How hackers exploit our stupidity
Countries must invest far more in cybersecurity, both at the national and corporate level, because cybercrime is many problems wrapped into one
he infection that crippled National Health Service (NHS) trusts in Britain, as well as computer networks in dozens of other countries, gained access because of stupidity: Perhaps a single person clicking on a fake link. But it spread because of laziness, penny-pinching and bureaucracy. The NHS hadn’t been willing (or perhaps able) to spend money on updating its systems: The hack relied on a known vulnerability, but IT managers failed to install a patch released two months ago to prevent precisely such an attack. Even if they had, 90 per cent of trusts still use Windows XP, an operating system declared obsolete back in April 2014, and thus lacking any such patches. To the public, it may seem reprehensible that the NHS was targeted by this “ransomware”, which holds files hostage until payment is made.
But for the criminals, endangering lives was a feature, not a bug. As they’d learnt with attacks elsewhere, people are more willing to pay up when it’s a matter of life and death. In explaining how all this happened, the best place to start is with the career of a man called Evgeniy Mikhailovich Bogachev. Bogachev was a bank robber — a very good one. He and his gang would hijack corporate computers, then empty the associated bank accounts. To cover their tracks, they would then launch a massive attack on the bank’s systems — in effect a digital smoke bomb. Then, Bogachev had a brainwave. To mount that attack, he needed to infect and hijack tens of thousands of computers. Why not make money from them as well?
He started using CryptoLocker, a form of ransomware, demanding $300 (Dh1,103) or $500 to unencrypt the files on the infected machines. Not only did this provide an extra revenue stream, but issuing 2,000 ransom notes for $500 was less likely to draw attention than a $1 million heist. Bogachev didn’t just come up with the business model for this latest heist. His story tells us why such attacks are so hard to stop.
First, it’s alluringly easy to make money from cybercrime. Bogachev himself got started by selling his bank-robbing software to all comers. Similar programmes are available for pennies on the internet. Second, such crooks can be incredibly hard to track down. Bogachev’s activities first came to the authorities’ attention in 2009. But it took five years, and a concerted international manhunt, to publicly unmask him. Finally, it illustrates how the involvement of governments has hugely complicated the situation. Bogachev’s gang was eventually dismantled, but the man himself is still at large. Because, being a patriotic Russian, he was also moonlighting for Russian President Vladimir Putin’s security services — which has protected him ever since.
Cybercrime, in other words, is such a problem because it is so many problems wrapped into one. You have to deal with human stupidity. You have to deal with a thriving international network of anonymous criminals. You have to deal with rogue governments, and, indeed, friendly ones who let their cyberweapons fall into the wrong hands. And you have to deal with hideously outdated systems: In the United States and United Kingdom, much of the code and many of the devices running cash machines, air traffic control and even nuclear weapons development date back to the 1970s.
Above all, you have to deal with the fact that the internet and other networks were designed to be open, for computers to talk to each other. And today, it’s not only computers that are online, and potentially vulnerable — it’s fridges, TVs, even light bulbs.
Yes, we can — and should — invest far more in cybersecurity, on a national and corporate level, but we can never build perfect defences. All we can hope is that ours are strong enough that attackers seek easier gains elsewhere. And, of course, that people finally learn not to click on the wrong email. Robert Colvile is editor of CapX.
www.gulfnews.com/opinions