The insecurity of things
Slowly but surely, the internet is becoming a hostile place.
As wondrous as the internet is – with its three billion global users – increasingly, danger lurks. Armies of hackers maraud for personal data. Unknown forces invade privacy, installing hidden bugs. Nations engage in low-grade versions of cyber warfare.
Those who believe that some sort of disaster may be in the offing have coined the phrases “Cyber 9/11” and “Digital Pearl Harbor” to suggest a surprise attack that might change our world. Maybe it’ll be terrorists threatening to bring down the power grid. Or hackers monkeying with November election results.
Are the fears warranted? Some experts say they’re overblown. Yet the issue reflects how the internet has become the world’s superstructure, knitting the citizenry together. The “internet of things” is swiftly evolving: the thermostat, the smart TV, the toaster, the locks on doors, all interconnected. Then there are cars. An estimated 70 percent of automobiles will be connected to the internet by the end of the decade.
If cyber security is not fortified, experts say, aggression and hostility could steadily overtake the web. The “internet of things” may morph, as one recent study forecasts, into the “weaponization of everything.” Imagine elevators going haywire, or pacemakers under the control of extortionists.
Other scenarios are possible, of course. The internet is in its infancy. As with other technologies, simple but firm steps may make it safer.
The development of the automotive industry, in fact, could provide a map forward.
“People were driving cars on the road for 100 years before the first seat-belt law was introduced in 1968. After that law, the number of crashes that ended in fatalities dropped sharply,” said Jeremy N. Galloway, a cyber security expert with Atlassian, an Australian software firm. “The internet is very similar.”
“We haven't invented the cyber version of the seat belt yet, so we have many more painful accidents to come. We are progressing incrementally, getting better security every day, but fundamentally, the internet is a place where you need to be cautious, careful, and skeptical.”
For many users, the risks appear remote when weighed with the benefits.
“The equation is still clear. For every one of us, the advantages of the internet are much bigger than the potential risk,” said Amichai Shulman, co-founder of Imperva, a data security company with headquarters in Redwood Shores, California.
Yet the power of cyberattacks to hurt companies – and even governments – is already apparent. Israel and the United States are believed to have been behind the sophisticated Stuxnet virus that took down key components of Iran’s nuclear weapons program.
When the film studio Sony Pictures Entertainment was hacked in 2014, U.S. intelligence officials within a month blamed North Korea.
Hackers in mid-2015 carried off the greatest theft of personal data in history, stealing vast troves from the Office of Personnel Management on some 21 million current and former federal employees, their relatives and contractors.
The Kremlin has been blamed in the news media for the theft of some 20,000 emails from the Democratic National Committee, or DNC, that first came to light in June, forcing Rep. Debbie Wasserman Schultz from the chair of the DNC and leading to fears of Russian meddling in U.S. elections. House Minority Leader Nancy Pelosi, D-Calif., called the hack an “electronic Watergate,” evoking the legendary break-in that helped lead former President Richard Nixon to resign in 1974.
Barely a day goes by now without reports of an attack. This month, cybercriminals breached cash register software offered by computer giant Oracle, and other hackers stole credit card data from guests at 20 hotels in 10 states, including Hyatt, Sheraton, Marriott, Westin and others.
Even hardened targets get hit amid signs of global cyber conflict. The nation’s top-secret National Security Agency suffered an apparent breach, and the alleged hackers last weekend published some of its most secret cyber tools and weapons on the internet, a major embarrassment. In Moscow, the government-financed RT television network, once known as Russia Today, said it had faced “massive attacks” this week in sustained digital assaults intended to overwhelm its computer networks.
Concerned about ever bigger cyberattacks, Microsoft in June called for establishment of a global U.N.-type body of technical experts from governments, the private sector, academics and civil society to ascertain who is behind major cyberattacks.
Those paid to track cyber intrusions and hack attacks say that the hostility that pervades the internet is vast. Despite the problems, they say it is not yet beyond repair.
“We can combat the bad stuff. We can defend the resources we have. We can adapt where needed. We can’t, however, do nothing. If we give up on protecting resources, data and people on the Internet, then we will end up with an irreparable, and ultimately historical, internet,” said Tim Erlin, senior director for security and risk strategy at Tripwire, a Portland, Oregon-based company that provides threat protection software tools.
Some see the web as reaching an inflection point at which concerted action must be taken by individuals, private companies and governments around the world.
“The internet has tremendous potential, but that potential’s dark side is just starting to rear its ugly head. We need to act now,” former Homeland Security Secretary Michael Chertoff wrote in a blog post on the website of the Council on Foreign Relations this month.
Lior Div, a former member of the Israeli military’s elite cyber security Unit 8200, knows a thing or two about cyber’s dark side. Let your imagination run wild, and Div says it’s already a reality.
“What I don’t like to do is spread fear,” cautioned Div, who is chief executive of Cybereason, a Boston-based company that offers military-grade cyber detection. Div spoke on the sidelines of the Black Hat hackers’ convention in Las Vegas earlier this month.
Div said hostile actions are rampant on the internet but noted that large-scale attacks – ones designed to blow out power grids or carry out major disruptions that could leave hundreds of fatalities – haven’t occurred.
“People are thinking of cyber as an atomic bomb. . . . The thing about cyber is you can be much more precise and exact,” he said.
Oddly, the threat of “mutually assured disruption” may mitigate cyberattack, as nations keep a lid on the full possibilities of cyber weapons and recoil at the unpredictable directions a cyber conflict might take, just as the United States and Soviet Union feared “mutually assured destruction” from a full-scale nuclear exchange during the Cold War.
Yet smaller-scale disruptions are an increasing part of modern life, eroding public confidence in the security of information. Criminals have seen their force magnify on the web.
Overseas hackers knocked out Australia’s census website Aug. 9 on the day the nation was conducting its every-five-years census. Millions of Australians were prevented from taking part.
Extortion, theft of personal data, espionage and surveillance all seem pervasive. Last week, Phoenix-based Banner Health notified 3.7 million patients, doctors and other health providers that it was the “victim of a sophisticated cyberattack” targeting credit card purchases at its coffee shops and cafeterias in Alaska, Arizona, Colorado and Wyoming.
Cyber criminals have attacked at least six U.S. hospital systems this year. In the attacks, criminals encrypt hospital computer systems and demand ransom payments in exchange for the code to decrypt the locked files.
Bank robberies have also entered a scarier cyber era. Hackers stole $81 million from the central bank of Bangladesh in February, months after hitting banks in Vietnam and Ecuador.
Cybercrime is taking a heavy toll on the global economy.
“The cost of cybercrime in 2016 may be as high as $445 billion. That figure could grow as high as $2 trillion a year in 2019 and continue to increase to as much as $3 trillion annually by 2020,” says a report, One Internet, released in June by the Global Commission on Internet Governance, a panel formed by Canadian and British nonprofit think tanks.
That report called for immediate action to safeguard the internet.
“The internet has indeed reached a crossroads,” it said.
And the dangers are only likely to increase. The developed world already is hurtling toward a proliferation of objects and devices, like smoke detectors, clothing and windows, that are connected to the internet. Gartner Inc., an information technology research firm, says the 6.4 billion devices connected to the internet this year will climb to nearly 21 billion by 2020.
“Go buy a refrigerator without a computer in it. You can’t. Go try to buy a car without a navigation system. I had a friend who tried. She couldn’t. Go try to buy a cell phone that is not a smart phone. Good luck,” said Bruce Schneier, the chief technology officer at Resilient, an IBM company.
“The basic problem is,” Schneier added, “that we’re moving the insecurity of computers onto everything, which are cars and thermostats and refrigerators, and things in our cities and voting machines and airplanes.”
Advances in software are far faster than the regulation designed to keep things safe, he said, and few companies see incentives to focus on cyber security.
“What happens when there is ransomware against your car, ransomware against your thermostat? Someone demonstrated that last week. ‘Hi. You’re on vacation. Your pipes are going to freeze unless you send me $200,’ ” Schneier said.
Herbert Lin, a physicist educated at the Massachusetts Institute of Technology, is one of 12 people President Barack Obama named in February to sit on the nonpartisan Commission on Enhancing National Cybersecurity. The commission is expected to issue recommendations by the end of the year.
“We don’t let people drive without putting them through a test,” said Lin, who is now a research fellow at the Hoover Institution. “What’s the analogy for the internet? . . . Should everybody understand what accounts for safe behavior on the internet? Absolutely.”
The One Internet report offered a list of steps to ensure that the internet remain open and unfettered. It called on governments to declare some potential targets of cyberattack as off-limits, halt interception of data for political control, and desist from requiring third parties to weaken encryption standards through hidden “backdoors” in their technology. It suggested nations enact laws that require robust public reporting of data breaches, and private companies assume greater liability for data breaches.
Lin said such measures might be short-term solutions.
“Cybersecurity is something that is going to be with us forever and ever and ever,” Lin said. “People think you can fix the problem once and for all. You can’t do it.”
It may take some serious wake-up calls before citizens demand action, clamoring for the digital version of the automotive seat belt. Analogies with America’s car culture keep arising.
“If bridges were collapsing all the time, no one would drive across them. We’re arriving at the same point in software,” said Joshua Corman, head of the Cyber Statecraft Initiative at the Atlantic Council, a think tank. “Sometimes it takes catastrophic failure to trigger collective action.”
“We as a society are much better at fixing things once they have already happened,” said Schneier, the technology officer. “I think it’s going to take some disasters.”
Tim Johnson: 202-383-6028, @timjohnson4