You’ve probably encountered phishing emails or computer viruses. Or maybe one or more of your accounts has been hacked or compromised. How and why do hackers hack and what are they generally seeking? Our guest this week points out that understanding the answers to those questions is essential for making sense of the psychological, economic, political and social motivations for and effects of cybercrime. Scott Shapiro is Southmayd Professor of Law and Professor of Philosophy at Yale Law School. He is the author of a new book called, “Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks.” The book dives into five historical examples, one of which involves its namesake, Fancy Bear, a Russian cyberintelligence unit responsible for hacking the Democratic National Convention. Shapiro joins WITHpod to discuss some of the biggest inflection points in the history of hacking, why the internet is so vulnerable, the role that generative AI may place in future cybercrime and his thoughts on if we should really be concerned about cyberwar.
Note: This is a rough transcript — please excuse any typos.
Scott Shapiro: One of the things I like to tell people is, like, hackers are just not that into you. They don't care about you per se. They just care to make some money by infecting your laptop so that it's connected to your security camera, so that it can be part of a big botnet or something like that. They'll maybe want to get your credit card information and then you have a pain in the neck, changing things.
And, you know, there are attacks where you lose access to the internet, but almost nobody dies from cyberattacks and there's an (ph) awful lot of money that exchanges hands. There's no question about that. And that's a serious problem as social problems go, but it's not the kind of existential threat that, I think, climate change is or the problem of kinetic war is, in general.
Chris Hayes: Hello and welcome to "Why Is This Happening?" with me, your host, Chris Hayes.
You know, for the last 40 years or so, maybe 30 years, I think people talk about us living in what's called the information age. It's a little unclear who first coined that term. It crops up a bunch. Alvin Toffler who wrote a book called "Future Shock," and then in a subsequent book that, you know, got a lot of press, uses that term. A bunch of people have used that term.
The basic idea of the information age, right, is that like it's, you know, human society for a very long time, then we have the Industrial Revolution. We're in the industrial age where we figure out how to use fossil fuels. The fossil fuels provide mechanization, industrialization. We have this period that's of unbelievably rapid economic growth unlike anything that humans have ever seen before.
And then we cross over from the industrial age to the information age where increasingly it's the case that our economic, social, institutional activity is centered not on physical production but on the movement of information, right? Bits, not atoms, and that we all now live in that age. And there's a whole bunch of things attendant (ph) to that in terms of how our economies are structured, who can get jobs and who can't, the difference between folks that have college degrees and don't, and this is a sort of recurring theme of the way we think about things.
But when you think about the information age, like, information is a very strange thing. It's (ph) a very pliable thing. Like, if you are a hunter-gatherer in, say, the Amazon, or, you know, in some other environment, like, you have a lot of information, a ton of information, in fact, basically a theoretically boundless level of information, like every leaf on every tree that you have to process.
So when we're talking about information and particularly when we're talking about, like, big data or secret information, right? Or people having access to your information, privacy, all these questions, they have to do with this strange thing at the core of that we invoke and know.
We know what information is, but it's a little under theorized. Like, what exactly do we mean by information? It's not the information of the natural world. It's not necessarily the information that's contained in, say, a person in front of you crying, right? That's another form of information, right? You're getting information from them.
It's this kind of synthetic information, right? It's information that is produced for some processes, whether it's credit card demographic profile into a database for campaigns, whatever it is, it's information that's produced and stored for some informational purpose generally, right? It's an input to an output.
And that information can either be useless and meaningless, or it can be incredibly powerful. And it's also sort of under theorized and weird to think about which is which, right? Like, which information is important and which information isn't?
And the reason I bring all this up is because, you know, one of the things that we saw in 2016 when Donald Trump was elected, was that secret information or putatively secret information had a kind of rhetorical power and force that public information didn't.
And the best example of this is Donald Trump gets up in front of a camera and says, Russia, if you're listening, I would like you to hack Hillary Clinton's emails. Doesn't quite say hack her emails, but basically says that. And it wasn't really a scandal. It was like, oh, is he joking? We later found out from the Mueller report that actually they tried to hack her emails that night in Russia.
But the hacked emails from the DNC and (ph) the Russian saboteurs were able to get did have this kind of power, that information, because it was not meant for us to see, because it was meant to be secret, had this sort of narrative power that ended up having a huge effect, I think, on the coverage of that campaign and ultimately its outcome. And this speaks to why people might want to take information that's not theirs. There is a special kind of power in secret information that is different than public information, which brings us to the topic of today's show.
Hackers are people that take information that is not theirs through subterfuge or some sort of means, and hacking is actually, according to my guest today, is kind of the key way to understand the information age, because it's in the hack that you understand what the value of information is, what the bound between public and private is, what's meant to be secret or not meant to be secret, what it is we're actually doing when we say we're living in the information age.
The book is called "Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks." And Fancy Bear, of course, is one of the Russian GRU units that did hack the DNC and Hillary Clinton's emails. The author of that is Scott Shapiro. He's a Southmayd Professor of Law and Professor of Philosophy at Yale Law School. And Scott joins me now.
Great to have you on the program.
Scott Shapiro: Thank you so much for having me, Chris. Great to be here.
Chris Hayes: This is such a delightful, strange book. I really enjoyed it. The history of the information age in five hacks is a great subtitle. That really piqued my attention. Your last book was, like, on humanitarian law and war. You're a philosophy and law professor. Why do you want to write a book about hacking?
Scott Shapiro: Yeah. Thank you (ph).
(LAUGHTER)
Yeah, why did I? So the reason why I got into this was I had written a book called "The Internationalists," as you mentioned, with my colleague Oona Hathaway, and it was about the history of war and the regulation of war from 1600 to 2014. And so, when I came out with it and we would go around talking about it, of course, everyone wanted to know about after 2014. That is, what about cyber war? And I thought to myself, yeah, well, what about cyber war?
And I had a very strong technical background. I had coded for 10 years. I studied computer science in college. I had a computer company. And then when (ph) I thought, okay, I could figure it out.
And I went back, and I started reading about hacking. I started reading about various exploits. And I thought to myself, I don't understand what anyone's talking about. And how could it be the case that I don't understand it? Because I understood the history of war, I understood how computers work, how operating systems work and the like, and yet I had no idea what anybody was talking about.
And so I wanted to figure that out and, you know, yada, yada, yada, five years later, "Fancy Bear Goes Phishing" was published.
Chris Hayes: So Fancy Bear is one of the hacks, that's the hack of the DNC and the inbox of John Podesta. So that's one of the hacks. But they're all sort of interesting. If you would be down, I'd love to just, like, have you walk us through the five hacks because they're super interesting. Let's start with the first one.
Scott Shapiro: Yeah. So the first one is the first internet hack when Robert Morris, Jr., who was at the time a first-year graduate student at Cornell, as a science experiment, created and released a self-replicating computer program, now known as a computer worm. And he crashed the Internet. And he had to tell his dad that he had done that, who was the head of Cybersecurity for the National Security Agency. So, it must have been unbelievably embarrassing.
The second one was the Bulgarian virus factory of the early 1990s. I was really, really interested: why is Bulgaria the capital of virus writing in the world in the early 1990s; and who is the best virus writer in the world, who at the time was called Dark Avenger, who was this person or people?
The third is the hack of Paris Hilton's cell phone in 2005, when a 16-year-old boy from South Boston invaded her cell phone and exfiltrated intimate photos and then posted them on the internet.
The fourth is the Fancy Bear hack of the Democratic National Committee. And there, I was really, really interested in: how could this have happened? Why did it take so long for the FBI to get the information about the Russians to the Democratic National Committee and why the Democratic National Committee takes so long in responding?
And I think there's a really interesting story that has nothing to do with incompetence. It has to do with the very strange nature of intelligence in the FBI and the United States.
And finally, is the hack of the Mirai group. Mirai was a Internet-of-Things botnet, which was so powerful that on October 21, 2016, it took the internet offline. I don't know if you remember this, but, like, there was a day that none of us could use the internet.
So everyone thought it was Russia. It had to be Russia. It was two weeks before the election. But, in fact, it turned out to be three teenage boys had created this giant botnet and then were basically in a war with three Israeli teenagers.
I mean, every one of the stories has just, kind of, this comic element to all these things, where people are doing kind of crazy, weird things and very bizarre things come out of it.
Chris Hayes: Well, in a few of those cases, I think actually four of the five, and you talk about this, like, let's talk about, like, what is a hacker? What's the motive for being a hacker? One of the things that comes through is, like, kind of for the hell of it is a huge motivator --
(LAUGHTER)
Scott Shapiro: Yeah.
Chris Hayes: -- for a lot of these.
Scott Shapiro: Yeah, absolutely. So I think that there's this stereotype of a hacker who is, you know, very overweight, lives in the basement of their mother's house, wears a hoodie and is extremely antisocial. And that is not true. Hackers tend to be extremely social. They're just social online.
And so much of their hacking activity is designed to increase their clout, to increase their prestige so that they're known as an elite hacker. So, you see this kind of one-upsmanship and attempt to play cyber king of the mountain to impress your friends. That's one very important reason why hackers do what they do.
They also do what they do sometimes because they're very bored, sometimes because they want to make money. I mean, that's, in fact, the reason why most of hacking takes place is because they want to make money. And they want to make money because where they live, they don't have a very well-developed tech economy. There's no Google to go to. There's no Meta --
Chris Hayes: Right.
Scott Shapiro: -- to go to. So they start, you know, making money on the side or at night, as a side hustle, and those are the phishing emails that we get routinely.
Chris Hayes: The first one which is the worm that is sort of the first worm and kind of the early version of what we would come to call like a virus or like self-replicating, like, tell the story of how he kind of stumbles into that.
Scott Shapiro: Yeah. So just a background, he and I are roughly the same age. Our dads worked at Bell Labs together in the same place in New Jersey. And we were both very obsessed, I didn't know him, of course, but both of us were very obsessed with Unix, which is the operating system that was developed by Bell Labs and basically is in every computer system in the world.
And his father, who was a mathematical cryptographer, would eventually become the chief scientist for the National Security Agency. They used to talk all the time about computer security. His father had written lots of articles about computer security, how to hack. And then he's an undergraduate at Harvard, and then he meets Paul Graham. Paul Graham would go on to found Y Combinator, the venture capital firm that funded Dropbox and Airbnb. He's (ph) extraordinarily successful entrepreneur.
He and Robert Morris, Jr. are friends. And Robert Morris says to Paul, you know, I have this idea for this self-replicating program that will see how many hosts on the internet it can get on.
And Paul is like, this is great. This should be your thesis. And Robert gets a little too ahead of himself and releases it. And one of the most poignant parts of the trial transcript, because Robert crashes the internet and he gets prosecuted, and ultimately got (ph) --
Chris Hayes: Prosecuted, yeah.
Scott Shapiro: -- yeah, and convicted of violating the Computer Fraud and Abuse Act. He's at the trial, Paul Graham is testifying. And when he finds out that Robert had crashed the internet, his first response was, you idiot, you idiot, you blew it. You could have done this the right way and infected the entire internet, but you had some bugs in your program and you screwed it up. Not you screwed it up because you are now going to jail, or he doesn't actually go to jail but, really, he's convicted of one count of the Computer Fraud and Abuse Act and he could go to jail for 10 years, and he gets community service instead.
Chris Hayes: The sort of "you blew it" speaks to the kind of challenge, right, like, conceiving of a thing. The thing that programming and hacking allows you to do in a way that very few things allow you to do, unless you're very, very adept at, like, physical construction, and even that usually takes more time, is like conceive of a thing and then make it happen.
There's an incredible rush to that, that I think animates a lot of what's in your book, that you can think of a thing and do it. And I think anyone who's ever coded, it's a really thrilling experience. And particularly if you're doing it against people who don't want you to and you can best them, there's a kind of like thrill and ego combined that you see in the worm story. Like, can I do it? I can.
Scott Shapiro: Yeah, oh absolutely. It's like, you know, we ask ourselves whether we could, we didn't ask ourselves whether we should, that Jeff Goldblum line.
But I'll just tell you a story from my own background. So when I first started learning how to hack, I was able to hack the Yale Law Library website. And I was going to do a demo of this vulnerability and exploit at a cybersecurity conference, and I didn't want to tell anybody.
And my partner at that time said, don't you think you should tell I.T.? And I said, no, I don't want to burn my exploit. And he said, do you think it's, like, good to your colleagues if you, you know, show this big error in front of everyone when you could have told them right away? And I thought to myself, oh my God, you're right, I've become a monster.
(LAUGHTER)
This is something that I was selfishly hoarding because I was really proud of myself and that was really, really bad of me.
I immediately, once he spoke sense to me, I understood it. And then I called my dean and I said to my dean, I hacked the Yale website. Her response was, why not Harvard?
(LAUGHTER)
I would just say that she said that completely as a joke, completely as a joke.
Chris Hayes: Well, can you talk through, I want to talk about the Paris Hilton hack because I think that's a really important one as well. But what is hack? Like, when you say like my exploit, like, you do a pretty good job of sort of describing how some of these hacks work. Like, can you give a lay version of that?
Scott Shapiro: Yeah, sure. Yeah. So hacking is when you defeat or undermine some mechanism that's designed to prevent you from gaining access. So if you walk by and I see your emails and I start to read them, that is not hacking because you haven't done anything to stop me from doing that. But if I break into your office, well, that would be a kind of hacking. It would be a physical hack because I broke into your office.
But, you know, things like password guessing, things like using, what I described in the book, SQL injections. And what you do is instead of typing in data into a web form, you actually type in commands which, because of some weakness, some vulnerability in the webpage, the webpage will actually execute the script that you enter. So if you're able to gain access to information that you're not entitled to, that would be hacking because you're defeating a mechanism that is security-based.
Chris Hayes: And phishing is one of the most notorious and obviously is in the title of your book and is what ends up happening to John Podesta. Describe what phishing is.
Scott Shapiro: Yeah. So phishing is sending of deceptive emails. The idea is to convince you that these emails are real. Phishing is just normal cold sending of emails. Spear phishing is when you're trying to get somebody specific. Whaling is when you're trying to get somebody really, really important. You know, this should never happen, but if somebody were to hack you, for example, that would be whaling.
Chris Hayes: Mm-hmm.
Scott Shapiro: So when they went after John Podesta, and you were talking about secret information, one of the most explosive information that came out of the John Podesta hack was his shrimp risotto recipe. And so even, like, what I wanted to just echo what you had said before, which is that secret information, even when it's not relevant, is made to seem extremely relevant. So phishing, and spear phishing, and whaling is all attempts to get people's credentials so you can then take over their accounts. And that's what happened when Fancy Bear phished the DNC.
Chris Hayes: And there's an amazing thing where, like, Podesta forwards it to his I.T. people and is like, I don't know about this. And then they ended up writing back saying click on it, but they meant to write back saying don't click on it.
(LAUGHTER)
Scott Shapiro: Yeah. It's just, I mean, really, the biggest screw up in cybersecurity history, he says, this is a legitimate email. And he meant to write this is not a legitimate email.
Chris Hayes: Yes, exactly, that's it.
(LAUGHTER)
Scott Shapiro: I mean, just as bad as it gets.
Chris Hayes: And how does it work? So, I've noticed that phishing emails have gotten way, way better. There's a few I've gotten that I've been really tempted. One of them is like a Netflix one, like your Netflix account has been suspended, which I think is smart because you're like, oh God, no, I need to stream my shows.
Scott Shapiro: Right.
Chris Hayes: Like, I can't let that happen. Why does phishing work and is it getting better?
Scott Shapiro: Yeah. Let me just say phishing normally does not work, that is most of the phishes that we get are caught by our spam filter --
Chris Hayes: Mm-hmm.
Scott Shapiro: -- are caught by our employer, or we just delete it. What people don't realize about phishing itself is that it's designed to be as absurd as possible. That is, they're going to spin up some crazy story about, you know, a Nigerian prince because they want people who have some common sense not to click. Why? Because if you start engaging them, eventually you're going to figure out that this is a scam.
Chris Hayes: Right. Right, right.
Scott Shapiro: They really want the really --
Chris Hayes: The most gullible. Yes --
Scott Shapiro: Yeah --
Chris Hayes: -- the most smart (ph).
Scott Shapiro: -- the most gullible out there. So phishing tends to be extremely unconvincing by design. Now, in spear phishing, when you're trying to get somebody specifically, or whaling, then you really need it to be tailored to the person you're trying to trick because you're really going after that person. That's your target.
This is all going to change. I would be surprised if it hasn't changed already. As I mentioned before, the reason why so many people hack, why cybercrime is so high, is because a lot of these people who do that, who commit the crimes are from countries and from economies that don't have well-developed tech sectors.
Chris Hayes: Right.
Scott Shapiro: So they're not from the United States. It's hard for them to get to the United States. They're overeducated, they're underemployed. And so they don't have great command over the English language, and so when they actually try to get you, we can tell because the language is not --
Chris Hayes: There's something off in the syntax. Yeah.
Scott Shapiro: Right, just something off. It just doesn't seem right. Well, that's what ChatGPT is for, which is to --
Chris Hayes: Right. Right.
Scott Shapiro: -- let them kind of write really, really, fluid, clear, grammatical, idiomatic, deceptive emails.
Chris Hayes: I hadn't thought of that.
Scott Shapiro: Yeah. Yeah, that's one way in which I think generative A.I. is going to really change cybersecurity. I also think that, you know, all the various forms of biometric authentication that we use, that's also going to change. People are going to use deepfakes. They're going to use voice cloning. They're going to use fingerprint generation.
Chris Hayes: Right.
Scott Shapiro: There's going to be a lot, a lot, a lot of changes.
Chris Hayes: More of our conversation after this quick break.
(ADVERTISEMENT)
Chris Hayes: Let's talk about the Paris Hilton hack which is also recounted in your book because that to me is like, again, another combination of sort of like adolescent hijinks, enormous real-world consequences, and also like a profound invasion of privacy that is kind of nightmare fuel, but also, I think, is like more and more common, and not necessarily through hacks.
I mean, people disseminate instead, you know, intimate videos or intimate pictures of people, or they share them with people that they're not supposed to share them with. And so that was sort of this early point in what has become a kind of nefarious cultural phenomenon, but also like was understood at that time, I think, as a kind of like cultural turning point.
Scott Shapiro: Oh, absolutely. I mean, so maybe not all listeners remember, but Paris Hilton was, in 2005, probably the most famous person on the planet. She was just everywhere. And I was just really incredibly curious, like she's the most famous person on the planet. She's surrounded by paparazzi. She's surrounded by bodyguards. How did anybody get to her cell phone?
And what I discovered was that in 2005, data was no longer kept on cell phones or not just on cell phones, that they had invented this new thing that we now call the cloud.
Chris Hayes: Right.
Scott Shapiro: And the person who hacked her phone was a 16-year-old boy from South Boston named Cameron Lacroix. I got to know him a bit, writing the story. I mean, he had a very, very difficult childhood. His mother died of an opioid overdose when he was 1-year-old. He had to take care of his brother. He had depression. And when he was 15, the FBI had raided his home and taken his cell phone.
And as I had mentioned, hackers tend to be very, very social. And when his cell phone was taken from him, he had no way of contacting all of his friends, and that led to a series of him trying to get a new phone and then trying to get a T-Mobile account so he could use the phone. T-Mobile at that time was the sponsor, was the provider for the Sidekick 2, which was like the iPhone before the iPhone.
Chris Hayes: Yep.
Scott Shapiro: And so what Cameron wanted to do was he wanted to get a T-Mobile account. So he calls up the T-Mobile store in California and says, hi, we're calling from Corporate Central. We're very interested in the outages that you've been having. The manager is like, there's no outage. He goes, no, we've heard that too. Can you please just give us your username and password? And the manager gives him the username and password to the T-Mobile system.
Cameron remembers seeing Paris Hilton on a T-Mobile commercial. So he looks up her number and he finds her number. And he discovers that if he tells the browser to pretend it's the Sidekick, T-Mobile will assume that you are who you say you are. So he pretends to be Paris Hilton. And when he gets into her account, he's astonished because all her pictures show up and he's like, how are the pictures showing up on my computer?
Chris Hayes: Yes.
Scott Shapiro: Yeah. And then he realized, oh my goodness, all the photographs are now on the web and it was a surprise to him and it was a surprise to many, many people.
Chris Hayes: The FBI, just to clarify, they take his phone not for another hack, right? For other stuff.
Scott Shapiro: Yeah.
Chris Hayes: Yeah.
Scott Shapiro: Yeah, they take it for an AOL (ph) hack. He does these things called mumble attacks, which are brilliant. So I had never heard of a mumble attack before Cameron told me about it. But basically, what you do is you call up customer service and you say, like, I lost my password. And then they say, well, can you authenticate yourself? And you just say, yes, my name is so and so, and my password is 503544. And they were like, what? You know, my name is so and so, and the number is 443, and just keep on mumbling over and over and over again until the other side gives up and resets everything for you.
And it was those sorts of attacks that the FBI went and raided his room and his house and set in motion this attack on Paris Hilton.
Chris Hayes: So he realizes, oh my goodness, I now have access. I'm inside. Paris Hilton, again at that time, arguably the most famous person on earth, one of the most famous people, I'm inside her phone.
Scott Shapiro: Yes. So, he's like, first thing he yells at is jackpot because, like, if you are trying to impress your friends, getting topless photos of the most famous person on the planet really rates high.
Chris Hayes: Yes. He's a 16-year-old boy. Yeah.
Scott Shapiro: Yeah, yes.
(LAUGHTER)
No, right (ph). Right. That is, if you were to do it, Chris, I would not be impressed.
Chris Hayes: Yes. Right.
Scott Shapiro: But for a 16-year-old boy, it really is about as good as you get. And he then tells his friends, and they just throw it up on the web. And the Secret Service comes in, they try to shut it down and they discover that you can't shut things down when they go up on the web. It's just a whack-a-mole.
And so, people want to know who did it. And I have to say one of the most upsetting, depressing parts of doing research for the book is to see how often the news media is wrong, that is they say things not that are wrong because the media people report facts and sometimes facts, you know, the facts change or the reporting changes.
So, if people just say really wild things that just turned out not to be true, and I was able to find out the true story only two weeks before the book went to press, because Cameron had been arrested and went to jail. And because he called in a bomb threat once, he was not let out for COVID.
So, I thought, you know, he might die in prison because he was stuck there, and then he went to a halfway house and I was able to get him two weeks before the book, I had to send it off, and he told me the story, how it actually happened.
Chris Hayes: How did you find him?
Scott Shapiro: Oh, you know, we have this advanced hacking tool called Google. And so, I found him, and I kept on missing him. Google told me that he was working in a U-Haul and then I contacted U-Haul and he had just gotten arrested. Then I would try to reach him in prison, and he had just been let out. And I eventually found him on LinkedIn because, you know, he had his stories of his hacks on his LinkedIn page. And I remember saying to him, Cameron, like, why do you have evidence of your criminality on your LinkedIn page?
So, one of the things I teach in law school, and I often give students, you know, career advice you know about going to law firms. I said, you know, Cameron, I'm not your lawyer and I'm not your career advisor, but, really, you should take that off your page. It's really sending the wrong signal. And he said, I thought I was trying to send a signal that I had these great skills. I said --
Chris Hayes: Right.
Scott Shapiro: -- well, you really are sending a signal, but not the right one. And so, you know, he's really gotten his life together. I think he's aged out of cybercrime. And he's a really nice guy. I really enjoyed talking to him for the couple hours that I did.
Chris Hayes: I mean, I can understand when you are that age and particularly with this famous person who doesn't really feel like a real human being, like, and the game of it. But, like, there's a deep violation that happens here, a profound one. And now, again, like I said before, the kind of violation that I think is more and more common, not through hacking, but through other means, and I'm just curious about how you think about that moment and that violation, and what it meant and how it's reverberated, and how he thinks about it.
Scott Shapiro: So I will just say that he claims that he's very sorry.
Chris Hayes: Right.
Scott Shapiro: I believe he is very sorry. I think you have to be somewhat psychopathic not to feel regret for such an incredible invasion of privacy. One of the most poignant things I think is that he went on "The TODAY Show" and they did a segment with him. And the interviewer says to him, you know, if you could say anything to Paris Hilton, what would you say? And he says, I'm sorry, Paris, that I did that to you. I would not want it done to me.
Then they cut to Matt Lauer and Matt Lauer says, wow, that apology just did not seem sincere to me, you know. And I thought that that was kind of poignant because he himself would go on to make an apology, which a lot of people did not find that sincere.
I personally found what Cameron had said to be quite sincere and I think it was one of those things where, you know, Paris Hilton is the most famous person in the world at that time, you know half the world hates her and the other half the world loves her. I think even people that like didn't like her image, which was not like a particularly wholesome image --
Chris Hayes: Right.
Scott Shapiro: -- even they felt bad for her --
Chris Hayes: Yes.
Scott Shapiro: -- because it was just a terrible, terrible invasion of privacy.
Chris Hayes: So that hack, I think, sets a kind of cultural moment of like the exposure of the private and sort of salacious and celebrity, and we will sort of see further examples of that, like, through the years.
The 2016 Fancy Bear phishing attack is, like, that same thing but on the level of, like, geopolitical --
Scott Shapiro: Right.
Chris Hayes: -- like quasi war maybe. I mean, it is state-to-state action, criminal sabotage to, you know, try to manipulate the democratic elections in a country. It's not a small thing. How do you think about it? To go back to where this book started, like, the hack by the Russian GRU units of the DNC and of Podesta's emails, how do you think of them? How would you characterize them in a sort of along the spectrum of war or state-to-state actions?
Scott Shapiro: Yeah, sure. So, I would say the first thing is that states hack other states all the time. I mean, that goes without saying, it's actually legal according to international law to engage in espionage, one state to another. So, we have to just assume that Fancy Bear is continuing to attack the United States.
Chris Hayes: Yep.
Scott Shapiro: The NSA is continuing to attack Russia and every other country in the world, our allies included. The United States is the biggest hacker on the planet. So, it's not the hacking per se. What was really different is that standard practice was to hack another nation-state and to take that information and to keep it --
Chris Hayes: Right.
Scott Shapiro: -- because you don't want to do the hard work for your rival. You know, you're not going to release it.
And I think one of the mysteries that people have had about the hack of the DNC was the government, the intelligence community, and the FBI knew that the Russians had gotten into the DNC a year earlier, another group from the SVR, which is Russian Foreign Intelligence, known code name as Cozy Bear.
And it takes a very long time, takes about a year for the FBI to get in touch in a substantive way with the DNC. And the DNC is kind of routinely ignoring what the FBI is telling them. Now, why is that?
Well, first of all, you have to understand is that, like, the FBI is telling everybody that the Russians have hacked them. They're not just saying this to the DNC. They're telling Brookings Institute.
Chris Hayes: Right.
Scott Shapiro: They're telling Purdue Political Science Department. They're telling everybody, and that's because it's like, you know, dog bites man, news at 11:00. It's not that interesting. It just kind of goes without saying.
Now, the other thing from the other side is the FBI is a very strange organization in kind of the scheme of the world. In the United States, the FBI plays two roles. One is, it's a law enforcement organization and the other one is a counterintelligence organization.
Chris Hayes: Yup.
Scott Shapiro: And they operate at the same time together, though there's a separation, there's a wall between them because very different rules apply. So, when the FBI contacts the DNC, the DNC thinks that this is about Hillary's emails.
Chris Hayes: Hmm.
Scott Shapiro: And one of the really interesting rules is that FBI prosecutors are not allowed to lie, FBI agents are. So, if an FBI agent is calling up and wants to know about your servers and about emails you're getting, you don't know, if you are the DNC, whether this is real or this is part of the --
Chris Hayes: Email, oh, wow (ph).
Scott Shapiro: -- yeah, the email thing. And so, from both perspectives, you know, from the DNC, they don't want to deal with the FBI because they're afraid it's about Hillary. The FBI is not that concerned about the DNC because, okay, so Fancy Bear is inside the DNC, what are they going to do with that information? Nobody expected it to be weaponized in the way that it did.
And in fact, I think this has changed the rules of geopolitics. I mean, think about the run-up to the Russian invasion of Ukraine. What the intelligence community was doing was not keeping this information to themselves. They were blabbing (ph) it.
Chris Hayes: Disseminating it.
Scott Shapiro: They were disseminating it. So I really think this idea of hack and leak, where you hack information, then you leak it, you weaponize it, you use it in the informational ecosphere. I think this was a real innovation of Fancy Bear and something that we've now taken up.
Chris Hayes: Yeah. I've also wondered how much it's going to be; I think I expected there to be more of this. You know, like, there's two examples. There's a Sony hack where, you know, we think North Korea successfully hacked Sony Pictures and they released a lot of really embarrassing emails. You know, some people lost their jobs and things like that.
There's some back and forth when the UAE and Qatar were back and forth in this fight, where they were clearly hacking each other's emails. There's all these emails going on. Is this (ph) this diplomat's email and that diplomat's email.
Scott Shapiro: Right.
Chris Hayes: But I think I thought after 2016, I was like, oh, in the same way that I think I thought after 9/11, like, oh, I think this is going to just be part of our lives now. We'll see attacks like this. And that, thank God, didn't really bear out, certainly not the scale or regularity that I think I thought are my worst moments, a lot I did after 9/11. I think I thought, after 2016, a similar thing and it also hasn't quite born out. Why?
Scott Shapiro: Yeah. First of all, that's a great question. One of the things that people tend not to realize is how unbelievably difficult it is to lock down a political campaign. And the reason is because you have volunteers. You know, people come --
Chris Hayes: So many people.
Scott Shapiro: Yeah, so many people. I mean, so you give them a secure email for their campaign role. But, I mean, they have Twitter accounts. They have Instagram accounts. They have Gmail. They have their other job. They have Slack channels. They have just tons of things. And in 2016, who thought you needed to, like, lock this down. In 2020, there was a very, very strong effort to lock down phones, lock down digital devices.
Chris Hayes: Yeah.
Scott Shapiro: And so it turned out to be 2016 actually was a hardening event, where people started thinking, well, if I'm going to work in a political campaign, I really, really have to take care of my digital devices.
Chris Hayes: So that, you think that's a big part of it?
Scott Shapiro: Yeah, I do think it's a big part of it. I also just think in this political ecosystem, I don't know, how do you shock anyone with --
Chris Hayes: That's true. Yeah, I think there's something to that, and I also think there's a kind of diminishing returns issue, which is the first time this happened, it had its biggest effect in each subsequent time, to the extent that it happens, there'll be less of it, you know, but --
Scott Shapiro: Right.
Chris Hayes: But I think there's something to that, like, it'll be hard to replicate the kind of outsize impact of the hack and leak operation in 2016 in any other context.
Scott Shapiro: Yeah, that's right. It's like the novel attack where people are not able to figure out what are the stakes here.
Chris Hayes: Yes.
Scott Shapiro: And we can all just kind of jump up and go, oh my God, oh my God, oh my God, it's very destabilizing. But then the second time it happens, you're like, oh, like that. Having said that, you know, who knows what horrors await us in 2024.
Chris Hayes: We'll be right back after we take this quick break.
(ADVERTISEMENT)
Chris Hayes: Do you worry about, you know, Stuxnet is probably the, which you write about in the book, Stuxnet is probably the single one that we know of, the most successful use of cyber capabilities as a sort of act of, like, physical destruction, where basically the U.S. was able to insert a malignant virus in the hardware of Iranian nuclear facilities that basically caused the thing to, like, destruct.
Scott Shapiro: Yeah. Right, exactly.
Chris Hayes: That was another one. When that reporting came out, which is remarkable reporting, I mean, I couldn't believe I was reading it. I couldn't believe they pulled this off. I still don't know what to think about it. Like, whew, was that like really clever or is that like super dangerous, and thank God, like, that shouldn't be done again?
Scott Shapiro: I would say the following, I started this project, as mentioned before, because I was interested in cyber war, and I now tend to think that cyber war is, like, not like a thing.
Chris Hayes: Yeah.
Scott Shapiro: Let me tell you what I mean by that. Obviously, cyber is part of every military conflict now because air defense radar, any sophisticated munitions, they're all going to be computer-guided and there's going to be hacking to stop this kind of kinetic attack. It's going to try to stop the air defense radar. It's going to try to affect projectiles and things like that. When people talk about cyber war, they don't mean that. What they mean is using computers and only computers as the weapon.
In Stuxnet, Stuxnet was just code that was, as you said, was slipped into Natanz nuclear reactor and it led to over a thousand centrifuges being destroyed. That's using the weapon itself, the computer code itself as the weapon.
Chris Hayes: Yes.
Scott Shapiro: I think you're not going to see that kind of all-cyber conflict maybe ever. I remember when Russia invaded Ukraine and everyone was saying, oh my God, now we're going to see the biggest cyber --
Chris Hayes: Yes.
Scott Shapiro: -- attacks ever. And I said numerous times on various podcasts and stuff, this is not going to happen. Why do you need cyber weapons when you have bombs, when you have hundred thousand troops on the ground, when you have tanks? I think that cyber weapons are actually not great weapons, notice that they can't be used to hold territory.
Chris Hayes: Yep.
Scott Shapiro: It's extraordinarily difficult to kill people with cyber weapons. And I think that they're mainly weapons of the weak. They are weapons that are used to harass, to sabotage, but ultimately have very little strategic value.
Chris Hayes: There's a sort of geostrategic use of hacking and, you know, cyber capabilities for either espionage or military activity, and then there's the financial aspect of hacking. I mean, ransomware really does seem to be an enormous growth area and a huge problem.
Again, you write about this in the book, like, WannaCry was one of the big ones. And again, we never really got to the bottom of that. But, I mean, there were school districts locked up for weeks. I mean, that seems like, in some ways, the much more, like, present threat is people basically using ransomware to extract huge payments from large institutions, which they have successfully done in many cases.
Scott Shapiro: Yeah. I really wish I had an answer to ransomware, but it may be the problem from hell because, first of all, as you pointed out, you go after schools, go after hospitals, go after municipal services. This is a really big threat. There's no question about it. People can really die from ransomware attacks of this form.
What's so evil about ransomware, aside from like doing this to hospitals, which is like attacking the most vulnerable, the most vulnerable people, but the really terrible thing about it is that you can't even say, oh, I have backups, sure, keep my data encrypted. Do whatever you want. I have backups. Because what they do now is they threaten to extort you, what they say is, okay, if you're not going to pay the ransom, we're going to start releasing your information.
Chris Hayes: Right.
Scott Shapiro: And so, the fact that you have a backup does not help. And so, it's a really, really devilishly difficult problem to solve.
Chris Hayes: One of the things I sort of came away from your book is like hacking, as long as we have, you know, a digital culture in information age, we're going to have hacking. But in the end, like, your point about cyber war is interesting. Like, I came away from the book thinking in a weird way, this is less an existential threat than maybe I thought.
Scott Shapiro: Yeah, I agree with that. I think that part of the reason why I wrote the book was I want to explain things to people, but I also wanted them to explain that, like, it's not the end of the world. You know, cyber books either are like eat your vegetables and, you know, never reuse your passwords and all these things which are good advice, but they're kind of schoolmarmish. And then there's the other kind of cyber book which is, like, we're all going to die.
Chris Hayes: Right.
Scott Shapiro: And I think things are really in the middle. It's a new threat. Crime, basically, has become cybercrime. Crime is moving from the real world onto our digital space. You know, what would you rather do be mugged and lose your money or hacked and lose your money? You know, maybe you'd rather be hacked.
Chris Hayes: Right. That's a good point, yeah, if you put it that way.
Scott Shapiro: Yeah. Right. So I think that with the digitalization of the world, you know, software eating the world, that everything is software, it means that the attack surface is enormous. But really one of the things I like to tell people is, like, hackers are just not that into you. They don't care about you per se. They just care to make some money by infecting your laptop so that it's connected to your security camera, so that it can be part of a big botnet or something like that. They maybe want to get your credit card information, and then you have pain in the neck, changing things.
Chris Hayes: Right.
Scott Shapiro: And, you know, there are attacks where you lose access to the internet, but almost nobody dies from cyberattacks and there's an (ph) lawful lot of money that exchanges hands. There's no question about that, and that's a serious problem as social problems go. But it's not the kind of existential threat that, I think, climate changes or the problem of kinetic war is in general.
Chris Hayes: Scott Shapiro is a Southmayd Professor of Law and Professor of Philosophy at Yale Law School. His latest book which we were just discussing is called "Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks." I learned a lot from the book. Scott, thanks so much.
Scott Shapiro: Thank you so much, Chris, for having me. This was a lot of fun.
Chris Hayes: Once again, great thanks to Scott Shapiro. The book is called "Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks."
Send us your feedback. Please don't try to hack us, but we'd love to hear what you think. Tweet us with the hashtag #WITHpod, email WITHpod@gmail.com and be sure to follow us on TikTok by searching for WITHpod.
"Why Is This Happening?" is presented by MSNBC and NBC News, produced by Doni Holloway and Brendan O'Melia, engineered by Bob Mallory and featuring music by Eddie Cooper. You can see more of our work, including links to things we mentioned here, by going to nbcnews.com/whyisthishappening.
Tweet us with the hashtag #WITHpod, email WITHpod@gmail.com. Follow us on TikTok by searching for WITHpod. “Why Is This Happening?” is presented by MSNBC and NBC News, produced by Doni Holloway and Brendan O'Melia, engineered by Bob Mallory and features music by Eddie Cooper. You can see more of our work, including links to things we mentioned here, by going to nbcnews.com/whyisthishappening.