In mid-April, the ‘Shadow Hackers’ online group made public some malicious software known as ‘EternalBlue’ that had been stolen from the US government’s National Security Agency, which develops hacking tools to gather intelligence.
About a month later, ‘ransomware’ incorporating the bugs penetrated perhaps 300,000 computers running outdated Microsoft software in an estimated 150 countries.
Luckily the ransomware, dubbed WannaCry, was quickly defused. But the speed and extent by which the malware spread, WannaCry’s household-name business victims such as Nissan and Renault, its disruption of the UK’s medical services and its ability to destroy data made the ransomware the most chilling cyberattack ever. But it’s perhaps not the most significant cyberattack ever. Many claim that emails hacked from Hillary Clinton’s presidential campaign and released via Wikileaks helped Donald Trump become US president.
Other notorious incidents of cybercrime in recent years include attacks on the US Chipotle restaurant chain, the central Bangladesh Bank, Yahoo, Sony Pictures Entertainment, eBay, The Home Depot of the US and Target in the US. Verizon says that the number of data breaches around the world where at least 100 million identities were exposed numbered 15 in 2016, 13 in 2015 and 11 in 2014. Cybercrime, according to some estimates, is already a US$1 trillion industry worldwide. In the US, the FBI says that reported ransoms paid to hackers jumped from US$24 million in 2015 to US$209 million in the first three months of 2016.
Whatever the true figures, identification theft, fraudulent online transfers, payment-card frauds, network assaults, denial-of-service attacks by malicious networks of computers (botnets), ransomware, cyberbullying, trolling and online child pornography are too common. They show that nothing is safe on the internet – apart from criminals, it seems. It is incredibly difficult to protect computers, networks and the internet from vandals, pranksters, criminals, terrorists, rogue governments and government-protected agents because networks are too widely used, too complex, too fragmented and too vulnerable to coding mistakes, ignorance and complacency, and too open to be defended. Governments engaged in cyberwarfare – the US military intelligence built EternalBlue – are possibly making the internet less safe. The growth in the cloud and the ‘Internet of Things’ magnify vulnerabilities. While the most likely outcome is that people will accept the crime risks of using the internet, a catastrophic attack that snaps the public’s faith in cybersecurity cannot be ruled out.
If people, businesses, governments and other bodies including hospitals can’t trust the internet to protect data, share files, host websites, seamlessly send and receive messages and make payments, an internet slowed by protections and precautions could assume a lower profile in everyday life – or fall well short of its potential anyway. But that won’t happen without a fight. Policymakers are making cybersecurity a top priority while an industry has sprung up to protect cyberspace. The fight to maintain the public’s trust in the security of internet will be never-ending.
To be sure, billions of interactions happen every day on the internet without hassle. A cyberattack is yet to trigger a catastrophe. Firewalls, virus antidotes and sophisticated behavioural defences help protect systems. Better protection is a key benefit of cloud computing. The payments companies, namely American Express, MasterCard, PayPal and Visa, have never suffered a significant breach, even though they are under constant attack. Neither have the big digital platforms and now the big cloud companies Amazon, Facebook, Google and Microsoft of the US and Alibaba and Baidu of China. The core problems, though, are that the foundations of the internet are insecure and making the internet safer from criminals makes it safer for villains too – encryption software and other efforts to legitimately protect privacy are prime examples of this dilemma. Cybersecurity will be an unwinnable war that taxes society. The challenge is to keep these costs well in check so that the internet remains a massive net benefit for the world. This goal is achievable, if cybersecurity receives the priority it is due.
Fragile and flawed
Networking hardware can offer cybercriminals a way into a network either by accident or by design. When new cutting-edge equipment is released, it is usually beyond the abilities of cybercriminals to exploit. Unfortunately, cybercriminals generally have time on their side because the expensive task of upgrading networking equipment is done sparingly by businesses. Older hardware is more vulnerable to attack. Hackers can exploit cracks in the links between different networking products from multiple companies. Finally, networking hardware companies may secretly provide ‘back doors’ for their governments to exploit. Criminals and others may take advantage should the government lose control of this information as happened with WannaCry.
Software may be even more vulnerable because each application consists of millions of lines of code. All programs contain coding mistakes and inefficiencies when launched. Software makers issue ‘patches’ for these errors, if they find them. This takes time and effort, which often only the largest software firms can afford. Even when patches are released, many users fail to install them in a timely manner, if at all. Companies sometimes avoid upgrading software because the latest versions might be incompatible with bespoke applications built internally or purchased from other vendors. The outcome is that much of the internet lies unprotected.
Once a software or hardware vulnerability is found and hackers seek to exploit it, to succeed, they first need to find a flaw that gives them an opening to embed into a computer some malicious digital instructions. This often doesn’t require advanced computer literacy, only a knowledge of human psychology. All it can take is one person to be fooled by an innocuous-looking ‘phishing’ email, click on a malicious web-based ad or download from a compromised site.
Hackers were around in the early days of computers but perhaps many were just geeks causing trouble for kicks. Nowadays, cybercriminal gangs run websites with drop-down crime menus, offer chat-app technical services to help would-be hackers and manage call centres to help victims pay ransoms. These felons are often protected by governments. They have access to cheap and easy-to-use tools that hack past password protections, even biometrics such as voice recognition, fingerprints and iris scanning.
Much criminal activity takes place on the ‘darknet’. This term describes a distributed anonymous network within the ‘deep web’ that takes special software to access and is beyond the reach of authorities (and search engines). Thanks to technological advancements that allow for mass criminal activity while protecting anonymity, cybercrime is lucrative, hard to detect and even harder to prosecute.
Negligent users or conflicted developers?
To help protect networks, governments including Australia’s have set up cybersecurity centres (acsc.gov.au) that pool knowledge from police, the military, academia and the private sector. An industry has sprung up to help mitigate cybercrime. Check Point Software Technologies, Cisco Systems, FireEye, Palo Alto Networks and Symantec are among the biggest listed cybersecurity companies. ‘Bug hunters’ are another source of internet protection. These are geeks who receive bounties from companies for finding flaws that can be fixed. Insurers are offering (partial) protection against cybercrime.
A major responsibility for keeping the internet safe, however, lies with the operating-system developers such as Apple, Google and Microsoft, due to their huge number of users.
Microsoft software products include Windows XP, the model that WannaCry exploited. As is typical for software companies, Microsoft puts a finite life on its software versions when released. In the case of Windows, it is generally 10 years, well beyond the life of a PC on which it would run. In the case of Windows XP, Microsoft provided free support for more than 12 years. Microsoft needs an ‘end of life’ date on software because it is costly to update and patch a software version.
Despite the negligence of enterprises that still use Windows XP while refusing to pay for support after its ‘end of life’, in the aftermath of the WannaCry attack, Microsoft stood accused of holding back on issuing a free repair for Windows XP that could have protected users. (Almost perversely, such attacks boost software and security revenue for Microsoft and its peers.)
Critics suggest that Microsoft would have provided support if not for its profit motive to sell software patches, and that it has an incentive to avoid providing security updates on old software, to force people to buy the latest versions. A bugbear for many people is that companies such as Microsoft bear little or no responsibility under US law if their software is vulnerable to attack.
Expect big political fights about the liabilities of software makers in coming years as cybercrime costs mount. Stricter regulation around cybersecurity, though, could stifle innovation.
Invisible but lethal
While governments are giving greater priority to cybersecurity, the most likely catastrophic assault on the internet is by a state-sponsored cyberwarfare attack.
Western countries are especially vulnerable. They depend on the computer-based global financial system and their electric grids, emergency services, mobile communications and water services are operated by computers. Vast swathes of a country including major cities could suddenly be without power, water, the internet and emergency services.
While rogue governments are adept at cyberattacks, western democracies engage in the practice too. The ‘Hiroshima moment’ or watershed event for cyberwarfare arrived in 2010 when the US and Israel allegedly deployed the Stuxnet cyber virus to destroy centrifuges at an Iranian nuclear facility.
Cyberwarfare is likely to be a never-ending arms race. Democratic governments need to develop cyberwarfare technology to gather intelligence to protect their populations. The more weapons they create the more insecure adversaries feel, which prompts them to step up efforts. Another quandary is that intelligence agencies must decide whether or not to warn software manufacturers about flaws in their code. If they inform software makers (and they often do), intelligence agencies risk making worthless their cyberweaponary edge. Another conundrum is that technology companies don’t like that governments develop and hold cyberweaponary, yet they have refused to co-operate when terrorists use their platforms or encryption. Underlying all this is that cyberweapon technology can be easy to steal.
The Shadow Hackers’ release of the EternalBlue malware that turned up as WannaCry is the most obvious example of stolen cyberwarfare technology ending up with villains. And this episode isn’t over. Shadow Hackers has promised to release more malware stolen from US intelligence. The battle between cybercriminals and cybersecurity agents will be endless.
by Michael Collins, Investment Specialist at Magellan
For further insights from Magellan, including the full versrion of this article, please click here