Over the past weekend in North Carolina, the state where I live, only a third of gas stations had fuel available. A cyber attack – carried out through a ransomware – caused the closure of the Colonial pipeline, an important oil pipeline that supplies the distributors of a large part of the east coast. It should be a wake-up call to avert a future catastrophe. But it probably won’t.
Before the pandemic, I dealt with digital security, or rather the absence of digital security. I compared the vulnerability of the technology sector to “building makeshift skyscrapers in an earthquake zone.” Not much has changed since then. On the other hand, the tremors begin to become more numerous. The situation in the world of digital security is similar to that in which global health was before the pandemic.
The Serie Battlestar Galactica helps us understand one of the most important similarities. Systems composed of networks are vulnerable. The premise of the series is that the Galactica is the only ship in the human fleet to have survived an attack by the Cylons (humanoid robots), simply because it was old and preparing to become a museum, and for this reason it had never been connected. to the network. In pandemic terms, Galactica is an island that no one can reach.
Our digital infrastructure is not built with security in mind. This is because much of the system depends on old components, but also because the incentives to prioritize safety have been lacking. It would have been possible to build operating systems with tools like the sandboxing, which allows a program to operate only in a safe area (the sandbox) that no one else can enter. If the program is infected, it can only harm yours sandbox. On a similar principle is based theair gapping, where crucial elements of a network are disconnected from the general infrastructure. It is very difficult to improve the robustness of a system that is already complete and that has been built without taking security into account. We are also surrounded by “technical debt,” programs that work but were hastily created, often decades ago, and should never have operated at the levels at which they operate.
Scotch tape
We do not modify these unstable elements because it would be very expensive and difficult, and there is a risk of bringing everything down. This means that there is a lot of duct tape in our code that holds different programs and their components together. Programs often perform tasks they were not designed for. Our global network is not built with digital security in mind. As I wrote in 2018, the first version of the internet was supposed to connect people who already had some mutual trust, such as university researchers and the military. The network has never had the solidity it would need today. While internet users have grown from a few thousand to more than three billion, attempts to improve security have been hampered by costs, lack of foresight and multiple conflicting interests.
Even leaving aside the security of our networks, the fact remains that the devices we use every day are sold with passwords chosen from a predetermined list, for example password, 1234 e default. In 2019 I explained why all this makes us vulnerable, giving the example of how i baby monitor – devices used to remotely monitor the activities of infants – are used to target infrastructure (for example by disrupting cellular communications in Liberia) or to censor journalists: “Most of our devices depend on generic hardware, mainly manufactured in China and used in products sold all over the world. To do their job, these devices run programs and contain user profiles for configuration. Unfortunately, many manufacturers have decided to enter popular passwords such as password, 1234, admin, default O guest. In such a simple but devastating attack, someone put together 61 username and password combinations and created a program that scours the internet for products that use them. Once the devices have been identified, the program installs itself and deletes all the others malware possibly present, so as to be the only parasite. The malicious program, called Mirai, bundles millions of vulnerable devices into a botnet, a network of infected computers. When so many baby monitors, printers and cameras target a victim simultaneously, the target is overwhelmed and becomes inaccessible, unless it is equipped with very expensive protection ”.
Problems of this type are often not solved, due to what economists call “negative externalities”: marketing programs or devices of that type is free, while plugging holes is very expensive. Furthermore, choosing the most expensive route does not bring immediate benefits. It is like asking factories to choose between polluting freely by dumping waste into the atmosphere or into a river or installing an expensive filtration system, in a context where the pollution would still be imperceptible and invisible. You can imagine what the choice is being made today: companies do not care because they are not forced to do so.
In fact, when you think about how widespread these problems are, it is surprising that cyber attacks are so infrequent. As happened with the pandemic, our digital weakness is rooted in an interconnected network characterized by combined vulnerabilities. Like the biological viruses that follow us on our travels, malware and digital viruses can move across interconnected networks (which are everywhere today, as software is taking over the world). In a system of this type, when a problem arises, others are usually created in cascade.
Before the emergence of cryptocurrencies such as bitcoins, there was no way to monetize these digital offenses. In fact, despite the appearance of unbridled freedom, the global financial sector is adequately regulated. Some are fooled by the ease with which money is transferred within the system, but the truth is that laundering large sums is not that easy, especially if the authorities are determined to block these activities. Of course, money laundering exists, especially by the big drug cartels, but these are complex operations that require a great deal of effort.
Bitcoins change that, or at least create incentives to try to commit crimes. Using bitcoins to transfer large amounts of money out of the system (to buy products or turn them into cash) is not as easy as you might think. Small sums are no problem, but those that would make large-scale fraud tempting would hardly remain hidden. In any case, it is undeniable that bitcoins feed the temptation to try illegal operations, at least for small sums. Many attacks through ransomware do not aim for big gains, and this means that bitcoin and the world of cryptocurrency have provided ransomware with an adaptable business model, at least in the ideas of the “entrepreneurs” of the sector.
Solving this problem is extremely expensive. A solution would require a shift in US government priorities. We would need a regulatory system that can foster more appropriate practices as well as an increase in dedicated resources. Programs should be more reliable, critical functions should be isolated, and external controls should become the norm. Some of the steps to be taken on the financial front – identifying the mechanisms by which people can launder money using cryptocurrencies obtained through illicit activities – may be easy from a practical standpoint, but they would also raise many sensitive questions. Would we finally have cryptocurrency regulation? In this way, would it also emerge that cryptocurrencies have become a speculative tool? This would raise an even more important question, which is how the global economy continues to produce bubbles and huge speculative waves, such as the one that led to the 2008 financial crisis.
It is a problem linked to the concentration of global wealth and the absence of effective controls on its consequences. All this is to say that, just like with technical debt, improvised solutions to solve an immediate crisis do not solve the underlying problems. Finding a remedy for digital insecurity would also mean creating better rules in the tech sector, so that externalities negative problems become internal problems of the various companies, which would be responsible for finding solutions to the problems they have created.
The most likely scenario is that there will be changes on the financial front (it will be more difficult to launder large sums from cryptocurrencies to the legal financial system) and on the governmental front (you can convince another government not to attack your infrastructure, but do it with non-organizations. government is much more complicated). Some attacks ransomware of high level could provide the opportunity to make a sort of warning, identifying those responsible and punishing them with exemplary sentences. It’s not as difficult as it sounds, but it takes resources.
However, if it attacks ransomware will multiply, the punishments would no longer be an effective deterrent, because most of those responsible would still escape justice. This would create a catastrophic lottery for users of the ransomware: most would get away with it, while the few who would get caught would receive harsh punishments.
Again it makes me think of the time before the pandemic, when we knew that there was a serious threat and that our infrastructure was unable to deal with it. Between 2014 and 2016 there was the Ebola crisis, in which we worried more about the risks to the (limited) Americans than about the need to strengthen the global response. In 2003 there was the SARS epidemic, which almost became a pandemic. Even earlier, in the 1980s, there had been the catastrophe linked to the spread of HIV / AIDS, marked by an unjustifiable delay in the global availability of accessible medicines. Have we done anything to address the shortcomings highlighted by those experiences? Absolutely not. In the meantime, there is still petrol in my Honda Civic, so everything is fine for now. But when I think about the future of our interconnected world, I am not at all calm.
(Translation by Andrea Sparacino)
.