Scott Shapiro is the Charles F. Southmayd Professor of Law and Professor of Philosophy at Yale Law School. He is also founding director of Yale’s Cyber Security Lab.
Below, Scott shares five key insights from his new book, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks. Listen to the audio version—read by Scott himself—in the Next Big Idea App.
1. Cybersecurity is not an engineering problem.
Hacking is often portrayed as a highly technical act, and for good reason. In many ways, it is. Most hackers are skilled computer programmers who write code to gain unauthorized access to data on the internet. But that doesn’t mean cybersecurity is an engineering problem. To understand why, it’s best to think of code that hackers exploit as a combination of what I call “downcode” and “upcode.”
Downcode is technical computer code. It’s the code that lies below your fingertips. Downcode ranges from device drivers that come with your printer to operating systems such as Windows and iOS. If downcode is what’s below your fingertips, upcode is what’s going on above your fingertips—from the inner operations of the human brain to the outer social, political, and institutional forces that form the world around us. Upcode can include personal beliefs, social norms, legal rules, corporate policies, professional ethics, and website terms of service.
Computers run downcode; humans run upcode. And crucially, upcode shapes downcode. The downcode a hacker might write to steal data from your favorite website is a result of that hacker’s upcode, which inspires the hacking in the first place.
Based on the technical nature of downcode, it may seem intuitive to believe that hacking is an engineering problem. But it is more useful to think of hacking as an upcode problem. Fundamentally, hackers exploit human vulnerabilities, the kinds of upcode bugs that give rise to downcode bugs.
2. If we want to improve cybersecurity, we should fix the upcode.
“Solutionism” is the idea that we should use technology to solve our problems. The solutionist response to famines is irrigation systems. Nuclear disasters? Construct remote-controlled drones to eliminate accidental fallout. Solutionism is ubiquitous in cybersecurity. Every cybersecurity firm promises that its technology can keep your data safe. Companies hype up their “next-generation” firewalls, anti-malware software, and intrusion-detection services as if they’ll solve the issue of cybercrime once and for all.
“We need to figure out how to fix the human and political rules that permit downcode vulnerabilities in the first place.”
But they won’t. Focusing on technical downcode vulnerabilities only takes us so far. To make more substantial improvements to the security of the internet, we need to figure out how to fix the human and political rules that permit downcode vulnerabilities in the first place.
Unfortunately, politicians have embraced the flawed solutionist approach to cybersecurity. Our legal system provides almost no incentives for software developers to write secure downcode, and it imposes few, if any, financial penalties for data breaches. Tech companies therefore lack motivation to take security seriously.
To encourage better downcode, we first need to fix our upcode.
3. Hackers are normal people.
Popular media portrays hackers as brilliant but twisted young men who wear hoodies and live in their parents’ basements.
The truth is more mundane. Hacking is not a dark art, and those who practice it are not 400-pound wizards in their pajamas or idiot savants. Nor are they anonymous shadows. Hackers have names and faces, mothers and fathers, teachers, buddies, girlfriends, and frenemies.
Cybercriminals are, by and large, rational people out to make a living. For most us, they don’t want to read our email or use our webcams to spy on us making dinner. Cybercrime is a business, and businesses exist to turn a profit. As long as you don’t make it incredibly easy for them to hack you, they will most likely leave you alone.
“Cybercriminals are, by and large, rational people out to make a living.”
The financial incentives that motivate cybercrime suggest various upcode changes. Rather than trying to fend off cybercriminals at the downcode level, for example, we should be trying to figure out how to divert them from hacking in the first place. Such diversion programs are an excellent social investment.
4. Hackers exploit metacode.
Hackers do not just hack downcode. They also exploit philosophical principles of computation called metacode.
Alan Turing first laid out the principles of metacode in 1936. Turing showed, for one, that computation is a physical process. When your calculator adds numbers or your visual cortex processes words, physical mechanisms are working: switching circuits, pulses of light, neurochemical reactions, and more.
Because our brains are computation devices just like electronic computers, they are subject to the same laws of physics as all other machines.
“Unfortunately, though, heuristics can sometimes make us act irrationally.”
Human computation, for example, takes time and energy. To save on time and energy, we need to take shortcuts. Psychologists Daniel Kahneman and Amos Tversky, therefore, hypothesized a series of mechanisms, called heuristics, to explain how we conserve resources required for physical computation. Unfortunately, though, heuristics can sometimes make us act irrationally.
Hackers take advantage of these heuristics with techniques like phishing—attempting to obtain sensitive information over email by impersonating a trustworthy person. Phishing isn’t rocket science; in fact, it’s not even computer science. It’s cognitive science. Hackers phish for our passwords and private information by exploiting our mental metacode vulnerabilities.
5. Perfect cybersecurity is impossible.
Without metacode, the philosophical principles that govern all forms of computation, our digital world would not exist: no internet, websites, precision-guided missiles, Zoom meetings, and PowerPoint presentations.
The very principles that make our digital world possible, however, also make hacking possible. Hackers do not just take advantage of upcode and downcode—they exploit metacode vulnerabilities, which are impossible to patch.
There is no such thing as “solving” the “problem” of cybersecurity. There are only trade-offs between different aspects of our information security and between our information and physical securities. We must balance the costs and benefits before we decide whether and how to patch upcode.
For each defensive move taken, the offense changes too. Even at the level of upcode, the cat-and-mouse game never ends. Our aim is to slow the game so that the cat is winning most of the time.
To listen to the audio version read by author Scott Shapiro, download the Next Big Idea App today: