Cyber crime casts an evil net
Five questions for cyber security expert Ben Rubenstein
The world depends on the internet, that tangle of interconnected wires and cables girdling the Earth and penetrating ever deeper into the fabric of our lives. But it is also a jungle.
1. For years now we have heard about cyber criminal attacks on individuals, banks, companies and nations. Just how concerned should we be about the security threats we face on the internet?
I think a lot does not get reported. Companies don’t always want to advertise an attack, especially not banks. They generally have very good cyber security, and support customers who have suffered credit card loss through cyber fraud. Australia does not have a very big cyber security industry but the banks do quite a bit. I don’t know what banks report on losses from cyber crime but we know its impact in Australia is huge; globally many billions of dollars.
Governments are reticent, too. The Australian Government has never reported a large hack. The US Department of Defense has reported being broken into and military equipment designs stolen. US investment in cyber security is quite large; about 28 times more per capita – about 400 times greater as a nation-spend – than the $250 million over four years that Australia invests. The US is a prime target, but so is Australia. Attacks are not only for money. There is potentially strategic value in a country hacking into the systems of another and I think they all do it. I think there have been attacks on Australian Government systems, but we don’t hear about them.
2. Where initially there was a limit of 4 billion internet addresses, now the number is almost infinite to handle the rising demand of the Internet of Things (which connects everyday items and devices, such as home appliances, to a network). Is it growing too fast for us to keep secure?
Developers of IoT devices may not necessarily think about security. Their device might have a vulnerability but it takes time for security to catch up. That’s a worry, too. With IoT, billions more things are connected to the internet, which means there is some kind of an attack vector. It may not really matter if your IoT connected refrigerator fails to order more milk, but think about critical sensors in transport networks and medical devices, such as pacemakers or glucose monitors for diabetics. If a technical glitch or a cyber ransom demand interfered with those it could be pretty bad.
3. Could a “black hat” state stun the economy of another nation or group of nations – deprive people of water, food or energy – by attacking such a network?
I definitely think they can. The stock market is very much connected to the internet with significant high frequency trading, which relies on having a machine close to the exchange so that with low latency you can make small trades very quickly and make money. But an attack on the computer system of a stock exchange could hurt a national economy. Affecting a power station, even without disrupting production for very long, could affect industries and consumers.
The international banking industry has a system called SWIFT (Society for Worldwide Interbank Financial Telecommunication) used to identify banks in money transfers. Banks have a special machine running SWIFT’s software that is supposed to be separate from other machines in the bank, but some banks are less rigorous than others. Earlier this year Bangladesh’s central bank SWIFT system was hacked because their SWIFT machine was being used for other functions. A large amount of money was lost.
In Ukraine last year a power station was hacked, turning off power to a huge number of homes and businesses. In Germany a furnace in a steel mill was badly damaged by a cyber attack. It’s not just about turning things off or on. If there is a control system that is in some way connected to the internet or connected to another thing connected to the internet, damage can be done. It might be connected to a computer where an email attachment is opened, or a thumb drive connection from which a worm or a virus is inserted to override the control system and make a process or machine go outside its design limitations. Even for critical infrastructure, where you would expect to see close oversight, there could be vulnerability because of the IoT.
4. So what about the suburban grandmother with an iPad who does her internet banking, swaps emails and makes FaceTime calls to her friends and relatives? You hear of all sorts of scams preying on people like her. How big is that?
Phishing – as it is called – and other social engineering exploits are among the most serious issues in cyber security, for individuals and companies. Companies put their employees through security awareness training; how to spot phishing emails and other scams. Phishing can be general – fake letters from banks, fake offers of prizes and other come-ons – but it also can appear to come from, say, a company manager and be aimed at an individual whose identity has been obtained from a social network or other internet source. The email might ask for information or have an attachment that carries malware, say a keystroke logger by which the criminal can obtain passwords and key information. Be cautious. Mouse over the link and see if it is genuine. Think about content; don’t accept what looks like a bank letterhead.
The national cyber security plan recommended adoption of an awareness strategy to train people to be cautious and recognise threats – ‘Don’t Take the Bait’. Software should be regularly updated to get the latest security patches, applied to emails and phone calls – would Microsoft or Telstra make such a call, would PayPal send such an email? Never disclose a password or an ID.
5. So it’s a constant battle between the good guys and the criminals. Who is winning?
It is easy to overhype, but the threat is there and growing. Cyber crime presents very real, hard problems. Defence is difficult because of the asymmetry between attackers and defenders. The attacker needs only to find one way in, one door to break down, but the attacked must defend everything. As long as there is an economic or political incentive for criminals or a country to attack a system, they will.
The IoT is only going to make the problem bigger. Self-driving cars will make it bigger. Everything becoming digital and systems becoming more connected to increase productivity – and the kinds of insights you get from data – means it is easy to break into a system, jump between systems and make lateral movements. Services such as Gmail have very good spam filters that don’t just look at content, but sources. They have a big view of the internet and can gather a lot of intelligence. But it’s an arms race and that makes it a wicked problem.
By Garry Barker