Bill Clinton said the other day that when he took office, ‘only high energy physicists had ever heard of what is called the World Wide Web… Now even my cat [Socks] has its own page.’
This exponential jump, both in computing power (a single iPhone could have run the entire Apollo space programme) and in reach (from desktop to laptop to phones to the Internet of Things) has touched all of our lives. In 1995, only 0.5% of the world’s population were using the internet; by 2012 that had increased to 39%.
It’s not surprising then that this astonishingly rapid and profound change has had many consequences, some good, a few bad. One of the major downsides has been the growth of cybercrime, which has risen alongside the growth of the connected world, exploiting new vulnerabilities as security fails to keep pace with technology.
The enemy is not only many-headed and driven by multiple different goals, but it is also hard to identify. The ‘War of the Invisible Enemy’ has begun. Three elements encourage activity on this new criminal frontier: first, that it’s usually low risk and high return; second, it has the advantage of anonymity; and third, it often isn’t reported to the authorities by companies who worry about the reputational damage they will sustain.
These advantages have drawn large-scale cyber criminals into what they regard as a growth area; small attacks by geeky teenagers are still significant, but less strategically worrying. Nor is it just private sector criminality that we have to worry about; there are plenty of state-sponsored cyber criminals who not only have access to advanced technology, but can also use their activities to generate extra funds through fraud and extortion.
As a nation we need to learn more about the kinds of attack we may face, and how to meet those attacks. For example, the denial of service attacks which are very common on large companies are often used as a smokescreen to conceal the implantation of malware onto their systems. This can then be used later to extort ransoms by threatening to cripple the system. Nokia were recently the victim of such an attack when blackmailers successfully persuaded the company to part with a suitcase containing millions of dollars in exchange for the crucial piece of smart phone software.
If the victims don’t give in to the criminals’ demands, they may find systems data is wiped, their files are encrypted to the point of becoming useless, or their customer information made available to other criminals for use in cybercrime.
Both the public and private sectors are vulnerable to such attacks. In 2014, the banking giant JP Morgan had cyber criminals sitting on their servers for over two months before being detected. In the meantime around 76 million personal accounts were compromised along with seven million business accounts. Only a year earlier CIA contractor Edward Snowden stole an estimated 1.7 million classified documents from the US Government, significantly impacting their counterintelligence capacity.
In the future, new areas of vulnerability are likely to emerge. As IT becomes ever more important to healthcare, the security of the most sensitive patient records is worrying. Currently you can buy medical records on the black market at $2000 per person, but in the future this might become more in line with credit card data, which is on sale on the dark web for as little as a dollar.
In addition to health data, even elements of our physical identity could soon be vulnerable to hacking. During 2014, an unknown group of hackers stole 5.6 million sets of fingerprints from the US Office of Personnel Management.
None of this, however, is a counsel of despair. The vulnerabilities that criminals exploit are often relatively easy to tackle.
Companies are, for example, particularly vulnerable during periods of mergers or acquisitions, when they often give new potential partners unparalleled access to their systems. Firms are also bad at vetting employees, especially junior staff like cleaners, but of course it only takes a moment to insert a USB drive into an unattended computer and infect the system with malware. Another problem is employees accessing social media through their work computers, permitting gateway access to potential saboteurs.
Relatively simple changes to security can prevent this kind of incursion. Proper staff vetting, clear procedures to prevent easy access to secure networks, and careful consideration of vulnerabilities through supply chains are a start. More complex software, such as Glasswall, which tracks the movement of documents within an organisation and can identify who has accessed them, may be the future.
At a national level, governments need to accelerate the process, which has already begun, of shifting finite resources away from conventional warfare and policing, and resourcing cyber warfare capacity.
I also believe that there need to be two significant changes to the law. First, all companies – not just internet service providers as at present – need to have an obligation to report to the relevant authorities when they are hacked. Second, all companies that do business with the Government should have a minimum level of defined cyber security. I accept that this would exclude some smaller firms from government contracts but I believe it’s a price worth paying. Finally, the Government needs to appoint a single minister with overall responsibility for cyber security. This is now too important an area for us to take the risk that it might fall between ministerial responsibilities.
Overall, if we want a society to enjoy the benefits of the extraordinary technological revolution, then we have to protect ourselves against those who would exploit it for their own malicious ends. If the private sector, the Government and individuals all step up and take control of their own cyber security efforts, then I believe that we can and will win the invisible war.