The Sunday Telegraph

Robert Colvile and Editorial Comment:

Yes, everyone should have up-to-date computer security, but cybercriminals will still find a way through

- ROBERT COLVILE Robert Colvile is Editor of CapX

A few weeks ago, 15 of Donald Trump’s advisers received an email, apparently from a friend. It contained an invitation to edit a Google spreadsheet. More than half of the recipients clicked on the link. James Comey, then still the FBI director, actually replied to it.

The email in fact came from the website Gizmodo. It wasn’t a hack, though it could have been. It was a stunt, intended to show how vulnerable our systems are to hackers’ number one weapon: human stupidity.

The infection that crippled NHS trusts here, as well as computer networks in dozens of other countries, gained access because of such stupidity: perhaps a single person clicking on a fake link. But it spread because of laziness, penny-pinching and bureaucracy. The NHS hadn’t been willing (or perhaps able) to spend money on updating its systems: the hack relied on a known vulnerability, but IT managers failed to install a patch released two months ago to prevent precisely such an attack. Even if they had, 90 per cent of trusts still use Windows XP, an operating system declared obsolete back in April 2014, and thus lacking any such patches.

To the public, it may seem reprehensible that the NHS was targeted by this “ransomware”, which holds files hostage until payment is made. But for the criminals, endangering lives was a feature, not a bug. As they’d learned with attacks elsewhere, people are more willing to pay up when it’s a matter of life and death.

In explaining how all this happened, the best place to start is with the career of a man called Evgeniy Mikhailovich Bogachev.

Bogachev was a bank robber – a very good one. He and his gang would hijack corporate computers, then empty the associated bank accounts. To cover their tracks, they would then launch a massive attack on the bank’s systems – in effect a digital smoke bomb.

Then, Bogachev had a brainwave. To mount that attack, he needed to infect and hijack tens of thousands of computers. Why not make money from them as well? He started using CryptoLocker, a form of ransomware, demanding $300 or $500 to unencrypt the files on the infected machines. Not only did this provide an extra revenue stream, but issuing 2,000 ransom notes for $500 was less likely to draw attention than a $1 million heist.

Bogachev didn’t just come up with the business model for this latest heist. His story tells us why such attacks are so hard to stop.

First, it’s alluringly easy to make money from cybercrime. Bogachev himself got started by selling his bank-robbing software to all comers. Similar programs are available for pennies on the internet.

Second, such crooks can be incredibly hard to track down. Bogachev’s activities first came to the authorities’ attention in 2009. But it took five years, and a concerted international manhunt, to publicly unmask him.

Finally, it illustrates how the involvement of governments has hugely complicated the situation.

Bogachev’s gang was eventually dismantled. But the man himself is still at large. Because, being a patriotic Russian, he was also moonlighting for Vladimir Putin’s security services – which have protected him ever since.

This isn’t the only example of Russian complicity with cyber-crime. The software that infected the NHS used two separate exploits developed by America’s National Security Agency. These were stolen and dumped online by a group called The Shadow Brokers – who are widely suspected to be connected to Russia’s espionage services. (Ironically, Russia has been by far the largest victim of this new attack, with even its interior ministry falling victim.)

Cybercrime, in other words, is such a problem because it is so many problems wrapped into one. You have to deal with human stupidity. You have to deal with a thriving international network of anonymous criminals. You have to deal with rogue governments, and, indeed, friendly ones who let their cyberweapons fall into the wrong hands. And you have to deal with hideously outdated systems: in the US and UK, much of the code and many of the devices running cash machines, air traffic control and even nuclear weapons development date back to the Seventies.

Above all, you have to deal with the fact that the internet and other networks were designed to be open, for computers to talk to each other. And today, it’s not only computers that are online, and potentially vulnerable – it’s fridges, TVs, even light bulbs.

Back in February, Britain opened a new National Cyber Security Centre. Although part of GCHQ, it works in the sun, not the shadows – and its job is to strengthen the UK’s infrastructure against precisely these kinds of attacks.

In truth it is a Sisyphean task. Yes, we can – and should – invest far more in cybersecurity, on a national and corporate level. But we can never build perfect defences. All we can hope is that ours are strong enough that attackers seek easier gains elsewhere. And, of course, that people finally learn not to click on the wrong email.
