Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations
by Amy Zegart & Herbert Lin
"I chose it partly because it’s the most recent of the books. It’s a nice partner for the Kaplan book because it’s a more academic look at the different ways that states use cyber capabilities and the different angles for thinking about that. How do we use some of the ideas from the Cold War, like deterrence? Is this a useful or an applicable concept when we’re talking about cyber security? How do we think about attribution and saying who is responsible for a cyber attack? We’ve always known who the enemy is and who is behind attacks coming from nation states. What are some of the things that we have always been able to count on, that we can’t necessarily count on anymore? And what do we do about that? It’s a collection that really thoroughly investigates the many different ways that cyberpower has challenged existing ideas about statecraft and diplomacy and international relations. So this is a really interesting recent collection looking at questions about cyberwar. What is it we’re actually talking about and what are some of the instances where we see it concretely playing out? What does that look like? Because it’s so easy in this space to fall into vague, hyperbolic discussions. All of these books I like because they’re very focused on real examples and specific stories and they are not just fear-mongering. I guess Worm comes the closest but that’s mostly coming from a good place, of trying to impress upon people what the stakes are rather than, ‘the cyber-Armageddon is coming and none of us are ready.’ It talks a lot about Chinese espionage from the People’s Liberation Army unit 61398. They are a really interesting unit set up in about 2011 and very actively stealing corporate information on behalf of Chinese companies. They use US college campuses very effectively to exfiltrate information from companies. It’s totally fascinating. First of all, it lasts for so long. 
It goes on for years and years and years in the same US steel companies as well as Siemens Westinghouse. They’ve got access to every email and every server. They steal so much information and it’s so hard to understand what they do with it. The narrative of US-China cyber espionage in terms of popular discussion often centers on this idea of ‘they’re stealing intellectual property and ruining US companies.’ You steal the intellectual property and then you make the iPhone. But that’s not at all how it works. Instead it’s all about, ‘Do we know how they’re going to come into this trade negotiation? Can we use this information to our advantage at all?’ I don’t mean to dismiss the threat of economic espionage, it’s just that the actual arc of it is very slow and very complicated and very hard to pull out. It’s very hard to show that, ‘Well, you only did that because of this information you stole.’ In 2014, the US Department of Justice filed an indictment against five officers of the People’s Liberation Army. Firstly, it’s a weird thing to do—using our legal system to charge people who work for foreign governments for doing their jobs. They’re never going to turn those people over to stand trial, so it’s not a particularly productive use of the Department of Justice’s time. But also, they were only able to come up with one file that had been stolen that actually contained intellectual property. It was a plan for laying a pipe in a nuclear facility that was stolen from Westinghouse. That’s astonishing given the way we hear the US government talking about the threats from Huawei and from China. It’s hard to pinpoint a lot of actual examples of that. The motives stay the same. One of the reasons that the cyber security books I’m recommending are not all books that came out yesterday is that a lot of these stories have staying power. 
Kaplan’s history tells us a lot about how policy narratives and decisions about cyberpower are still being made in the same way that they were 20, 30 years ago. If you read Worm, a lot of the challenges they’re grappling with are challenges we’re still grappling with when we talk about emerging threats and internet of things bots. So this idea that there’s no value in studying these past incidents is really silly—because there’s so much that’s being used over and over and over again. Also, just because I’ve come up with a way to protect myself from something does not mean that everybody is using it. Almost certainly nobody’s using it and nobody’s planning to use it for the next ten years. This is the hardest category to define. I call it ‘revenge’ but it’s more of a chaos motivation. There are some people who just want to make a lot of trouble in a very public way. The incidents I talk about are a denial of service attack directed at an organization called Spamhaus, which is one of the leading anti-spam entities. The way they work is that they keep blacklists. So they say, ‘Here are servers that we know are sending a lot of spam, here are the content hosts that we know.’ The reason they do that is because there are a number of companies in the world for whom that’s their business model. It’s called bulletproof hosting: they host content and don’t look too closely. They then become a magnet for people who do a certain kind of thing that doesn’t allow for too much scrutiny. And if you blacklist those companies that provide the infrastructure to criminals, that’s much more efficient than just blacklisting each individual criminal. Because if my website, josephinecybercrimes.com gets blocked I can just buy a new website in five minutes and replace it. What you really want is to find who I’m buying my websites from and block them. 
So that’s what Spamhaus did and because they did that they managed to anger a lot of cyber criminals who weren’t able to use their infrastructure. So they launched a massive denial of service attack. I talk in the book about the ways that Spamhaus tries to protect itself. They rely very heavily on a company called Cloudflare. Also, I look at, ‘What is it that these guys are hoping to get out of this?’ Again, it’s this weird story where they’re not going to make any money. They’re certainly not stealing anything. They’re just really angry. They just really want to take down this organization that has caused so much trouble for them. In the book, I also talk about the Sony Pictures breach. That’s where we see North Korea go in and black out all the screens at Sony Pictures and put up an old skull and crossbones. Then they release a lot of their data in public data dumps. Again, it’s a weird one. The North Koreans are upset about this movie, The Interview (2014) where James Franco and Seth Rogen go to North Korea to assassinate Kim Jong-Il. And they just decide to cause a lot of headaches for Sony Pictures in a very public way. The other example I talk about is the Ashley Madison case. Ashley Madison was a website run out of Canada and was basically a dating website for people who were looking for extramarital affairs. There was a breach in 2015 where all of the information about their users was dumped publicly and caused a lot of problems for a lot of people. There were some suicides that were traced to it. There again you’ve got this challenge where, when there’s nothing that somebody stands to gain in these stories, how do you try to stop them from reaching their end goal? Those are really hard cases to defend against and find legal solutions for. In the Ashley Madison case, there was a class action lawsuit against the company brought by a lot of people. 
First of all the judge said, ‘Well, if you’re going to file a class action lawsuit, you all have to list all your names on it. You can’t do it as John or Jane Doe.’ Then there were a lot of questions about, ‘Well, what have you really lost here? You haven’t lost any money, you’ve just lost your dignity.’ The law doesn’t really allow for the fact that there are a lot of ways data can be stolen that can cost you a lot—even if it doesn’t cost you money in the most direct sense."
The Best Cyber Security Books · fivebooks.com