The New Zealand Herald

2016: The hackers’ vintage year

Even giant organisations had their digital defences breached, writes Bill Bennett


In December, US President Barack Obama and the CIA accused Russian hackers of interfering with computer systems to help Donald Trump win the American election. It was a fitting and high-profile climax to a bad year for cyber security.

Earlier in 2016, Yahoo had two serious data breaches. It is one of the world’s largest internet companies and the attacks affected more than a billion people.

October saw a massive denial of service attack take down many of the most popular websites. Twitter, Amazon, PayPal, The New York Times and many other big names were offline for hours. Attackers used a vulnerability in thousands of everyday gadgets connected to the net. It meant they could send waves of junk data blocking legitimate traffic.

Also in 2016, hackers stole the personal details of 20,000 employees from the FBI. Online thieves also took US$80 million from Bangladesh’s central bank. They botched their attack; the haul could have been many times that amount.

These are only the edited highlights. The victims are a list of big, sophisticated organisations. Ones you might expect to have professional defences in place. If hackers can take these sites on and win, imagine how it is for those less able to protect systems and resources.

Experts disagree on how much online crooks stole in 2016. Estimates run from hundreds of billions of dollars to a trillion or more. Yet direct financial loss is only the tip of the iceberg. Successful attacks destroy value, undermine trust and cause untold harm in other ways. And it’s not only business. Effective or not, Russia’s US election hack was an attack on democracy and the Western way of life.

You might wonder how the internet came to be so insecure. It is, after all, the defining technology of our times. The internet was successful in the first place because it didn’t have security baked in. It started as a mechanism for academics to share research data.

In the early days, security was not an issue. When the internet went public, its simplicity and openness helped it grow fast. When commercial interests moved in, the emphasis was on a land-grab. To say worrying about online safety was an afterthought is an understatement.

If the internet’s architects had designed the network for security from the outset, it would have been harder and more expensive to use. This means engineers are fixing the problem in retrospect, bolting on technologies. Some of these can be clumsy and impose overheads on performance and efficiency. Web developers and companies with web services often resent using security technologies. Some even ignore or undermine them.

Until now, there have not been suitable incentives for developers to put the best security in place. They don’t always pay the highest price when crooks breach a system. Most costs fall on the companies using their products and those companies’ customers.

If anything, things could soon be worse. Much worse. The internet of things, or IoT, connects everything from animal ear-tags to electronic toothbrushes to the internet.

Some estimates say there could be as many as 50 billion connected devices in a few years.

Each of these devices represents a potential way of launching an attack. Most of the gadgets are not built by computer companies which have learned how to make devices secure.

IoT makers focus on keeping costs down. This often means ignoring or downplaying security. The October 2016 attack which took a large slice of the internet offline used the IoT. For that attack, hackers used botnets in innocent-looking devices such as baby monitors to take websites down. Experts say the attack used only a fraction of its potential and was a dry run to test the technique.

Soon, the IoT will connect driverless cars and other vehicles to the internet. This will give hackers a fresh target. It could prove lethal.

Some experts in the industry say there is a war going on under the surface and the bad guys are winning. Although there is a grain of truth in this, the situation is not hopeless. An industry has grown to protect individuals and organisations from risks. Information security or infosec is now the fastest-growing information technology sector.

Infosec companies hire many of the smartest brains and use them to build defences. Established technology companies buy in expertise when they don’t have it in-house.

Businesses are learning to be serious about information security. At the same time, governments and regulatory authorities are waking up to the risks. There is a need for new rules that can help limit damage without stifling innovation. There is still work to do making sure the liability for data security sits with the right parties. Yet, after years of brushing online security under the carpet, awareness is growing. And that’s central to solving the problem.
