The hack that shocks the most is always the one that's the first of its kind. The 1988 internet worm, for example, was a huge shock in its day, because it exposed two new things: first, the internet's general vulnerability, and second, the importance of a network that most people had never heard of before then.
A few years later, the Lawrence Berkeley National Laboratory astronomer Clifford Stoll caused a similar sensation with his book The Cuckoo's Egg, which documented the first known case of nation-state sponsored hacking. In that case, a $0.75 discrepancy in accounting for computing time led to the discovery that a West German hacker named Markus Hess was selling the results of his break-ins to the KGB.
And we think this stuff is all new.
In Cyber Wars: Hacks That Shocked the Business World, Charles Arthur, who was active in reporting on hacking before 'hacker' became synonymous with 'criminal' (his journalistic history includes lengthy stints at New Scientist, The Independent, and The Guardian), focuses on cases that, like TSB's high-impact meltdown, are either already on business school curricula or will be soon.
Chances are you've already read at least something about all of these cases: Sony Pictures, TalkTalk, Clinton campaign chair John Podesta's emails, the WannaCry ransomware, the Mirai botnet. In each copiously referenced case, Arthur discusses the nature of the security failure, explains its antecedents, and summarises the lessons. He concludes with a few thoughts about the future of hacking. Noting the rise of ransomware, nation-state hacking, and the Internet of Things, Arthur isn't sure he can find much good news. TL;DR: maybe collective action can solve it.
A perfect storm
One of Arthur's main points is that it can take a long time for an idea to meet the actors, circumstances and other technologies to make it dangerous. Ransomware, for example, represents the merger of several different existing ideas and technologies, all with longer roots than most of us recognise. The idea of charging people to regain access to their data dates to 1989 and Joseph Popp's AIDS diskettes; Adam Young and Moti Yung published the first version of malicious cryptography in 1996. But it took increasing internet penetration, advances in computing power, and the rise of cryptocurrencies (which themselves also date to the 1980s and David Chaum's Digicash) to make it scalable into the fast-rising scourge of the past five years. Arthur explores, therefore, not only the hacks themselves but their origins.
In many cases business decisions opened vulnerabilities. Arthur's best example of this is TJX, whose many acquisitions smashed networks together into a kludge that no-one inside the company really understood. The Mirai botnet found its foothold in IoT devices with sloppy -- or no -- security, bought by millions of households because they were cheap and functional. TalkTalk's vulnerability lay in an outsourced call centre. As for John Podesta, Arthur reminds us to use two-factor authentication, swap out email for encrypted communications like Signal if possible, and learn what phishing looks like.
And finally, should you become famous, assume that your email may be hacked and widely distributed.