A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend them Back
The obvious security fix—patching—is stymied by the industry’s aggressive push for normalization. This is accomplished through lobbying and also through regulatory capture: the common tendency for a regulatory agency to become dominated by the industry it is regulating, and to begin functioning in ways that benefit the industry rather than the public interest. The banking industry also does this by hacking the legislative process itself. The financial services industry spent $7.4 billion on lobbying between 1998 and 2016, with banks alone spending at least $1.2 billion.
If patching isn’t a viable solution, we have to find vulnerabilities before they’re hacked—and, more importantly, before they become entrenched in the underlying system and lobbyists start pushing for them to be normalized. In financial systems, government agencies could engage in red-teaming by hiring accountants and attorneys to study the systems as they evolve, and to improve regulations while they are still in draft.
Troy Powell
Andy Lo
On the other hand, lobbyists can abuse the comment process to pressure regulators to leave loopholes alone, or even to create new loopholes where there weren’t any before. Creating a governing system like the comment process just shifts hackers’ attention from the target itself to the target’s governing system, which must be wary and nimble to avoid becoming just another soft underbelly for attackers to exploit.
Stock markets, commodities exchanges, and other financial trading systems are also ripe for hacking. This has been true since their beginning, and it’s even more so as those systems have become computerized and automated.
Hackers in this domain target information. When a financial exchange is working properly, traders with better information get better results because they buy lower and sell higher. Hacks subvert this mechanism in two basic ways. First, they leverage not-yet-public information to make lucrative trades before anyone else. Second, they disseminate false information that drives the market, then make profitable trades before everyone else realizes that they’re being duped. Both of these hacks subvert market fairness: the notion that investors have equal access to information about the market.
Troy Powell
Pump and Dump
The most obvious hack of the first type is insider trading, illegal for so long that it’s not even a hack anymore. Generally, insider trading involves buying or selling a security on the basis of nonpublic information. The trader could be a CFO who knows his company’s sales figures before they’re disclosed, the PR person writing the financial report, or the printer who reads that report before it’s published. The harms of insider trading are twofold: (1) it comes at the expense of everyone else who doesn’t have the critical information, and (2) it leads people to mistrust the fairness of the ...
In the US, insider trading was criminalized by the Securities Exchange Act of 1934, affirmed and refined over the years in US Supreme Court rulings. In 2021, three people were charged with insider trading for buying stock in the Long Island Iced Tea Co. just before it changed its name to the Long Blo...
This highlight has been truncated due to consecutive passage length restrictions.
Front running is yet another hack that leverages secret information. If you’re a broker, and you know about a big trade that’s about to happen, you can make a smaller trade for yourself immediately beforehand. Then you execute your client’s trade. It moves the market, and you make an instant profit for yourself. Like insider trading, this has been declared illegal.
Some hacking of financial markets and networks will target informational systems surrounding those networks. For example, in 2015, the SEC indicted two Ukrainian hackers who broke into Business Wire and PRNewswire’s networks and stole more than 100,000 unreleased press releases for publicly traded companies. These were then distributed to a network of traders, who used the advance knowledge to place informed bets on the authoring companies’ stocks, much like an insider trading scheme.
The second type of hack involves the creation of disinformation. An old example is the pump-and-dump. Perpetrators buy a stock, preferably an obscure one. (The penny stock market is notorious for pump-and-dumping.) Then, they recommend the stock to others, using false and misleading statements about the potential profit to be made. If others ...
Traditionally, this scheme involved calling potential investors on the telephone. Today, it more often involves online trading message boards, social media groups, and spam emails. Whether it’s ringleaders on the Reddit finance forum r/WallStreetBets pushing retail investors to send GameStop’s price “to the moon” or Elon Musk tweeting about his bitcoin buys to millions of online followers, investors can use online communications to manipulate invest...
The advent of online trading has made this particular hack even more profitable. Mostly, pump-and-dump is illegal, and there are heavy fines if you get caught. On the other hand, prosecution can be difficult. Neither Musk nor anyone invo...
Spoofing is another hack that involves the dissemination of disinformation. Here, a trader places millions of dollars of orders, then cancels them after other traders have noticed and reacted to them. This, too...
Fake news—that is, deliberately deceptive reports masquerading as journalism—is another increasingly prevalent method of hacking the market through disinformation. This hack is most often used to misrepresent companies’ valuation, allo...
Other hacks of financial changes involve finding new ways to reduce risk, often involving loopholes in financial regulations. Hedge funds have been doing this since their inception in the 1960s, first by “hedging”—or offsetting—risks against each other, then by using diverse investment strategies, then by engaging in computer-assisted trading.
The very existence of hedge funds relies on hacking the financial regulatory system. Since their inception, hedge funds have been protected by a series of legislative loopholes that exempt them from SEC oversight. Because they only accept high-net-worth and institutional investors as clients, hedge funds are exempt from oversight under the Securities Act of 1933, which is designed to protect individual buyers in the market.
By toeing the line on criteria outlined in the Investment Company Act of 1940, hedge funds exempt themselves from bans on investment techniques that are applied to registered investment companies—most notably, shorting. In 2010, the Dodd-Frank Act brought hedge funds under the oversight of the SEC, but they remain ...
Over the decades, hedge funds have taken advantage of one legal loophole after another. Sometimes the loopholes are closed after their discoverer makes a lot of money. Sometimes the rules are changed to legitimize the hack. Most of the time they are just used, and eventually accepted as normal....
This is all relatively complex hacking, against multiple systems at multiple levels of generality. Some hacks operate at the technical level: spoofing and front running are hacks that make use of computer speed and automation. Some operate at the level of the financial markets. Some operate at the legislative level: vulnerabilities in securities laws, for example. This is all a microcosm of the hacks that will be described in chapters to come.
Tying automated trading to “sentiment analysis”—so that trading programs buy when a stock becomes a meme or sell when bad news goes viral—can make pump-and-dumps and smear campaigns much more profitable. But the most virulent of all modern exchange hacks is high-frequency trading, or HFT. Instead of making use of true, albeit secret, information or disseminating disinformation, HFT exploits public information at lightning speed.
HFT is a form of algorithmic trading that exploits the price differentials that occur when large trade orders are placed, usually by pension funds or insurance companies. (These massive orders can have a significant impact on stock prices.) HFT algorithms detect these orders, as well as other events that are likely to affect stock prices, and then profit from them.
Here is probably a good place to employ secure systems design. We can design our financial systems to reduce the volatility that comes from high-frequency trading. Already many markets have “circuit breakers” that automatically halt trading temporarily if stock prices change by a certain percentage. We could do a lot more.
In London, New York, Vancouver, and many other major cities worldwide, the luxury real estate market doesn’t behave like it used to. It’s not about rich people buying homes, or even second homes. It’s a money-laundering machine.
First, you purchase a superexpensive condo in a city where you have no intention of living. You make the purchase through a shell company to obscure your personal involvement (technically called “beneficial ownership”). You then use that property as collateral to qualify for bank loans.
This is how Andrey Borodin, having fled Russia on charges of defrauding his own bank, ended up owning a £140 million flat in London. He’s not alone. A 2015 report from Transparency International identified 160 UK properties, together worth £4.4 billion, all owned by what they called “high-corruption-risk individuals.”
Cities like New York and Miami are filled with untenanted luxury condominiums. One luxury building examined by the New York Times had 80% of its units owned by shell corporations in 2014.
This same trick works even if you’re not trying to launder your money, albeit not as well. Real estate is still a good way to park money and acquire collateral, and rising real estate prices ...
This directly damages the real estate market for people who want to live in the neighborhoods where this is prevalent. It also destroys the commercial real estate market in these neighborhoods, because there are fewer people around. Retail stores in neighborhoods like Mayfair in London have collapsed, because 30% of the homes are vacant due to offshore money launderers.
The fixes are as obvious as the vulnerability: regulatory changes that bring real estate in line with other financial systems. In 2016, the US Treasury Department implemented a pilot program in twelve cities (known as a “geographic targeting order”) requiring LLCs to reveal their beneficial owners when they are created. This resulted in a 70% drop in cash purchases of real estate by LLCs. This requirement could be made permanent and nationwide; in fact, geographic targeting orders have recently been renewed and expanded to encompass new real estate markets.
The federal government could extend the banking “Know Your Customer Rule” to include shell companies’ beneficial owners. And the federal government could get rid of the “temporary exemption” from detailed customer scrutiny for real estate that lobbyists were able...
In every case, the vulnerability was discovered by researchers or the manufacturer itself, privately disclosed to the system designers, patched by the designers, and only afterwards published along with the fact that the system was no longer vulnerable. In computer security, we have a name for this: “responsible disclosure.” The opposite of that is a “zero-day vulnerability.” This is a vulnerability that is first discovered in secret, by criminals, governments, or hackers that sell to criminals or governments—and the organization in charge of the system doesn’t learn about it until it’s used ...
There was no responsible disclosure with any of the hacks we discussed in preceding chapters, nor with most of the other examples throughout this book. In noncomputer systems, that’s more normal. When a hedge fund manager discovers a profitable hack against a financial system, he doesn’t alert the regulator so it can get fixed. He uses it to his advantage until a government body forces him not to.
At some point, the system’s governing body learns about the hack. That governing body can do one of two things. One, it can modify the rules of the system to prevent the hack, patching the system. Or two, it can incorporate the hack into the system, essentially normalizing it. After normalization, the hack sometimes dies a natural death once everyone does it and any competitive advantage is lost.
The history of financial hacks is a history of normalization. Someone invents a hack and makes a huge amount of money. Others copy that individual and also reap windfalls. Then the regulators notice and step in. Sometimes they declare the hack illegal and convict the hackers. But most of the time, they retroactively approve the hacks.
Normalization isn’t a new phenomenon, and neither is the cat-and-mouse game between hackers and regulators. In the Middle Ages, both Catholic and secular authorities had very strict restrictions on interest-bearing loans because they were regarded as sinful. As banking developed as a profession, wealthy bankers avoided those restrictions through a series of increasingly sophisticated methods. This included fudging the record books, misleadingly classifying a prohibited usurious loan as a permitted one, and disguising the interest on a loan as a gift from the borrower. One hack was a “dry sea ...
Normalization seems to be common today. I’m sure most high-frequency trading hacks would have been declared illegal if they had been invented a hundred years ago. I’m equally certain insider trading would be legal if it had been invented in recent decades.
Market hacks exploit vulnerabilities in the process by which we make and sell goods and services; that is, the normal logic of supply and demand, consumer choice, how businesses enter and leave the market, and what kinds of products get offered in the first place.
Market capitalism—the free market—is an economic system with unique advantages over the mercantile system it replaced. In contrast to central planning systems like communism, market capitalism is not controlled by any one entity. Individuals make individual decisions in their own best interest, capital flows where it can be used most profitably, and out of that chaos an efficient market emerges, at least in a perfect world.
Markets need three things to be successful: information, choice, and agency. Buyers need information about products and services in order to make intelligent buying decisions: their merits and problems, their prices, their specs, and so on. Buyers need to have multiple sellers from which to choose, otherwise there is no competition to control prices and spur innovation.
Monopolies eliminate choice. Monopolies aren’t new, and pre-capitalism they weren’t a hack. But in a market system composed of sellers competing for buyers, they subvert the market mechanism. Adam Smith wrote about this in 1776, explaining that the economic interests of businessmen are often misaligned with public interests.
Troy Powell
the phoebus cartel and libor
The goal of businessmen—and, of course, business enterprises—is to maximize profits. The goal of the public is to (more or less) maximize product quantity, quality, variety, and innovation, and minimize prices. Lack of competition means that sellers no longer fear losing buyers, and thus have no incentive to provide any of those things the public wants.
Lock-in reduces our agency to freely choose among competing products. Someone might drink a Coke today, and if it doesn’t appeal to him, he can drink a Pepsi tomorrow. But if that same person has a bad experience today with his cell phone plan, or email provider, or credit card, he’s probably still going to have the same cell phone plan, email provider, and credit card tomor...
And the hack part comes from all the different ways of enforcing lock-in: proprietary file formats that make it much more expensive to switch audio players or book readers, customizations that make it harder for you to switch business applications, social networking sites that won’t let you continue to access your friends’ accounts if...
An economic system based on greed and self-interest only works when those properties can’t destroy the underlying system. And “Move fast and break things”—Mark Zuckerberg’s famous motto for Facebook—is only okay when it’s your own things you’re putting at risk. When someone else’s things are involved, then maybe you should think twice—or be forced to fix what you’ve broken.
The phrase “too big to fail” captures a critical vulnerability in our market economy. If you are so large that your failure is a systemic risk to the economy, you are free to take bigger risks because you know you won’t be allowed to fail.
In the aftermath of the 2008 financial crisis, the US government bailed out several major Wall Street banks and other financial institutions after their managers made years of bad business decisions. This was done through the Troubled Asset Relief Program, which authorized the government to purchase floundering companies’ assets and stock, including mortgage-backed securities. It was thought that the $700 billion bailout was essential to protect the overall US economy. The fear was that absent a bailout, it would all collapse.
This isn’t the first time the US government bailed out “too big to fail” companies. The Federal Deposit Insurance Corporation was created in the 1930s, following a torrent of bank failures, in order to monitor banks and protect consumer deposits. In 1979, the government bailed out Chrysler Corporation. It was a smaller bailout—only $1.5 billion—but the justifications were similar. National security was invoked; the company was building the M1 Abrams tank during the height of the Cold War. The economy was invoked; it was necessary to save 700,000 jobs in Detroit and beyond. And the US was in ...
The 2010 Dodd-Frank banking reforms reduced the threat of “too big to fail” institutions, but those were mostly rendered ineffectual as the bill made its way through Congress, or were neutered in subsequent tax reform legislation.
One way to protect against the “too big to fail” hack is to not bail out the mega-corporations directly. The US government had at least two other courses of action in 2008. It could have conditioned any bailouts on restructuring mortgages to eliminate what was a wave of defaults. And it could have bailed out the big banks only if they passed the money on to the borrowers. Both were rejected by then National Economic Council director Larry Summers. The 2008 bank bailouts provide another example of how wealth protects hacks used by the wealthy.
The most effective way to secure an economic system against companies that are too big to fail would be to ensure that there aren’t any in the first place. In 2009, sociologist Duncan Watts wrote an essay: “Too Big to Fail? How About Too Big to Exist?” He argued that some companies are so large and powerful that they can effectively use the governme...