In mid-April, the 'Shadow Hackers' online group made public some malicious software that had been stolen from the US government’s National Security Agency. A month later, 'ransomware' dubbed WannaCry that incorporated the bugs pilfered from US intelligence penetrated perhaps 300,000 computers running outdated Microsoft software in an estimated 150 countries.
While that might well be the most chilling cyberattack ever, it’s perhaps not the most significant because hackers have tried to influence elections, most notably the US election last year. While it will never be established how much the hacked emails from Hillary Clinton’s campaign helped Donald Trump, it’s apparent that cybercrime is all too common. It is already a US$1 trillion-industry worldwide, according to some estimates.
Nothing is safe on the internet
Whatever the true figure, identification theft, fraudulent online transfers, payment-card frauds, network assaults, denial-of-service attacks by malicious networks of computers (botnets), ransomware, cyberbullying, trolling and online child pornography are too common. They show that nothing is safe on the internet – apart from criminals, it seems.
If people, businesses, governments and other bodies including hospitals can’t trust the internet to protect data, share files, host websites, seamlessly send and receive messages and make payments, an internet slowed by protections and precautions could assume a lower profile in everyday life – or fall well short of its potential anyway. To maintain the public’s trust in the internet, policymakers are making cybersecurity a top priority while an industry has sprung up to protect cyberspace. It will be a never-ending battle.
To be sure, billions of interactions happen every day on the internet without hassle. A cyberattack is yet to trigger a catastrophe. Firewalls, virus antidotes and sophisticated behavioural defences help protect systems. The payments companies have never suffered a significant breach. Neither have the big digital-platforms. That may not last. The core problem is that the foundations of the internet are insecure. After all, they were designed to allow a few trusted parties to communicate, not billions worldwide.
Fragile and flawed
Amateur hackers were around in the early days of computers. Nowadays, cybercriminals operate in sophisticated packs. Thanks to technological advancements that allow for mass criminal activity while protecting anonymity, cybercrime is lucrative, hard to detect and even harder to prosecute.
Government, businesses and households are taking cybersecurity more seriously with each attack. The major responsibility for keeping the internet safe, however, lies with the operating system developers such as Apple, Google and Microsoft.
Microsoft software products include Windows XP, the model that WannaCry exploited. As is typical, Microsoft puts a finite life on its software versions because software is costly to update and patch.
Despite the negligence of enterprises that still use Windows XP while refusing to pay for support after its ‘end of life’, in the aftermath of the WannaCry attack, Microsoft stood accused of holding back on issuing a free repair for Windows XP that could have protected users.
Critics suggest that Microsoft would have provided support if not for its profit motive to sell software patches, and that it has an incentive to avoid providing security updates on old software, to force people to buy the latest versions. A bugbear for many people is that companies such as Microsoft bear little or no responsibility under US law if their software is vulnerable to attack.
Invisible but lethal
While governments are giving greater priority to cybersecurity, the most likely catastrophic assault on the internet is by a state-sponsored cyberwarfare attack.
Rogue governments are adept at cyberattacks, and cyberwarfare is likely to be a never-ending arms race. Democratic governments need to develop cyberwarfare technology to gather intelligence to protect their populations. The more weapons they create the more insecure adversaries feel, which prompts them to step up efforts. Another quandary is that intelligence agencies must decide whether or not to warn software manufacturers about flaws in their code. If they inform software makers (and they often do), intelligence agencies risk making worthless their cyberweaponary edge. Another concern is that cyberweapon technology is easy to steal.
Such are the unending challenges of guarding the internet against the next WannaCry.
Michael Collins is an Investment Specialist at Magellan Asset Management. Magellan is a sponsor of Cuffelinks.