I just finished listening to The Hacker and the State by Ben Buchanan, a book about cyberattacks and the surrounding geopolitics. It’s a great book to start learning about the big state-related cyberattacks of the last two decades. Some big attacks/leaks he describes in detail:
Wire-tapping/passive listening efforts from the NSA, the “Five Eyes”, and other countries
The multi-layer backdoors the NSA implanted and used to get around encryption, and that other attackers eventually also used (the insecure “secure random number” trick + some stuff on top of that)
The shadow brokers (that’s a *huge* leak that went completely under my radar at the time)
Russia’s attacks on Ukraine’s infrastructure
Attacks on the private sector for political reasons
Stuxnet
The North Korean attack on Sony when they released a documentary criticizing their leader, and misc North Korean cybercrime (e.g. WannaCry, some bank robberies, …)
The leak of Hillary’s emails and Russian interference in US politics
(and more)
Main takeaways (I’m not sure how much I buy these, I just read one book):
Don’t mess with states too much, and don’t think anything is secret—even if you’re the NSA
The US has a “nobody but us” strategy, which states that it’s fine for the US to use vulnerabilities as long as they are the only ones powerful enough to find and use them. This looks somewhat nuts and naive in hindsight. There don’t seem to be strong incentives to protect the private sector.
There are a ton of different attack vectors and vulnerabilities, more big attacks than I thought, and a lot more is publicly known than I would have expected. The author just goes into great detail about ~10 big secret operations, often speaking as if he were an omniscient narrator.
Even the biggest attacks didn’t inflict that much (direct) damage (never >10B in damage?). It’s unclear if it’s because states are holding back, if it’s because they suck, or if it’s because it’s hard. It seems that even when attacks aim to do what some people fear the most (e.g. attacking infrastructure, …) the effect is super underwhelming.
The bottleneck in cyberattacks is remarkably often the will/the execution, much more than actually finding vulnerabilities/entry points to the victim’s network.
The author describes a space where most of the attacks are led by clowns who don’t seem to have clear plans, and he often seems genuinely confused why they didn’t act with more agency to get what they wanted (this does not apply to the NSA, but does apply to a bunch of Russia/Iran/Korea-related attacks).
Cyberattacks are not amazing tools to inflict damage or to threaten enemies if you are a state. The damage is limited, and it really sucks that (usually) once you show your capability, it reduces your capability (unlike conventional weapons). And states don’t like to respond to such small threats. The main effect you can have is scaring off private actors from investing in a country / building ties with a country and its companies, and leaking secrets of political importance.
Don’t leak secrets when the US presidential election is happening if they are unrelated to the election, or nobody will care.
(The author seems to be a big skeptic of “big cyberattacks” / cyberwar, and describes cyber as something that always happens in the background and slowly shapes the big decisions. He doesn’t go into the estimated trillion dollars in damages of everyday cybercrime, nor the potential tail risks of cyber.)
Thanks! I read and enjoyed the book based on this recommendation.