October 29, 2014

Cyber Attacks Likely to Increase

Above-and-Beyond Responses: Part 2

A range of input by some respondents covered ground not related to the themes highlighted above.

Put this in perspective—many things are worse and could have a more devastating effect, including natural disasters and the impacts of rapid online financial transactions

Ben Shneiderman, professor of computer science at the University of Maryland, wrote, “Cyberattacks will grow, but defense will improve, all requiring big investments and creating jobs. Epidemics, tornados, floods, and earthquakes will still be more deadly. Climate change and environmental destruction are by far the greatest threats.”

Jari Arkko, Internet engineer with Ericsson and chair of the Internet Engineering Task Force, answered this question “no,” explaining, “It is hard to predict what will happen. A single financial transaction gone wrong or a single-vehicle accident could cause the damage that you ask about. But I still consider the risk of these events far smaller than many other similar issues, certainly far below financial fraud that we’re used to seeing from insiders and rogue traders, for instance.”

Brenda Michelson, a self-employed business-technology consultant, responded “yes” and sounded a similar note. “In the case of cyber attacks, the hype of pending calamity is probably a positive, as it increases threat awareness and in turn (hopefully) prompts telecommunications, transportation, energy, water supply, and food-chain infrastructure operators and regulators to engage and invest in risk-mitigation activities, as well as theorize, scenario plan, and test for systemic, cascading implications. If a nation were to fall, or be seriously harmed by cyber attack, it would have to be a highly coordinated attack, simultaneously targeting the nation’s various infrastructure elements; or an attack that could identify and exploit a linchpin element, resulting in cascading failures. This type of destruction is more likely to be brought on by nature—hurricane, tsunami, earthquake, and such. Which, I suppose could be—or certainly hyped as—a 2025 cyber threat, weather hacking.”

A proposal to use decentralized network protocols

Andrew Rens, chief counsel for The Shuttleworth Foundation, wrote, “My answer could equally well be ‘yes unless appropriate changes are made’ or ‘no if appropriate changes are made.’ Whether a major cyber attack causes widespread harm depends on whether some systems are changed in order to prevent not attacks but the likelihood that they will be widespread. It is certainly possible to configure networks so that they are both highly connected (with few links between most modes) and modular with weak links between strongly connected clusters. In the event of disaster, such as attacks, the weak links must be broken so that only specific clusters suffer damage. A cyber attack must be understood from a network architecture perspective as a type of disaster, as are natural disasters and internal system failures. What must be done is in principle obvious, although implementation may prove difficult. 1) End centralization of systems such as control of power grids and instead use decentralized network protocols to manage co-operation. 2) Make networks modular so affected clusters can be isolated. 3) Build in overrides that enable the decoupling of local physical systems from digital systems so humans can operate systems when computers fail. 4) Encourage the creation of robust cities that can generate their own water and power at least in need. 5) Decentralize the financial system so there are not just a few players that are massively dependent on one another but many more players. Reinstate the Glass-Steagall Act so that damage to investment banks doesn’t affect the day-to-day activities of people. While what must be done is obvious it is unlikely that policy makers and business leaders will demonstrate the will to protect their citizens. Instead there is likely to be a proliferation of agencies with draconian powers engaging in intrusive, if no longer universal, surveillance which are unable to prevent or mitigate attacks because the solution is decentralization not policing.”

The concept of the nation-state is being challenged

David Orban, the CEO of Dotsub, wrote, Yes. “Nation-states are under attack from much bigger forces than cyber hacking or from cyber war initiated by other nations. These can and will be waged, and the infrastructure to defend against them will be an important component to be developed and deployed. However, the more radical transformation of all the major components of what is today the raison d’etre of the nation-state is going to have a much more radical impact, transforming the social organization, and the social contract itself, to be based from a centralized hierarchical structure to a distributed, peer-to-peer one. Solar power in energy production, 3D printing in manufacturing, plant labs and meat cultivation for food production, self-directed open learning, personalized health, distributed digital currencies.”

Relatedly, Karen Landis, the user-experience team lead for Belk.com, a department store, said, “People will get used to identity theft and cyber attacks in the way we got used to muggings and bombings. They won’t surprise us and will just be something that is in the news every day. Words like ‘identity’ and ‘nation’ will have to be redefined. How are you part of a ‘nation’ when you are connected globally? If the currency system becomes global (e.g., Bitcoin), nations will not be as necessary.”

Threats could be domestic more than foreign

Craig Watkins, a professor and author based at the University of Texas-Austin, said, “This is something that could happen, but is something that government agencies and corporations are vigorously addressing in their efforts to protect the nation, people, resources, and institutions from such injury. Efforts to inflict such harm are already in progress; hopefully the intelligence communities are designing ways to identify and address such efforts. Also, while we have thought about these attacks from foreign agents, it’s also prudent to consider that it could be internal or domestic threats.”

Defenses can result in vulnerabilities

Estee Beck, a doctoral candidate at Bowling Green State University, wrote, “In Nicholas Carr’s recent article in The Atlantic [All Can Be Lost: The Risk of Putting Knowledge in the Hands of Machines], he discusses the occurrences of software malfunctions in computer software systems in aircraft carriers that resulted in loss of life. Even as the American public has learned more about the NSA’s efforts to set up defense systems in cyber systems, some of the very defenses they set up also result in vulnerabilities that can be exploited. While I do not necessarily foresee a widespread dystopian future where an entire cyber network crashes, there are already signs of harm occurring, the Dow Jones flash crash, for example. It is plausible to consider that cyber attacks can result in widespread harm considering past events.”

Quantum computing requires new levels of security

Mattia Crespi, president of Qbit Technologies LLC, responded, “The modeling of complex algorithms and new forms of processing power will determine the need of new levels of security. On the edge of quantum computing, the world is about to face the need of a new standard for security. The bridge from a ‘now relatively secure world’ to a new ‘truly secure world in the quantum era’ will be full of pitfalls and dangers. Terrorist attacks may find their ways in a system adapting its security standards.”

Bigger economic, social, and political issues should get the focus

Marcus Cake, network society content architect and strategist with WisdomNetworks.im, responded, “Major cyber attacks are likely and will cause widespread harm. However, the harm caused by cyber attacks in a network society will be a fraction of the harm caused by hierarchies in the Information Age. Hierarchies in the Information Age cause widespread harm. Harm includes unsustainable income inequality, national insolvency, personal insolvency, war, collapse of global and national financial systems, bank insolvency, high-risk leverage ratios in financial and other institutions, money printing. It is unlikely that distributed structures that provide full transparency, distributed income, productivity, and distributed prosperity with collective wisdom and community participation would lead to many of the harmful events of the Information Age that are possible due to opaque unaccountable hierarchies.”

Stealing an election? The most vulnerable systems might be tied to voting

Barbara Simons, a retired IBM computer scientist, former president of the ACM, and current board chair for Verified Voting, responded, “I don’t know how you measure the value of democracy in financial terms, but if we move to Internet voting, which is a real danger, we run a very serious risk of having elections stolen. Internet voting is vulnerable to attacks by anyone from anywhere, including insider attacks. And of course it’s impossible to conduct a recount to determine whether or not the declared results are correct.”

Digital systems are vulnerable, but they can also be used to advance the public good

Nishant Shah, a visiting professor at The Centre for Digital Cultures at Leuphana University in Germany, responded, “This presumes that there is a disjoint between the digital infrastructure and the national sovereignty, whereas we have only seen that there is symbiotic relationship between the two. As the digital evolves, surely, the very idea of what a nation is, where its territories are, and how it governs itself are also changing. And as nations become more digital in their organization and logic, they will make themselves vulnerable to cyber attacks—but they still own and possess a vast infrastructure of the digital and the cybernetic and will be able to shift attentions and resources in producing defenses which are in the interest of the people.”

The threats are there—so are the problems caused by overreaction to them

Lillie Coney, a legislative director specializing in technology policy for a member of the US House of Representatives, said, “The Internet is like oxygen. If you do something to it in one place it will likely impact the quality of oxygen in other places. An attack may happen but the impact will likely lead to the same reaction to poison gas or chemical weapons that resulted from World War I. My greater concern is an accident or a new application or technology that adversely impacts the way the Internet functions. The other greater threat is to monetize the Internet by controlling who can have websites, use an email address, or communicate. The early days of radio were open and anyone could broadcast. That soon gave way to a regulatory framework that used the cost of licensing to control who could own a station. Innovation became proprietary and it basically stopped making changes. Radio remained essentially the same.”

Marc Brenman, a faculty member at Evergreen State College in Olympia, Washington, wrote, “This is already happening. ‘Sovereignty’ is already becoming an antiquated concept, as borders become permeable and globalization takes command. Anything attached to the Internet or the cloud is vulnerable to remote control and destruction. Just as individuals will have no privacy, corporations and nations will be penetrated. Theft will replace invention and intellectual property. The Chinese and the National Security Agency are already demonstrating this.”

‘We have no idea how bad the situation really is’

Norman Weekes, a volunteer for a nonprofit, responded, Yes. “Crime and attacks will gravitate to and come from parts of the world without investments in cyber defenses: Africa, South America, Eastern Europe etc. The level is under-hyped for the same reason financial institutions don’t talk about successful robberies; it’s bad for business. We have no idea how bad the situation really is.”

Rise of powerful hacker culture

Anita Salem, a design research consultant, responded, “Long before 2025 we’ll see cyber attacks on networked physical infrastructure. Also, weapons systems and information systems are at risk. This is one of the likely disruptors to all of the doom and gloom predictions I’ve made earlier. A large-scale attack may actually lead to less centralized control and more interdependent networks being developed. I expect as technology deepens the economic divide between nations and within the United States, we’ll see the rise of a powerful hacker culture that will expose and take advantage of cyber weaknesses.”

Systems are especially vulnerable

Alison Alexander, a professor at the Grady College at the University of Georgia, wrote, “Quite possibly is my real answer. While I do agree that the level of threat is hyped, the potential is there. Downing the power grid, even messing with traffic control, or wresting control of important systems that are currently automated is frightening and certainly possible. Hackers can do these things. Other threats are just as worrisome: hacking into banks or Social Security databases could result in major monetary losses. Finding digital ways to manipulate world stock markets is all too possible. We can talk about existing vulnerabilities, but the ones that will cost the most are the ones we don’t know.”

Vittorio Veltroni, CEO for Hyppo Corporation, a digital and customer-knowledge consultancy, wrote, “As repetitive, rule-based tasks shift towards machinery, so does the running of complex networks (energy, water, transport, financial transactions). Those will become targets for disruption by external and internal threats alike.”

Cyber attacks will be aimed at powerful nations by the less powerful

Leigh Estabrook, dean and professor emerita at the University of Illinois, wrote, “If the United States continues a foreign policy of domination and threats, some of which have been cyber attacks on other countries, what do small countries with little chance to fight militarily do? I don’t know if a major cyber attack will occur; but it would seem a good possible response of David to Goliath, even in the modern retelling of that tale.”

A long-time scholar and activist focused on the commons said, “Yes, attacks are imminent, especially if governments do not adapt to the networked culture and recognize that top-down coercion without genuine democratic participation and consent (beyond elections) is essential to trust, legitimacy and efficacy in governance. There will always be ‘evil geniuses’ seeking to wage cyber attacks, but some cyber attacks amount to proxies for democratic discontent that political and economic elites, in defending the powerful institutions that they direct, wish to ignore or override.”

The spread of cell phones is the real vulnerability

A retired information science professional observed, “A Rutgers University study disclosed that malicious software for cell phones could pose a greater risk for consumers’ personal and financial well-being than computer viruses. People are multitasking with their phones for work, personal life, and finances. The risk of malware is high and the sheer number of phones being used for banking and transfer of work information points to losses that can easily reach the levels of billions of dollars. Banks and other financial institutions are vulnerable to attack especially in regard to debit and credit cards. People felt that PIN numbers gave them an additional layer of security for their accounts but the recent problems at Target stores emphasize their vulnerability. The Edward Snowden case shows that a cyber attack isn’t the only way to get information that could damage a nation’s sovereignty. Many of our current cyber attacks from outside sources are aimed at our military security but agricultural information can be just as important. Information regarding research and development can have a huge impact in many areas of our economy. Maintaining vigilance will help thwart these attacks. Reading the history of the Stuxnet virus is an interesting view of how malware targeted an industrial system.”

A high-altitude electromagnetic pulse attack could be devastating

The CEO of a software technology company and active participant in Internet standards development responded, “This is likely to happen and could be either a literal cyber attack or a high-altitude electromagnetic pulse (EMP) attack; the latter would cause longer lasting damage. We are increasingly dependent on complex software systems and the migration to more dynamic virtualized infrastructure makes these even more complex. Governments, banks, and other large infrastructure providers will use highly virtualized systems well before 2025. There have been major outages with cloud-based systems even without a cyber attack—a well-organized cyber-incursion could potentially wipe out storage systems that contain application images and data, making recovery long and complex.”

The US is reaping the whirlwind of its surveillance programs

An Internet engineer and machine intelligence researcher wrote, “Cyber attacks will continue. Some will be more effective than others and some will be more publicized than others. The loss of personal privacy has already caused widespread harm to the United States and some other nations. If to defend a nation’s people includes defending the principles that define the nation and the individual rights and freedoms afforded to the people by those principles, then the NSA has mounted the most damaging cyber attack to date, with no apparent consequences. Otherwise, the continuing increase in dependency of the financial sector on electronic transactions and machine intelligence certainly makes them more vulnerable to external and internal (even self-inflicted) cyber attacks.”

There will be ‘digital hostages’ and ‘digital colonies’

Chris Uwaje, president of the Institute of Software Practitioners of Nigeria, wrote, “The 21st century will take digital hostages and there will emerge some digital colonies in the very near future. Some nations will wake up from their deep slumber someday—in the middle of the night—to find out that they have been held hostage digitally. Cyberattack may cause a major national blackout and stampede and indeed may lead to a classical civil war—where drones will become a child’s play. But with a standardized global peace architecture, there will be some confident-trust pathway for sustainable hope.”

The real threat is long-term infiltration and ‘continuous monitoring’

Clifford Lynch, executive director for the Coalition for Networked Information (CNI) and adjunct professor at the School of Information at the University of California-Berkeley, wrote, “The entire information security situation seems to be totally out of control at this point at every level: individual consumers, businesses, critical infrastructure, military systems. Obviously, the kind and degree of vulnerability varies from sector to sector, but it certainly seems clear that non-state actors of various kinds can cause massive damage. I am also concerned that so much of the thinking seems to be focused on ‘attacks’ and ‘data breaches’ and similar events, as opposed to long-term infiltration of systems, continuing monitoring, subtle data corruption, and the insertion of disinformation, which are at least as dangerous.”

The penultimate and hopeful statements

Rashid Bashshur, senior advisor for eHealth for the University of Michigan Health System, observed, “Hopefully, we will have a better understanding of the causes of massive problems of insecurity in personal safety and cyber safety. Mischief, greed, and hostility cannot be ruled out. But they can, and should be, alleviated. We can’t stay dumb forever.”

Fredric Litto, a professor emeritus at the University of Sao Paulo in Brazil, wrote, Yes. “It is very likely; but just as likely is that we will pick ourselves up, rebuild, and continue on our course, just as happened after the Lisbon earthquake, the atomic bombs in Hiroshima and Nagasaki, and the World Trade Center Twin Towers. That type of resilience is something to be proud of.”

And the final, more doleful word

Larry Gell, founder and director of the International Agency for Economic Development (IAED), wrote, “My first job was working for the generals who ran the US Air Force Strategic Air Command. Our protection depends on our strategic rapid reaction to such attacks, and our ability to implement them somewhere at our choosing. What makes you think potential enemies are not thinking likewise?”