The cyber threat goes beyond hijacking computers. It’s about economics, politics, power and even human psychology. Simon Wilson looks at how we can protect ourselves.
The “WannaCry” mass ransomware attack that disrupted the NHS and other organisations around the globe earlier this month has refocused attention on the issue of cybersecurity; on the role of nation state actors (in this case the US National Security Agency, or NSA) in creating “exploits” that can fall into the wrong hands; and on the internet marketplaces where such exploits can be traded. Western intelligence officials believe the ShadowBrokers hacking group (which released the NSA exploit on which “WannaCry” was based) is part of the Kremlin’s online war on the West.
Others have suggested a North Korean link. There is, however, little evidence for either, and Russia was one of the countries worst hit. But the episode illustrates well the complex, multi-layered nature of the cyber threat. It was ShadowBrokers who released the NSA hacking tool (“EternalBlue”), points out the Financial Times. But it was another individual or group that repurposed it for malign use; and (probably) still another which turned it into ransomware.
What exactly are “exploits”?
An “exploit” is a piece of software, string of data, or sequence of coding commands that exploits a bug, design flaw or other vulnerability in computer software or hardware, so as to cause rogue behaviour in that system. It’s a tool for hackers (or spies) to hijack a computer system, cause it harm, monitor it or otherwise subvert it. Criminals develop exploits for profit; geeks or hacktivists do it for fun or politics; and spies do it because it’s their job. According to The Washington Post, when the NSA developed EternalBlue more than five years ago, staff were stunned by both its unusual power and the havoc it could wreak if it ever got into the wrong hands.
So this was predictable?
Indeed. Some NSA officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting. Instead, the NSA kept using it, until it was apparently stolen by hackers last August (most experts believe it was an inside job), at which point the NSA did tell Microsoft, who issued a software patch in March.
The exploit was then repackaged by cybercriminals, combined with “worm” code that made it easier to spread, and unleashed on the world in April by the ShadowBrokers. From then, it was only a matter of time before someone put it to use.
Why didn’t the NSA tell Microsoft?
Because spy agencies such as the NSA (or GCHQ in Britain) find the use of such exploits extremely effective in gathering foreign intelligence – hacking into the computers of surveillance targets is a key part of their work. In the case of EternalBlue, the intelligence was “unreal”, according to one ex-NSA official. “It was like fishing with dynamite,” said another.
The whole episode has given more ammunition to critics to question whether US spies can be trusted to develop and protect such potent hacking tools. But Richard Ledgett, who retired in April as NSA deputy director, argues that disclosing all flaws to software vendors would amount to “unilateral disarmament”.
Why is cybersecurity so hard?
Partly, it’s a basic technical issue. We have created astonishing computers, but we haven’t yet worked out how to write bug-free code. A frequently cited estimate by programming guru Steve McConnell is that people writing source code (ie, the instructions that are compiled inside a machine, into executable programs) make between ten and 50 errors in every 1,000 lines.
Careful checking can get that down to about 0.5 per 1,000, he reckons. But given that complex modern operating systems can involve tens of millions of lines of code, that still implies thousands of bugs in each, leaving ample room for exploitation. However, cybersecurity is not just a technical issue.
What else is it?
It’s a problem with deep roots in economics, human psychology, and an immature legal-political framework, says Michael Daniel in the Harvard Business Review. Computer users still find it hard to comprehend and act on the reality that our physical-world mental models simply don’t work in cyberspace. For example, in the physical world, crime and policing are local, and we rely on the government to police our borders. In cyberspace, “everyone’s network is at the border”, says Daniel. We just haven’t realised it yet – and even when we do, that will merely be a very small first step.
What can be done?
In the long run, the response will be driven by economics. Firms are already turning to hacking insurance to pool and mitigate risk; that in turn will (it is hoped) drive better security as insurers demand higher standards. Software makers are also likely to face more pressure to take greater liability for product defects – which again will foster a more secure environment. In the meantime, individuals should use up-to-date software, and accept all updates offered: they often contain lots of patches that fix bugs and close security loopholes. Even better, set your devices to install such updates automatically.
Rise of the cybercriminals
Europol believes that income from cybercrime is now greater than that from illegal drugs, says Sam Jones in the Financial Times. In the “cyber-arms bazaar” that now operates on the “dark web”, hacking platforms are available for almost anyone to access – coding skills are not needed. “Malware” platforms offer drop-down menus where criminals can choose the hacking tools they want to buy, rent or franchise. Some even come with “user support – chat apps that connect buyers with dedicated coders to help them troubleshoot in their efforts to steal or defraud”. Hacking forums even provide eBay-style ratings of malware sellers. “Fraudsters dislike being defrauded.”