Not all important subjects make good reading, but cyber security is an exception: not only do we all need to know about and take responsibility for it, but it also generates nonfiction books worthy of John le Carré. Cyber security and policy expert Josephine Wolff, author of You'll See This Message When It Is Too Late, recommends the best cyber security books.
You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches by Josephine Wolff
Cyber security sounds like it’s just about remembering to install your antivirus software, but when I got into some of these cyber security books, I found it’s really exciting to read about: there are crimes being committed, there’s detective work, and there are a lot of goodies and baddies. Can you start by giving a general introduction to what cyber security is all about for you?
My cyber security book, You’ll See This Message When It Is Too Late, is about a series of nine incidents. It’s really focused on the question of what happens after they hit the headlines and disappear from view. If you take the year (or two, or even three) after a cyber security breach occurs, what’s the fallout? What are the long-term lessons that we take away from these incidents and are they the right lessons? Where do they come from? Who’s bearing the costs? Do they change behaviour?
I do this by looking at three financially-motivated incidents, three espionage incidents and a set of three ‘revenge’ incidents, as I call them, in which the perpetrators aren’t trying to get money or secrets—they’re really just trying to take out some frustration on their target.
One of the big problems that I identified and looked at from the lens of these different types of cyber security incidents is that the liability regimes are really, really poorly defined. We don’t have good ways of dealing with who we think is responsible for what, in this space. And because we don’t have good legal and policy structures, there’s a lot of leeway for all of the companies and government agencies involved to pass the buck and to say, ‘This is not our problem, it’s someone else’s.’ I would say there is even fear that if they step up and take any responsibility—or do anything in the name of security—then all of a sudden, they’ve somehow assumed that mantle and become the entities who are responsible for it moving forward.
Related is the question of what happens to the individuals affected by these incidents. How much protection do they have from the fallout? There’s a really sad set of stories around people who try to use the law to file class action lawsuits and the like. There just aren’t good legal tools for dealing with these kinds of incidents, because there aren’t good legal frameworks for saying, ‘Your privacy has been breached; your data has been stolen; you deserve some kind of protection or compensation for that.’ It’s just viewed as, ‘So you lost your data, so what? Come back when you’ve had a lot of money stolen.’
One of the interesting things that came out of reading your own cyber security book is that we tend to think it’s all about finding more effective technical tools for preventing hacking. In fact, it may be more to do with public policy and other non-technical issues.
That’s a big part of what I focus on in my cyber security book. On the one hand, it’s true that there are sometimes very new and sophisticated and complicated technical ways of breaking into systems. A lot of people in academia do research on that and how we can fix it. On the other hand, if you look at, for example, the Verizon Data Breach Investigations Report, they point out that 98-99% of the incidents they track could have been prevented using the controls that they already have. It’s just that people weren’t using them. A lot of my work is really focused on these questions: Why aren’t we using the technology we have any better? Why is it so hard, even once we have figured out certain ways of protecting ourselves, to actually get that implemented, and implemented correctly?
And is it partly the result of that blame game, where nobody wants to take responsibility?
It’s about who has the incentives to invest in security. One of the fascinating things about talking to people at companies that think about cyber security—which is a lot of companies now—is that everybody is trying to do some kind of cost-benefit analysis. They say, ‘How much money would we lose if all of our customer data was stolen? Let’s invest up to that amount in the security.’ The problem is that, first of all, those numbers are all wishy-washy because nobody really knows how much any of this data is worth.
Secondly, it’s a very problematic way of thinking about it, because if your data is stolen from a company, the person who stands to lose the most is you. And you’re not deciding how much is invested in securing that data, the company is. That externality creates a very twisted set of incentives for investing in security.
Who were you trying to convince with your cyber security book? Who needs to know? Is it the general public?
I would, of course, always love the general public to be interested in these topics and read my cyber security book! But I’d also like to engage a policymaking audience. There are a lot of people in a lot of governments all over the world right now who feel they should be doing more on cyber security. That can take a lot of different forms. In the EU, they’ve got the General Data Protection Regulation (GDPR) and in the US we have a whole bunch of security legislation being proposed. A lot of it focuses on these small, important but fairly short-lived technical fixes.
What I’m really interested in is shifting the focus to thinking about where the liability regimes can help align incentives, so that people who are in a position to do really good defensive work actually have incentives to do that work without narrowing in and saying, ‘Here’s this one stakeholder who’s responsible for all the security everywhere.’ That’s a very misguided way of thinking about the Internet; it’s always been a very interconnected setup.
Let’s start talking through the cyber security books you’ve recommended. First on the list, I’ve got Spam Nation by Brian Krebs, which is a very fun book.
He’s fun to read, isn’t he? Brian Krebs is a great reporter in this space.
Why did you choose Spam Nation as a good book to read on cyber security? I mean, he feels strongly that everybody should understand these issues.
There are a couple things I love about Brian Krebs. One is that he’s really good at creating these characters—especially some of the cyber criminals who he knows better than anyone—and drawing out who they are, and what they want, and all of their infighting.
Yes, because in the book, he complains that one of the cyber criminals kept calling him and he was having to spend hours on the phone with him.
Brian Krebs is really more deeply reported on financial cyber criminals than almost anybody in the world. The other thing that I really admire—and try to imitate in my own cyber security book, especially in the financial section—is that he’s really smart about the ways in which money drives a lot of these crimes. He’s really interested in the perspective of, ‘Who is making money from these crimes, and how much money?’
I’m perhaps more interested in how you disincentivize this kind of crime by making it less profitable, but in order to come up with policy proposals for that, you have to understand where these profits are coming from. That’s one of the things that Spam Nation illuminates more clearly than almost anything I’ve ever read—how these structures are set up, how well organized they are and how much infrastructure there is underlying these groups.
He’s also a great writer. He’s really good at creating a narrative structure. He draws you in and makes you want to find out what’s going to happen to all of these people.
And he spins himself very much as the hero of the tale, doing what he can to fight the evil of spam.
We’re perhaps all a little bit susceptible to that . . .
I found the book fascinating because I’ve always been wondering a) who sends all these Viagra messages and b) who’s responding to them. He also goes around interviewing people who have responded to these spam emails.
He’s very smart about how these business models work and what’s required from people on all sides. Who’s initiating this? How many people do they need to respond in order to pay off their expenses? Who are the people who are getting involved, and why?
Interestingly, he also goes into the money mule space and understands who the people are who get recruited peripherally to receive the financial transfers. All of that is such a key piece of trying to understand how we could do a better job of making policy to make it harder to do this.
I think that’s something you touch on in your cyber security book as well—that Visa and Mastercard and the credit cards that people use are key to the system’s functioning, and that if you can shut down a few payment providers, you can shut down a lot of activity.
Visa and Mastercard have a lot of power to decide that they’re not going to settle transactions with, say, one bank in Azerbaijan that is behind more than 90% of all commercial spam transactions. Those kinds of ideas are very powerful because they allow governments to make laws that govern entities they can actually control. Whereas the laws that we see being made in the US and the UK say things like, ‘It’s illegal to use computers to steal money.’ That’s all well and good, but as Krebs points out, if everyone doing this and enjoying the fruits of their crimes is living in Russia, those laws aren’t going to get us very far.
The next of the cyber security books on your list is Countdown to Zero Day by journalist Kim Zetter. The Washington Post review says that the author manages to turn “a complicated and technical cyberstory into an engrossing whodunit.” That sounds very promising.
Countdown to Zero Day is Kim Zetter’s book about Stuxnet, which is the virus that the United States and Israel designed to speed up the centrifuges in an Iranian uranium enrichment facility. It’s a really fascinating book because Stuxnet was one of the first examples of a piece of malware that had very concrete physical ramifications. There are test tubes breaking because the centrifuges are speeding up, and on top of that, it overrode the controls in place to warn that was happening. So, nobody who was monitoring was even aware until suddenly there were all these broken test tubes.
As a book, Countdown to Zero Day is a stunning example of a case study, of really diving into a cyber security incident. She takes on very technical material—getting into malware and the question of how these SCADA machines work and how this piece of software compromises them—but then also brings in this really rich and complicated geopolitical conflict that this is happening as a part of.
I also like this book because Stuxnet is a case that stands alone. In my cyber security book, I group the cases I write about according to motivation. Stuxnet doesn’t have any peers, because it’s so unlike anything we’ve seen before or since. She does a great job of drawing out all of the ways this is something a little new and a little different.
It’s really richly reported and a fascinating narrative story that draws people into the idea that cyber security is, as you said at the beginning, not just about your antivirus program and annoying warnings on your computer, but actually about how countries and governments make decisions and use force against each other—and what that might look like in the future.
Looking forward, do you think we’ll see more of those kinds of incidents?
In a weird way, I hope so. When I look at the Stuxnet story, I think, ‘Here’s a way that two governments in conflict were able to attack each other in a totally nonviolent way.’ If you think of the other ways we’ve thought about dealing with (or even dealt with) other countries’ nuclear programmes in the past—by dropping bombs on uranium enrichment plants—this, to me, seems an example of something very targeted. It was designed to do one very specific operation with fairly little collateral damage. It does end up infecting a lot of other machines, but it doesn’t do a lot to them.
Stuxnet wasn’t perhaps quite as contained as we might have liked, and there are lots of things about it that are complicated and ethically fraught, but, to me, the model is one that I could see a lot of countries wanting to pursue, including the US. Instead of launching a very ostentatious public and potentially violent conflict you use computers to try and sabotage some very particular piece of an adversary’s infrastructure. Of course, if you shut down a country’s power grid, there would be more collateral damage, but I thought Stuxnet was a fairly well done operation in that regard. So, yes, I think we’re probably already seeing more of it and I would expect that to continue.
Have people tried to sabotage North Korean infrastructure?
It’s a little harder in North Korea because there’s much less internet infrastructure. What we have seen—and I write about this a little bit in the Sony Pictures case study—is the US basically cutting off North Korea’s access to the outside internet. If you wanted to cut the US off from the internet that would be very hard, because there are a lot of undersea cables and interconnection points. But for North Korea, it’s not hard to do because they only get access through a couple of points in China. You only have to cut off three access points and we have seen that done. I don’t know beyond that if there’s been a lot of deliberate sabotage of the North Korean infrastructure, not to my knowledge, but there could be lots of things going on I don’t know about.
Until I started reading this book I didn’t realize that Stuxnet was the work of the US government. I guess I presumed it was some hackers.
One of the things that’s interesting about Stuxnet is, on the one hand, they never officially acknowledged it. On the other hand, it’s very clear that they want credit for it, so they’re very deliberately leaking, ‘this was us and we want everyone to know we have this capability.’
The next book you’ve chosen is Worm by Mark Bowden. I’ve read some of his other books—Killing Pablo and Black Hawk Down—but I hadn’t read this one. Tell me what it’s about and why it’s on your list of good cyber security books.
Worm is about the Conficker worm, which was one of the earlier very, very effective pieces of malware used to build an enormous bot. Mark Bowden goes in and looks at who the people are trying to stop it. And perhaps partly because of the other stories he’s written, it’s very much an action adventure/good guys and bad guys/race to the end of the world setup. Again, it’s an example of framing a narrative around one very particular piece of malware that affects many people and homing in on its impact and how it affects individual people in their day-to-day lives.
One of the things I really took away from Worm is there were a lot of very smart people putting a lot of time and energy into dealing with it and it just kept evading them. It’s one of the first books that gave me a feel for, ‘Oh, this is what it means when they say attacking is easier than defending.’ The defensive efforts were well-coordinated and reasonably well resourced, but Conficker was very hard to get a handle on.
Also, I write about attacks from the angle of, ‘What is it the attacker wants to get? Is it money? Is it espionage?’ Conficker is an example of how hard it is to try and combat a piece of malware when you don’t know what the person behind it wants.
We still don’t know?
We still don’t really have any sense of who was behind it, or what was being built. That makes it a big challenge to defend against—it really restricts us to very technical means. It’s also scary. Part of the suspense build-up of the book is, ‘Who’s doing this? Why? To what end?’
There doesn’t even necessarily have to be a particular motivation. One of the things that people who build large botnets do sometimes is rent out their botnets and say, ‘Would you like to launch an attack? You can rent my botnet by the hour.’ So, there are many possible explanations for what’s going on. The story shows how hard it is to attack cybercrime in the abstract.
How does Conficker affect us now?
It’s mostly died down and been replaced by other types of bots. Today it’s not in the top 10-20 things you need to be worried about. But part of what is interesting about that story, and is true of a lot of the threats today, is that they’re coming through our own individual devices. When I talk about cyber security with my parents—who are not interested in the field at all—one of the things they often say is, ‘I’ve nothing worth stealing.’ Every time we talk my mother says to me, ‘Who cares if they can read my email?’ One of the points that it’s hard to make but worth trying to get across is that a lot of this is not about your personal security. Just because you feel there’s nothing on your laptop worth protecting doesn’t mean that your laptop can’t be harnessed to do really dangerous and evil things to other people. Worm makes that point really gracefully and says, ‘Look. Whether or not you care that your machines are compromised, if you’re not willing to take on the responsibility of doing some basic security hygiene they can be used in some really scary ways.’
Why are bots so scary? What are they exactly?
Bots are just groups of compromised machines that are all controlled by the same remote server. So if I want to do almost anything—send phishing emails to millions of people, steal money, mine cryptocurrency, conduct espionage through hotpoints—it helps to have control of a lot of computers that I don’t own. That’s because my computers can probably be traced back to me or to where I live. Bots are just a way of controlling computers you don’t own and having a lot of processing power that you can use.
We see it in espionage. If I’m stealing secrets from the UK government, if I’m working for the Chinese military, I probably don’t want to do it from a computer in Chinese military headquarters, because that’s probably going to alert the intrusion system. On the other hand, if I’ve compromised a bunch of computers at Oxford University, Oxford University has interactions with the UK government all the time. So you route your stolen data through Oxford University and it doesn’t raise any red flags. And then from Oxford you take it back to China or wherever else. We see universities playing this role a lot, because they often have more open networks, they often clamp down less on security than corporate or government networks. It’s a big thing at all universities, people’s computers getting compromised and being used as hotpoints for attackers.
I should add about Worm by Mark Bowden that it’s very much aimed at a popular audience in the sense of, he starts by explaining what the internet is. He’ll tell you the difference between a worm and a virus and other things you may have heard about but don’t know exactly what they are or how they work.
Krebs and Zetter are both very technical journalists. They’ve worked in the space a long time. Mark Bowden is interesting because he’s somebody who writes about all sorts of things, but then decided to write this book about computer security. Because of that, I think he has a very good ear for what people might want to have explained to them that people who are steeped in technical backgrounds might not think to define.
I suppose the internet of things also proliferates the number of devices people have that can be used in these bots?
Yes, absolutely. When we think about what we’re most scared of today and in the future just the fact that there are so many more devices online means that there’s more potential for bigger and bigger bots.
The other piece of that is cleaning these devices. Once you create a bot, if I want to shut it down, ideally I have to wipe all those devices—which requires sending a lot of notifications and updates that everybody ignores. But hard as it is to get you to update your phone or your laptop, it’s so much harder to get you to update your wireless router or your security camera or anything that doesn’t have a screen or keyboard and the user interface that we’re accustomed to. That’s been a big, big challenge around the internet of things devices. You’re not going to bother changing the default password on your light bulbs because what do you care and who’s ever going to want to infect your light bulbs? And then they could all be harnessed really quickly because they all have the same password.
So the last two of your cyber security books focus on warfare. Let’s start with Dark Territory: The Secret History of Cyber War. Do you want to tell me what it’s about?
This book is by Fred Kaplan and it’s a historical study of the ways that governments—and in particular the US government—have tried to think about and use cyberpower for state-to-state conflict. He looks at what the origins of that were in the 1980s and how it has evolved over the past 30 or so years.
Again, he comes at it not from the technical world, but as someone who’s interested in how governments adapt to new threats and incorporate new types of power into their arsenals. He does a really thorough reporting job, talking to people who have been involved in this all along the way and looking at the ways they were influenced. He talks about WarGames, the 1983 movie starring Matthew Broderick, and how influential that was in shaping the government’s ideas about cyber power.
I think it’s so important—especially for people who work on the technical side of these things—to understand the ways in which policymakers’ ideas about technology and cyber security get shaped. It’s so easy to rail about how nobody understands computers, and how if only Ronald Reagan had understood this or that.
But the reality is that there are a lot of people making policy for whom these technologies are very foreign and very unfamiliar. They don’t know a lot about how they work. It is both important to understand the history of how we got to where we are and also understand that this is still true moving forward. We have a Supreme Court in the United States with a lot of people who did not grow up with these technologies and still are not necessarily comfortable using them. That comes through when they ask questions in cases related to technology and it comes through when they make rulings about these technologies.
So I like that historical perspective on how we got to where we are now. What is it that’s going through the heads of the people in government who are making these decisions? And whether or not it’s always absolutely factually accurate or technically sophisticated, understanding those forces is really important and really interesting.
So in terms of warfare and the bigger picture, if almost everything is controlled by computers, the idea is that if you can control computers you can control the world?
That philosophy has clearly influenced a lot of really powerful people when they approach this domain. What was most interesting for me about the book was how people in power think about computers: what they think the risks are and what they think the opportunities are for using them. That tone is set, to a large degree, by the people who run governments. If you look at administration changes in the US there are people who are very cautious and think this could be very risky. Their approach to computers and cyberpower is very different from people who come in and say, ‘This is how you win in the 21st century!’
I think I saw an endorsement on the back of the book from John le Carré, so I expect it’s also a good cyber security read.
All of these books are written by people with a strong sense of narrative, which is one of the reasons that I admire them. A lot of books about cyber security are structured as, ‘here’s the section on passwords and here’s the section on viruses.’ All of these are authors who really get that if you want to draw people in and make them interested in this you have to be telling stories and stories with real characters and real stakes.
So we’re now on the last of your recommended cyber security books, again focusing on cyber warfare. This is an edited volume called Bytes, Bombs, and Spies by Herbert Lin and Amy Zegart, which is a bit more academic. Why did you choose it and what kind of issues is it addressing?
I chose it partly because it’s the most recent of the books. It’s a nice partner for the Kaplan book because it’s a more academic look at the different ways that states use cyber capabilities and the different angles for thinking about that. How do we use some of the ideas from the Cold War, like deterrence? Is this a useful or an applicable concept when we’re talking about cyber security? How do we think about attribution and saying who is responsible for a cyber attack? We’ve always known who the enemy is and who is behind attacks coming from nation states. What are some of the things that we have always been able to count on, that we can’t necessarily count on anymore? And what do we do about that?
It’s a collection that really thoroughly investigates the many different ways that cyberpower has challenged existing ideas about statecraft and diplomacy and international relations. So this is a really interesting recent collection looking at questions about cyberwar. What is it we’re actually talking about and what are some of the instances where we see it concretely playing out? What does that look like? Because it’s so easy in this space to fall into vague, hyperbolic discussions.
All of these books I like because they’re very focused on real examples and specific stories and they are not just fear-mongering. I guess Worm comes the closest but that’s mostly coming from a good place, of trying to impress upon people what the stakes are rather than, ‘the cyber-Armageddon is coming and none of us are ready.’
Beyond Stuxnet, can you give me another good example of cyberwarfare from the book?
They are a really interesting unit set up in about 2011 and very actively stealing corporate information on behalf of Chinese companies. They use US college campuses very effectively to exfiltrate information from companies. It’s totally fascinating. First of all, it lasts for so long. It goes on for years and years and years in the same US steel companies as well as Siemens Westinghouse. They’ve got access to every email and every server. They steal so much information and it’s so hard to understand what they do with it.
The narrative of US-China cyber espionage in terms of popular discussion often centers on this idea of ‘they’re stealing intellectual property and ruining US companies.’ You steal the intellectual property and then you make the iPhone. But that’s not at all how it works. Instead it’s all about, ‘Do we know how they’re going to come into this trade negotiation? Can we use this information to our advantage at all?’ I don’t mean to dismiss the threat of economic espionage, it’s just that the actual arc of it is very slow and very complicated and very hard to pull out. It’s very hard to show that, ‘Well, you only did that because of this information you stole.’
In 2014, the US Department of Justice filed an indictment against five officers of the People’s Liberation Army. Firstly, it’s a weird thing to do—using our legal system to charge people who work for foreign governments for doing their jobs. They’re never going to turn those people over to stand trial, so it’s not a particularly productive use of the Department of Justice’s time. But also, they were only able to come up with one file that had been stolen that actually contained intellectual property. It was a plan for laying a pipe in a nuclear facility that was stolen from Westinghouse. That’s astonishing given the way we hear the US government talking about the threats from Huawei and from China. It’s hard to pinpoint a lot of actual examples of that.
We all have this idea that cyber security is a fast moving field, that things are changing all the time and it’s hard to keep up. But a really interesting point you make in your own book, You’ll See This Message When It Is Too Late, which focuses on incidents between 2005 and 2015, is that a lot of things—like the motives behind cybercrime—don’t really change at all.
The motives stay the same. One of the reasons that the cyber security books I’m recommending are not all books that came out yesterday is that a lot of these stories have staying power. Kaplan’s history tells us a lot about how policy narratives and decisions about cyberpower are still being made in the same way that they were 20, 30 years ago. If you read Worm, a lot of the challenges they’re grappling with are challenges we’re still grappling with when we talk about emerging threats and internet of things bots. So this idea that there’s no value in studying these past incidents is really silly—because there’s so much that’s being used over and over and over again.
Also, just because I’ve come up with a way to protect myself from something does not mean that everybody is using it. Almost certainly nobody’s using it and nobody’s planning to use it for the next ten years.
In terms of the three motivations that you go through in your cyber security book, we’ve talked about financial gain, we’ve talked about the state actors. Can you end by telling us a bit more about revenge?
This is the hardest category to define. I call it ‘revenge’ but it’s more of a chaos motivation. There are some people who just want to make a lot of trouble in a very public way. The incidents I talk about are a denial of service attack directed at an organization called Spamhaus, which is one of the leading anti-spam entities. The way they work is that they keep blacklists. So they say, ‘Here are servers that we know are sending a lot of spam, here are the content hosts that we know.’ The reason they do that is because there are a number of companies in the world for whom that’s their business model. It’s called bulletproof hosting: they host content and don’t look too closely. They then become a magnet for people who do a certain kind of thing that doesn’t allow for too much scrutiny.
And if you blacklist those companies that provide the infrastructure to criminals, that’s much more efficient than just blacklisting each individual criminal. Because if my website, josephinecybercrimes.com gets blocked I can just buy a new website in five minutes and replace it. What you really want is to find who I’m buying my websites from and block them. So that’s what Spamhaus did and because they did that they managed to anger a lot of cyber criminals who weren’t able to use their infrastructure. So they launched a massive denial of service attack. I talk in the book about the ways that Spamhaus tries to protect itself. They rely very heavily on a company called Cloudflare.
Also, I look at, ‘What is it that these guys are hoping to get out of this?’ Again, it’s this weird story where they’re not going to make any money. They’re certainly not stealing anything. They’re just really angry. They just really want to take down this organization that has caused so much trouble for them.
In the book, I also talk about the Sony Pictures breach. That’s where we see North Korea go in and black out all the screens at Sony Pictures and put up an old skull and crossbones. Then they release a lot of their data in public data dumps. Again, it’s a weird one. The North Koreans are upset about this movie, The Interview (2014) where James Franco and Seth Rogen go to North Korea to assassinate Kim Jong-Il. And they just decide to cause a lot of headaches for Sony Pictures in a very public way.
The other example I talk about is the Ashley Madison case. Ashley Madison was a website run out of Canada and was basically a dating website for people who were looking for extramarital affairs. There was a breach in 2015 where all of the information about their users was dumped publicly and caused a lot of problems for a lot of people. There were some suicides that were traced to it.
There again you’ve got this challenge where, when there’s nothing that somebody stands to gain in these stories, how do you try to stop them from reaching their end goal? Those are really hard cases to defend against and find legal solutions for. In the Ashley Madison case, there was a class action lawsuit against the company brought by a lot of people. First of all the judge said, ‘Well, if you’re going to file a class action lawsuit, you all have to list all your names on it. You can’t do it as John or Jane Doe.’ Then there were a lot of questions about, ‘Well, what have you really lost here? You haven’t lost any money, you’ve just lost your dignity.’ The law doesn’t really allow for the fact that there are a lot of ways data can be stolen that can cost you a lot—even if it doesn’t cost you money in the most direct sense.
May 6, 2019