Is Cybersecurity An Unsolvable Problem?

cover art
Farrar, Straus and Giroux

In November 1988, a graduate student at Cornell University named Robert Morris, Jr. inadvertently sparked a national crisis by unleashing a self-replicating computer worm on a VAX 11/750 computer in the Massachusetts Institute of Technology’s Artificial Intelligence Lab. Morris had no malicious intent; it was merely a scientific experiment to see how many computers he could infect. But he made a grievous error, setting his reinfection rate much too high. The worm spread so rapidly that it brought down the entire computer network at Cornell University, crippled those at several other universities, and even infiltrated the computers at Los Alamos and Livermore National Laboratories.

Making matters worse, his father was a computer scientist and cryptographer who was the chief scientist at the National Security Agency’s National Computer Security Center. Even though it was unintentional and witnesses testified that Morris didn’t have “a fraudulent or dishonest bone in his body,” he was convicted of felonious computer fraud. The judge was merciful during sentencing. Rather than 15–20 years in prison, Morris got three years of probation with community service and had to pay a $10,000 fine. He went on to found Y Combinator with his longtime friend Paul Graham, among other accomplishments.

The “Morris Worm” is just one of five hacking cases that Scott Shapiro highlights in his new book, Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks. Shapiro is a legal philosopher at Yale University, but as a child, his mathematician father—who worked at Bell Labs—sparked an interest in computing by bringing home various components, like microchips, resistors, diodes, LEDs, and breadboards. Their father/son outings included annual attendance at the Institute of Electrical and Electronics Engineers convention in New York City. Then, a classmate in Shapiro’s high school biology class introduced him to programming on the school’s TRS-80, and Shapiro was hooked. He moved on to working on an Apple II and majored in computer science in college but lost interest afterward and went to law school instead.

With his Yale colleague Oona Hathaway, Shapiro co-authored a book called The Internationalists: How a Radical Plan to Outlaw War Remade the World, a sweeping historical analysis of the laws of war that spans from Hugo Grotius, the early 17th century father of international law, all the way to 2014. That experience raised numerous questions about the future of warfare—namely, cyberwar and whether the same “rules” would apply. The topic seemed like a natural choice for his next book, particularly given Shapiro’s background in computer science and coding.

Despite that background, “I honestly had no idea what to say about it,” Shapiro told Ars. “I just found it all extremely confusing.” He was then asked to co-teach a special course, “The Law and Technology of Cyber Conflict,” with Hathaway and Yale’s computer science department. But the equal mix of law students and computer science students trying to learn about two very different highly technical fields proved to be a challenging combination. “It was the worst class I’ve ever taught in my career,” said Shapiro. “At any given time, half the class was bored and the other half was confused. I learned nothing from it, and nor did any of the students.”

That experience goaded Shapiro to spend the next few years trying to crack that particular nut. He brushed up on C, x86 assembly code, and Linux and immersed himself in the history of hacking, achieving his first hack at the age of 52. But he also approached the issue from his field of expertise. “I’m a philosopher, so I like to go to first principles,” he said. “But computer science is only a century old, and hacking, or cybersecurity, is maybe a few decades old. It’s a very young field, and part of the problem is that people haven’t thought it through from first principles.” The result was Fancy Bear Goes Phishing.

The book is a lively, engaging read filled with fascinating stories and colorful characters: the infamous Bulgarian hacker known as Dark Avenger, whose identity is still unknown; Cameron LaCroix, a 16-year-old from south Boston notorious for hacking into Paris Hilton’s Sidekick II in 2005; Paras Jha, a Rutgers student who designed the “Mirai botnet“—apparently to get out of a calculus exam—and nearly destroyed the Internet in 2016 when he hacked Minecraft; and of course, the titular Fancy Bear hack by Russian military intelligence that was so central to the 2016 presidential election. (Fun fact: Shapiro notes that John von Neumann “built a self-reproducing automaton in 1949, decades before any other hacker… [and] he wrote it without a computer.”)

But Shapiro also brings some penetrating insight into why the Internet remains so insecure decades after its invention, as well as how and why hackers do what they do. And his conclusion about what can be done about it might prove a bit controversial: there is no permanent solution to the cybersecurity problem. “Cybersecurity is not a primarily technological problem that requires a primarily engineering solution,” Shapiro writes. “It is a human problem that requires an understanding of human behavior.” That’s his mantra throughout the book: “Hacking is about humans.” And it portends, for Shapiro, “the death of ‘solutionism.'”

Ars spoke with Shapiro to learn more.