Between the ongoing revelations about NSA surveillance and the usual drumbeat of security warnings about everything from Android smartphones to cars, it's a good time for a primer on what's actually going on.
This slim volume — in an All That Matters series that usually covers religion, philosophy and Shakespeare — aims to cover both the history and the scale of cyber-crime, cyber-espionage, cyber-warfare and a handful of related online threats. Leaving aside the irony of newspaper journalists (Peter Warren and Michael Streeter) writing about hacking, this is a useful introduction to the state of play for anyone who hasn't been paying attention.
From the very beginning of the book, the vagueness of the term 'cyber-crime' is clear. Are 'hacktivism', file sharing, using social media to organise protests against a government you consider oppressive, or against state surveillance, crimes? Generally, Cyber Crime & Warfare avoids the usual mainstream scaremongering, although there is the odd reference to online criminals scurrying around in Dickensian back alleys. And while it's impossible to put an exact figure on the extent of cyber crime, the authors quote some statistics to put things in context: at $300 billion, the annual worth of the computer security industry is almost an order of magnitude bigger than the $485 million annual cost of reported computer crime in the US.
It all started with World War 2 codebreakers and MIT students exploring the phone system. Although Steven Levy's Hackers is still the classic read on the original meaning of 'hackers', it's nice to see mention here (including the amusing trivia that both Tim Berners-Lee and Bill Gates were banned from using school computers for hacking). Authors Warren and Streeter point out that it wasn't until phone hacker John Draper was sent to prison that criminals got to see phone phreaking in action. However, it wasn't until the 90s that there were juicy enough targets to get them really interested in computer hacking.
This section is a potted history of how hacks progressed from breaking into Prince Philip's mailbox on the Prestel service, to Russian criminals recruiting local hackers who knew how to break into banks, to political and activist hacking in eastern Europe aimed at giving people free access to information, to the rise of viruses and malware as mass vandalism in the 90s, and the beginnings of large-scale criminal attacks.
Even if you've followed security issues for a while, there are interesting nuggets: the idea of a self-replicating program goes all the way back to computer pioneer John von Neumann, for example, while the first virus 'in the wild' was for the Apple II.
The history of cyber-espionage is also a good overview, majoring on reports from intelligence services covering the large-scale, organised attacks that are supposed to be taking over from small, targeted break-ins at specific companies. Are Russia and China hoovering up IP from Western countries in a concerted attempt to exploit our R&D work? One MI5 report mentions two (unnamed) companies that have lost money or business opportunities through intellectual property theft.
The authors make several useful points about how everyone needs to be aware of hacking. Security hardware company RSA got hacked because the attackers targeted their recruitment team with social engineering techniques, for example. Sharing your personal data online puts you at risk of identity theft (52 percent of us share details that show up as security questions, a recent Intel survey points out). And if you wonder why so many malicious Android apps in Google Play only turn out to hoovering up the contents of your address book, it might be to check email addresses scraped from websites to see if it's worth sending them spam.
These are the familiar old crimes, attacks, protests and acts of vandalism — but committed using modern tools. That makes them easier to commit, harder to get caught at and likely to have more widespread or more serious effects.
After this much common sense, the chapter on botnets is strangely melodramatic. Of all the online threats, why do these reek of science fiction? With few known examples of cyber-criminals and cyber-spies, we get an odd section contrasting Bill Gates with free software champion Richard Stallman, and a list of universities where you can study cyber-spying to get a job in counter-intelligence. The brief mention of 'cyber mules' who collect the proceeds of many online crimes disguises the fact that the go-betweens receiving the goods ordered with your stolen credit card might be the real reason it's so hard to stop these kind of thefts.
Apart from the well-known attacks on Estonia and Georgia — which are the same kind of denial-of-service we've seen used as a blackmail technique repeatedly — and the very targeted attacks behind Stuxnet, Flame and Gauss, there are few examples of actual cyber-warfare. That means the authors can't do much more than give a brief survey, explain which agencies are responsible for what in the UK and US, and add some alarming predictions.
The section on child safety sits a little oddly with the rest of the book — but Warren has a background in covering child pornography, and it does mean the book covers almost the full range of security issues. The common-sense point that you have to both teach children to be careful and practice good computer security yourself is also welcome.
Old crimes, new tools
The rest of book is a good overview of the history and issues in computer security, without any real conclusions — beyond one very useful point that's the key to making sense of why cyber-crime happens at all.
These are the familiar old crimes, attacks, protests and acts of vandalism — but committed using modern tools. That makes them easier to commit, harder to get caught at and likely to have more widespread or more serious effects. However, "the essence of the crimes remains the same: bad people wanting your money, individuals wanting to victimize others or societies and companies wanting to steal their competitors' secrets".
Once you've finished Cyber Crime & Warfare (it's a quick and easy read), it should be clear that online threats are important because we're now so dependent on technology. But you still have to make up your own mind as to quite how dangerous those threats are. If you have a friend or family member who doesn't take computer security seriously enough, or who is worrying unduly, this would be a good present to educate them with.