Pandora’s Botnet: How the cyber visionaries are sticking us with the bill
Cybersecurity is mentioned so often that it has become a cliché, much like climate change; the two also share a disagreement over what solutions are required, who is responsible for them and whether there is a duty to change behaviour so as to minimize the risks. All of these difficult questions are left unanswered not just because of the conceptual breadth and diversity of the issue at hand, but also because of the ease with which dilettantes and people with agendas can produce facile solutions that obviate the need for difficult questions and answers.
The boundless optimism of the Information Age, accompanied by irrational exuberance in markets and by technologically savvy evangelists preaching a brighter future through technology, has accelerated the mass adoption of cyber technologies whose flaws and vulnerabilities present significant opportunities for accidental as well as deliberate breakdowns. Regulators and users have a hard time keeping up with the evolving security landscape, made worse by emergent problems arising from the interplay between complex systems, organizations and behaviours mediated by the communications that cyber capabilities afford. In such a fluid situation the race between protectors and malefactors is always tilted towards the latter, and the headlong pace of mass adoption and the constant diversification of the digital are steadily making things worse.
The easiest element to comprehend is the set of adversarial relations made possible by the cyber environment. Nations may attack each other’s militaries or other legitimate targets through networks, state and non-state actors may commit acts of terrorism, cyber criminals may steal, disrupt or exploit, and lone virtuosos may sow chaos for personal gratification and self-promotion.
The harder elements are those which relate to the changes wrought in our societies by evolving cyber connections. Social networks and hierarchies are remade quickly and threaten a social fabric that was once bounded by geography, transport and cultural barriers. Notions of privacy and intimacy are also steadily subverted, not just as an adaptation to the new possibilities, but also through cynical encouragement from those who see profit to be made in this way. Law enforcement and protection are outclassed not just by the act of cyber disruption itself, but also because the legal realm has remained forty paces behind the reality of these issues. One should especially highlight the cross-border complexities engendered by the irrelevance of geography to cyber security problems. Jurisdictional issues abound, as do complexities in trying to establish any sort of regulatory environment, with the obvious conclusion that countries may be “condemned to cooperate” at the international level for appropriate governance of these issues. This is easier said than done.
And, finally, we are forging full speed ahead into a situation where the average person may not be able to wash his clothing without leaving an imprint in the digital environment, creating “valuable” data for some company or another, as well as opportunities for mischief. Driverless cars may be on their way, though one should maintain a level of technical and legal scepticism with regard to their mass adoption. Automated transport ships for global production and supply chains are also coming; they will be easier to implement and possibly even easier to use to cause mass disruption. The vast amounts of data that we unwittingly create serve to generate an online persona that is less protected than our physical selves have ever been. And, more importantly, all of these changes are taking place in an environment so well connected that one can scarcely imagine the couplings that may propagate an (un)intentional breakdown throughout the entire system-of-systems. Longing for simpler times is going to become more than a saying or a cliché under these conditions.
How vulnerable are we?
Our vulnerability to cyber disruptions of all kinds is staggering and increasing daily. Compounding these issues is the understandable lag between the capacity of organizations to formulate and adopt cyber protection and prevention strategies and their ability to adapt them to the rapidly changing environment. One must also underline the fact that cyber protection starts in-house, with each user and organization maintaining their own first line of defence, both literally and figuratively, through elements of security culture. This comes before one may even start to discuss what the state, the judiciary, some third party or the military may do for you, which is generally limited to responding to issues after the fact or proactively addressing a limited number of threats – particular groups, casefiles, targets, means of assault (embedded and unresolved vulnerabilities) and so on. There is also a significant asymmetry of information between cyber users and would-be cyber protectors. It is not enough to say that the military is using cyber capabilities to protect its country and its allies, when actual system architectures are unique and no single organization can centralize expertise in all of them. An actor called upon to actively and passively protect industrial control systems, administrative databases, communication lines and the underlying infrastructure all at once will do none of those things properly.
It is not enough to simply run through a list of domains which have undergone a cyber transition of the first order and, sometimes, second or third orders (through the underlying cyber vulnerabilities of processes such as financialization, globalization, conglomeration, decentralization). We need to illustrate the boggling realities of cyber issues:
- According to the Herjavec Group’s 2017 Cybercrime Report, compiled by Cybersecurity Ventures, there will be 6 billion Internet users by 2022 and more than 7.5 billion Internet users by 2030, amounting to 90% of people over 6 years of age. There were 3.8 billion users in 2017, up from 2 billion in 2015. The growth in number of users and derivative targets (website, groups, infrastructures etc.) accounts for the likely increase in cyber threats, just as the growth in the general population leads to more crimes, if not higher crime rates;
- The first website launched in 1991, while, in 2016, there were 2 billion websites;
- Microsoft believes that online data volumes will be 50 times higher in 2020 compared to 2016;
- Digital content alone will have expanded from 4 Zettabytes annually to 96 Zettabytes, where a Zettabyte is 1,000 billion GB (10^21 bytes);
- The Internet of Things will take off, as 2 billion wirelessly communicating smart devices in 2006 will have become 200 billion by 2020, according to Intel;
- The recent craze in wearable devices for fitness or medicine already amounts to 310 million devices sold yearly in 2017 and 500 million in 2021, according to Gartner;
- The hoped-for disappearance of passwords in favour of biometrics has been exaggerated – 300 billion passwords will have to be secured in 2020;
- The 111 billion lines of code added to software each year will make it even more likely that simple human error, unanticipated interactions, planned or unplanned vulnerabilities will increase the risk to networked systems;
- Cybersecurity Ventures quotes industry officials that 90% of cars will be connected to the Internet in some way or another by 2020, up from 2% in 2012, and 20 million cars will be sold yearly with integrated cybersecurity defences on-board;
- In 20 years, over 45 trillion sensors will be connected to the World Wide Web, in every imaginable circumstance, from environmental surveillance to social and inside the body of patients or individuals in general;
- Lastly, the area of the Internet which is not indexed by search engines (the “deep web”, of which the part specifically labelled “dark” is only a subset) is already 5,000 times larger than the visible Internet, according to the US Congressional Research Service in a March 2010 report.
Cybersecurity Ventures calls these phenomena, together, the “expanding attack surface of the cyber environment”, which creates new opportunities for mischief and mishaps. Surprisingly, a Cisco study revealed that 40% of manufacturing firms still do not have a strategic approach to cybersecurity.
One must also realize that, as scifi author William Gibson said, the future is already here, but it is not evenly distributed. Some places, or some domains within them, are less penetrated by cyber and therefore by cyber protection issues. For instance, a less developed country will have found it easier to ensure the rapid adoption of cyber for communications, while finding it more difficult to upgrade its industrial base so that it may use the latest industrial control systems. This makes it less vulnerable, even as it remains less productive or efficient. At the same time, the lag may very well be recorded in the field of cyber protection, with countries rushing to encourage digitalization without a corresponding awareness of the dangers and of the need to invest in protection.
Our brave new future?
Our growing reliance on the cyber substrate used to coordinate society is also affected by key trends, some of them new and some old.
The first is the continuing democratization of digital skills and knowledge, combined with the low cost barrier to taking digital action. The rapid innovation in the field was engendered by the possibility that young people working “in garages” with few resources could generate and sustain disruptive technological change. While the maturing of the Internet-era enterprises has reduced the extent to which garage firms are viable players, the possibility that motivated and skilled individuals can punch above their weight remains. This applies to hacking as well, where profit, ideology and daredevilry may inspire individuals or small groups to take on and win against much better resourced organizations. The profound capacity of the cyber system to permit the proliferation of “weaponry” and other forms of pre-made cyber tools, as evidenced by the Wikileaks publication of hacking tools taken from the CIA, which saw part of its arsenal exposed online, also raises the stakes in the field.
The second is the rise of “cloud computing”. This is not just the latest buzzword, but also a systemic transformation of staggering proportions, because, in the name of cost and efficiency, it divorces the end user from having to maintain his own processing capability or data storage. This centralization makes sense in a world of perfect security, but it compounds the risks associated with the interruption of communication. A computer which is not connected to the Internet may still continue to function and be usable. But a simple workstation connected to a centralized processing and data storage hub will be useless in the event of a communications collapse or an attack against that critical node. The logic of cyber-attacks also changes and their scope rises, as the first (and unintentional) cloud computing applications, email services, show: a single attack may affect, as in the case of the recent Yahoo breaches, over 3 billion accounts in a single swipe. Any sort of centralization vastly increases the potential payout of an attack or theft, while not necessarily raising its cost, as the consistent and constant revelations of security neglect show.
Thirdly, the ubiquity of cyber raises the number of targets, as well as the number of channels for the propagation of the effects of an attack. It is one thing to fear that one’s own devices may be hacked and damaged, or their data stolen and it is another entirely to even imagine the second and third order effects of a cyber-attack on a component for a tightly integrated critical infrastructure system physically spread out all over the world. The cascading disruption is difficult to anticipate and potential victims find it hard to register the risk. For instance, a hacker may attack the control system of an oil pipeline, forcing a reduction in deliveries, thereby generating an energy crisis with the potential to affect numerous consumers.
Fourthly, the aging state of existing infrastructures and systems leads to several possibilities. The first is that some of these systems may become intertwined with cyber issues in a way that mixes different generations of control systems, creating new vulnerabilities. This is especially prevalent in the energy and industrial sectors, where long lived assets have gone through several upgrades. The second is that pre-digital systems are either neglected, excluded or replaced with the more efficient and productive systems, leaving a capacity gap which a cyber-attack will highlight. We can compare, for instance, the system of road transport as it is now, before the advent of the mass adoption of driverless cars, with the system that may develop in the future. Several economists have claimed that the success of driverless cars will lead to the rapid reduction of actual driving, since insurance companies will incentivize the shift to driverless. At every step in the road to full adoption, the disruptive potential of a cyber-attack increases to the point where, from a relatively resilient system, which could even maintain itself in the context of a breakdown of the traffic light system or GPS navigation, we will have arrived at a totally unworkable system of mass driverless transport.
The human factor
Lastly, we must consider the human element of the cyber equation. There is a growing gap between the needs of the cyber security sector and the actual resources, which only a decade long concerted effort at training, followed by continuing education programs, can possibly cover. The cybersecurity related employment needs of individual organizations far outweigh the needs of the organizations that create and manage the cyber tools which generate the security issues. In the meantime, interesting choices abound for policymakers and various organizations. The tolerance of malicious hackers turned to “whitehats” is one. There is a general debate as to whether captured hackers belong in jail or on the payroll of the organizations they have hacked. Institutions like the military are having to reconcile their standards with regards to discipline, indoctrination and leadership culture with the reality of the type of individuals they would have to employ. A recent article titled “Strategic outpost debates a cyber corps” in “War on the rocks”, a military discussions website, proclaimed that the military cyber corps of tomorrow would be full of people with “blue hair”: “the Americans with the best cyber talent may not meet military and appearance standards — they might be out of shape, overweight, have facial tattoos, or some other disqualifying factor”. It quoted an argument along the lines that “the military needs an entirely new approach to the cyber domain that ‘effectively breaks all the personnel rules and shreds all accepted norms of rank, seniority, and deference that currently characterize what it means to be in the military’”.
If the military cannot find enough talent it can mould according to its standards, and it comes to rely on civilian contractors, then it will be faced with many of the same problems that the intelligence agencies faced by outsourcing key data analysis operations, namely security risks related to security culture, ideology and the lack of control over individual contractors (the famous Edward Snowden, at the time of his data theft, was working as a private contractor). The military has other issues, specifically related to the chain of command, the ability to move people around and to integrate with other services, since cyber is now a domain of warfare. Putting some hackers in uniform may also be necessary “to legitimately and legally conduct offensive cyber operations — the kind of cyber-attacks whose cascading effects could readily inflict grievous harm and death. These cyber warriors need to be subject to the Uniform Code of Military Justice, so they are held accountable for their actions and legally protected from liability. Putting them in uniform also clearly identifies them as lawful combatants under the Law of Armed Conflict, and, though it may seem quaint, offers them certain rights under the Geneva Conventions”.
The burden of cybercrime
While it may seem appealing to debate the issue of hybrid and asymmetric warfare and what cyber-attacks mean from the standpoint of warfare, the more prosaic field of cybercrime holds some of the best examples of the related dangers. Cybersecurity Ventures estimated that the cost of cybercrime would total 6 trillion dollars in 2020, up from 3 trillion in 2015, which is a staggering amount compared to a world GDP in 2017 of 78 trillion dollars.
According to Forbes, a business falls prey to a cyber-attack every 40 seconds, an interval which will fall to 19 seconds by 2020. A new and important area of the cybercrime business is ransomware, which is basically a protection racket for the digital age. Ransom payments have reached 1 billion dollars annually, according to the FBI. Global ransomware costs exceeded 5 billion dollars in 2017, marking a 15-fold increase in just two years. The fact that 1.4 million phishing websites are created every month is also indicative of the breadth of the business.
The whole area of cybercrime, which easily fits into transborder organized crime and is hard to tackle for many of the same jurisdictional reasons, has been steadily professionalizing, according to the Fortinet Cybercrime Report, thereby mirroring legitimate businesses. Rather than doing everything by oneself, it is possible to contract with providers for any conceivable cybercrime service, including setting up attacks, creating bespoke attack tools, data theft, crashing systems and so on. There is also an organizational structure of crime-as-a-service, with executives, recruiters, infantry and help wanted ads. Meanwhile, new business models proliferate – pay-per-click, pay-per-install, pay-per-purchase, ransomware. One can rent, buy or lease botnets, remote access, exploit kits, crypters, source code. Finally, the money management side of things is also intertwined with white collar crime, which cybercrime often resembles. These were some of the prices quoted, though they have likely gone down in the intervening period due to development and competition:
- Consulting services such as botnet setup ($350-$400);
- Infection/spreading services (~$100 per 1,000 installs);
- Botnets & Rentals – Distributed Denial of Service (DDoS) $535 for 5 hours a day for one week, email spam ($40 / 20K emails) and Webspam ($2/30 posts);
- Quality Assurance vs. Detection (Crypters, Scanners - $10 per month);
- Affiliate Programs ($5,000 per day is possible);
- Virtual Private Servers ($6 per month);
- Blackhat Search Engine Optimization (SEO) ($80 for 20,000 spammed backlinks);
- Inter-Carrier Money Exchange & Mule services (25% commission, probably less now with cryptocurrency transfers);
- CAPTCHA Breaking ($1/1000 CAPTCHAs) – done through recruited humans and machine learning;
- Crimeware Upgrade Modules: using Zeus Modules as an example, range anywhere from $500 to $10,000.
According to the FBI’s Internet Crime Complaint Center (IC3), the BEC (Business Email Compromise) scam has seen a 13-fold increase in identified exposed losses, worth 3 billion dollars, between 2015 and 2017, while Cisco reports place losses at 5 billion between 2013 and 2016.
According to the Herjavec report, “the average size of distributed denial-of-service (DDoS) attacks is 4X larger than what cybercriminals were launching two years ago — and more than 42 percent of DDoS incidents in 2017 exceed a whopping 50Gbps, up from 10 percent of cases in 2015. Cybersecurity Ventures predicts that newly reported zero-day exploits will rise from one-per-week in 2015 to one-per-day by 2021”.
Cybercrime is related to other forms of cybersecurity issues. For one, it provides much of the tools, infrastructure, services and knowledge to conduct cyberterrorism operations or easily denied state cyber-attack operations. Avoiding fingerprints and also being able to conduct operations without having to insource much of the work are appealing advantages. At the same time, we should remember that the effect of crime itself is to undermine organizations by creating and cultivating exploits, whether through corruption or cyber-attacks. There is the possibility that, through anti-fragility, an organization undermined in this way may take the required measures to become more resilient, but we have already established that this should be the exception, not the rule.
According to the 2017 Marsh & McLennan Cyber Risk Report, the European cybercrime scene mostly targets the most developed economies, especially companies in manufacturing, finance and telecom. According to the report, in Europe, “mean ‘dwell time’ — the time between compromise and detection — was 469 days, versus a global average of 146 days”. The links between organizations and government are also not as good – only 12% of intrusions were discovered via notification from a state agency in Europe, as opposed to 53% in the US, which raises the question of whether the number of intrusions is severely undercounted.
Figure 1 – Targeted malware detection across Europe during January - September 2016 (source: 2017 Marsh & McLennan Cyber Risk Report)
It is vitally important that the authorities and other actors, such as the military, become proactive with regards to cyber threats, as concerns issues which only they are authorized to handle, such as prosecution, deterrence, regulations and offensive action, though some companies have been known to contract for retaliatory services.
However, companies themselves must take the first steps in their own protection. The MMC Cyber Handbook gives an overview of the measures that may be taken and how industry representatives have responded to pointed questions regarding preparedness levels. The main strategic steps are, from a business perspective:
- Seek to quantify cyber risk in terms of capital and earnings at risk;
- Anchor all cyber risk governance through risk appetite;
- Ensure effectiveness of independent cyber risk oversight using specialized skills;
- Comprehensively map and test controls, especially for the third-party interactions;
- Develop and exercise incident management playbooks.
Figure 2 – Steps for cyber protection of businesses, aligned with the NIST – National Institute of Standards and Technology – framework (source: MMC Cyber Handbook)
The uncertainties surrounding the future development of the domain call for an adaptive framework for security which brings together the important stakeholders and promotes an appropriate division of labour, in line with needs, competencies and authority. Ultimately, the one solution not yet taken under consideration for reasons of ideology, competitiveness and status jockeying is the possibility of intentionally creating resilience in the system by diminishing the reliance on intricately networked systems and ensuring adequate redundancies and substitutive capabilities.