For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.
Fatal System Error: The Hunt For New Crime Lords Who Are Bringing Down the Internet (2010) by Joseph Menn
If you are interested in the evolution of cyber crime, Fatal System Error is a good first reference. The author, Joseph Menn, is able to capture the early years of the cyber criminal community as it was just beginning to productize its cyber business and professionalize it so that it ran more like a business.
Most of this book is about the incipient history of cyber crime. Menn tells the story through two early cybersecurity practitioners: a very young Barrett Lyon—an early cybersecurity services businessman who built one of the first denial of service protection companies called Prolexic Technologies—and Andy Cocker, who at the time was an agent for the UK's National Hi-Tech Crime Unit.
Menn also manages to sprinkle in a discussion of some of the significant cybersecurity milestones from around 1995 to about 2009. He talks about the rise of cyber espionage and one of the first public discoveries of a state-sponsored amateur hacker group called the Chinese Network Crack Program Hacker (NCPH) group.
Menn also describes one of the first and most notorious known organized cyber crime syndicates called the Russian Business Network (RBN) which was virtually untouchable by law enforcement during this period. The owner of the syndicate was the son of a high-placed political official, so even if a Russian police officer felt the urge to arrest this cyber criminal, there were powerful forces within the Kremlin that made it a good idea not to.
Menn also covers the familiar ground of Estonia, Georgia and Kyrgyzstan where attackers first proved that cyber warfare was possible, and he documents some of the first uses of distributed denial of service (DDoS) attacks as an extortion tool. He explains the rise of bulletproof-hosting providers (essentially criminal Internet service providers) and the impotence of US law enforcement when tracking Russian cyber criminals during this period. In fact, Menn almost takes relish in describing the complete lack of respect for the FBI from the cybersecurity community during this time.
These details are side stories. The bulk of the book is about the rise of cyber crime. Lyon’s story is how he was sucked into protecting some less-than-savory companies that dabbled in offshore gambling and porn. Organized crime rings ran most of these operations, and the criminals involved were not above trying to sabotage their competitors’ efforts.
Offshore gambling became popular about the same time that hackers discovered that it was possible to launch DDoS attacks that could take a website or a data center offline by simply bombarding it with random data streams from thousands of computers – a botnet – around the Internet. These new cyber criminals used those kinds of tools against their competitors in an effort to drive them out of business. Lyon’s company owned the technology that could mitigate these kinds of attacks, and the organized crime operators came calling to get his help. Lyon’s story is about how he naively gets involved with these cyber criminals and subsequently tries to get himself out of the situation. It was not easy.
Cocker’s story is a bit different. He was an old-school British police officer frustrated with the inability of law enforcement to break down jurisdictional lines across international borders to arrest known cyber criminals. He and his National Hi-Tech Crime Unit decided to do something about it. Instead of waiting for Russian law enforcement to be compelled by political leaders to cooperate, Cocker went into the Eastern Bloc countries to build relationships with local law enforcement officials who were just as eager to bring these new cyber criminals to justice as he was. He had one tried-and-true method to accomplish this task: drink lots of vodka together. Over time, he built trust and friendships with his Russian counterparts and had amazing success arresting cyber criminals in the area.
Menn got a lot of help writing this book from various prominent cybersecurity researchers and journalists at the time. He singles out important commercial cybersecurity intelligence organizations like iDefense, Team Cymru, and SecureWorks. He pointedly casts disdain on several anti-virus vendors as being ineffective, including Kaspersky Lab and the perception that Russians were falsely persecuted by the rest of the world in terms of who was responsible for cyber crime, cyber hacktivism, and cyber warfare.
I do have a couple of quibbles with Menn’s story. He claims that RBN was the main force responsible for the DDoS attacks against Estonia and Georgia. While it may be true that computers within the RBN botnet system participated in those offensive attacks, I do not find Menn’s evidence compelling that RBN leaders orchestrated the attack on their own.
Both attacks had too much precision—some would say military precision—to be run from a civilian organization. I also do not like the way that Menn jumps back and forth in the timeline. For example, in one chapter, he will talk about events in 2008, jump to events in 2002, and then jump ahead to significant events in 2006. He makes it tough for the reader to understand the narrative arc. I would have appreciated a straight-up timeline to keep everything straight. But these are small quibbles. I do not have any compelling evidence either about who is responsible for the Estonia and Georgia attacks, so who am I to criticize the way that Menn tells this complicated story?
If you are interested in the evolution of cyber crime, Fatal System Error is a good reference. If you read this book and another that I just recently reviewed, Kevin Poulsen’s Kingpin, you will have a fairly thorough understanding of the cyber criminal world. Fatal System Error is a vital historical reference for the cybersecurity community. It is worthy of being a part of the Cybersecurity Canon, and you should have read it by now.