The Journal of Things We Like (Lots)

Five years ago, I jotted here about The Internationalists, an engaging book from Professors Oona Hathaway and Scott Shapiro about the changing nature of war in the twentieth century. Professor Shapiro continues that inquiry in Fancy Bear Goes Phishing, published in May 2023. As some might tell from the word “phishing,” the book engages with hacking, a twenty-first century form of warfare with roots in the last decades of the twentieth. The book’s origins in his work with Hathaway are made clear in its first pages: “Does cyberwar make a departure from traditional warfare, or are they both war, just with different weapons?” (P. 8). Shapiro worked in the software industry for several years after college before pursuing his JD and PhD in philosophy. He confesses that despite his initial confidence, delving into contemporary realities of software and cyberia, not to mention AI, made him realize that he “had slept through the revolution, only to wake up, several decades later, disoriented and clueless.” Nonetheless, his final product is a marvel to read, equal parts computer science, philosophy, and law (both international and comparative), and a thing we should all like lots.

Consistent with its clever title, the book is well written and engaging. Five case studies are its foundation, and they rise above the anecdotal to the operatic and thought-provoking. Scott first tells us about the Morris Worm, let loose by a hapless Cornell graduate student, Robert Morris, Jr., that brought down the Internet in 1988 and led to his conviction for hacking. We next meet the Dark Avenger, a Bulgarian hacker who, responding to a challenge from a cybersecurity researcher, devised a “mutating virus engine” that infected antivirus software. And what narrative of Internet woes would be complete without Paris Hilton, whose cellphone was hacked by an enthusiastic teenager, unleashing countless nude photos and a counterattack by Ms. Hilton against Lindsay Lohan? After entertaining us with the Hilton hack, Scott brings the eponymous Fancy Bear onto the stage with his leak of the infamous Hillary Clinton emails from the compromised servers of the Democratic National Committee. Finally, we learn about how a student’s attempt to erase his scores on the online game Minecraft, and perhaps also his Calculus grade, crashed the servers at Rutgers University.

So, what do these stories of technology-run-amok have to do with International and Comparative Law, or any body of law for that matter? Professor Shapiro quickly reminds us of the global context for these various shenanigans and the legal wranglings to control them. Those familiar with law and technology will sense quickly the battle between the regulatory power of computer code and that of legal code. But we find a more nuanced discussion of “code versus code” in these pages. Shapiro teaches us about Alan Turing’s idea of metacode, computer code that governs computer code, a concept that pays off elegantly at the end of the book, and to which I return at the end of this jot. In explaining how many of these hacks work, Shapiro draws a distinction between code and data. Code is the instruction for the machine on how to operate on data. Computer viruses propagate in part by the hacker inputting code as data, causing a program to operate on itself in a self-destructive way. As I explain below, the code-data dichotomy has important parallels to the law-fact distinction.

We also learn from Professor Shapiro about upcode and downcode, each offering an oft neglected gloss on the conventional “code versus code” dichotomy. Upcode is human level code, the rules, norms, and practices that shape interactions among humans and between humans and machines. Downcode consists of the computer programs that guide the machines. A key lesson of the book is that too often policy makers, pundits, and market leaders turn our attention to tinkering with the downcode to cure the technical defects that permit hacking. The real problem is with the upcode, the lack of proper practices, governing norms, and legal interventions that allow humans to be the victims of hacks. Identifying upcode points us to the law, including international and comparative law. Professor Shapiro’s attention to the details of upcode is what makes this book one we should all like lots.

Upcode’s failure appears from mapping the five case studies of the book onto three legal categories and their attendant legal interventions. These three are cybercrimes, espionage, and warfare. According to Professor Shapiro, the Morris Worm, the leak of Hilton’s nude photos, the attack on Minecraft, and Dark Avenger’s mutating virus are examples of cybercrimes. Fancy Bear presents an example of espionage and warfare. Each of these legal categories highlights gaps in the upcode inviting legal reform.

For cybercrime, Professor Shapiro advocates reforms designed around what he calls the three P’s: “pathways to cybercrime, payments for cybercrime, and penalties for vulnerable software.” These reforms invite changes to domestic law and, more importantly, international coordination. University of Cambridge researcher Alice Hutchings found, through survey and ethnographic research, that hackers as a group view themselves as moral agents “possessing a sense of justice, purpose, and unity” (P. 293). Professor Shapiro proposes that policy makers recognize this and try to rechannel that sense of purpose. Such behavior is facilitated through financial platforms, such as cybercurrency, which create incentives and support for hackers globally. Coordinated international regulation of cybercurrency could aid in limiting how hacking activities are promoted. Finally, international coordination to regulate the software industry through imposition of liability for poorly designed software is needed to overcome the immunity that software companies enjoy.

Cyberespionage poses a bigger challenge for international legal reform of upcode. As Professor Shapiro points out, international law recognizes espionage of one country by another as lawful and acceptable. As between countries, espionage is an upcode feature, a recognized practice for learning information for political and diplomatic reasons. But Shapiro advocates for reforms that target international espionage for pure economic gain as opposed to the longstanding use of spies to uncover state secrets. Furthermore, government surveillance of its own citizens to quell dissent and single out whistleblowers (like Daniel Ellsberg) should be condemned. Professor Shapiro points to Snowden’s revelations as evidence of overreach by the government in obtaining information beyond what is currently permitted under FISA. Whistleblowing can serve to reveal the overreach and promote the need for more stringent warrant requirements. Cyberespionage, in short, needs to be more precisely defined to limit the state’s power in quelling dissidents.

Finally, there is the problem of cyberwar, the motivating question for this book. Do established principles of the international law of warfare apply to cyber-dependent warfare, meaning the harnessing of the software that weaponizes the Internet to harm a state and its citizens? For Professor Shapiro, conventional international law applies when cyber-dependent warfare has “kinetic effects,” meaning physical harm to property or persons. A hack of a country’s hospital systems that results in the death of patients or of a country’s electricity grid that results in the downing of airplanes or the crashing of trains would be examples of kinetic effects that violate international law. Under this view, Fancy Bear may not have engaged in an act of war by hacking into the DNC servers and releasing Senator Clinton’s emails. But this hacking, Shapiro argues, still violates prohibitions under international norms against interference in a country’s elections and domestic governance. However, Professor Shapiro recognizes that norms under international law for cyber-dependent warfare are currently vague. He recommends that nation-states engage in treaty making or the creation of “clubs” for the development and propagation of norms in the contemporary world of cyberwarfare.

Fancy Bear Goes Phishing is a provocative book and invites further critique and investigation. The line between upcode and downcode, for example, is far from clear. The proposal to impose liability on software companies for defective code sounds like a change in upcode. But the ultimate target seems to be downcode. One could ask whether reforms to upcode are just ways of identifying necessary changes to downcode. In addition, Shapiro’s analysis at points rests on the distinction between code and data, a distinction discussed previously in this jot. But as with the gray line between law and fact, upcode can often bleed into data, making it difficult to hinge reform solely on upcode. Finally, “kinetic effects” seems to provide a tangible touchstone for identifying violation of the law, but it seems to ignore readily recognizable effects, such as harms to reputation, the existential fear of terrorist attacks, or mental stress from the threat of hacks. Perhaps treaties can address these problems. But see the discussion in his book with Hathaway and my previous jot on the lack of success of the Briand-Kellogg treaty outlawing war.

Nevertheless, there is a compelling takeaway from this book in curing us of any sanguine notion that technology will solve the problems that technology has wrought. Professor Shapiro calls this notion “solutionism,” taking the phrase from social critic Evgeny Morozov. Put bluntly: there is no killer app to be found. If there is any doubt, Scott Shapiro presents elegant proof of this proposition in his Epilogue, building on Alan Turing’s work on metacode. Shapiro’s proof shows how the existence of such an app that can cure all technical woes leads to a contradiction. I cannot do justice to his proof here, distilled from Turing’s demonstration that there are questions that no computing system can answer. Shapiro’s argument against solutionism echoes Kurt Gödel’s proof of the incompleteness of axiomatic systems and Kenneth Arrow’s proof of the impossibility of rational group preferences. As with those famous theorems, that argument against solutionism reminds us of the role of political deliberation and humanism in resolving technical problems.

I began the Summer of 2023 by reading Fancy Bear. I ended the Summer by watching Oppenheimer and Barbie. The former, about the original killer app, so to speak, reminded me of Shapiro’s appeal to upcode as the film depicted its total failure. The latter movie shows how competing upcodes interface with the data of fantasy and life. Maybe someone should make a movie out of Fancy Bear with its enchanting case studies and mind-blowing synthesis of law, philosophy, and technology. However, be prepared if that movie ends more like Oppenheimer than like Barbie.

Cite as: Shubha Ghosh, War By Some Other Name, JOTWELL (October 17, 2023) (reviewing Scott J. Shapiro, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks (2023)), https://intl.jotwell.com/war-by-some-other-name/.