Ashley Madison, Adult Friend Finder, Last.fm, Tesco, LinkedIn, MySpace, Three, TalkTalk, Yahoo, Twitter, the National Lottery etc. all share a common feature: over the last few months these corporations have been the target of successful massive hacking operations aimed at stealing customer data. And the list keeps lengthening every day.
Cybersecurity is first and foremost a matter of education – a formerly blank executive training field that the likes of IBM have now penetrated. Human error represents a godsend for all hackers that no antivirus will be able to correct – “up to 90% of cyberattacks take place because computer users are both busy and gullible”, writes Misha Glenny from the Financial Times. In September Russian hackers managed to break into the Democratic Party computer systems. The investigation showed that the attack was based on fraudulent emails sent to around a hundred members of the party. Around 20% clicked on the link despite the obvious risks it could entail. Although antispam filters have become increasingly sophisticated over the last few years, one cannot fully trust the machine (yet?) and blindly open every message landing in one’s inbox. In the same vein, ‘Ponzi 2.0’ chains can only flourish if the ‘links’ are gullible enough to hand money over to an unknown party. Reusing similar (and often benign) passwords on different websites is also a source of trouble – one of the reasons why ‘behavioural biometrics’ are being experimented with. More broadly, the analysis of human behaviour will become a cornerstone of the cyber war, on both the assailant and defender sides.
The corporate world has become increasingly aware of the threat over the last few years, even if in some cases the learning curve involved paying a high price. Small businesses, which have less budget to spend on ‘cyber-defences’, are particularly targeted. A third of small British businesses suffered a breach in the past year according to a UK government study, while insurer Beazley predicts a 400% increase in ransomware breaches this year – a particularly efficient attack, as the corporate target is denied access to all its data unless it pays. In France, cybersecurity consultancy Wavestone showed that 100% of 128 large corporate websites had security loopholes, 60% of which could allow a hacker to download a batch of commercially sensitive data. More generally, the emergence of new technologies, such as driverless cars, will greatly rely on the ability of manufacturers to convince the general public that the ‘computer at the wheel’ cannot be corrupted. Poor security infrastructure design, resulting from a lack of time and budget, is pointed out as a root cause. A few days after the news was made public, the French government passed a law requiring all businesses to map their data and ensure appropriate protection and access by May 2018. In the US, a similar directive aimed at the financial services industry – the most affected by data loss – has been issued.
Large institutions are not immune either. Tesco Bank suffered a carefully planned and heavily publicised attack in early November. Money was stolen from 20,000 accounts (out of 136,000), and the attack left all the bank’s customers with no access to their money for more than 24 hours. The investigation subsequently showed that management had previously ignored warnings from third parties highlighting weaknesses in the Tesco and Tesco Bank mobile apps. Two of Russia’s largest banks suffered DDoS attacks last month. Even the SWIFT messaging system, which governs financial transactions between banks across the world, has faced attacks. French newspaper Les Echos recently highlighted that cyberattacks had little impact on share prices, although this could likely change in the future.
Irrespective of size, the cost of replacing the entire software framework can be prohibitive for a business. Countless firms still run their operations on Windows XP, despite Microsoft not having offered any security update since 2014 and security breaches having already been identified since then. For those favourite targets, the aim is less to prevent attacks than to make the reward unattractive, by physically isolating critical data in separate infrastructures.
For a long time, their basic features and limited memory space made smartphones unlikely candidates for cyberattacks. With the rise of open operating systems (Android and iOS) making devices accessible to third-party app designers, and the continuous development of new capabilities, this is not the case anymore – one could even say that, because we spend our lives with smartphones in our pockets, the potential risk of hackers accessing personal data through these devices is higher. Standard solutions have recently been developed – messenger app WhatsApp now offers encrypted communication protocols – and a handful of brands are now offering ‘military-grade security’ – at a (hefty) price.
The ‘internet of things’ is also adding further risk to the balance. These recently launched devices are numerous (6.2bn today and 20bn by 2020 according to Gartner) and are usually designed with time and money focused on tech specifications, pushing security into the background (or not even bringing it onto the agenda), with no or weak default passwords. In September French web hosting company OVH suffered a ‘Distributed Denial of Service’ (or ‘DDoS’) cyberattack led by a network of more than 140,000 Web-connected video recorders, a significant figure but still very short of the 10m+ devices mobilised on 21st October to create the largest DDoS attack ever recorded.
A pernicious characteristic of successful cyberattacks is that they very often go unnoticed. In the Financial Times, Violet Blue, a cybersecurity expert, explains for instance that she “keeps a little sticker over the cameras on all my devices to prevent unauthorised spying”. Your camera may be on without you knowing.
For all those reasons, cybersecurity has become a serious matter for intelligence services. In the UK, the government’s National Security Strategy elevated cyber security to the “tier 1” risk category and MI6 has announced its intention to recruit more than 1,000 new staff by 2020, a 40% rise, primarily to foster its still rudimentary IT capabilities. As mentioned by Nigel Inkster, former director of operations for MI6, in the Financial Times: “The days in which intelligence officers could plausibly adopt different identities and personas are pretty much coming to an end. […] The challenge of having a credible digital footprint is significant.” Cyberattacks could impact traditional warfare; Chinese hackers, for example, tried to steal military data contained in the nuclear-powered aircraft carrier USS Ronald Reagan. As a result, undercover moves usually belonging to the secret sphere emerged last month when US vice-president Biden publicly hinted that the USA could launch a retaliatory cyberattack against Russia, while Angela Merkel later warned against this kind of attack – symptoms of the unbearable tension this new type of war has triggered.
Not far from the debate around cybersecurity lies the one around the veracity of information found on the Web. In a world where anyone can publish and share information across the globe in seconds and where the content of the most visited encyclopaedia can be freely edited, we must become increasingly critical of the flow of data that we receive.
Defence against cyberattacks will represent one of the pillars of individuals’ and businesses’ security in the coming years and possibly decades. This post intended to show that, fortunately or not, we, as Internet users, largely hold the cards in that fight: let us make sure that we use them wisely.