Caught In The Cyber Web
Why cybersecurity is going to turn into a domestic security issue
In an episode of the popular US TV series Homeland, Vice-President William Walden is killed by a terrorist who hacked into Walden’s heart pacemaker. The hacker raises Walden’s heart rate, pushing him into a serious, inevitable cardiac arrest. Walden’s pacemaker had been connected to the Internet so that his doctors could monitor his health. That was the fatal mistake.
Viewers watched in shock and disbelief, but this assassination plot seemingly out of science fiction was actually not that farfetched. These days, many complicated, critically important medical devices include onboard computers and wireless connectivity. Insulin pumps, glucose monitors, and defibrillators have all joined the Internet of Things. Every year at security conferences, hackers are demonstrating new ways to compromise the devices we rely on to keep us alive. Former U.S. vice-president Dick Cheney famously asked his doctors to disable the wireless connectivity of the pacemaker embedded in his chest. “It seemed to me to be a bad idea for the vice president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to get into—hack into,” Cheney’s cardiologist, Jonathan Reiner of George Washington University Hospital in Washington D.C., told 60 Minutes in an interview in October 2013.
We will live simultaneously in an age of wondrous technical marvels and one of perpetual insecurity, and such threats will become more common. Those individuals and groups who wish to do us harm are more empowered than at any time in the past. Blackmail using purloined personal data will skyrocket. We will begin to understand the disadvantages of having devices always collecting information and companies offering products and services for free. Cyber security will move from an abstract threat to an issue of personal safety that will matter to us all.
So be ready for a rough twenty years ahead. But there is some good news. The cyber-security industry is already responding, and technologies that could mitigate these threats are already under development. The next generation of security experts is stepping up to the challenges and creating innovative solutions. Governments, corporations, and entrepreneurs everywhere understand the benefits of solving these issues and are racing ahead with novel approaches and breakthrough methods. Each advance we make will come with setbacks, but we will work through those as we go.
The question is what will we lose in the process?
Citizens Caught in the Cyber Crossfire
The ability to access nearly all of the world’s information from an affordable personal supercomputer in your pocket has unquestionably brought benefits. We can reach loved ones at a moment’s notice, access a rapidly growing list of services instantly, and learn almost anything we want from anywhere.
It’s not just the rich who are benefiting; it is arguable that the greatest gains are being made by the global poor, who can now communicate, collaborate, and bypass some of the institutional barriers that have held them back.
As high-speed, ubiquitous connectivity among all manner of devices binds us more tightly to technology and to the Internet, a crucial and frightening megatrend for the next two decades is that cyber security will become a more important domestic security issue. In 2007, the Stuxnet computer worm sent costly and critically important centrifuges spinning wildly out of control at Natanz, a secret uranium-enrichment facility in Iran.
In a matter of months, American and Israeli security forces were able to remotely destroy 1,000 of the 5,000 centrifuges Iran had spinning at the time to enrich uranium. The government program behind the virus, codenamed “Olympic Games,” was developed during the Bush and Obama administrations.
Stuxnet was the first major publicly reported governmental cyber attack on industrial facilities of another nation.
Then, in 2015, American intelligence services suffered their worst defeat in modern history, at the hands of intruders believed to be from China. The Office of Personnel Management, the government agency responsible for vetting and managing employees, suffered a catastrophic data breach that exposed its full records of more than 21.5 million employees, dating back almost thirty years. The stolen data included more than five million sets of fingerprints, which can never be changed. Even worse, the personal details and secrets of more than four million security-clearance holders were also leaked, forever changing the country’s ability to conduct espionage abroad.
In 2016, hackers, allegedly Russian, compromised e-mail servers of Democratic Party officials and tried to use this information to undermine trust in the U.S. electoral process. And they may have succeeded in swaying the outcome of an election that Donald Trump won by a tiny margin even as he lost the popular vote.
The next major geopolitical crisis will involve not only electronic countermeasures against enemy missiles and communication systems but also attacks over IP networks to cripple or destroy civilian infrastructure. Our personal information and security will be collateral damage in the continuing battle between nations for control.
As we rush headlong into the Internet of Things and connect willy-nilly everything that can be connected, we expose the soft underbelly of our technological systems. Identity theft has intensified significantly in the past two decades, but the public remains in the dark about its growth in sophistication behind the scenes. The next two decades will mark a change from inconvenience to real harm. As we read more about thefts of celebrities’ nude photos and exposure of people’s e-mail, hacking will become something all of us worry a lot more about.
Loss of financial identity is one thing. What is coming now is much uglier—and personal. It is far more difficult to recover from a leak such as the attack on Ashley Madison, a U.S. website dedicated to facilitating adultery.
The publication of e-mail addresses of alleged customers of the service exposed millions of people to ridicule and marked them with a virtual scarlet letter. These suspected cheats are now searchable in a number of databases, and will be forever. It even drove some to suicide. Data breaches don’t take account of nuance; the devastation of victims’ personal and social lives will be unmitigated by whether a couple was going through a rough patch or whether somebody was just looking with no intention to actually engage in infidelity.
It’s not just the things we say or do but also the information that is collected about us that makes up our identity and reputation now. On a typical day as you drive home, cameras mounted on top of police cars and road signs are using automated license-plate recognition technology to make a database of virtually all of your car’s movements. Surveillance cameras on buildings and at traffic stops are constantly snapping pictures and recording video of you everywhere you go. As you pull into your driveway, your home automation system makes a record of exactly when you arrived; to deliver the perfect temperature, your Nest thermostat tracks your movements across the house. The cameras and microphones on your Smart TV listen in to all of your conversations, waiting for you to issue the TV with a command. And that’s all before you launch your web browser.
All Your Weaknesses, in One Place
As we move toward a connected system and toward having our lives tied to our cloud services, we create more and more single points of failure that can grind our existence to a halt. When WIRED magazine reporter (and now BuzzFeed tech editor) Mat Honan had all of his digital belongings deleted, the hackers didn’t use some cutting-edge technology or brute force to make their way in. Instead, they used social engineering to trick Apple and Amazon customer-support personnel into giving control of Honan’s account to a stranger.
Writes Honan, “In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.
And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.” Some of Honan’s lost items were pictures of his young child that he had forgotten to back up. They’re now lost for good.
Honan was targeted because he had a highly coveted three-letter Twitter handle. There will be many, many more Mat Honans in the next few years, as whole Dropboxes, Google Clouds, and iCloud accounts of many people will be wiped out (at least temporarily) by hackers who turn their victims’ lives upside down, spoil their reputations, and extort money or promises from them. Our own unsuspecting behavior on social media offers only additional surface area for attack. We post pictures of the cars we drive, talk about the places we eat at, publicly reveal our work histories and our personal networks, and publish links to articles on publications we subscribe to without giving a second thought to how that information could be later used to hijack our identities.
In India, in issuing every citizen with an Aadhaar identity number, the government has gone much further than the US has in centralizing identification and creating a single point of failure and compromise that could undermine the personal digital security of an entire nation’s population. The motivation behind Aadhaar is laudable, and the system is reducing fraud; curbing corruption; enhancing efficiency; and making possible a more equitable distribution of subsidized goods, monies, and banking services. But, as they say, the devil is in the details.
Centralized databases and stores of personal information can have risks beyond the financial and social. Medical identity theft, in which someone uses a stolen social security number to receive health care under your name and pay for it with your insurance, is growing rapidly. Unfortunately, you may be left paying the doctor’s bill. And as we connect all of our electronic medical records systems and pipe them into larger A.I. systems such as IBM’s Watson, false data about our health becomes harder to expunge from our permanent record.
This tampering could result in poor diagnoses and potentially hazardous treatments or care. Imagine that someone using your insurance fills out a doctor’s office standard form on allergies and claims to have none—and you have a very dangerous drug allergy. If you are in a car accident and that drug is a standard course of treatment for your injury, the latest record might show no allergy. Unconscious and unable to correct the record, you experience a dangerous allergic reaction: tragic, and eminently preventable.