There's an unseen, mostly unacknowledged cyber war going on. The author of Dark Market tells us who's involved, how far it spreads and what could happen if we let it continue unchecked
What is the most useful catch-all term for the sometimes ill-defined and often ill-understood issues we will be discussing today? I think it has to go under the rubric of cyber security. This is, unsurprisingly, a very young area of study. The very interconnectedness of the web creates problems for cyber security, because the various types of malfeasance on the web are interconnected in ways which are not obvious but very important. There are three basic types of malfeasance online. The first pillar is cyber crime, the most obvious of which is mass credit card fraud – credit card details stolen digitally. But cyber crime goes up to much higher endings than that, in which larger sums of money are stolen and much more sophisticated hacking work is required. The second pillar is cyber industrial espionage, which is a good third of the bad stuff on the web but about which you will read virtually nothing. This is espionage perpetrated by firms who are trying to find out what their competitors’ latest design is or what their figures are. The reason why no one ever hears about it is that the companies which are victims of it – which is basically every company in the world – don’t like to advertise it, because it can have an immediate impact on their share price. They’re even reluctant to tell the police or any state authorities, although you are beginning to see legislation being introduced compelling companies to report cyber industrial espionage. And the third pillar is cyber warfare, which is the state to state stuff. By cyber warfare we don’t mean conventional warfare enhanced by robotics or computers. We don’t mean battlefield robots. We don’t mean drones being driven over the Pakistan-Afghanistan border by a computer in Nevada. We do, however, mean someone managing to hack into the Pentagon systems controlling those drones, and sending them to fly over Moscow instead of north-western Peshawar. You have defensive cyber warfare – protecting your network systems – and offensive cyber warfare, which is penetrating the network systems of actual and potential opponents and then using that penetration to your advantage. In the horror scenarios, you turn off the air-traffic control system or the electricity system, and the sky falls on our heads. So those are the three pillars. They’re usually controlled and managed by identifiable people. Cyber criminals and law enforcement in the first case; private sector and big security corporations in the second; and the military and cyber commands in the third. But then you have two sets of actors who migrate between these three areas. One is the hackers themselves – you need very specialised knowledge in order to do advanced hacking on the sort of scale that would make a significant impact – and the other is intelligence agents. Intelligence agents have to go backwards and forwards to see what is going on. For example, if Google is attacked by addresses in China, then the NSA [US National Security Agency] will want to know whether that is Baidu [a Chinese internet company] or the PLA [the Chinese army] organising that. So you have three defined areas, but they are tangled up in an impenetrable ball. Even if you’re an advanced hacker or intelligence agent, migrating between these three areas is like playing seven-dimensional chess, and you’re never sure who you’re actually talking to. Is it helpful to think of cyber war in the terms of conventional war, only in a different domain? Or you’ve called it a “cold war of the web”. There is a fundamental difference between warfare in cyberspace and conventional warfare. The cold war aspect is more on the espionage end of cyber warfare. Let us look at the cold war itself. The US and its allies were able to count the Russian warheads, they knew the delivery systems, their capabilities, distance and range, and they knew exactly where they were. And the Russians knew exactly the same about the Americans, the French and the British. That made deterrence a real possibility. If you can come to an agreement that you won’t have first use, and you both share information about where your missiles are and what they can do, it means that the possibility of deterrence – even if it doesn’t work – is there. The problem with cyber is that your assets are not the weapons that you control. Your assets are the vulnerabilities of your actual and potential enemies. In order to know your enemies’ vulnerabilities you have to find out where they are, and once you have got hold of them you cannot afford to let go. That means that long before we get to anything that might be identified as actual conflict, cyber warfare requires each side to establish themselves within the network systems of their potential opponents. And so deterrence is a very difficult thing to organise, because nobody wants to or can admit to penetrating the vulnerabilities of their opponents’ systems. The importance of espionage within the framework of cyber war is absolutely immense. The Americans talk a lot about Chinese offensive capability, but let us not forget that the United States has the most advanced offensive cyber capability in the world, and it uses it – it just doesn’t advertise the fact. China has complained of being hit by thousands of cyber attacks from the US. It is absolutely axiomatic that that is going on. If the United States were not probing the network systems of China, then it would be a dereliction of duty. Everyone has to be doing this, everyone is doing this, and even if they say that they’re not doing this, they are. Who are the main players in this cold war? The US is out there as number one, followed by China and Russia, very closely followed by Israel, which punches way above its weight. Then you have France, Britain and Germany coming up, and India and Brazil as well. So with the exception of Israel, it’s a relatively predictable hierarchy in terms of their offensive and defensive capabilities.
Let’s talk about your first selection, Cyber War by Richard A Clarke and Robert Knake. There is an element in this book of getting caught up in “cybergeddon”, as I like to call it. They get obsessed by the idea that everything is going to collapse, that there is going to be some major attack – the digital Pearl Harbor that Bill Clinton first mentioned. It’s perfectly true that in the past 12 months we have seen an acceleration of offensive capabilities that is clearly aimed at the destruction of industrial infrastructural processes. The emergence of the Stuxnet virus showed that in particular. But a book like Cyber War, while not complete fantasy, overstates the case. It runs the risk of saying that everything is completely hopeless and there’s nothing we can do about it. What’s good about it is that it is the articulation of the nightmare scenario that if we just sit back, and if we don’t pour huge amounts of resources into cyber defensive and offensive capability, then an effective cyber attack will be able to bring a society as networked as the United States down to a stone age level in about 10 days. There are lots of dramatic scenarios. Because Dick Clarke served successive presidents as a terrorism expert, he is very good at detailing what it’s like in the situation room when a cyber attack gets going. So it’s racily written, and it outlines what will happen if we don’t take measures to defend ourselves very quickly. I don’t subscribe, however, to its assumption that we live in an entirely anarchic world, in which everyone is interested in bringing down everyone else. In particular, Dick Clarke alludes to the threat from China. But I think everyone who sees the Chinese-American relationship as a hostile one tends to forget that the two countries are entirely dependent on each other in economic terms. If the Chinese were to bring down the Americans, they would find very quickly that bankruptcy and much worse fates await them. And vice versa – the US is completely dependent on China. So there’s an absence of political perspective in the book. Nonetheless, it is a very good detection of just how serious the threat might be, if things were to deteriorate politically. And it is easy to read as well. The US established a cyber command not long ago. What exactly is that? The cyber command was set up in the wake of a couple of things. One was theTitan Rain attacks, a series of attacks in 2003 – by China it was thought – on strategic US institutions, including national security institutions. The other was the massive DDoS assault on Estonia. A DDoS [Distributed Denial of Service] is the most basic tool of cyber warfare, whereby you corral tens of thousands of computers using viruses and then use that computing power to attack a particular website. The sheer volume of traffic will bring the server crashing down, so a DDoS will render a website unusable. In the spring of 2007, when there was tension between Estonia and Russia – although the Russian government said that it had no involvement in this – there was an absolutely huge and coordinated series of DDoS attacks on the Estonian Internet, focusing particularly on government, banks and the media. Once this happened, two things occurred inside the Pentagon. One was that they gave NATO the green light to fund a centre of excellence that deals with cyber warfare in Tallinn, the Estonian capital. And the other was to start discussions as to the establishment of a cyber command. This was officially launched in October 2010, and it means that we now have five military domains. Along with land, sea, air and space, we how have cyber, which is the fifth military domain and the first man-made military domain. The commander, a four-star general called Keith Alexander, is also – not coincidentally – the boss of the NSA, which is the biggest digital intelligence agency in the world, in fact probably the single most powerful espionage agency in history. And now that cyber is regarded as a military domain it has all sorts of implications for what the Pentagon can and can’t do. The model is also being followed in several countries. Britain is preparing to establish a cyber command. The Chinese already have a huge section of the PLA working on this. Russia’s capacity is invested first and foremost in the FSB [its security and intelligence agency], but the military also has significant cyber capacity. So is this what every government should be doing to protect its interests? The primary function is to defend your networks from attack. But the problem is whether that only means networks which have the suffix .mil, or whether it also means defending networks which are part of its critical national infrastructure. Should that be under military command or civilian command? All this is being thrashed out in a very worthy, acrimonious and so far utterly inconclusive debate in wonk centres all over the world. It’s the beginning of a head-wrenchingly difficult discussion. Again occasioned by the interconnectedness of the web.
The Future of the Internet and How to Stop It. This is a book I would recommend everyone to read. Jonathan Zittrain is a professor at Harvard, formerly at Oxford, and a very brilliant theoretician of the Internet. His essential thesis is that whilst the absence of design in how the Internet proliferated is part of its wonderment and all the things that it has enabled, if you were to look at it now you would design it in an entirely different way. He says that the absence of design is one of the reasons why security is such an important issue, and also such a difficult issue to get your head round and do anything about. Zittrain is in some respects a Renaissance figure, in the sense that he understands both the technology and the social and political implications of the technology. This is a first class introduction for anyone who uses the Internet as to why it’s worth their while thinking about the Internet and the implications of the web. As a starting place I really can’t recommend it highly enough. How do we stop the future of the Internet? There are a variety of problems. One of the biggest, which there is no stopping at all, is that our desire for convenience consistently overrides our need for personal security, even institutional security. So we’re always ready to welcome and celebrate technological innovation, without necessarily working out what the implications are. To give one example which I think is very telling, there was a British bank which I investigated for my last book, McMafia. They had a very tight digital barrier around them, and they thought they were entirely invulnerable. But a hacker found a vulnerability in a chocolate dispensing machine that they had in the building. Like everything else it had its own IP address, and they had forgotten to put it on the automated patching updates system. And so a British bank was penetrated through a chocolate vending machine. With the proliferation of mobile devices this is going to become a big headache. Now if you are on Apple, you immediately reduce your vulnerability by about 90%, because 95% of network systems run on Windows so virus makers just don’t bother to do it on Apple. I’m not advertising Apple – I have no pecuniary interest in this – but that is the quickest way to dramatically reduce your security risk. The other reason why Apple is relatively secure is because their applications on the iPhone are screened. So you cannot get any Tom, Dick and Harry putting an application out there for anyone to download. What Apple is creating is effectively a controlled system, where Steve Jobs and his team are the arbitrators of taste, and of what is permissible and what is not. For example, no pornographic apps are allowed on the iPhone. Now, if you don’t have a pressing need to look at pornography on your iPhone through apps, that’s absolutely fine. If you do have a pressing need, you’re going to have to get an Android. But if you do, then your vulnerability to viruses – particularly if you’re downloading pornography – is massively increased. So chocolate and pornography are the temptations that will bring everything crashing down. As was ever thus!
I saw Jonathan Zittrain in a debate arguing against the motion that the Internet is a force for democratisation. This is perhaps a good segue to Evgeny Morozov’s book The Net Delusion. Yes it is. The Net Delusion is a very important corrective to what I refer to as the “Kumbaya ideology” of the Internet – that somehow the Internet is going to solve all our problems, in particular in democratisation. By that account, you could talk about the Blackberry messaging system that was of huge benefit to the demographic will expressed in the burning buildings in Tottenham, Enfield and Liverpool this month. The reason why India and the United Arab Emirates are so keen on having a Blackberry server inside their countries is that they don’t want people’s emails to be immune from being read. But the real fear of the UAE is not that they can't monitor their own citizens but that the Americans, with privileged access to RIM servers [Research in Motion, Blackberry's developer], can. Now, I don’t think any country is likely to allow complete freedom on the Internet. My main thesis is that we’re seeing the emergence of a large number of intranets – national intranets which are defined in their own way, rather in the way that national law defines freedom of the press or otherwise. That’s now happening digitally with the Internet as well. Evgeny points out how the hope and optimism of the Internet led people to make irrational and nonsensical analyses of what was actually going on in the world. Of course, Evgeny knew all about this because he comes from Belarus. He picked up very quickly on how Lukashenko was able to monitor what was going on in the opposition in Belarus, simply by looking at people’s Facebook pages or the equivalent thereof. This book was a very important corrective, which was then pooh-poohed because of the Arab Spring, and in particular what happened in Egypt. But I think this in itself needs to be understood. The point about the Arab regimes, and Egypt in particular, is that although they absorbed information from the Internet they had a very weak Internet monitoring team. And because Egypt was a gerontocracy, they had not really understood the implications of how dangerous the Internet could be unless you take it under your own control. So Egypt actually confirmed what Evgeny was saying, which is that regimes – dictatorships in particular although it’s also very relevant to democracies – are deciding how much control they want over the web. My feeling is that ever more governments will be seduced in their desire – either in the name of political control or in the name of intellectual property rights – to basically seize ever greater parts of the Internet, and to monitor it in a more effective fashion. We’ve certainly been seeing that quite dramatically over the last couple of years. So do we have to entirely burst the bubble of the idea of revolutions spurred on by the Internet? Not entirely. In Egypt, control and monitoring of the Internet, and understanding of what the implications of the Internet are, were at a relatively low level. And so people were able to exploit Twitter and so on, in order to promote a successful revolution. The same was true in Tunisia as well. Having said that, networking has not had a role at all in Libya, or a very limited role relative to Egypt and Tunisia. Then there are places like China, where it’s all rather a grey area. If on the one hand you pronounce from Beijing that anti-corruption strategies are a great thing, then you mustn’t be too surprised when citizens use the Internet in order to highlight local corruption. This will create a dilemma. With each scandal that emerges in China – as the derailed high-speed train in Wenzhou demonstrated – even while the government says “there will be no more writing about this incident”, they have not successfully stopped it. As I understand it there are lively discussions on the blogs. What is interesting is that it’s not just a full-blown “we will control the Internet”. There is an ambiguity as to what’s happening in China which is very interesting.
Let’s move onto cyber crime with your final two book selections. First, Fatal System Error. This was really the first serious book about cyber crime that was written by someone who could write – Joseph Menn, who was the technology correspondent at the FT. What he does, quite sensibly, for much of the book is write not about computers but about the characters and the detective work behind a couple of crimes. Fatal System Error is a very readable book, and it demonstrates that if a crime takes place on the web, if you’re the victim all you know is that someone has stolen your ID or your credit card details or whatever, and nothing else. This gives you a profound feeling of powerlessness, which I think is very interesting, and is one of the things I try and explore inDark Market. What Joseph has done, which I think is very important, is begin to show how the real world interacts with cyber when it comes to crime. And just how complex and developing the relationships are between cyber and traditional organised crime, which is beginning to get in on the cyber action, because they realise that it’s a hugely reduced risk from a lot of their other activities. But the hackers who have the technical ability to do this are a very different type. They do not fall into types recognised by classical criminology. They tend to be very young when they get started – aged between 12 and 15 – and they become involved incrementally in crime. Sometimes they don’t understand the moral implications of what they’re doing at all, because they get involved in it before their moral compass is anywhere like fully formed. They are also quite vulnerable personalities. Hackers tend to conform to certain personality types. They often find the formation of relationships in real life difficult, and often look for some form of affirmation. Menn writes very well about this interaction between the real and the virtual world.
Next is Kingpin. This is taken a step further in Kevin Poulsen’s book. Kingpin deals with an extraordinary guy called “Iceman”, whose real name is Max Butler, although he then changed it to Max Bishop. In the late 1990s, Butler was a really exceptional, legal, so-called penetration tester. Companies would pay him to try to attack their systems, to see where the vulnerabilities in the system lay. He worked voluntarily with the FBI as well. But he had some of the obsessive characteristics that most hackers demonstrate. One of those, which is very common, is that all times of day and night they are obsessively trying to crack into network systems. They do this rather like you or I might turn on the telly. Butler managed to penetrate almost all US government networks, including a lot of military networks and nuclear research facilities. And essentially he saved the US from huge embarrassment by patching up this vulnerability. But he left himself a little hole in the system, through which he could crawl and no-one else. This was spotted by an eagle-eyed investigator from the air force, who had responsibility for cyber at the time, in 1999. Butler went to jail for two years as a consequence. He shouldn’t have, in my opinion, but he did. He went to an open prison, and almost everyone else was there for financial fraud. They spotted that he was a hacker, and recruited him there in prison. When he came out, just as he was one of those brilliant people working legally in the security system, he became probably the smartest hacker involved in criminal activity out there. A really incredible operation, the whole thing. He made millions of pounds, not for himself but for his employers, before he was eventually busted. Kevin Poulsen, who is the editor of Wired! magazine’s security section, is himself a convicted felon. So for him, Iceman – as he was called when he was doing his hacker work – was a hero. And this is written very sympathetically, about Iceman and his life. I have met Butler, I’ve interviewed him at length, and I think he’s a very decent guy. I don’t think he should be spending the next 13 years in prison, which he will be. As the issue of cyber security becomes ever more complex and important, we need help from people like him, we do not need to be throwing them into jail. In some way, these last two books are a more constructive way of looking at malfeasance on the web. Actually, the people involved in crime and hacking of various types have real abilities and skills. So it’s food for thought, and I hope that in Dark Market I was able to contribute a bit more towards that. Finally, besides buying a Mac, what should individuals do to be safer? Well, buy a Mac is the first thing! Secondly, if you prefer or happen to be on Windows, you have to make sure that you keep your anti-virus software up to date, and try to look for the best anti-virus products as well. Personally I was running two or three anti-virus ones on Windows. Encrypt your data wherever you can, which is legal to do [in Britain]. That’s very important. And take great care about opening emails, because that is the most common form of penetration of your computer, when you open an email that has an attachment. You very quickly learn whether something is from a friend or not because of the language used. About once a week I have to write to a friend saying, “I just received an email from you making it perfectly clear that your computer has been compromised. You have to scrub it, reformat it and completely reload your system. Either that or find someone who can get rid of the virus.”