In 2010, a malicious virus known as Stuxnet destroyed nearly 1,000 centrifuges in an Iranian uranium enrichment facility. The cyberattack demonstrated the prophetic wisdom of leading computer security expert, Gene Howard Spafford: “The only secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards—and even then I have my doubts.”
Stuxnet marked the beginning of a new era in conflict known as cyber warfare.
The changing nature of conflict – From physical to cyber warfare
Cyber warfare democratizes conflict. The nation with the largest military is no longer the most powerful. Physically mobilizing troops, engaging in gunfire, and bombing are replaced with digitally knocking out energy plants and nuclear facilities and shutting down power grids. These will be the new acts of war, and they will be executed from a safe distance. Combined with the anonymity that digital provides, much of the risk associated with physical combat is eliminated, making cyberspace an attractive and accessible battlefield for anyone with a computer.
Many argue that without risk, there is less restraint. Perhaps this is what emboldened hackers to target corporate giants like Amazon, Netflix, and Twitter. In 2016 alone, more than 4.2 billion records were exposed (shattering the previous 2013 record by more than 3 billion). The breaches, affecting everyone from nations to corporations to individuals, showed that no one is immune to cybercrime.
While 2016 was the year of the data breach, analysts predict that 2017 will be the year of cyber warfare. It’s no longer just about stealing information; it’s about crippling operations at a global level.
WannaCry, the biggest ransomware attack in history, infected 300,000 computers across more than 150 countries. WannaCry’s impact was particularly pronounced at the National Health Service (NHS) hospitals in the U.K., where more than 19,000 appointments were cancelled and computers at 600 surgeries were locked down. It was later discovered that with basic IT security, the NHS could have prevented the attack.
On the cyber battlefield, even the smallest weakness in security can bring a country to its knees. Take NotPetya, for instance. The infamous cyberattack disrupted much of Ukraine’s online infrastructure, including energy companies, power grids, airports, public transit, and banks. As damaging as cyberattacks can be, the aftereffects can be more devastating. Shipping giant Maersk estimates that the disruption NotPetya caused cost the company up to $300 million U.S.—a staggering amount when compared to the paltry $10,000 U.S. that hackers are estimated to have earned.
As entire smart cities connect to the Internet of Things (IoT), their online infrastructure—from street lights to power grids—will be vulnerable. With so many insecure connections, the impact of cyberattacks will be costly, far reaching, and capable of leaving entire populations in the dark.
By 2025 the IoT will reach an estimated 80 billion devices (or ten per person)—more than half of which will have inadequate security. This is unsettling at best when you consider that as our cars and household appliances join the network, cyberattacks could become more frequent and more personal.
While technology, data, and education at the end-user level will help us pre-empt these attacks, device manufacturers and governments will play a crucial role in cybersecurity.
Since cyberattacks are decentralized, nations will need to work together to combat cyber warfare and cybercrime. Much of this will happen through laws, regulations, and policy development. Keeping all of these relevant will be extremely challenging, since technology typically outruns policy.
The Convention on Cybercrime (also referred to as the Budapest Convention) is the first international treaty of its kind designed to protect society against cybercrime. As technology continues to advance and acts of cyber war become more widespread, I would expect to see more governments, and even industries and organizations, coming together to form international alliances to combat cyberattacks and cybercrime—a Geneva Convention for Digital, if you will.
In the near future, when almost everything is online and at risk, security standards and international laws will be critical to ensuring the safety of not only nations and corporations, but also of individuals. But what form will these safety measures take? For example, will we be under constant surveillance by governments for “our own good”? The impact of digital on society will be the topic of my next blog.