Cyber Wars, book review: High-profile hacks, deconstructed

Tech journalist Charles Arthur picks apart some notorious cyber attacks, examining the nature of the security failures, their antecedents, and the lessons to be drawn from them.
Written by Wendy M Grossman, Contributor

Cyber Wars: Hacks That Shocked the Business World • By Charles Arthur • Kogan Page • 229 pages • ISBN: 978-0-749-48200-8 • £14.99/$19.95

The hack that shocks the most is always the one that's the first of its kind. The 1988 internet worm, for example, was a huge shock in its day, because it exposed two new things: first, the internet's general vulnerability, and second, the importance of a network that most people had never heard of before then.

A few years later, the Lawrence Berkeley National Laboratory astronomer Clifford Stoll caused a similar sensation with his book The Cuckoo's Egg, which documented the first known case of nation-state sponsored hacking. In that case, a $0.75 discrepancy in accounting for computing time led to the discovery that a West German hacker named Markus Hess was selling the results of his break-ins to the KGB.

And we think this stuff is all new.

In Cyber Wars: Hacks That Shocked the Business World, Charles Arthur, who was active in reporting on hacking before 'hacker' became synonymous with 'criminal' (his journalistic history includes lengthy stints at New Scientist, The Independent, and The Guardian), focuses on cases that, like TSB's high-impact meltdown, are either already on business school curricula or will be soon.

Chances are you've already read at least something about all of these cases: Sony Pictures, TalkTalk, Clinton campaign chair John Podesta's emails, the WannaCry ransomware, the Mirai botnet. In each copiously referenced case, Arthur discusses the nature of the security failure, explains its antecedents, and summarises the lessons. He concludes with a few thoughts about the future of hacking. Noting the rise of ransomware, nation-state hacking, and the Internet of Things, Arthur isn't sure he can find much good news. TL;DR: maybe collective action can solve it.

A perfect storm

One of Arthur's main points is that it can take a long time for an idea to meet the actors, circumstances and other technologies to make it dangerous. Ransomware, for example, represents the merger of several different existing ideas and technologies, all with longer roots than most of us recognise. The idea of charging people to regain access to their data dates to 1989 and Joseph Popp's AIDS diskettes; Adam Young and Moti Yung published the first version of malicious cryptography in 1996. But it took increasing internet penetration, advances in computing power, and the rise of cryptocurrencies (which themselves also date to the 1980s and David Chaum's Digicash) to make it scalable into the fast-rising scourge of the past five years. Arthur explores, therefore, not only the hacks themselves but their origins.

See: Hacking the Nazis: The secret story of the women who broke Hitler's codes (cover story PDF)

In many cases business decisions opened vulnerabilities. Arthur's best example of this is TJX, whose many acquisitions smashed networks together into a kludge that no-one inside the company really understood. The Mirai botnet found its foothold in IoT devices with sloppy -- or no -- security, bought by millions of households because they were cheap and functional. TalkTalk's vulnerability lay in an outsourced call centre. As for John Podesta, Arthur reminds us to use two-factor authentication, swap out email for encrypted communications like Signal if possible, and learn what phishing looks like.

And finally, should you become famous, assume that your email may be hacked and widely distributed.


Cyber security: We need a better plan to deter hacker attacks says US
Stopping digital attacks by rival states has proved impossible up to now; can a new cyber deterrence strategy help fix that?

Security fail? One in three companies think paying hackers is worth the risk
Too many companies are taking a short term view when it comes to security.

State-sponsored cyber attacks deserve tougher responses: ASPI report
Naming and shaming isn't enough. Deterrence in cyberspace requires consequences. Potential adversaries should put on notice about what's unacceptable, and what will happen if they cross the cyber line.

Internet security: Slaying the botnet beast and the DDoS dragon
Botnets and DDoS attacks continue to grow in scale. Tackling them is no easy task.

What is malware? Everything you need to know about viruses, trojans and malicious software
Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

What is the CIO's role in cybersecurity leadership? (TechRepublic)
At the 2018 MIT CIO Symposium, Equinix's Lance Weaver described why the CIO must help guide enterprise cybersecurity policies.

Read more book reviews

Editorial standards