The tangled worlds of hacking and academia

With universities targeted incessantly by phishing and ransomware scams, it’s hard to imagine that the first cyberattack on academia was motivated by a young scholar’s intellectual curiosity.

“Robert Morris Jr was not trying to crash the internet but he nearly did,” reflected Scott Shapiro, director of Yale University’s Cybersecurity Lab, on the 22-year-old Cornell University graduate student whose “brilliant project” to access as many computers as possible brought nearly every university computer to a standstill in November 1988.

The so-called Morris worm – for which the PhD student narrowly avoided a lengthy jail term after becoming the first person convicted under the 1986 Computer Fraud and Abuse Act – is one of “five extraordinary hacks” detailed in Professor Shapiro’s new book, Fancy Bear Goes Phishing, which tells the “dark history of the information age” through the lens of cybercrime – with the earliest offences usually centred on universities.

“The internet was basically created by graduate students and early stage academics, and its main nodes were US universities, so it is not surprising that its first hacks involved those in academia,” the Yale Law School philosopher told Times Higher Education. “It wouldn’t be unusual for academics to say ‘write a virus’ for an assignment, even in the early 2000s, because academics are curious and like to experiment and play around with things.”

As Professor Shapiro explains, however, the Morris worm highlighted the vulnerability of the early internet – not just to misguided PhD researchers, but to more malevolent actors. While the military developed formal verification procedures for its internet, the scientific version “operated largely on trust” and “prized availability of information over confidentiality”, he writes in Fancy Bear Goes Phishing. “Researchers…assumed their fellow internet users would be community-minded – altruistic, not destructive,” he continues on the lax end-point security that has become one of the major concerns of our era.

Blaming academia for inventing a delivery system that is prone to hacking is unfair, said Professor Shapiro, who compared it to pointing the finger at free-flowing highways for allowing bank robbers to get away after a heist. But academia’s role in the internet’s design is still clear, and it needs to begin to think more imaginatively about such cybersecurity issues, he said.

“For millennia we’ve given enormous thought about what happens when physical security is breached but we have so little experience of considering breaches of information security,” he said. “This is a really fundamental aspect of how humans live today and we’re just getting to grips with it.”

While his book chronicles several colourful incidents of hacking – from the 16-year-old from Boston who hacked Paris Hilton’s phone and stole nude photos to “get famous” to the feared “Dark Avenger” virus writers of the late 1980s, linked to Bulgaria’s University of Sofia – it also considers new ethical questions thrown up by hacking.

“Normal people feel bad when they hurt others, partly because they can see the hurt they cause, but in the online world, virus writers never see someone crying because they’ve lost their PhD thesis,” he said. “That’s probably why the internet is such a cesspool – because we can’t see each other – but hacking raises other fundamental questions.”

On cyberwarfare, for instance, the idea of creating a powerful weapon able to inflict immense damage to infrastructure is “banal”, explained Professor Shapiro. “What’s interesting is that we’ve created a weapon which can inflict damage that a bomb could never do,” he said.

“Vladimir Putin is engaged in monstrously criminal behaviour but do we want people hacking into Russia’s information systems to cause damage – is this acceptable for governments or private individuals to do? As an individual, you can’t bomb Russia but you could hack its systems – there are some really new questions that we need to think about.”

His book also probes why hackers hack. Money would seem the obvious answer these days, but it is not always the case, said Professor Shapiro.

As the case of Paris Hilton’s hacker demonstrated, “class resentment and wanting to see celebrities get their comeuppance” seemed to be motivating factors, while Bulgaria’s virus writers may have been the unfortunate product of highly trained engineering graduates entering a labour market with no capacity to absorb their skills.

“The idea of the lone hacker working alone is usually wrong and even cybercriminal gangs have divisions of labour and hierarchies that could be studied,” said Professor Shapiro, noting that there is a “natural limit to how big these gangs can get” before they fall prey to disagreements that will cause law enforcement agencies to intervene.

A good way to consider such issues is to learn how to hack, said Professor Shapiro, who teaches law undergraduates to crack security systems to encourage more adventurous thinking on the problems at hand.

“It’s shocking how quickly you can teach someone to hack, even students who know nothing more than email or internet browsing,” he said. “My job is not to create hackers, and students must not use these skills, however tempting, but it’s incumbent on academics to teach in ways that, through students, will make the rest of us more secure.”

jack.grove@timeshighereducation.com