Americans Now Defenseless, Exposed to Lethal Cyberattacks
Hacking capabilities cross life-or-death threshold, government incapable of prevention
Setting aside all of the national security issues surrounding the Shadow Brokers leak of the hacking tools developed by the NSA, which have resulted in a series of global cyberattacks in recent weeks, an even larger issue looms.
The distinction between physical and cyberattacks is blurring. Instead of just interrupting personal computers and corporate networks used for accounting and billing, the WannaCry attack targeted hospitals and pharmacies, causing canceled procedures and a massive rescheduling of appointments for medical procedures.
What we are left with is this strange feeling of exposed vulnerability, where the supposed strongest nation on earth is essentially defenseless.
The same malicious code was used in the Sony Pictures hack and may have been used to ransom the latest release of the Pirates of the Caribbean movie. Now, civilians along with state actors have access to the same grade of online weaponry that our own NSA has been using for years to disrupt events inside our foreign adversaries’ governments and military operations.
If we haven’t yet crossed the line to a more traditional form of retaliation, we might well do so in the coming months. Then what?
Attribution is virtually impossible, and applying the rules of war to the internet age, determining who is responsible and how to respond, is making foreign policy far more complex than it has ever been.
Whether WannaCry was the first global nation-state attack or not, and whether it thrusts this ransomware pandemic into the sphere of North Korea’s cyberactivity, are notions still up for grabs. But what it did do was enable a glimpse into what is now possible when cyberattacks are conducted on a large-scale. We can extrapolate consequences to life-or-death scenarios in operating rooms, recovery facilities, and medical devices used for post-operative treatments such as pacemakers and defibrillators, drug delivery systems, and organ monitors. But even these targets are only a tiny fraction of the myriad of attack possibilities in our new Internet-connected world.
The Internet of Things, or IoT, is rapidly coming online and creating a dramatically expanded attack surface for anyone with a few bucks and an active curiosity. Take the recent case of the 11-year-old who demonstrated to a hall full of stunned security experts how easily he could manipulate a robotic toy bear.
He simply used his mini-laptop to scan the hall for available Bluetooth-enabled devices, downloaded dozens of numbers, and then proceeded to direct the robotic toy bear to light up and record and send messages. That mini-laptop, by the way, set him back $35.
Whether it’s the Bluetooth functionality that most internet-connected devices use or some future replacement technology, we will soon be overwhelmed with millions of devices all sharing the same vulnerabilities as that robotic teddy bear. Imagine your home appliances, TVs, cars, airplanes, and everything else that can be connected to the internet as a huge attack surface, wherein criminals with an 11-year-old’s education, a fistful of dollars, and malicious intent, can spy, damage, or hold for ransom conveniences or necessities that are all now part of our everyday lives.
Because our responses to cyberattacks are still passive, and it is nearly impossible to anticipate a cyberattack or trace the source back to the actual perpetrator, we are placed in a difficult and frustrating position relative to combating this class of warfare in the future. Attackers frequently hijack innocent systems and use them as ‘zombies’ in conducting their attacks, not just to obfuscate the actual source but to bait the victim into a misdirected counterattack. We can’t really declare war on what we think is the responsible actor only to discover later that the threats are originating elsewhere.
What we are left with is this strange feeling of exposed vulnerability, with which the supposed strongest nation on earth is essentially defenseless when it comes to what may be the most significant threat in modern warfare. Oddly, we continue to embrace and enthusiastically consume the latest internet-connected thing while continuing to ignore the cumulative risk. It’s akin to saying that we know stuff is dangerous, but we also know that our government will protect us if something goes wrong.
Well, something is wrong, and there is no evidence that our government can protect us. On the contrary, there is mounting evidence that we have no overarching cyberdefense plan or capability, and, in fact, our government is actually playing a major role in contributing to the threat. The latest White House executive order underscores this reality.
In our minds, we continue to draw this imaginary line between online things and offline things. We one-click our way to tweets that shape global political relations, Uber ourselves a taxi, and cause vast amounts of stuff to arrive at our doorstep one day later. That line is an illusion. As we will soon see with the advent of connected everything, future online wars will not be confined to Starbucks outages or hospital appointment booking failures.
Steve King is the COO and CTO of Netswitch Technology Management.