The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age
Author Adam Segal dives into the political and technical details of nation-state cyber hacking, addressing complex issues in great detail with numerous references; however, detail does not lead to an enjoyable reading experience. The introduction to The Hacked World Order appears to be 40 pages of unedited notes.
Despite the detail, or maybe because of the detail, the question that Segal does not get around to answering is how to make sense of it all. There is too much going on, nationally and internationally, to make sense of cause and effect. Cyber-exploits are ephemeral tactics for a specific purpose (but for what purpose?) and are difficult to attribute (was it China or Russia posing as China, or someone else entirely?), while the inner workings of computers and networks are difficult to explain and difficult to understand.
Segal identifies the period of June 2012 to June 2013 as year zero in the battle for cyberspace; cyber attacks in that period were notable in two respects: their source and their sophistication. What made the attack Segal refers to, the U.S.-sponsored Stuxnet attack on Iran’s nuclear centrifuges, unique was that the attacker was a nation-state intent not on stealing data but on destroying equipment, and that the computers attacked were not on the Internet. This period also saw NSA contractor Edward Snowden’s revelations that the NSA spies on friends and enemies around the world, both in targeted attacks and in bulk vacuuming of data and metadata.
Segal claims the number one cyber threat to the U.S. is China, and that China’s hacking became so serious that in 2015 President Obama and China’s President Xi met to discuss cybersecurity at a summit in California. What did the two presidents say to each other on this (or any other) topic?
Note that The Hacked World Order was published before the detection of the break-in to the U.S. Democratic Congressional Campaign computer system attributed to Russia. Would Segal have changed China’s ranking as the number one cyber threat had The Hacked World Order been published later? President Obama just recently met Putin to talk about Syria. It has also been reported that they discussed cybersecurity. What did the two presidents say to each other on this (or any other) topic?
The most significant problem with the Internet is the problem of attribution, that is, the inability to determine with any level of confidence who anyone is on the Internet. This means, at meetings between Presidents Obama and Xi, or Obama and Putin, one president at some point must own up to sponsoring a cyber attack on another. You can easily imagine Xi saying, “Don’t look at me, it was Putin!” And Putin saying, “Don’t look at me, it was Xi!”
It’s not just major superpowers making cyber attacks. Segal lists cyber attacks between many smaller nation-states including Estonia, Georgia, and Syria. For example, Syrian hackers attacked NPR, BBC, The Washington Post, and The New York Times, at one point taking over the Twitter accounts of the Associated Press (AP), and sending a fake message about a bomb attack causing the stock market to plunge. The more interesting aspect may be that it does not cost much to conduct a successful cyber attack (while the cost of defense appears to be open-ended).
There is some belief that cyber attacks are no more than political games without significant consequence. When cyber espionage or a cyber attack is discovered and made public there might be (at most) a rebuke and international relations seemingly go on as before. The reason to consider it all a game is that nations expect advance warning of legal indictments, expect politeness in accusations, and expect to be told in private that they have been caught before any accusations are made public.
Given Segal’s accounting of hacking and counter hacking, there are a few useful impressions that can be wrested out of the rich material in understanding how governments express themselves in the void of international law. Where there are no consequences to actions, what goes on between nation-states with regard to cyber attacks seems to come down to no more than tit-for-tat; nations hacking each other in response to previous hacks—acting like immature kids. Perhaps diplomacy was always thus. On the world stage diplomats speak to each other politely, while behind the scenes the principal parties behave abysmally, as anarchists and nihilists.
The most interesting hacks reported are the ones that expose the corruption of nations’ leaders, and in response to these exposures, nations tend to respond with more restrictive laws on reporting. Adam Segal writes, “[the] concept of the role of the state echoes Thomas Hobbes whereby the state acts to defend and protect the national interest and, at times, violates individual rights, if necessary, for state preservation.” Segal was specifically referring to China, but to no surprise this applies equally well to all nations.
Segal notes that very little progress has been made on the legal front against nation-sponsored hacking. The lines between nuisance and attack, and between civilian and military, all presuppose attribution, that is, that enforcers of the law know who did the hacking. Not all is anarchy and nihilism—Segal points out the success of international law in addressing a limited set of problems. The Budapest Convention, which entered into force in 2004 and was ratified by the U.S. in 2006, contains international agreements on Intellectual Property (IP) theft and child pornography. One assumes that nation-states avoid sponsoring these kinds of crimes, making ratification that much easier.
How about laws within each nation-state, for the purpose of protecting their citizens from hacking? Internal to the U.S., the Department of Homeland Security (DHS) is responsible for the laws for cyber security; however, the DHS is beholden to the NSA, and the NSA spies on whomever it wants. The gist of Snowden’s revelations is that the NSA prefers our nation’s cyber security to be weak so it can continue to spy.
Segal provides a list of NSA’s anti-cyber-security successes, including hacking cryptographic software libraries to make random number generators weak and easier to crack, inserting backdoors into hardware and software of commercial networking equipment and commercial equipment manufacturers, and discovering and exploiting vulnerabilities without disclosure of those vulnerabilities to U.S. manufacturers. To add to the misery of the status quo, there is a philosophical incompatibility between spying and arresting. Segal claims that in 2010, the CIA (reported to be the NSA’s boss) and U.S. Cyber Command (the Department of Defense) were actively working against each other.
For the U.S. government to change its direction and actively defend civilian computer networks means, more or less, allowing the U.S. government to take control of civilian computers, an idea that has been raised with industry more than once, and to date appears to be politically (though not technically) unachievable.
As U.S. policy is inconsistent, assigning responsibility becomes a blame game. “Surely companies cannot expect the government to step in when they have not done the minimum themselves.” As for U.S. industries protecting their own computers and networks, most U.S. firms won’t pay for what appears to be a bottomless money pit. Effective, affordable security by companies doesn’t even matter, for in the end, “nation-states will always win against companies.”
Does cyber espionage actually matter to you and me, the little guys? Segal claims that spying has low impact on international politics as long as spying is not made public—public disclosure provokes distrust in our government (another sign that nations hacking nations is a game). Though in making this claim Segal has forgotten the economic cost of espionage that he earlier mentioned and continues to detail.
If you want to know the true impact of The Hacked World Order, Segal writes, “The clearest evidence of concern is to follow the money.” The reader learns that China is swapping out U.S. manufactured equipment for homegrown, which not only improves China’s security but also locks out U.S. manufacturers from Chinese markets.
As previously noted, cyber security appears to be a bottomless money pit. Segal notes that the U.S. Cyber Command received $120M in 2010, which increased to $509M in 2015—though their funding goes to military priorities first.
On the domestic side, DHS has been budgeted $750M in 2015 for cybersecurity operations—though their goals and priorities are not described here. JP Morgan Chase increased their cyber security funding to $250M in 2013 and said it would double this amount over the next five years. Cyber security related businesses received $1.75B in venture capital in 2014, and $1.2B in the first half of 2015. Worldwide spending on cyber security is expected to reach $75B in 2015.
Segal is not optimistic about the future: “Everybody is spying on everybody else. There is little cost and much to gain, and states will continue to conduct cyber espionage for a very long time.”