United Nations experts last week called for an investigation into allegations that Saudi Crown Prince Mohammed bin Salman hacked the phone of Jeff Bezos, Amazon’s chief executive, by using malware created by a private cybersecurity company. From the hack of the world’s richest person to data breaches of major companies, Patrick Burkart, a professor in Texas A&M University’s Department of Communication, says the scale and severity of hacking is becoming more and more serious. Burkart, an expert on technology, policy and law, discussed what this means in a society dependent on “trusted technical systems.”
What are some examples of how our social and political realms have been compromised by hacking in recent years?
“Aside from the 2016 election, there are many examples of political and economic hacking, such as the SWIFT international payments system, the Paradise Papers and the Panama Papers (which exposed the secret bank accounts of politicians and other elites from 2014 to 2017), and the ways in which states have targeted journalists and dissidents through hacking. ‘Growth hacks’ have increasingly become a standard business strategy, with political implications. For example, Uber secretly built software tools into its drivers’ smartphone app, which enabled Uber to operate in markets where its services had been banned. Uber’s Android app also sent user data back to the company without the knowledge of users. News Corp hacked voicemail accounts and intercepted private communications to generate sensationalized stories for its News of the World tabloid newspaper — which it then tried to cover up. Finally, Volkswagen hacked software to cover excessive emissions by their diesel vehicles, in clear violation of U.S. and international law. They even sued researchers who had discovered a way to hack the locks on Volkswagen’s cars.”
What are some of the day-to-day challenges that have resulted from hacking becoming more normalized?
“We increasingly rely on networked ‘trusted systems’ for economic activity and cultural access. These systems recreate us as ‘data subjects,’ based on our online activities. The result is that we are under constant surveillance by businesses and have little control over our information. At the same time, since these are digital systems, they offer numerous points of entry, or ‘attack vectors’ for hackers to steal information. It’s likely that hackers have our personally identifiable information; the question is when, and where, they try to use it. We are increasingly forced to use trusted systems, yet the growing awareness of surveillance and hacking risk means we trust them less and less. It certainly heightens general anxiety, which creates markets for products like ‘cyberinsurance’ which may not be worth their cost.”
With an increase in data breaches at institutions ranging from local governments to large companies, and the scale becoming more serious, how has this affected the cybersecurity industry?
“Cybersecurity is a major growth industry. In 2015 alone, the industry was worth $15 billion just in the European Union. By 2021, the global cybersecurity market is estimated to be worth over $202 billion. Obviously, there is serious money to be made, and a ‘revolving door’ exists for those who work in the government and military cybersecurity. Paradoxically, the need for countries and firms to protect their assets through cybersecurity also heightens the need for hacking as a means to gain advantage over their competitors, so hacking and cybersecurity accelerate each other. They also allow countries and firms to influence social activities and organization outside of public view and accountability. Private cybersecurity firms increasingly serve as state proxies for monitoring and policing networks, reflecting the outsourcing of U.S. intelligence and security operations since the George W. Bush administration (Blackwater USA is another example).”
Protecting our democratic elections has also been a concern. What are some of those vulnerabilities, and how do you think this will affect future elections?
“The doxed DNC emails are widely believed to have helped tip the balance of the 2016 U.S. presidential election, together with other important factors (including FBI director James Comey’s investigation of Hillary Clinton’s email security and an information war attributed by U.S. agencies to Russia). The federal government’s attempts to address hacking have been little and late. Moving voting from paper to digital offers countless opportunities for hacking mayhem, as does the insistence of firms like Facebook that they be held harmless, like common-carrier phone companies, for the activities of ‘users.’ While 31 tech companies signed an agreement in April 2018 in which they refused to help any government mount cyberattacks against ‘innocent civilians and enterprises from anywhere,’ Google, Apple and Amazon refused to sign, as did any Chinese or Russian companies. While tech companies may announce intentions to protect against cyberattacks, such agreements place the very tech companies whose security was compromised in charge of enforcing security.”
How has our legal system responded to these threats? What do you think are the most pressing challenges in terms of cybersecurity that it will have to respond to in the near future?
“States and corporations seek to maintain their standing and seek competitive advantage through hacking campaigns. The creation of markets for exploits and cybersecurity also affords new opportunities to develop and exchange commodities. Consequently, to preserve national-security prerogatives and develop global markets for hacking technologies, states have resisted legal regimes to contain hacking by institutions — even as they have enacted vague yet draconian laws against hacking by individuals, such as the CFAA. Just as hacking and cybersecurity reinforce each other, the same is true of laws regarding digital ‘piracy’ and hacking. Copyright industries and cybersecurity interests increasingly promote intellectual property as a national security issue, creating a ‘path dependency’ from piracy law to hacking law.”
Burkart is the co-author of the book Why Hackers Win: Power and Disruption in the Network Society.