Why the Hackers Are Winning

Fatal System Error:
The Hunt for the New Crime Lords
Who Are Bringing Down the Internet
By Joseph Menn
PublicAffairs; $25.95; 281 pp.

Ivan Maksakov was a skinny, shaggy-haired, 21-year-old living with his parents in the nowhere Russian town of Balakovo. Then he taught himself how to break into computers worldwide. When Russian mobsters discovered his talents for crashing gambling Web sites unless they paid up, they made him one of their own. But on July 20, 2004, British and Russian authorities raided houses in three Russian cities and arrested Maksakov. After agreeing to tell all, he later shocked prosecutors by changing his testimony and pleading not guilty. Ultimately, he and two others got eight years of hard labor for their crimes.

Maksakov's tale gets told about halfway through Joseph Menn's excellent book, Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet. What makes the story so chilling is that the successful prosecution of this low-level scamster stands as a climactic achievement of the cybercrime-fighters profiled in the book. Nabbing Maksakov was about the best they could do.

While Menn provides rich detail about a cast of more dangerous criminals, he also illustrates the many reasons so few are brought to justice—lack of cross-border jurisdiction, payoffs to local politicos, and protection from officials more interested in exploiting than punishing hackers' techniques. "The Russian government, and possibly the Chinese government, [have] access to minds capable not only of stealing millions upon millions of dollars, but potentially disrupting the Western economy," writes Menn, a staffer for The Financial Times and a former reporter for Bloomberg News. "Why wouldn't they encourage additional research to nurture such a weapon?"

Such statements may have once sounded outlandish, but no more. Google (GOOG) recently announced that it and dozens of other Western companies had been victims of what may be state-sponsored hacking in China. And Menn makes a compelling case that Moscow knows hackers affiliated with a group called the Russian Business Network were responsible for the shutdown of the Internet in Estonia in 2007 and in the Republic of Georgia just before Russia's invasion in 2008.

All this makes Fatal System Error timely. It's also a rollicking read, built around two unlikely good guys. The first half focuses on Barrett Lyon, a dyslexic computer nerd from California who as a young teen accidentally brought AOL (AOL) to its knees for three days. Soon after, in 2002, he created a company to use his hacking genius to help corporations stave off attacks. Along the way he meets Andrew Crocker, a onetime street tough and boxer who helped create Britain's National Hi-Tech Crime Unit. With Lyon's help, Crocker is able to set up shop in Russia, where he chugs vodka with enough of the right lawmen to win those rare convictions. But time and again, he and a Russian sidekick get agonizingly close to catching big-time bad actors and are foiled by what Crocker believes to be corruption.

Menn's real achievement is that he entertains as he educates. One reason cybercrime persists is that it's too unfathomable to the general public to generate much anger—despite the fact that experts think it could be costing that public as much as $1 trillion a year. Readers may not follow every keystroke of Menn's story, but they'll retain enough to get scared.

The book ends with an uncharacteristically dry account of what should be done to stop cybercrime. Among Menn's ideas: legalize and regulate online gambling; fund school programs to teach safe computer use; and overhaul the Internet itself—possibly including a federal ID program that would prevent people from getting online anonymously.

Menn also calls for more vigilance from everyday Web surfers. "The people who won't let their lawns go uncut out of respect for the neighbors need to realize that turning on a home PC without a strong firewall and without an operating system and antivirus software that each update automatically is like leaving a loaded shotgun on the front porch for passersby," he writes. "It almost guarantees that their computers will be compromised and used for nefarious activities."

    Before it's here, it's on the Bloomberg Terminal.