Bunkobons


Misha Glenny's Reading List

Misha Glenny is an expert on global organised crime and cyber security, as well as a former central Europe correspondent for the Guardian and the BBC. He has written a string of books on areas such as The Dark Market, McMafia, and How Hackers Are The New Mafia.


Cybersecurity (2011)

Scraped from fivebooks.com (2011-08-26).


Richard A Clarke and Robert Knake
"There is an element in this book of getting caught up in “cybergeddon”, as I like to call it. They get obsessed by the idea that everything is going to collapse, that there is going to be some major attack – the digital Pearl Harbor that Bill Clinton first mentioned. It’s perfectly true that in the past 12 months we have seen an acceleration of offensive capabilities that is clearly aimed at the destruction of industrial infrastructural processes. The emergence of the Stuxnet virus showed that in particular. But a book like Cyber War , while not complete fantasy, overstates the case. It runs the risk of saying that everything is completely hopeless and there’s nothing we can do about it. “The United States has the most advanced offensive cyber capability in the world, and it uses it” What’s good about it is that it is the articulation of the nightmare scenario that if we just sit back, and if we don’t pour huge amounts of resources into cyber defensive and offensive capability, then an effective cyber attack will be able to bring a society as networked as the United States down to a stone age level in about 10 days. There are lots of dramatic scenarios. Because Dick Clarke served successive presidents as a terrorism expert, he is very good at detailing what it’s like in the situation room when a cyber attack gets going. So it’s racily written, and it outlines what will happen if we don’t take measures to defend ourselves very quickly. I don’t subscribe, however, to its assumption that we live in an entirely anarchic world, in which everyone is interested in bringing down everyone else. In particular, Dick Clarke alludes to the threat from China. But I think everyone who sees the Chinese-American relationship as a hostile one tends to forget that the two countries are entirely dependent on each other in economic terms. If the Chinese were to bring down the Americans, they would find very quickly that bankruptcy and much worse fates await them. 
And vice versa – the US is completely dependent on China. So there’s an absence of political perspective in the book. Nonetheless, it is a very good detection of just how serious the threat might be, if things were to deteriorate politically. And it is easy to read as well. The cyber command was set up in the wake of a couple of things. One was the Titan Rain attacks, a series of attacks in 2003 – by China, it was thought – on strategic US institutions, including national security institutions. The other was the massive DDoS assault on Estonia. A DDoS [Distributed Denial of Service] is the most basic tool of cyber warfare, whereby you corral tens of thousands of computers using viruses and then use that computing power to attack a particular website. The sheer volume of traffic will bring the server crashing down, so a DDoS will render a website unusable. In the spring of 2007, when there was tension between Estonia and Russia – although the Russian government said that it had no involvement in this – there was an absolutely huge and coordinated series of DDoS attacks on the Estonian Internet, focusing particularly on government, banks and the media. Once this happened, two things occurred inside the Pentagon. One was that they gave NATO the green light to fund a centre of excellence that deals with cyber warfare in Tallinn, the Estonian capital. And the other was to start discussions as to the establishment of a cyber command. This was officially launched in October 2010, and it means that we now have five military domains. Along with land, sea, air and space, we now have cyber, which is the fifth military domain and the first man-made military domain. 
The commander, a four-star general called Keith Alexander, is also – not coincidentally – the boss of the NSA, which is the biggest digital intelligence agency in the world, in fact probably the single most powerful espionage agency in history. And now that cyber is regarded as a military domain it has all sorts of implications for what the Pentagon can and can’t do. The model is also being followed in several countries. Britain is preparing to establish a cyber command. The Chinese already have a huge section of the PLA working on this. Russia’s capacity is invested first and foremost in the FSB [its security and intelligence agency], but the military also has significant cyber capacity. The primary function is to defend your networks from attack. But the problem is whether that only means networks which have the suffix .mil, or whether it also means defending networks which are part of its critical national infrastructure. Should that be under military command or civilian command? All this is being thrashed out in a very worthy, acrimonious and so far utterly inconclusive debate in wonk centres all over the world. It’s the beginning of a head-wrenchingly difficult discussion. Again occasioned by the interconnectedness of the web."
Jonathan Zittrain
"This is a book I would recommend everyone to read. Jonathan Zittrain is a professor at Harvard, formerly at Oxford, and a very brilliant theoretician of the Internet. His essential thesis is that whilst the absence of design in how the Internet proliferated is part of its wonderment and all the things that it has enabled, if you were to look at it now you would design it in an entirely different way. He says that the absence of design is one of the reasons why security is such an important issue, and also such a difficult issue to get your head round and do anything about. “The NSA is the biggest digital intelligence agency in the world, and probably the single most powerful espionage agency in history” Zittrain is in some respects a Renaissance figure, in the sense that he understands both the technology and the social and political implications of the technology. This is a first class introduction for anyone who uses the Internet as to why it’s worth their while thinking about the Internet and the implications of the web. As a starting place, I really can’t recommend it highly enough. There are a variety of problems. One of the biggest, which there is no stopping at all, is that our desire for convenience consistently overrides our need for personal security, even institutional security. So we’re always ready to welcome and celebrate technological innovation, without necessarily working out what the implications are. To give one example which I think is very telling, there was a British bank which I investigated for my last book, McMafia . They had a very tight digital barrier around them, and they thought they were entirely invulnerable. But a hacker found a vulnerability in a chocolate dispensing machine that they had in the building. Like everything else it had its own IP address, and they had forgotten to put it on the automated patching updates system. And so a British bank was penetrated through a chocolate vending machine. 
With the proliferation of mobile devices this is going to become a big headache. Now if you are on Apple, you immediately reduce your vulnerability by about 90%, because 95% of network systems run on Windows so virus makers just don’t bother to do it on Apple. I’m not advertising Apple – I have no pecuniary interest in this – but that is the quickest way to dramatically reduce your security risk. The other reason why Apple is relatively secure is because their applications on the iPhone are screened. So you cannot get any Tom, Dick and Harry putting an application out there for anyone to download. What Apple is creating is effectively a controlled system, where Steve Jobs and his team are the arbitrators of taste, and of what is permissible and what is not. For example, no pornographic apps are allowed on the iPhone. Now, if you don’t have a pressing need to look at pornography on your iPhone through apps, that’s absolutely fine. If you do have a pressing need, you’re going to have to get an Android. But if you do, then your vulnerability to viruses – particularly if you’re downloading pornography – is massively increased. As was ever thus!"
Evgeny Morozov
"Yes it is. The Net Delusion is a very important corrective to what I refer to as the “Kumbaya ideology” of the Internet – that somehow the Internet is going to solve all our problems, in particular in democratisation. By that account, you could talk about the Blackberry messaging system that was of huge benefit to the demographic will expressed in the burning buildings in Tottenham, Enfield and Liverpool this month. The reason why India and the United Arab Emirates are so keen on having a Blackberry server inside their countries is that they don’t want people’s emails to be immune from being read. But the real fear of the UAE is not that they can’t monitor their own citizens but that the Americans, with privileged access to RIM servers [Research in Motion, Blackberry’s developer], can. Now, I don’t think any country is likely to allow complete freedom on the Internet. My main thesis is that we’re seeing the emergence of a large number of intranets – national intranets which are defined in their own way, rather in the way that national law defines freedom of the press or otherwise. That’s now happening digitally with the Internet as well. Evgeny points out how the hope and optimism of the Internet led people to make irrational and nonsensical analyses of what was actually going on in the world. Of course, Evgeny knew all about this because he comes from Belarus. He picked up very quickly on how Lukashenko was able to monitor what was going on in the opposition in Belarus, simply by looking at people’s Facebook pages or the equivalent thereof. This book was a very important corrective, which was then pooh-poohed because of the Arab Spring, and in particular what happened in Egypt. But I think this in itself needs to be understood. The point about the Arab regimes, and Egypt in particular, is that although they absorbed information from the Internet they had a very weak Internet monitoring team. 
And because Egypt was a gerontocracy, they had not really understood the implications of how dangerous the Internet could be unless you take it under your own control. So Egypt actually confirmed what Evgeny was saying, which is that regimes – dictatorships in particular although it’s also very relevant to democracies – are deciding how much control they want over the web. My feeling is that ever more governments will be seduced in their desire – either in the name of political control or in the name of intellectual property rights – to basically seize ever greater parts of the Internet, and to monitor it in a more effective fashion. We’ve certainly been seeing that quite dramatically over the last couple of years. Not entirely. In Egypt, control and monitoring of the Internet, and understanding of what the implications of the Internet are, were at a relatively low level. And so people were able to exploit Twitter and so on, in order to promote a successful revolution. The same was true in Tunisia as well. Having said that, networking has not had a role at all in Libya, or a very limited role relative to Egypt and Tunisia. Then there are places like China, where it’s all rather a grey area. If on the one hand you pronounce from Beijing that anti-corruption strategies are a great thing, then you mustn’t be too surprised when citizens use the Internet in order to highlight local corruption. This will create a dilemma. With each scandal that emerges in China – as the derailed high-speed train in Wenzhou demonstrated – even while the government says “there will be no more writing about this incident”, they have not successfully stopped it. As I understand it there are lively discussions on the blogs. What is interesting is that it’s not just a full-blown “we will control the Internet”. There is an ambiguity as to what’s happening in China which is very interesting."
Joseph Menn
"This was really the first serious book about cyber crime that was written by someone who could write – Joseph Menn, who was the technology correspondent at the FT. What he does, quite sensibly, for much of the book is write not about computers but about the characters and the detective work behind a couple of crimes. Fatal System Error is a very readable book, and it demonstrates that if a crime takes place on the web, if you’re the victim all you know is that someone has stolen your ID or your credit card details or whatever, and nothing else. This gives you a profound feeling of powerlessness, which I think is very interesting, and is one of the things I try and explore in Dark Market . What Joseph has done, which I think is very important, is begin to show how the real world interacts with cyber when it comes to crime. And just how complex and developing the relationships are between cyber and traditional organised crime, which is beginning to get in on the cyber action, because they realise that it’s a hugely reduced risk from a lot of their other activities. But the hackers who have the technical ability to do this are a very different type. They do not fall into types recognised by classical criminology. They tend to be very young when they get started – aged between 12 and 15 – and they become involved incrementally in crime. Sometimes they don’t understand the moral implications of what they’re doing at all, because they get involved in it before their moral compass is anywhere like fully formed. “Hackers do not fall into types recognised by classical criminology. They tend to be very young when they get started – aged between 12 and 15” They are also quite vulnerable personalities. Hackers tend to conform to certain personality types. They often find the formation of relationships in real life difficult, and often look for some form of affirmation. Menn writes very well about this interaction between the real and the virtual world."
Kevin Poulsen
"This is taken a step further in Kevin Poulsen’s book. Kingpin deals with an extraordinary guy called “Iceman”, whose real name is Max Butler, although he then changed it to Max Bishop. In the late 1990s, Butler was a really exceptional, legal, so-called penetration tester. Companies would pay him to try to attack their systems, to see where the vulnerabilities in the system lay. He worked voluntarily with the FBI as well. But he had some of the obsessive characteristics that most hackers demonstrate. One of those, which is very common, is that all times of day and night they are obsessively trying to crack into network systems. They do this rather like you or I might turn on the telly. Butler managed to penetrate almost all US government networks, including a lot of military networks and nuclear research facilities. And essentially he saved the US from huge embarrassment by patching up this vulnerability. But he left himself a little hole in the system, through which he could crawl and no-one else. This was spotted by an eagle-eyed investigator from the air force, who had responsibility for cyber at the time, in 1999. Butler went to jail for two years as a consequence. He shouldn’t have, in my opinion, but he did. He went to an open prison, and almost everyone else was there for financial fraud. They spotted that he was a hacker, and recruited him there in prison. When he came out, just as he was one of those brilliant people working legally in the security system, he became probably the smartest hacker involved in criminal activity out there. A really incredible operation, the whole thing. He made millions of pounds, not for himself but for his employers, before he was eventually busted. Kevin Poulsen, who is the editor of Wired! magazine’s security section, is himself a convicted felon. So for him, Iceman – as he was called when he was doing his hacker work – was a hero. And this is written very sympathetically, about Iceman and his life. 
I have met Butler, I’ve interviewed him at length, and I think he’s a very decent guy. I don’t think he should be spending the next 13 years in prison, which he will be. As the issue of cybersecurity becomes ever more complex and important, we need help from people like him, we do not need to be throwing them into jail. In some way, these last two books are a more constructive way of looking at malfeasance on the web. Actually, the people involved in crime and hacking of various types have real abilities and skills. So it’s food for thought, and I hope that in Dark Market I was able to contribute a bit more towards that. Well, buy a Mac is the first thing! Secondly, if you prefer or happen to be on Windows, you have to make sure that you keep your anti-virus software up to date, and try to look for the best anti-virus products as well. Personally I was running two or three anti-virus ones on Windows. Encrypt your data wherever you can, which is legal to do [in Britain]. That’s very important. And take great care about opening emails, because that is the most common form of penetration of your computer, when you open an email that has an attachment. You very quickly learn whether something is from a friend or not because of the language used. About once a week I have to write to a friend saying, “I just received an email from you making it perfectly clear that your computer has been compromised. You have to scrub it, reformat it and completely reload your system. Either that or find someone who can get rid of the virus.”"
