October 29, 2014

Cyber Attacks Likely to Increase

Above-and-Beyond Responses: Part 1

A variety of views in regard to this issue are reflected in these big thinkers’ imaginings of what may happen by 2025.

Look for losses in intellectual property and via ‘data pollution’

Vint Cerf, Google vice president and co-inventor of the Internet Protocol, responded, “Yes, while it has been predicted for a long time, there is no question that intellectual property theft is an increasingly serious problem and the potential hazard of data pollution looms. Estonia is the prototypical example. A lot will have been done by 2025 to increase security and safety online but there will still be exploitable vulnerabilities. Systems that observe their own behavior and the behavior of users may be able to detect anomalies and attacks. There may well be some serious damage in the financial sector especially (identity theft is still a problem, etc.). The use of things like Bitcoin, if prevalent, will produce wildly gyrating values and high risks.”

Many attacks will have a ‘cyber add-on’ component

Jamais Cascio, a writer and futurist specializing in possible futures scenario outcomes, wrote, “Depending upon how it’s understood, this could also be a ‘yes’ or ‘no’ answer. We’ll likely see a major attack that has a cyber component, but less likely to see a major cyber-only attack. In this cyber-add-on scenario, other forms of attack (from simple bombing to infrastructure damage to bioweapons) are enhanced by digital or electronic assaults meant to hamper our ability to recognize and respond to the main thrust of the attack. Cyber is a force-multiplier, in strategic terms, but not necessarily a useful solo vector. Here’s why: hitting a system large enough and pervasive enough that its loss will have major, widespread harmful consequences would take an extraordinary combination of time, coordination, sophistication and luck. Networked systems already exist in a hostile environment, and attention/resources are already being directed to system security—there’s a greater likelihood of a complex assault being spotted. Furthermore, redundancy, backups, and ready alternatives can mitigate the harm of a cyber infrastructure attack, and it’s hard to say from simple observation, which systems will be or won’t be supported in this way. This doesn’t make a sophisticated attack impossible by any means, but it makes such an attack much more difficult, and the results less certain. A hostile actor will want greater certainty of outcome and less of a potential to be caught. A cyber-only attack is possible, but less efficient (and likely less effective) than simpler attacks.”

‘Collaboration and cooperation’ among all parties are essential

Amy Webb, digital media futurist and founder of Webbmedia Group, wrote, “It’s quite possible. One big challenge is that in the digital space, typical geographic boundaries don’t apply. If you have a credit card, that company is likely using Amazon Web Services with servers in multiple countries. Amazon protects itself, but individual countries establish laws describing what constitutes a crime and how cybercrime will be punished. There is no overarching law that rules everyone, and some culturally different activities are more accepted than others. Likewise, depending on the person, her knowledge, and where she lives in the world, she may regularly pass along security bugs and viruses that could, along with many other users, contribute to a widespread outage. In order for us all to be safe and protected, collaboration and cooperation among governments, businesses, and individuals is necessary.”

Jeff Jarvis, director of the Tow-Knight Center for Entrepreneurial Journalism at the City University of New York Graduate School of Journalism, wrote, “There will be continuing attacks bringing continuing damage. The question is how big an industry that will spawn in securing systems against such danger and mitigating risk. But security comes not only from government and industry. It also comes from the huge forces of collaboration and volunteerism that can coalesce around open source as a means of assuring that many eyes will watch for vulnerabilities and many hands will fix the faults that are found.”

‘Far too much of the world’s computing capacity is defenseless’

Jerry Michalski, founder of REX, the Relationship Economy eXpedition, wrote, “A tremendous proportion of the devices on the Net—personal computers as well as devices—have been compromised already, or will be compromised in the near future. Any device that isn’t attended to regularly to keep it from being vulnerable should be written off as part of the darknet. Targeted attacks should rise, as should dysfunctional ideas (memes), spread to sew discord or doubt. Far too much of the world’s computing capacity is defenseless. Anything with firmware that can’t be upgraded securely in the field is vulnerable. Loss of life may be more difficult than loss of property, as property becomes ones and zeroes. National boundaries will matter less and less, despite countries’ attempts to secure those boundaries and control their populations. People will join ‘nations of choice,’ giving their allegiance to loose organizations that have principles they love, such as Burning Man, the Tea Party, Occupy, and others that will emerge in the next few years.”

We must adjust our obsession with efficiency to also focus on ‘resilience’

David Brin, author and futurist, wrote, “We must move from the 1990s obsession with ‘efficient’ production—e.g., just-in-time manufacturing. That proved disastrous after Fukushima. In nature, resilience is just as important as efficiency. If we work on it, our resilience will make a crucial difference making such attacks futile.”

Natural disasters cause more devastation

Hal Varian, chief economist for Google, predicted, “There will certainly continue to be cyber attacks around the world. However, I don’t think that such attacks will involve losses of tens of billions of dollars. For that to happen we would have to see systems down for several days. Katrina was the costliest US hurricane and it did about $100 billion of damages. Most hurricanes have been in the $20 billion range. I don’t see cyber attacks coming anywhere close to hurricanes in terms of the associated property losses.”

Security awareness and actions ‘will become a necessary part of life’

Jim Hendler, a professor of Computer Science at Rensselaer Polytechnic Institute, wrote, “I don’t believe a single major cyber attack of this kind will be a key event, rather there will be a growing number of smaller attacks and crime which cause increased awareness and willingness of people to take better cyber security—security online will become a necessary part of life, varying by where in cyberspace one is—much the way home security or car security is today.”

The worst events might be caused by accident

Joel Halpern, a distinguished engineer at Ericsson, wrote, “Any response to this is very much a guess, as what will happen depends both on what can happen and on what people choose to do. I would not be surprised if there was a network-based event which caused tens of billions of dollars in damage. I would expect that it is more likely to occur by accident than it is by deliberate action. This is based on the observation that random coincidental failures are much harder to plan for than human intention.”

‘On balance, it is a nail-biter’

Paul Saffo on the future of cyber attacks

Paul Saffo, managing director at Discern Analytics and consulting associate professor at Stanford University, replied, “The question is missing the button I wanted to push: ‘Maybe.’ This is a classic wild-card issue: uncertain probability but potentially enormous impact. We will certainly have a steadily increasing number of cyber attacks by both state and non-state actors. The uncertain part is the scale of effects, and that is time-dependent: there is a race on between cyber defense tools and cyberattack capability, and at any given moment, one is slightly ahead of the other. On balance, it is a nail-biter. It is a close call, but I think we will have a bunch of scares, but will squeak through. More generally, my fear is that we are neglecting the risk of ‘cyber errors’ in creating wild disruptions. Stupidity is always more common than evil.”

Look for cyber treaties before things get too far out of hand

Fred Baker, Internet pioneer, longtime leader in the IETF and Cisco Systems Fellow, responded, “This is a little like asking whether the existence of a nuclear arsenal implies the eventuality of nuclear attack. I do believe that it is possible to perpetrate such attacks now, and we have seen tete-a-tete between nation-state actors in Eastern Europe, the Middle East, Asia, and North America. However, the perpetration of an attack that causes ‘significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars’ is likely to draw a comparable retaliation, and like the outcomes of nuclear assault, become its own counter-measure. It may, like nuclear arsenals, become a matter of treaty discussion.”

The digital ‘immune system’ will respond

Seth Finkelstein, a programmer, consultant and EFF Pioneer of the Electronic Frontier Award winner, wrote, “In general, for critical infrastructure, I’d say there’s enough low-level threat from ongoing minor attacks to make it difficult to pull off a really major attack. Much of this entwines with credit card security. Grabbing a bunch of credit card numbers is both far more profitable and far easier to do than massive disruption. So defending against that type of ongoing crime is sort of like an immune system challenge that helps guard against even more harmful attacks.”

Fixing privacy problems will also make things more secure

Marcel Bullinga, a futurist and trend watcher, predicted, “The answer is connected to the privacy-enhanced infrastructure. If you have accomplished that, you have a safe infrastructure as well, not so vulnerable to cyber attacks. I guess a wildcard will do the trick of speeding up the creation of a safe infrastructure—the explosion of a nuclear reactor or the theft of $200 billion in one second caused by a cyber attack.”

There will be a large-scale manipulation of the Web but ‘we will overcome it.’

Tiffany Shlain on the future of cyber attacks

Tiffany Shlain, filmmaker, host of the AOL series The Future Starts Here and founder of The Webby Awards, observed, “There will be attacks, but just as quickly as they happen, we will figure out how to combat them. The Web is merely an extension of us as humans. We are good and bad and everything in between. But ultimately, I believe we are good. The Web will at some point have large-scale manipulation with malicious intent, but we will learn from it and overcome it.”

Doc Searls, director of ProjectVRM at Harvard University’s Berkman Center for Internet & Society, wrote at length on this issue:

“I imagine that Iran would already claim that it has suffered harm through the (alleged but widely acknowledged) Stuxnet attack by the US and Israel on Iranian nuclear facilities. No doubt other forms of cyber warfare are ready for deployment by the U.S., Russia, China and other countries. Since what can be done will be done, sooner or later, it is reasonable to expect harm in $billions (at current valuation)—to some country, or number of countries. On the other hand, the whole world is now one big system, and it will be very hard to contain the effects of a cyber attack, as we discovered (predictably) with Stuxnet.

Two questions need to be asked: 1) Who in a country is most capable of cyber-warfare? Is it the government or the hackers? 2) Is it in the national interest of a country to attack another with which it enjoys a high degree of business and other dealings? In business today, many old enemies are now close friends, at least in business.

In Russia today the concentration of techno-experts making money through botnets off of the (mostly U.S.-based) $many-billion advertising industry is very high. Is there a higher concentration of experts inside the Russian government? Almost certainly not, given the billions being made in Russia’s clandestine botnet business.

My point here is that actors in the private sector, especially the bad-guy ones, may have stronger cyber warfare skills than their own governments. And they are already doing damage in the form of many billions of dollars siphoned off the flow of advertising money through Google and other companies.

What happens when the online advertising business, which has many characteristics of mania and bubble, starts to fail? If one doubts that failure will happen, consider this: more than 61% of traffic on the Net already isn’t human, and a third of that number is busy impersonating human traffic, no doubt for fraudulent purposes. Also, according to Michael Tiffany of White Ops, ‘at least 15 percent of American broadband households are participating in a botnet right now.’ And the numbers are going up.

Both cryptography and cracking it continue to get more sophisticated. Those who are good at it won’t stop. And all the countries capable of cyber warfare—China, the US, Russia, India, the UK, Israel and so on—are not going to stop preparing for it and doing everything they can to stay ahead of both their friends and their enemies, real and perceived. This constitutes a cold war of sorts. Likewise, spying also won’t end. Spy agencies will do what they were created to do. They have always been, by nature and charter, outside the laws of both their own countries and those they spy on.

So we have this broad class of things we know—notably the level of cyber crime happening constantly, and its effects on the whole Internet—and a narrow class of things we don’t, which is what the spy agencies know but won’t say. (Yes, Snowdens come along from time to time, but the spying will continue.)

To sum up, I believe we can safely predict that cyber crime will be one of the daggers that burst the online advertising bubble, the collapse of which will cause harm to some industries (e.g., online publishing). But all bets are off for what will happen in cyber warfare. The one clear thing is that national boundaries and interests are far more blurred than they ever were when wars happened in the physical world alone.”