often inscrutable, and, when illegal, frequently beyond the reach of retribution. But readers who persevere to the end of the book—this won’t always be easy—will walk away with enhanced insight into our disquieting digital environment.
In Fancy Bear’s introduction, Shapiro writes, “these five stories, all featuring elements of human interest, also illustrate my message precisely because they show that the most interesting questions posed by our roiling new [cyber]world have little or nothing to do with technology per se. . . . Hacking is about humans, and my aim is to approach it as such.” In this book Shapiro comes across as an intelligent scholar-reporter dedicated to helping his readers understand diverse forms of cyber subterfuge (he even has a sense of humor: “Mathematical details are in the endnote. You’re welcome.”). Fancy Bear sometimes seems as much an example of cyber mayhem as an examination of it. But reader, stick with Fancy Bear all the way through. It is, despite its flaws, a wise book.
The “five extraordinary hacks” mentioned in Fancy Bear’s subtitle comprise its structure. There’s a history of hacking, from the nerdy Robert Morris Jr. who might have invented the art in 1988, all the way to Fancy Bear—also known as APT 28, a group that has been linked to the Russian government—which intervened in the 2016 U.S. presidential race. There are also stories of the motley techniques (those wielded now and those yet to come) of cyberwar. The book—despite the author’s promise to explore the human element—is mostly told through its scrutiny of cybertechnology. And that, for me at least, was problematic.
Shapiro discusses the various tools hackers use: worms, viruses, vorms (worm-virus hybrids), and Distributed Denial of Service (DDoS) attacks. “In a DDoS,” he writes, “the attacker attempts to shut down a computer service by exhausting its resources—available bandwidth, network connections, memory, storage space, or its central processing units. To exhaust these resources, attackers typically use a ‘botnet,’ a collection of bots.” He also covers phishing (hence the book’s title), and more.
The author defines downcode (“technical computer code”), upcode (“the instructions we tap out”), and metacode (“fundamental principles that control all forms of computation”), and scrutinizes their moral implications. He explores the differences between code and data (code: “a set of instructions”; data: “opposite of code”) and how “[o]ne of the main techniques that hackers use is to manipulate the ambiguities between code and data.” Shapiro explicates the significance of computer operating systems like UNIX (built in 1971, it contained a “vast number of security holes”), Linux, and Windows. He considers them “beautiful” (to each his own) because “[t]he operating system plays the role of magician, security guard, and back office manager by acting as the intermediary between software and hardware.”
The book’s consideration of the nature and ploys of cyberwarfare is particularly intriguing. Shapiro believes that a full-scale cyberwar is unlikely to happen, at least not in the near future: “One reason we have not seen a large-scale cyberattack on the United States is that there isn’t anyone who can pull it off. But even if it were technically possible, it would not be in the attackers’ interest to do so. Any such strike would be catastrophic for the aggressor.” Also, “[b]ecause weak states tend not to launch devastating attacks on strong ones, we should not expect a cyber Armageddon anytime soon.” Feel better? Not so fast. A corollary, Shapiro maintains, is that “. . . while cyberweapons are rarely powerful enough to win a military engagement or hold territory, they are excellent tools of resistance. They are used by weak states to harass, slander, pilfer, and sabotage—and most important, covertly and deniably.”
I assume I’m the kind of reader the book is aimed at—a nonscientist interested in science and technology. But I had trouble, sometimes a lot of it, with Shapiro’s convoluted dives into technology. It’s ironic, and puzzling, because he is a good writer. So perhaps it’s just the nature of Fancy Bear’s subject. In any case, since you have already read some brief samples of the author’s forays into technology-clarification, I will only mention one other brief example to prove my point.
“Heuristics,” the author writes, “play an essential role in what psychologists call dual-process theories of thinking and choosing. According to dual-process theories, our cognitive life comprises two systems of mental upcode. The first one, which [psychologist Daniel] Kahneman calls System 1, is the fast system. It automatically and rapidly produces answers to a variety of questions, usually concerning beliefs that must be formed, and actions that must be performed immediately. The heuristics, which belong to System 1, work through substitution.” Heuristics, bless them; but I’m still clueless.
Shapiro, the director of Yale University’s Center for Law and Philosophy and the university’s Cybersecurity Lab, is also a professor of law and philosophy at Yale Law School. But here is why I really respect him: he is sensible. He offers his “three Ps,” methods that will somewhat thwart cybercrime: “pathways to cybercrime, payments for cybercrime, and penalties for vulnerable software.” And he complements those three Ps with some important admonitions: “[They] are not silver bullets that will solve our problem of cyber-insecurity, but they are more efficient than constant patch-and-pray, which has characterized our digital lives until now.”
“Cybersecurity is not a primarily technological problem that requires a primarily engineering solution. It is a human problem that requires an understanding of human behavior,” he continues, concluding that, “There is no such thing as ‘solving’ the ‘problem’ of cybersecurity.”
Shapiro optimistically opines that it is possible that cyber desperadoes (criminal hackers seem almost invariably male—I wish that the author had discussed this phenomenon more fully than he does) can, with the right strategies and teachers, become “white hats,” digital Good Samaritans. I’m not as sanguine—but I’m biased on the subject.
Having been the victim of ransomware some years ago and losing all my files when I refused to pay up, I have a visceral, ferocious hatred of “black hat” hackers and suspect that they are not reformable. But, I suppose, that’s irrelevant to my summing up: Shapiro is a trustworthy escort for the myriad people frazzled by the contemporary cyber labyrinth.