The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
By Ben Buchanan | Harvard University Press | $73.99 | 432 pages
Despite having become a significant tool in strategic competition between nations, cyber operations are poorly understood. Keyboard warriors engage in daily hand-to-hand combat in cyberspace, yet governments and the public are only slowly coming to grips with their implications and policymakers are struggling to decide how to react.
Partly it’s the secrecy that surrounds cyber operations, which is where Ben Buchanan, a researcher with Georgetown University’s Center for Security and Emerging Technology, comes in. In The Hacker and the State, he charts the rise of cyber operations as a tool of state, using clear and vivid examples from the main players in the cyber contest — the United States, Russia, Iran, China and North Korea — to show us how this armoury is used by governments to advance their goals, and how cyber operations have evolved over time.
In a nutshell, Buchanan’s argument is that cyber operations are good for shaping but not for signalling. In high-stakes international statecraft, cyber capabilities are a versatile way of changing the facts on the ground, altering the balance of power, and seizing the advantage. Like all covert operations, though, they aren’t good for signalling intentions. Even when the effects of a cyber operation are visible, victims are often reluctant to reveal details publicly, and the expertise and time needed to determine who did what makes it difficult to quickly and reliably judge what has happened, who was to blame, and why they did it.
Buchanan shows that cyber operations can be used for different purposes: for espionage, which they have helped vastly expand in scale and scope; for attack, putting at risk critical infrastructure worldwide; and for disruption, making it possible to interfere with elections via keyboard. Cyber operations are not only being used as an everyday tool of statecraft, they are perhaps the most significant of those tools.
In a very real sense, though, the countries in the cyber game don’t just have different playing styles, they are playing different games. Western nations play cricket while our opponents play rugby — different games, with different goals on a different playing field — with the latter a far more robust, physical contest than we’ve been willing to engage in.
In the field of espionage, one example of this mismatch is China’s theft of intellectual property. Western intelligence agencies focus narrowly on military and government intelligence, but Chinese hackers have also sought intellectual property on a scale that has been described as the “greatest transfer of wealth in history.” Chinese military hackers have stolen intellectual property, trade secrets and negotiating positions from Western companies across finance, telecommunications, electronics, medical equipment, resources and more in over a dozen countries. Although this flow of secrets and technology dates back to at least the early 2000s, Western countries have failed to staunch the bleeding.
After covering a series of significant cyber espionage cases, Buchanan describes cyber-attacks on targets including nuclear fuel enrichment facilities, petrochemical plants, casinos and electricity networks. One such incident that shocked the US national security community was the targeting of Sony Pictures Entertainment by North Korean state hackers. To the displeasure of the North Korean regime, Sony was making a satirical movie about the assassination of supreme leader Kim Jong-un. In retaliation, North Korean government hackers breached the company, destroyed computers, leaked several unreleased movies onto the internet and stole emails that they released to damage the studio in a stream of embarrassing media stories.
The US government was stunned by the attack. After all, what are the possible diplomatic or military responses when a movie studio and film release are at stake? But despite the apparent inadequacy of its response — naming and shaming North Korea — the operation turned out to be a failure for the North. After threats of a terrorist attack, The Interview didn’t play in major theatre chains, but in a kind of cyber-Streisand effect it owes most of its fame to the state-sponsored theatrics that accompanied its launch.
Finally, there’s the capacity of cyber operations to destabilise and interfere. Buchanan comprehensively describes how Russia interfered in the 2016 US presidential elections using social media, by hacking Democratic Party institutions and by releasing stolen documents to sway public opinion. The media has often focused on how Russia manipulated social media to stoke division and outrage, but Buchanan looks in detail at not one but two Russian-backed operations working to compromise the Democratic National Convention, and shows how these “traditional” cyber-espionage operations were used to gather material that was leaked to and subsequently amplified by the mainstream media.
Another case with immediate policy relevance is the long saga of what is known as Dual_EC, an encryption standard whose adoption was driven by the National Security Agency, the American intelligence organisation responsible for both signals intelligence and information security (or hacking to gather intelligence and defending against hackers). Buchanan surveys the intriguing — albeit circumstantial — evidence that the NSA deliberately weakened the Dual_EC standard and encouraged its adoption so that it could eavesdrop on communications that relied on the standard. At the very least, a series of curiously poor design choices resulted in commercial products that were — for those who knew how to exploit them — totally insecure.
Whether they were deliberate or accidental, these weaknesses in the implementation of Dual_EC were, in a very subtle way, exploited by hackers in China, according to Buchanan’s sources. Either the NSA, one of the most technically sophisticated intelligence agencies on the planet, was unable to make a backdoor that couldn’t be exploited by its adversaries, or it was unable to produce an encryption algorithm that couldn’t be secretly hijacked by an adversary. Both possibilities highlight the difficulty of designing secure encrypted communications systems: introducing a “secure weakness” — one that can only be used by those with the right legal authorities — is not simple, and may not be possible without opening up poorly recognised vulnerabilities.
Without resorting to sensationalism, and in a measured, clear-eyed way, Ben Buchanan wonderfully describes how states employ cyber operations to advance their goals. But the logical next question is “what is the best way to deal with our adversaries’ cyber operations?”
For the players described in The Hacker and the State the immediate future is clear — they will continue to use cyber operations to advance their interests. China will continue to steal intellectual property. Iran and Russia will continue making occasionally destructive attacks, and Russia will continue to use cyber operations to bolster its global ambitions. North Korea will continue to steal money. The United States will continue to follow International Humanitarian Law and engage in narrowly scoped operations.
Cyber capabilities are relatively cheap and are proliferating as other countries see their value and effectiveness. The risks of malicious behaviour increase as we place ever more of our lives online.
Continuing with the status quo is not an option. Now that we’ve seen how cyber operations are used, we need to turn our minds to how they will be deterred. There is another book’s worth of material on that subject.