Cyberwarfare at a Global Scale
By Nancy K. Herther
Russia’s president, Vladimir Putin, and U.S. president Barack Obama met for 90 minutes during September’s G20 summit in Hangzhou, China, at a time when at least some American officials believed that Russia conducted several cyberattacks on the Democratic National Committee and voter registration systems in the U.S. Obama specifically told the gathering of world leaders that the U.S. is prepared to respond to any attacks. However, given the number and depth of the assaults on both the U.S. and other countries, it is hard to imagine that our systems are truly safe today.
Cyberattacks are the deliberate breaching of a computer system with the intent of stealing intellectual property or financial assets or causing damage or disruption to the system by disabling, wiping out, or manipulating a computer or network. These attacks have become a major concern for citizens, businesses, and governments across the globe. Obama has called such a threat “one of the most serious economic and national security challenges we face as a nation.”
As Old as Technology Itself
Attacks on technology aren’t new, and, in fact, the first instance of such an act can be traced back more than 110 years to Nevil Maskelyne, a British music hall magician. Maskelyne was also an inventor who was self-taught in the principles of wireless communication. Three years before Guglielmo Marconi’s demonstration of Morse code over wireless telegraphy, Maskelyne had sent a wireless message between a ground station and a balloon 10 miles away.
The book Wireless, by Sungook Hong, describes how Maskelyne was so frustrated at the terms of the patent that Marconi was able to get—which, in effect, guaranteed a windfall for Marconi and cut off any serious competition—that he disrupted Marconi’s demonstration of his “secure and private” wireless telegraphy system in 1903, with a message repeating the word “rats” and then a series of insults to Marconi. In a newspaper letter published a few days later, Maskelyne admitted his role in the stunt, defending his actions as providing proof that Marconi’s system was neither secure nor private and thus a public concern. Maskelyne’s demonstration failed to stop Marconi’s venture, but it represents an ominous early warning of how technology could be used for good or otherwise.
Siege on Higher Education
In 2015, David Shipley, director of strategic initiatives for IT services at the University of New Brunswick and a cybersecurity expert, wrote the article, “The Cyber Siege of Higher Education in North America,” for EDUCAUSE Review. In a recent interview, I asked him if he saw things as better or worse since he wrote the article. “I think things are about to get a lot worse for universities and colleges around the world before they get better and it’s going to cause a whole new level of disruption and expense,” he said. “The University of Calgary ransomware attack [in which the school paid $20,000 in untraceable Bitcoins to hackers who were able to lock up its computers in June 2016] highlights the new business model of ransomware extortion that is exponentially increasing in popularity as a direct result of the decline in the value of credit card and personal identifiable information data on the cyber black market.”
Shipley continued, “It’s become increasingly difficult to maintain ‘profit margins’ for cybercriminals and to find buyers given the deluge of information available for sale. Ransomware and extortion solve this issue in two ways: One because you have a built-in buyer—your victim; two, because the value of the data is intrinsic to the victim and it doesn’t suffer from flood of supply into a market.”
Given the rise of crimeware and crime-as-a-service (CaaS) cloud offerings that provide less tech-savvy cybercriminals with ready-made malware and other hacking tools (with some including money-back guarantees and 24/7 chat support), Shipley said, “We’re seeing a massive growth in cybercriminal entrepreneurism. The expansion of ransomware means that even universities and colleges/researchers not in the [STEM] spaces will be increasingly targeted, as again it’s not so much about the external value of data. And then there’s the rise of DDoS (distributed denial of service) extortions, and if Rutgers is any example, this will be an incredibly expensive and painful issue for universities and colleges.” Rutgers University was the target of several DDoS attacks, starting in November 2014, which brought down a few of the school’s networks and websites.
The Danger to Our Power Grids
Martine Chlela, a McGill University researcher and doctoral student, has studied the tenuous state of our power grids and says that we need to look beyond computer systems in terms of our cybersecurity. “There exist different types of cyberattacks that not only jeopardize the privacy of humans, but could also threaten their physical security,” she says. “The chemical, nuclear, healthcare, financial services, transportation and energy sectors are all endangered. In the same way, cyberattackers can gain unauthorized access to governmental and military data and could change the trajectory of trains, planes, or even missiles.”
Chlela cites John McAfee, developer of the first antivirus program, who said that “the next major war will not be fought with guns, ships and missiles. It will be a cyber war with far more devastation than could possibly be achieved by our combined nuclear arsenals. Or if conventional weapons are used, they are likely to be our own turned against ourselves.”
Chlela lists some key attacks that occurred recently: “Stuxnet which infected 50,000 to 100,000 computers in Iran, Indonesia, India and Azerbaijan; the Canadian federal government websites and the Canadian Security Intelligence Service (CSIS) and Service Canada were compromised by a denial-of-service cyberattack in 2015; 46 major financial institutions including the New York Stock Exchange, Bank of America and Capital One have been the target of attackers. ... In addition to all the previously mentioned events, in 2015, a cyberattack targeted the Ukrainian power grid and left 700,000 people without electricity for several hours. The attackers were able to find a vulnerable access point to the Ukrainian power grid although industry standards for cyber security were employed. North American experts claim that the U.S. power grid is not protected against such breaches and the Ukrainian attack is easily repeatable.”
What About the Internet of Things?
There is a great deal of buzz surrounding the Internet of Things (IoT) and security, according to Scott Shackelford, an author and assistant professor of business law and ethics. It is “the notion, simply put, that nearly everything not currently connected to the internet, from gym shorts to streetlights, soon will be. The rise of ‘smart products’ holds the promise to revolutionize business and society. Applications are seemingly endless.”
“From 2013 to 2020,” Shackelford says, “Microsoft has estimated that the number of internet-enabled devices is expected to increase from 11 to 50 billion, though estimates vary with Morgan Stanley predicting 75 billion such devices in existence by 2020. To substantiate the coming wave, Samsung recently announced that all of its products would be connected to the Internet by 2020. Such statistics are mind-boggling, especially to the average consumer. We need to be aware that all of these devices come with gains in efficiency, but at the cost of producing voluminous amounts of data about a huge array of our daily activities. These data are insecure, and should be treated that way.”
Shackelford believes that a polycentric approach is necessary. “This is a multi-level, multi-stakeholder system of governance propounded by Nobel laureate Elinor Ostrom and her colleagues at Indiana University and elsewhere, which recognizes the important role of bottom-up self-organization in addressing global problems like climate change and cyberattacks,” he says. “In short, what we need is an all of the above response to cyber insecurity, as we’re beginning to see with forums including the G2, G7, G20, NATO, and the private sector making important headway on cybersecurity norm building.”
It isn’t just technology-based solutions that Shackelford has in mind, though. There are also human-based solutions to think about. “On the human side, we need a comprehensive legal framework for the successful investigation and prosecution of cybercriminals,” he says. “There’s only one current international framework for cybercrime—the Budapest Convention—and it’s mostly the EU with a few countries including Canada and the US, but doesn’t cover hotbeds of cybercriminal activity including Brazil, Russia and China.”
Shipley says, “On the technology side, we need a more secure global internet where security is baked in, not bolted on as an after-thought. We’ve built this entire vital part of the modern global economy as an as-we-go approach and that has created the perfect conditions of insecurity. We need to look at cybersecurity from the ground-up, starting with the protocols we use to transmit data to the mechanisms in which we build and verify trust relationships.” This is especially important with the rise of IoT in the areas of transportation and medicine, he says.
Changing Human Behavior
“Individuals should learn from these experiences and understand the fragility of data,” Chlela advises, especially “the vulnerabilities of the technologically advanced infrastructures to cyberattacks threatening their physical and cybersecurity.”
“The number of cyber events that have been recently happening in the past couple of years is increasing exponentially,” Chlela says. “The reason behind the extensive occurrence of such cyber events is that the majority of cyberattacks are inexpensive, easy to launch, effective, and have a low risk of detection. Plans for prevention, protection, mitigation and post-attack recovery need to be put in place; only at that point we could become cautiously hopeful of a more secure future.”
Shackelford also sees a major role for each of us in the new form of warfare. “Social engineering is a huge part of the multi-faceted cyber threat,” he says. “But it is merely an updated version of an age-old scam that manipulates people into divulging sensitive information, but those updates make it cutting edge. Today’s attackers often research a user’s web history, perhaps accessing his Facebook, Twitter, or LinkedIn account to learn about him and tailor attacks. In response, organizations at all levels need to educate their employees about how to detect social engineering attacks, such as by running regular spoof tests to see the percentage of employees that click on a given link.”
William C. Banks is the director of the Institute for National Security and Counterterrorism and a law professor at Syracuse University. “Privacy itself is not a well-developed idea in the cyber realm,” he says. “Most people are trying to protect anonymity. The law and our culture will have to develop what privacy means in the digital age more fully. Solutions will come from multiple sources—international agreements (e.g., US and China on espionage); new treaties, possibly; [and] adaptations by private sector actors.”
Shipley recently developed a new four-pronged approach to his institution’s security, which has a major focus on better educating students, faculty members, and staffers. It also includes a new design for network and security architecture that Shipley hopes will create a single working system he likens to a “digital immune system.”
“I sincerely believe we are rapidly approaching [the] tipping point when it comes to cybersecurity,” Shipley says. “Either industries of all types will get truly serious about protecting personal information and frankly personal safety of individuals, or individuals will either demand increased government regulation and standards or move towards brands and organizations that clearly demonstrate they do take cybersecurity seriously.”
“It’s incredibly sad that it has taken so much to get cybersecurity into the public space as an issue,” Shipley says. “It’s estimated that 1 out of every 3 Americans have had their personal health information breached and that more than half of all households have suffered a privacy breach of some kind.” So how will this work out in the end? Shipley says that “the most likely outcome is a combination of increased regulation and market rewards for improved cybersecurity. Right now market forces are failing to provide enough incentives on their own for organizations to take cybersecurity seriously.”
Hope for the Future?
“Even if we can’t stop cyberattacks,” Shackelford concludes, “we can certainly manage them more effectively, such as by taking a networked and distributed approach to a networked and distributed problem, in the words of Robert Knake.” Knake is a former director of cybersecurity policy for the National Security Council.
Neil Rowe, a professor of computer science at the Naval Postgraduate School and an expert on cyberattacks, sees a major role for the computer industry in the future. “Many of the increased threats come from increasing use of computer networks,” he says. “The public should realize that networking has a downside.”
“A major part of the problem is the low quality of software combined with its increasing size and greater likelihood of bugs,” says Rowe. “Unless software vendors can start guaranteeing their products against defects, cyber exploits will continue to grow. Microsoft and Adobe have made no major advances with their software in the last 10 years, yet the size of their products continues to grow. Almost all the growth has added little to the quality of the product.”
“I believe humanity will eventually get a handle on the cybercrime epidemic,” Shipley says. “But it’s going to take another decade, and sadly it’s likely going to take actual deaths (caused by medical device tampering, power outages affecting vulnerable people during hot or cold weather cycles, unsafe connected cars), before things truly get better.”
In July 2016, a senior executive from Google said that the company is notifying customers about 4,000 state-sponsored cyberattacks each month. With such a staggering assault, no one can ignore the dangers lurking both within and outside our internet society.