misbehavior” that defies simple analysis. You can’t predict where you might be

misbehavior” that defies simple analysis. You can’t predict where you might be attacked by merely looking at the possible holes in each piece. Rather, it’s the whole system that breeds risks. It acts in ways that the designer could not have predicted in advance. “Clearly the system itself is misbehaving,” the researcher Jeffrey Mogul writes of his study of various cases where networks are cracked in this fashion. “However, none of the components have failed per-se.”!45 The complexity of the systems themselves has been, not surprisingly, mimicked in the design of hacking attacks. What was once done by a single Warez Dude is now handled with division of labor, technical specialization and intensive pre-attack research. Every innovation in “righteous malware” is quickly copied and used in dangerous attack tools. The clever modular design of Stuxnet, for instance, was studied by criminals and was found years later still echoing in weapons aimed at banks, credit card companies and health insurance firms. “We are not experts in military history, doctrine, or philosophy,” cybersecurity researchers Stephen Cobb and Andrew Lee have written, “so we are unaware of the correct word for the following category of weapons: the ones you deliver to your enemies in re-usable form.” Cyberattack systems can be dangerous not least because they boomerang. They are delivered intact, primed for re-use to enemies who may choose to bounce them back at your banks, hospitals and electrical grids. “Righteous malware is unique,” Cobb and Lee conclude. “You are giving away your weapons, tactics and designs simply by using them.” 146 It’s not only American services hunting and using such backdoor keys and battering rams, of course; not only the NSA that sees its viruses retooled and reused. Computer security researchers describe opening up the laptops of unwary business travelers and finding the machines blasted inside by malware and other technical cancers, carefully planted by a half-dozen intelligence agencies and criminal organizations. It’s like discovering a closet full of spies in your house, each being careful not to step on the other’s toes as they watch and listen to your life. Why is my computer so slow, a government official in a Eurasian capital might ask. It is because it has been simultaneously pwned by Americans, Russians, Israelis, Chinese, and maybe a local Mafioso or two - and their code is not running smoothly. A couple of years ago I had a naive moment when | thought, perhaps, it would be possible and in everyone’s interest to go back to those simpler, innocent Hacktic days, when information about vulnerabilities was widely shared and easily discussed - and holes were quickly patched as a result. | was thinking about the problem of cybertension between the US and China and suggested applying an 145 “However”: Jeffrey C. Mogul, “Emergent (Mis)behavior vs. Complex Software Systems”, HP Labs Research Papers, 2006, HPL-2006-2 146 “We are not experts”: Stephen Cobb and Andrew Lee, “Malware is Called Malicious for a Reason: The Risks of Weaponizing Code” in P. Brangetto, M. Maybaum, J. Stinissen eds., 6 Annual Conference on Cyber Conflict (NATO Publications, 2014) 71-82 104 HOUSE_OVERSIGHT_018336