BY MATT VELLA
Hackers have a bad name everywhere, it seems, except in Silicon Valley, founded as it was on the virtues of creatively overcoming technical limits by any means. This tradition produced the likes of Bill Gates, Steve Wozniak and Mark Zuckerberg, who, on the eve of Facebook’s initial public offering four years ago, lamented the “unfairly negative connotation” of the word. Hacking, he wrote, “just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad.”
This year will be remembered for the bad. Hardly a week passed without news of some kind of digital breach, somewhere in the world, often establishing some kind of record—for sheer scope, for novel tactics or for setting an ominous new precedent. Hackers broke into the U.S. Department of Justice, the Internal Revenue Service and likely the National Security Agency. They stole or tried to sell data from private companies including Adult FriendFinder, LinkedIn, Mail.ru and Yahoo. They leaked the confidential medical records of elite athletes Simone Biles and Serena and Venus Williams, the private photos of celebrities including comedian Leslie Jones and, along the way, the embarrassing password choices of a billionaire hacker named Zuckerberg.
They blocked millions of Americans from accessing the Internet one day this fall by remotely taking control of legions of web-connected gadgets, such as baby monitors and digital video recorders, to unleash floods of bogus traffic. They shut down the San Francisco municipal railway over Thanksgiving weekend after an IT administrator allegedly clicked one wrong link embedded in a malicious email.
In 2016 hackers took aim at American democracy itself. The presidential campaign coasted on a steady stream of leaked documents and emails stolen in a series of sophisticated digital break-ins. Though there is no indication the machines 128 million American voters used to cast a ballot on Nov. 8 were compromised, the question—could they be?—was repeatedly and credibly raised. Which may have been the whole point. In a nation where every vote is supposed to count, the lesson of the past 12 months was that a few lines of malevolent code can crack open more than a computer system.
Who are they? “Somebody sitting on their bed that weighs 400 pounds,” as Donald Trump put it in the first presidential debate, somehow forgetting about the black hoodie? Or dead-eyed drones sitting in a windowless room, serving a nation-state?
The truth, as security researchers have shown in recent years, is both more malignant and more mundane. There are the good, the bad and every morally ambiguous shade in between. There are those sponsored by a state or a terrorist organization. There are the freedom fighters, the truth campaigners, the anarchists, the tinkerers. There are criminal kingpins and, yes, even working stiffs. A recent survey of 10,000 hackers in the U.S., U.K. and Germany found that on average the annual salary for hacking was $28,744.
When hackers took an entire Los Angeles hospital hostage in February, the ransom demanded to restore employees’ access to email and patients’ electronic health records was all of $17,000. For individuals hoping to retrieve their hijacked information, the average ransom demand was $679 in 2016, double the average last year. It adds up: the FBI estimates that ransomware—programs that infect a computer or network and hold data hostage until a fee is paid—this year will generate $1 billion for criminals.
Businesses stand to lose much more from hacks—at least $400 billion globally, according to the British insurer Lloyd’s, though that estimate is surely low. Because hacking has a much longer half-life than conventional crime, it’s very likely that this year’s biggest breaches have yet to come to light. That very uncertainty feeds the booming cyberdefense, cyberforensics and cyberinsurance industries, projected to be worth nearly $200 billion annually by the close of the decade.
Yet the bottom line isn’t money but vulnerability and uncertainty. Consider Stuxnet, the computer worm jointly developed by Israeli and U.S. intelligence to infect the Iranian nuclear program seven years ago. Its primary intention was not to destroy lab equipment but to undermine Iranian confidence. “The intent was that the failures should make them feel they were stupid,” an American participant told the New York Times in 2012. To some extent, even if you are not building centrifuges in Iran or running a major Hollywood studio or sending nude selfies, all hackers have the same power over you: to humiliate.
The Democrats got the worst of it. In the most notorious break-ins since Watergate, hackers stole thousands of pages of documents from the Democratic National Committee and the Democratic Congressional Campaign Committee as well as Hillary Clinton’s campaign and the Gmail account of its chairman, John Podesta. Then, using a network of online allies like WikiLeaks and fake websites with names like DC Leaks, information gleaned from the breaches was seemingly deployed to maximally blunt the Democrats’ progress. An easily searchable database of Clinton campaign emails published by WikiLeaks gave the press fodder for round after round of stories about everything from the Clintonian focus testing of jokes to Podesta’s preferred method of cooking a creamy risotto.
True bombshell revelations were few and far between. But that wasn’t the point. In this style of conflict, the objectives are to provide distracting grist, however innocuous, for the media mill and, more important, to sow doubt about the integrity of the electoral system. “As you see the U.S. presidential elections are becoming a farce,” hackers purporting to have breached the DNC crowed after its chairwoman was forced to resign just before the party’s July convention.
When the DNC sought assistance from CrowdStrike, the Irvine, Calif., cybersecurity firm tracked the hacks to two groups, Fancy Bear and Cozy Bear. The first, CrowdStrike said, worked in a way that suggested affiliation with the GRU, the main foreign-intelligence agency of the Russian military. The other was linked to the FSB, successor to the KGB. By the fall, the U.S. government seemed to agree, formally accusing Russia of hacking the Democratic Party and alleging that Moscow was attempting to “interfere” with the election.
Espionage and disinformation have a millennia-long tradition in statecraft. Both the Soviets and the U.S. interfered with foreign elections during the Cold War. What changed in 2016—what made the DNC and its sibling hacks sobering and, to many, terrifying—was Russia’s apparent skill in weaponizing information and aiming it at the foundations of the U.S. system. Russian President Vladimir Putin calls this kind of campaign, with its noxious combinations of fabrication and fact, deniability and distrust, hybrid warfare.
How to fight back, now that the encryption around Pandora’s box has been cracked? Nineteen months ago, CIA Director John Brennan announced the most sweeping reforms of the agency in 69 years, spurred largely by cyberthreats. And on Dec. 1, the FBI and other law-enforcement agencies gained a powerful new legal tool that expands their ability to search multiple computers, phones and other devices across the country, and even overseas, on a single warrant. Private firms, meanwhile, would do well to emphasize security awareness to users and make disclosure of breaches more transparent.
The more fundamental challenge is to societies that have seen their reliance on free information used against them. At the state level, because there is no equivalent to military pageantry in cyberspace, it’s unclear how the U.S. projects its power to the rest of the world. Nor have the rules of engagement been defined. A pact signed last year between China and the U.S. seems to have resulted in fewer government-led hacks, but the efficacy of treaties in this digital frontier may be limited.
Indeed, retaliation seems to be the norm. In December, Russian officials alleged that widespread hacking of their banking infrastructure was American payback for meddling in the election. The country’s central bank said hackers had managed to pilfer 2 billion rubles, about $31 million, this year. No one has said publicly who they were or why they did so.
Where does that leave the rest of us? Grappling with an acutely modern form of disquiet—the suspicion that the information we have become used to creating in mass quantities, almost constantly, may come to light, out of context and as destructive payload.