1 March 2020

Hackers Are Everywhere. Here’s How Scholars Can Find Them.

By Ben Buchanan 

The world of cyber operations is full of hard national security choices. How do long-held ideas of counterintelligence, deterrence and deception apply in this new arena of competition? How does escalation work with hacking? Who carried out this intrusion, and what was the intention behind it? Most of all, what does any of this mean for geopolitics in the modern age, and how can scholars communicate that to policymakers?

There are a variety of ways to approach these questions. Some scholars have constructed intricate formal models that use game theory to predict how states will behave in cyberspace. Others have used surveys and war games, asking participants to imagine what they would do in various situations of crisis. Still others have expanded the aperture of study, creating vast catalogs of cyber incidents, even comparatively minor ones, and subjecting them to quantitative analysis. All these approaches are valid.

But I want to advocate for a different technique, one that does not replace the others but supplements them: Deeply study the hacks that have taken place. This case study method is out of vogue in political science, which has preferred large-n samples and regression models. But in the world of government hacking operations, where the notable public cases are only a few dozen in number, examining these cases in detail can offer insights that would otherwise be missed—or add support to theories that need it.


This is the approach that I took in my new book, “The Hacker and the State,” which examines how nations have competed in cyberspace over the past two decades. I was continually surprised by what I found. In some cases, a widely accepted narrative about what took place yielded much more nuance and complexity upon deeper analysis. For example, most people think of Stuxnet as a single operation: an attack against Iran’s nuclear program. In reality, it was more like an evolving campaign, beginning with months—if not years—of reconnaissance and preparation aimed at understanding how the Iranian systems worked and how, with the right attack code, they could be made to break. During this campaign, the hackers abruptly switched tactics, apparently moving from a stealthier piece of malicious code to a more aggressive and potentially more overt one. This change gets almost no scholarly attention but suggests that there may have been shifts in the attackers’ goals or operational constraints, perhaps lining up with unfolding world events. It is only through more technical literature, such as the writing of Ralph Langner, that scholars can appreciate what actually happened with Stuxnet—and what we still don’t know.

Other important cases have yet to have narratives form around them. For example, in December 2015, Russian hackers caused a blackout in Ukraine with a cyber attack. It was something scholars and policymakers had feared for decades. A year later, in December 2016, Russia triggered a blackout again. But, curiously, for all the angst and attention the subject had received as a hypothetical, it was mostly overlooked in the scholarly community once it was real.

A closer examination of the technical research and after-action reports shows that there were striking differences between the two blackouts. The first was orchestrated manually, with operators working the grid control software by hand, while the second showed signs of increasing automation of attack capabilities. In the second case, there were also signs the attackers sought to do much more damage than they managed to bring about. Why and how they didn’t achieve their goals is an important question, one that would help American policymakers determine whether the attack was a signal to Ukraine or the United States, a test, or a failed attempt at striking a much larger blow.

And sometimes-overlooked cases can shed light on fierce national security debates, too. Consider DualEC (Dual EC DRBG), an obscure but important random number generator that was standardized and built into cryptographic products worldwide. It appears the National Security Agency worked in secret to place a backdoor in this generator: its public constants were chosen so that anyone holding one secret number relating them could predict the generator’s output, and with it break the cryptography built on top of it. Other hackers found the backdoor and turned it to their own ends, potentially gaining access to reams of communications thought to be secure—a fear that many people have long articulated about mandated encryption backdoors for government access. The DualEC case may not conclusively resolve the seemingly endless crypto wars, but it does suggest that a hypothetical argument made by technologists opposed to exceptional access has at least some basis in fact.

It also sheds new light on how states compete with one another in the cryptographic realm. I found strong evidence from private-sector analyses that the foreign hackers who subverted the United States’s backdoor were Chinese, suggesting that the United States has sophisticated adversaries in this area who can track and subvert even advanced intelligence efforts. Yet, for all these important implications, the case has attracted virtually no attention in the community of national security scholars.
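To make concrete what a backdoor in a random number generator actually is, here is an added example, not code from this article, the book or any real product: a toy Dual EC generator on a 14-bit curve, in Python 3.8 or later. The curve y^2 = x^3 + 2x + 3 mod 10007, the base point, the seed and the scalar D are assumptions picked so the whole thing runs in under a second; none of them are the real Dual EC DRBG constants, and the truncation (10 of 14 bits rather than the standard's 30 of 32 bytes) is scaled down to match. It shows the two things the paragraphs above turn on: whoever knows D with P = D*Q can recover the generator's internal state from a single output and predict everything that follows, and a party able to overwrite the published Q (the shape of the publicly documented Juniper ScreenOS change) can install its own Q and lock the original trapdoor holder out.

```python
"""Toy Dual EC DRBG with a trapdoor on a 14-bit curve.  Added example, not code
from the article, the book or any real implementation: curve, base point, seed and
the 'secret' scalar D are assumptions, not the Dual_EC_DRBG constants."""
from math import gcd

P_MOD, A, B = 10007, 2, 3   # y^2 = x^3 + 2x + 3 over F_p, p = 3 mod 4 (assumed toy curve)
OUT_BITS = 10               # toy truncation: publish only the low 10 bits of x(r*Q)
INF = None                  # the point at infinity

def add(p1, p2):
    """Affine point addition, including doubling and the point at infinity."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = INF
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """A curve point with x-coordinate x, or None if there is none."""
    v = (x ** 3 + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)   # square root, valid because p = 3 mod 4
    return (x, y) if y * y % P_MOD == v else None

def x_of(pt):
    if pt is INF:   # negligible on a 256-bit curve, merely rare on this toy one
        raise ValueError("hit the point at infinity")
    return pt[0]

def order(pt):  # order of pt by brute force; fine for ~10^4 points
    k, acc = 1, pt
    while acc is not INF:
        k, acc = k + 1, add(acc, pt)
    return k

# Public parameters, as a standards body would publish them: Q is the first point
# (scanning x upward) of order > p/3, and P = D*Q.  Knowing D is the whole backdoor.
Q = next(pt for x in range(1, P_MOD) if (pt := lift_x(x)) and order(pt) > P_MOD // 3)
N_Q = order(Q)
D = next(d for d in range(1234, 1234 + N_Q) if gcd(d, N_Q) == 1)   # assumed secret
P = mul(D, Q)

def generate(seed, n, Pp, Qp):
    """n outputs from seed; states[i] is the internal state right after outputs[i].
    Each step: r = x(s*P); s' = x(r*P); output = low bits of x(r*Q)."""
    outs, states, s = [], [], seed
    for _ in range(n):
        r = x_of(mul(s, Pp))
        s = x_of(mul(r, Pp))
        outs.append(x_of(mul(r, Qp)) & ((1 << OUT_BITS) - 1))
        states.append(s)
    return outs, states

def recover_state(outs, d, Pp, Qp):
    """Trapdoor attack: from outputs t_i, t_{i+1}, t_{i+2} recover the state after t_i.
    Lift each x consistent with the truncated t_i to a point R = r*Q (either sign of
    y works, as x(d*R) == x(-d*R)); then d*R = r*(d*Q) = r*P, whose x-coordinate is
    the next internal state.  The two later outputs only serve to reject wrong lifts."""
    found = []
    for x in range(outs[0], P_MOD, 1 << OUT_BITS):
        R = lift_x(x)
        try:
            s = x_of(mul(d, R)) if R else None
            if s is not None and s not in found and generate(s, 2, Pp, Qp)[0] == outs[1:3]:
                found.append(s)
        except ValueError:
            pass
    return found

def rekey(e0):
    """A party that can overwrite the published Q picks e, installs Q2 = e*P and
    keeps e^-1 as its own trapdoor, since P = e^-1 * Q2."""
    e = next(e for e in range(e0, e0 + N_Q) if gcd(e, N_Q) == 1)
    return mul(e, P), pow(e, -1, N_Q)

def demo(seed=4242):
    """Generate, recover with D, then re-key Q and show the old D no longer works.
    Seeds whose run lands on the point at infinity (a toy-size artefact) are skipped."""
    while True:
        try:
            outs, states = generate(seed, 3, P, Q)
            Q2, d2 = rekey(777)
            outs2, states2 = generate(seed, 3, P, Q2)
            return {"state": states[0], "recovered": recover_state(outs, D, P, Q),
                    "rekeyed_state": states2[0],
                    "rekeyed_recovered": recover_state(outs2, d2, P, Q2),
                    "rekeyed_blind": recover_state(outs2, D, P, Q2)}
        except ValueError:
            seed += 1
```

Calling `demo()` returns the generator's true internal state beside the state recovered from nothing but three public outputs and D, then the same for the re-keyed Q, where the old D no longer recovers anything. Every part of the design is public except that one number, which is exactly the property critics of exceptional access warn about: the secret is not in the protocol, so whoever learns or replaces it inherits the whole capability.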

So how can scholars find and study the hacks that actually do happen? I found that three sources were comparatively underutilized in national security writing and were vital to assembling case studies. The first is technical literature from other disciplines. The story of the backdoor in DualEC—and how nations compete via math and encryption more generally—is a fascinating one. I sourced vital pieces of it from computer science literature, where cryptographers such as Matthew Green have done terrific work in exploring and explaining what happened. Many cryptographers write largely for other cryptographers, but their work has important implications for national security policy and scholarship.

The second source comes from the private sector. A giant industry of firms—many of which are staffed with top-notch analysts and former intelligence community professionals—exists to track the activities of governments as they hack one another. These firms, like CrowdStrike and FireEye, often have tremendous visibility into what happens in computer networks all over the world. By reading their reports and products, it is possible to gain insight into cyber operations and geopolitical competition that would otherwise be entirely hidden from view. This is a key difference between previous eras of international competition, like the Cold War, and today. There are more ways to get closer to ground truth than ever before.

Government documents are the third source. These files often contain a wealth of information. Some, like Department of Justice indictments of foreign hackers, provide significant insight into how those hackers operate, the kind of insight that normally would be found only within the U.S. intelligence community. Other government documents are publicly available and shed light on how the United States carries out its cyber operations.

It’s worth saying explicitly that I am not advocating for leaks of classified information. Everything I cite in the book can be found online. I wrote nothing that American adversaries like Russia and China do not already know. I argue only that the American national security debate should be as informed as we can make it.

The study of cyber operations is often dry, but it does not need to be. These three sources together offer rich material. When properly tapped, they yield narratives that can bring new forms of geopolitical competition to light and reveal the fascinating spy versus spy stories of the digital age. These are good stories, with important implications for national security policy. Scholars should tell more of them.
