The bolt from the blue
We won’t take cyber security seriously until it’s too late
A recent poll suggested that Americans disagree what the greatest threat facing them is, with Republicans naming armed terrorists and Democrats naming armed citizens. Both are rather missing the main point. As are Canadians.
The biggest danger is in your pocket right now, or very possibly your hand. Yes. Your smartphone. Also your computer, and increasingly your fridge and furnace and baby monitor. And certainly your electric plant. It’s the Internet.
The problem is not that Skynet is about to become self-aware. It’s that everything is connected to, and dependent on, a marvellous, flexible, open high- tech communications network that is not remotely secure and neither are the things connected to it. Going from email as a novelty to wired fridges is an unprecedented achievement. But also reckless, especially given how careless we are about these novel, often baffling security risks.
Banks, government departments, retailers, even Mattel’s new Barbie are not merely vulnerable, they seem almost unprotected, as though banks had not locked their vaults or posted guards in the good old days when it took a sedan and a tommy gun to rob them. And the more wired we get, the more systemic and ominous the risk.
Whitfield Diffie, co-creator 40 years ago of public key cryptography, just told NBC, “To my mind, the most critical thing is our grand vulnerability is not to physical terrorism, but to a cyber attack on our critical infrastructure … power … gas and water, transportation, banking, communications …. opponents who have real capability to survey these systems stand a chance of developing a technique for causing them to collapse.”
Physical terrorism is appalling, and might yet achieve some hideous triumph with weapons of mass destruction. But our main strategic weakness, to groups like ISIL or state actors from Moscow to Beijing to Tehran, lies in a cyber Pearl Harbor where everything from electricity to communications goes dead. It wouldn’t just expose us to conventional attack, it would make one superfluous. How many Canadians would die if our power plants shut down destructively in mid-winter, or just our grocery store distribution chain?
The Ashley Madison hack got our attention briefly. Of course it did — it involved illicit sex. But the stories come and go and there’s so much social networking to do that they all just blur and fade. Remember when someone stole a Google security certificate in 2011? No, of course not. There have been so many. Michaels. Target. Forty per cent of all South Koreans’ credit card data. Sony. JPMorgan Chase. Home Depot. Kmart. Dairy Queen. Supervalu. Neiman Marcus. And that’s all in the last five years and it’s just the ones we know about.
As for governments, NATO got hacked. So did the U. S. State Department, and Canada’s National Research Council. And on and on. What exciting surprises might the future hold? Plenty.
Remember Heartbleed? It wasn’t even a virus, just a basic flaw in the open cryptographic system widely used on the Transport Layer Security protocol. Whatever that is. Indeed, can the typical citizen, banker, or politician explain even now what Heartbleed did even in general terms, or why the vulnerability to it was so widespread?
Throughout human history, people generally got to be in charge of everything from cows to castles because they knew how they worked. Today, those who’ve spent decades climbing to the top of an enterprise know less about the key technological aspects of a business than the teenagers selling them fast food burgers.
There is no going back. The Internet is not merely hugely convenient. It is a boon for the environment as well as the economy. But 15 years ago CSIS warned that nations such as Russia, China, or even Iran would be capable of a crippling cyberattack within a decade. That decade has come and gone with no such attack. But the threat has been growing since, in terms of their capacities and our vulnerability. How much malware is already embedded in North America’s critical infrastructure, waiting to shut down the power grid, send traffic systems haywire, or disrupt government communications at the flick of a switch halfway around the world?
The situation is bleak but not hopeless. Computer giants like Apple to Microsoft to Adobe, as well as specialized software security firms, are working frantically to improve security and if we follow simple directions on passwords, hotspots, two-factor authentication and so on we can make ourselves a lot safer in small things.
The problem is, government is also on the job, and in the most vital areas. So if you want to know how safe you are, watch how politicians utter smugly soothing blather while they and the bureaucracy fumble simple files even on trivial stuff you do understand.
Terrorism still matters, as does crime. But if we are hit by a bolt from the blue, the odds are increasingly that it will be digital. We should govern ourselves accordingly.