Authors: Al Gore
In 2010, U.S. secretary of defense Robert Gates labeled cyberspace as the “fifth domain” for potential military conflict—alongside land, sea, air, and space. In 2012, Rear Admiral Samuel Cox, the director of intelligence at the U.S. Cyber Command (established in 2009), said that we are now witnessing “a global cyber arms race.” Other experts have noted that at this stage in the development of cybersecurity technology, offense has the advantage over defense.
Securing the secrecy of important communications has always been a struggle. It was first mentioned by “the father of history,” Herodotus, in his description of the “secret writing” that he said was responsible for the Greek victory in the Battle of Thermopylae,
which prevented ancient Greece’s conquest by Persia. A Greek living in Persia, Demaratus,
witnessed the preparations for what the leader of Persia, Xerxes, intended as a surprise invasion and sent an elaborately hidden warning to Sparta. Later during the same war, a Greek leader shaved his messenger’s head, wrote what he wished to convey
on the messenger’s scalp, and then “waited for the hair to regrow.” From the use of “invisible ink” in the Middle Ages to Nazi Germany’s use of the Enigma machine during World War II,
cryptography in its various forms has often been recognized as crucial to the survival of nations.
The speed with which the Internet proliferated made it difficult for its original architects to remedy the lack of truly secure encryption—which they quickly recognized in the Internet’s early days as a structural problem. “The system kind of got loose,” said Vint Cerf.‡
It is theoretically possible to develop new and more effective protections for the security of Internet data flows, and many engineers and information scientists are working to solve the problem. However, the rapidity with which Earth Inc. adapted to and coalesced around the Internet has made industry and commerce so dependent on its current architecture that any effort to change its design radically would be fraught with difficulty. And the extent to which billions of people have adapted their daily lives to the constant use of the Internet would also complicate efforts to fundamentally change its architecture.
McKinsey, the global management consulting firm, concluded in a recent report that
four trends have converged to make cybersecurity a problem:
• Value continues to migrate online and digital data has become more pervasive;
• Corporations are now expected to be more “open” than ever before;
• Supply chains are increasingly interconnected; and
• Malevolent actors are becoming more sophisticated.
As a result, this radical transformation of the global economy has created what most experts describe as a massive cybersecurity threat to almost all companies that are using the Internet as part of their core business strategy. Particular attention has been focused on what appears to be a highly organized and persistent effort by organizations in China to steal highly sensitive information from
corporations, government agencies, and organizations that have links to one or both categories.
U.S. intelligence agencies have long been assumed to conduct surveillance of foreign governments, including through cybertools to take information from computers if they have reason to believe that U.S. security is threatened. What is different about the apparent Chinese effort is that it seems to be driven not only by military and national intelligence concerns, but also by a mercantilist effort to confer advantage on Chinese businesses. “There’s a big difference,” says Richard Clarke, the former counterterrorism czar. “We don’t hack our way into a Chinese computer company like Huawei and provide the secrets of Huawei technology to their American competitor Cisco.
We don’t do that.”
There is no doubt that U.S. companies are being regularly and persistently attacked. Recent research published by the Aspen Institute indicates that the U.S. economy is losing more than
373,000 jobs each year—and $16 billion in lost earnings—from the theft of intellectual property. Shawn Henry, formerly a top official in the FBI’s cybercrime unit, reported that one U.S. company lost a decade’s worth of research and development—
worth $1 billion—in a single night.
Mike McConnell, a former director of national intelligence, said recently, “In looking at computer systems of consequence—in government, Congress, at the Department of Defense, aerospace, companies with valuable trade secrets—we’ve not examined one yet that has not been infected by an advanced persistent threat.” The U.S. Secret Service testified in 2010 that “nearly four times the amount of data collected in the archives of the Library of Congress” was stolen from the United States. The director of the FBI testified that cybersecurity will soon overtake terrorism: “The cyberthreat will be the number one threat to the country.”
Another digital security company, McAfee, reported that a 2010 series of cyberattacks (called “Operation Shady RAT”) resulted in the infiltration of highly secure computer systems in not only the United States, but also Taiwan, South Korea, Vietnam, Canada, Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, India, the International Olympic Committee,
thirteen U.S. defense contractors, and a large number of other corporations—none of them in China.
But the United States—as the nation whose commerce has migrated online more than that of any other nation—is most at risk. The United States Chamber of Commerce was informed by the FBI that some of its Asia policy experts who regularly visit China had been hacked, but before the Chamber was able to secure its network, the hackers had stolen
six weeks’ worth of emails between the Chamber and most of the largest U.S. corporations. Long afterward, the Chamber found out that one of its office printers and one of its thermostats in a corporate apartment were
still sending information over the Internet to China.
Along with printers and thermostats, billions of other devices are now connected to the Internet of Things, ranging from refrigerators, lights, furnaces, and air conditioners to cars, trucks, planes, trains, and ships to the small embedded systems inside the machinery of factories to the
individual packages containing the products they produce. Some
dairy farmers in Switzerland are even connecting the genitals of their cows to the Internet with a device that monitors their estrous cycles and sends a text when a cow is ready to be bred. Interspecies “sexting”?
The pervasiveness and significance of the Internet of Things has clearly raised the possibility that cyberattacks can not only pose risks to the security of important information with commercial, intelligence, and military value, but can also have kinetic impacts. With so many Internet-connected computerized devices now controlling water and electric systems, power plants and refineries, transportation grids and other crucial systems, it is not difficult to conjure scenarios in which a coordinated attack on a nation’s vital infrastructure could do real physical harm.
According to John O. Brennan, the White House official in charge of counterterrorism, “Last year alone [2011] there were nearly 200 known attempted or successful cyberintrusions of the
control systems that run these facilities, a nearly fivefold increase from 2010.” In the spring of 2012, Iran announced that it had been forced to sever the Internet connections of major Iranian oil terminals on the Persian Gulf, oil rigs, and the Tehran offices of the Oil Ministry because of
repeated cyberattacks from an unknown source. Later that year, Saudi Arabia’s state-owned oil company,
Aramco, was the victim of cyberattacks that U.S. security officials said were almost certainly launched by Iran, which announced in 2011 that it had established a special military “cybercorps” after one of its nuclear enrichment facilities, in Natanz, was attacked by a computer virus.
The attack on Aramco, which replaced all of the data on 75 percent of the firm’s computers with an image of a burning American flag, demonstrated, in the words of former national counterterrorism czar Richard Clarke, that “you don’t have to be sophisticated to do a lot of damage.”
The Stuxnet computer worm, which was probably set loose by Israel and the U.S. working together, found its way—as intended—into a small Siemens industrial control system connected to the motors running the
Iranian gas centrifuges that were enriching uranium as part of their nuclear program. When the Stuxnet worm confirmed that it was inside the specific piece of equipment it was looking for, it turned itself on and began to vary the speeds of the motors powering the Iranian centrifuges and desynchronize them in a way that caused them to break apart and destroy themselves. In 2010, an even more sophisticated software worm, called Flame, which analysts said “dwarfs Stuxnet” in the amount of code it contains, reportedly
began infecting computers in Iran and several other nations in the Middle East and North Africa.
Although the result of the Stuxnet attack, which slowed down the Iranian effort to develop weapons-grade nuclear material, was cheered in much of the world, many experts have expressed concern that the sophisticated code involved—much of it now downloaded on the Internet—could be used for
destructive attacks against Internet-connected machinery and
systems in industrial countries. Some have already been
inadvertently infected by Stuxnet. After a wave of cyberattacks against U.S. financial institutions in late 2012 that security officials said they believed were launched by Iran, U.S. Defense Secretary
Leon Panetta publicly warned that a “cyber–Pearl Harbor” could do serious damage to U.S. infrastructure.
Because computer viruses, worms, and other threats can be resent from remote servers located in almost any country around the world, the original source of the attack is often virtually impossible to identify. Even when circumstantial evidence overwhelmingly points toward a single country—China, for example—it is difficult to identify what organization or individuals within that country are responsible for the attack, much less whether the Chinese government or a specific corporation or group was ultimately responsible. According to Scott Aken, a former counterintelligence agent and expert in cybercrime, “In most cases, companies don’t realize they’ve been burned until years later when a foreign competitor puts out their very same product—
only they’re making it 30 percent cheaper.”
While organizations in China have apparently been the principal offenders in this category, a large number of Western corporations have engaged in similar activities against their competitors. A division of News Corporation engaged in supermarket display advertising was found to have hacked into the private emails of its principal competitor to steal its intellectual property and
then steal some of its most valuable customers. Another division of News Corp admitted to hacking into
emails of individuals to gather information for news stories. And employees at yet another division have pled guilty to
hacking into the telephone voicemails of thousands of individuals in the United Kingdom.
The constant reliance on Internet-connected digital devices has created a false sense of comfort that has led to the extreme vulnerability of almost all communications over the Internet. Experts generally agree that the weakest link in any security system is the role of human behavior. Independent hackers have demonstrated how easily they can
hack into supposedly secure videoconferences held by venture capital companies, law firms, oil and pharmaceutical companies—even the boardroom of Goldman Sachs—because the people in charge of the videoconferencing systems forgot to, or did not know how to, use the complicated privacy settings. Many commercial targets of cybercrime have been reluctant to acknowledge the
theft of important information because they
have a financial incentive to keep the theft secret. Even some companies that have been explicitly warned that they are
targets have failed to take action to protect themselves.
Other companies are routinely
collecting information about their own customers and users—often without permission. Social media sites like Facebook and search engines like Google are among the many companies whose business models are based on advertising revenue and who maximize the effectiveness of advertising by constantly collecting information on each user in order to personalize and
tailor advertising to match each person’s individual collection of interests.
Many Internet sites, in effect, treat their customers as their products. That is, the revenue they receive from voluminous files of information about each user is simply too valuable for them to give up. The use of Facebook’s “like” button automatically “allows” the site to track users’ online interests without offering them an opportunity to give their consent. In a sense, this is yet another manifestation of the underlying cyber-Faustian bargain. The revenue that is earned from the targeted advertising made possible by all of those “cookies” (small software programs placed—often surreptitiously—on a user’s computer during its interaction with a website) supports the “free” distribution of voluminous amounts of valuable content on the Internet. Most Internet users seem to feel that the tradeoff is an acceptable one. After all, the advertisements they are exposed to are ones they are more likely to be interested in. The tracking technologies are, in the words of one analyst, “simply tools to improve the grip strength of the Invisible Hand.”
There are generational differences in the acceptance of this tradeoff where social media sites like Facebook and Twitter are concerned. Many in my generation, for example, are often surprised at the amount of personal information shared on Facebook by those who are younger. Already, some social media users who have left school to enter the workforce have been surprised when potential employers routinely access all of their posts and sometimes discover information that one would not necessarily want a potential employer to see. More recently, some employers have demanded that job applicants provide the password to their Facebook accounts so that private sites can also be accessed. (Facebook, to its credit, has reiterated that its policy is to never give out such passwords, and they urge their users not to do so. However, in a tough job market, the pressure to expand potential employers’ visibility into their online lives is obviously more acceptable to some than others.) It is also noteworthy that, after being hired, many employees have been subjected to cybersurveillance by their employers.