Defending the digital frontier - The Economist · net to billions of people around the world. The...

JULY 12th 2014

S P E C I A L R E P O R T

CYBER-S ECUR I TY

Defending the digital frontier

20140712_SRcyber.indd 1 30/06/2014 16:56

The Economist July 12th 2014 1

CYBER-SECURIT Y

SPECIAL REPOR T

A list of sources is atEconomist.com/specialreports

An audio interview with the author is atEconomist.com/audiovideo/specialreports

CONTENTS

3 CybercrimeHackers Inc

3 VulnerabilitiesZero-day game

5 BusinessDigital disease control

6 Critical infrastructureCrashing the system

7 Market failuresNot my problem

8 The internet of thingsHome, hacked home

10 RemediesPrevention is better thancure

1

THE TERM “CYBERSPACE” was coined by William Gibson, a science-fic-tion writer. He first used it in a short story in 1982, and expanded on it acouple of years later in a novel, “Neuromancer”, whose main character,Henry Dorsett Case, is a troubled computer hacker and drug addict. Inthe bookMrGibson describes cyberspace as “a consensual hallucinationexperienced daily by billions of legitimate operators” and “a graphic rep-resentation of data abstracted from the banks of every computer in thehuman system.”

His literary creation turned out to be remarkably prescient. Cyber-space has become shorthand for the computing devices, networks, fibre-optic cables, wireless links and other infrastructure that bring the inter-net to billions of people around the world. The myriad connectionsforged by these technologies have brought tremendous benefits to every-one who uses the web to tap into humanity’s collective store of knowl-edge every day.

But there is a darker side to this extraordinary invention. Databreaches are becoming ever bigger and more common. Last year over800m records were lost, mainly through such attacks (see chart 1, nextpage). Among the most prominent recent victims has been Target, whosechief executive, Gregg Steinhafel, stood down from his job in May, a fewmonths after the giant American retailer revealed that online intrudershad stolen millions ofdigital records about its customers, including cred-it- and debit-card details. Other well-known firms such as Adobe, a techcompany, and eBay, an online marketplace, have also been hit.

The potential damage, though, extends well beyond such commer-cial incursions. Wider concerns have been raised by the revelationsabout the mass surveillance carried out by Western intelligence agenciesmade by Edward Snowden, a contractor to America’s National SecurityAgency (NSA), as well as by the growing numbers of cyber-warriors be-ing recruited by countries that see cyberspace as a new domain of war-

Defending the digitalfrontier

Companies, markets and countries are increasingly under attackfrom cyber-criminals, hacktivists and spies. They need to getmuch better at protecting themselves, says Martin Giles

ACKNOWLEDGMENT S

Apart from those mentioned in thetext, the author would like to thankthe following for their help withpreparing this report: Rohyt Belani,Dave Clemente, David DeWalt, NeilGershenfeld, Ellen Giblin, RajivGupta, Eugene Kaspersky, JamesLewis, Jarno Limnell, Alain Louchez,Marc Maiffret, Barmak Meftah, BrentRowe, Phyllis Schneck and PaulSwarbrick.

2 The Economist July 12th 2014

SPECIAL REPOR TCYBER-SECURIT Y

2 fare. America’s president, Barack Obama, said in a White Housepress release earlier this year that cyberthreats “pose one of thegravest national-security dangers” the country is facing.

Securing cyberspace is hard because the architecture of theinternet was designed to promote connectivity, not security. Itsfounders focused on getting it to work and did not worry muchabout threats because the networkwas affiliated with America’smilitary. As hackers turned up, layers of security, from antivirusprograms to firewalls, were added to try to keep them at bay.Gartner, a research firm, reckons that last year organisationsaround the globe spent $67 billion on information security.

On the whole, these defences have worked reasonablywell. For all the talk about the risk of a “cyber 9/11” or a “cyber-geddon”, the internethasproved remarkably resilient. Hundredsof millions of people turn on their computers every day andbankonline, shop at virtual stores, swap gossip and photos withtheir friends on social networks and send all kinds of sensitive

data over the web without ill effect. Companies and govern-ments are shifting ever more services online.

But the task is becoming harder. Cyber-security, which in-volvesprotectingboth data and people, is facingmultiple threats,notably cybercrime and online industrial espionage, both ofwhich are growing rapidly. A recent estimate by the Centre forStrategic and International Studies (CSIS), a think-tank, puts theannual global costofdigital crime and intellectual-property theftat $445 billion—a sum roughly equivalent to the GDP of a small-ish rich European country such as Austria.

To add to the worries, there is also the risk of cyber-sabo-tage. Terrorists or agents of hostile powers could mount attackson companies and systems that control vital parts of an econ-omy, including power stations, electrical grids and communica-tions networks. Such attacks are hard to pull off, but not impos-sible. One precedent is the destruction in 2010 of centrifuges at anuclearfacility in Iran bya computerprogram known asStuxnet,the handiworkofAmerican and Israeli software experts.

In another high-profile sabotage incident, in 2012, a com-puter virus known as Shamoon wiped the hard drives of tens ofthousands of computers at Saudi Aramco, a Saudi Arabian oiland natural-gas giant, and left a picture of a burning Americanflag on the screens of the stricken devices. The assault is widelythought to have been carried out by Iran.

Look for the crooks and spooks

But such events are rare. The biggest day-to-day threatsfaced by companies and government agencies come from crooksand spooks hoping to steal financial data and trade secrets, sothis special report will focus mainly on cybercrime and cyber-es-pionage. Smarter, better-organised hackers are making lifetougher for the cyber-defenders, but the report will argue thateven so a number of things can be done to keep everyone saferthan they are now.

One is to ensure that organisations get the basics of cyber-security right. All too often breaches are caused by simple blun-ders, such as failing to separate systems containing sensitive datafrom those that do not need access to them. Companies alsoneed to get better at anticipating where attacks may be comingfrom and at adapting their defences swiftly in response to newthreats. Technology can help, as can industry initiatives that al-low firms to share intelligence about risks with each other.

This report will also argue that there is a need to provide in-centives to improve cyber-security, be they carrots or sticks. Oneidea is to encourage internet-service providers (ISPs), or the com-panies that manage internet connections, to shoulder more re-sponsibility for identifying and helping to clean up computersinfected with malicious software (malware). Another is to findways to ensure that software developers produce code with few-er flaws in it so that hackers have fewer security holes to exploit.

An additional reason for getting tech companies to give ahigher priority to security is that cyberspace is about to undergoanother massive change. Over the next few years billions ofnewdevices, from cars to household appliances and medical equip-ment, will be fitted with tiny computers that connect them to theweb and make them more useful. Dubbed “the internet ofthings”, this is already making it possible, for example, to controlhome appliances using smartphone apps and to monitor medi-cal devices remotely.

But unless these systems have adequate security protec-tion, the internet of things could easily become the internet ofnew things to be hacked. Plenty of people are eager to take ad-vantage of any weaknesses they may spot. Hacking used to beabout geeky college kids tapping away in their bedrooms to an-noy their elders. It has grown up with a vengeance. 7

1A world of insecurity

Average cost of data breach per record, by industry, 2013, $

*Estimate †Forecast

Worldwide

Breached recordsm

Information-security spending$bn

Sources: Gartner; Risk Based Security; Ponemon Institute

0

20

40

60

80

2009* 10 11 12 13 14†

0

200

400

600

800

1,000

2009 10 11 12 13 14

Q1

0 100 200 300 400

Health care

Education

Pharmaceutical

Financial

Communications

Industrial

Consumer

Services

Energy

Technology

Media

Hospitality

Transport

Retail


CYBER-SECURIT Y

1

AT 2PM ON March 20th 2013 the hard drives of tens of thou-sands of computers in South Korea were suddenly wiped

clean in a massive cyber-attack. The main targetswere banks andnews agencies. At first the assault looked like a case of cyber-van-dalism. But as they probed deeper, the computer sleuths investi-gating it came to a different conclusion.

The operation, which they dubbed “Dark Seoul”, had beencarefully planned. The hackers had found their way into the tar-gets’ systems a couple of months earlier and inserted the soft-ware needed to wipe drives. Justbefore the attackthey added thecode needed to trigger it. Looking at the methods the intruders

used, the investigators from McAfee, a cyber-security firm,thought that the attackmight have been carried out by a group ofhackers known for targeting South Korean military information.

But they could not be sure. Tracing the exact source ofan at-tackcan be next to impossible if the assailantswant to cover theirtracks. Over the past decade or so various techniques have beendeveloped to mask the location of web users. For example, atechnology known as Tor anonymises internet connections bybouncing data around the globe, encrypting and re-encryptingthem until their original sender can no longer be traced.

Conversely, some hackers are only too happy to let theworld know what they have been up to. Groups such as Anony-mous and LulzSec hack for fun (“lulz” in web jargon) or to drawattention to an issue, typically by defacingwebsites or launchingdistributed-denial-of-service (DDoS) attacks, which involvesending huge amounts of traffic to websites to knock them off-line. Anonymous also has a track record of leaking e-mails andother material from some of its targets.

Criminal hackers are responsible for by far the largest num-ber of attacks in cyberspace and have become arguably the big-gest threat facingcompanies. Some groups have organised them-

Cybercrime

Hackers Inc

Cyber-attackers have multiplied and become far moreprofessional

“HOW DO YOU protect what you want toexploit?” asks Scott Charney, an executive atMicrosoft. He highlights a dilemma. In-telligence agencies look for programmingmistakes in software so they can use them tospy on terrorists and other targets. But ifthey leave open these security holes, knownin tech jargon as “vulnerabilities”, they runthe risk that hostile hackers will also find andexploit them.

Academics, security researchers andteams from software firms unearth hundredsof vulnerabilities each year. One recentdiscovery was the Heartbleed bug, a flaw in awidely used encryption system. Software-makers encourage anyone who finds a flaw tolet them know immediately so they can issue“patches” for their programs before hackerscan take advantage of them. That is how mostvulnerabilities are dealt with. Some firmseven run “bug bounty” schemes that reward

people for pointing out flaws.But there will always be “zero-days”, or

brand new vulnerabilities that softwaremakers do not know about and for which nopatch yet exists. Hackers who can get theirhands on the source code of a program canuse various tools to try to find holes in it.Another technique is “fuzzing”, which in-volves pushing random data into the inputsof a program. If it crashes or signals ananomaly, that indicates a bug is presentwhich may offer a way in.

Zero-days are rare, and can often beused for some time before someone elsespots them. Two researchers at Symantec, acyber-security firm, studied 18 zero-daysfound by the firm’s software in 2008-10 andconcluded that the flaws remained undetect-ed for an average of ten months.

The use of such vulnerabilities byWestern intelligence agencies has sparked a

Zero-day game

Wielding a controversial cyber-weapon

debate about the wisdom of stockpilingdigital weapons that weaken the security ofcyberspace. But zero-days may occasionallybe needed to uncover information crucial tonational security, so a few have to be kept tohand. In America, a report by a presidentialpanel to review cyber-security after EdwardSnowden’s revelations, published last De-cember, urged the government not in any wayto “subvert, undermine, weaken or makevulnerable” generally available commercialsoftware, and to fix zero-day vulnerabilitiesquickly, with rare exceptions.

In April Michael Daniel, the WhiteHouse’s adviser on cyber-security, an-nounced that the NSA’s future policy onexploiting zero-days would have a “bias”towards disclosing them unless there was aclear need to retain them on national-securi-ty or law-enforcement grounds. But whatmight constitute such a need was left unsaid.

SPECIAL REPOR T



2 selves so thoroughly that they resemble mini-multinationals.Earlier this year a joint operation by police from a number ofcountries brought down the cybercrime ring behind a piece ofmalware called Blackshades, which had infected more than halfa million computers in over100 countries. The police found thatthe group was paying salaries to its staff and had hired a market-ing director to tout its software to hackers. It even maintained acustomer-support team.

Such organised hacking empires are becoming more com-mon. “Crime has changed dramatically as a result of the inter-net,” says Andy Archibald, the head of Britain’s National CyberCrime Unit. Criminal hackers are involved in two broad sets ofscams. In the first, they help carry out traditional crimes. Lastyear police in the Netherlands and Belgium broke up a drug-smuggling ring that had hired a couple of computer experts tobeef up its logistics. The gang hid drugs in legitimate shipmentsof goods destined for the port of Antwerp, using the hackers tobreak into the IT systems of shipping companies at the port andsteal the security codes for the containers so the crooks couldhaul them away before their owners arrived.

Economies of scale

The second type of crime takes place entirely online. InJune American authorities issued charges against the Russianmastermind behind the GameOver Zeus botnet, a sophisticatedpiece of malware that steals login details for people’s bank ac-counts from infected computers and uses them to drain cashfrom their accounts. The FBI puts the losses at over $100m. “Rob-bing one person at a time using a knife or gun doesn’t scale well.But now one person can rob millions at the click of a button,”says Marc Goodman of the Future Crimes Institute.

In the past yearorso police have scored some other notablevictories against digital crooks. These include the arrest of theman behind Silk Road, a notorious online bazaar that sold guns,drugs and stolen credit-card records, and a raid on servers host-ingCryptolocker, a “ransomware” program which encryptscom-puter files, decrypting them only on payment ofa ransom.

Cybercrimes often involve multiple jurisdictions, whichmakes investigations complicated and time-consuming. Andgood cybersleuths are hard to find, because the sort of peoplewho are up to the job are also much in demand by companies,which usually offer higher pay. Mr Archibald says he is trying toget more private firms to send him com-puter-savvy employees on secondment.

Crooks are generally after money.The motives of state-sponsored or state-tolerated hackers are harder to categorise,ranging from a wish to cause chaos to pil-fering industrial secrets. The Syrian Elec-tronic Army, for example, generates pub-licity by defacing the websites of media companies. Last year ithijacked the Twitteraccount ofthe Associated Press and posted atweet falsely claiming that the White House had been bombed.

Other groups that have caught security people’s attentioninclude Operation Hangover, based in India and focused onPakistani targets, and the Elderwood Group, a Chinese hackeroutfit that was behind a series of attacks in 2009 on Americantech companies such as Google. Such groups have become col-lectively known by a new acronym, APTs, or advanced persis-tent threats. “These hackers are smart and they wage long-termcampaigns,” says Mike Fey, McAfee’s chief technology officer.

Unlike criminals, who typically scatter malware far andwide to infect as many targets as possible, APT groups concen-trate on specific targets. They often use “spear-phishing” attacks,trying to trick people into divulging passwords and other sensi-

tive information, to get access to networks. And once inside, theysometimes lie low for weeks or months before striking.

Government spies typically use the same tactics, so it canbe hard to tell the difference between state-run spying and theprivate sort. When Mandiant, a cyber-security firm, published areport last year about China’s industrial-espionage activities, itlabelled it “APT1”. The report claimed that Chinese hackers fromUnit 61398, a Shanghai-based arm of the People’s LiberationArmy, had broken into dozens of corporate networks over anumber of years, paying special attention to industries such astechnology and aerospace that China sees as strategic (see chart2). In May America’s Justice Department indicted five Chinesehackers from the unit in absentia for attacks on the networks ofsome American firms and a trade union.

China is not the only country involved in extensive cyber-espionage. Edward Snowden’s leaks have shown that America’sNSA ran surveillance programmes that collected information di-rect from the servers of big tech firms, including Microsoft andFacebook, and that it eavesdropped on executives at Huawei, alarge Chinese telecoms firm. American officials like to claim thatthe NSA’s spying is not designed to be of direct benefit to Ameri-can firms, though it has certainly sought intelligence on issuessuch as trade negotiations thatare likely to be helpful to all Amer-ican companies.

Blocking sophisticated and highly targeted attacks is ex-tremelydifficult. Defendersare like the batsmen in a cricket gamewho must deflect every ball heading for the stumps; hackers justneed to knock off the bails once to win. But the defence wouldgreatly improve its chances by getting a few basic things right. 7

2From China with maliceOrganisations targeted by one Chinese group of hackers*

By industry

Source: Mandiant *Dots represent earliest date when a new organisation was targeted

Public administrationConstruction and manufacturingAerospaceEducationHealth careMetals and mining

Information technologyTransportHigh-tech electronicsFinancial servicesNavigationLegal servicesEngineeringMedia, advertising and entertainmentFood and agricultureSatellites and telecomsChemicalsEnergyInternational organisationsScientific research

2006 07 08 09 10 11 12

Total

Cybercrimes often involve multiple jurisdictions, whichmakes investigations complicated and time-consuming.And good cybersleuths are hard to find


CYBER-SECURIT Y

1

SAFEGUARDING CYBER-SECURITY is a bit like trying tokeep an infectiousdisease atbay. Nastysoftware can spread

swiftly to large populations, so it has to be identified quickly andinformation passed on immediately to ensure that others canprotect themselves. Ideally, organisations should avoid catchingan infection in the first place—but that requires them to get betterat basic security hygiene.

The story of the hackers who hit the bull’s eye at Target is re-vealing. They are thought to have broken into the computers ofaheating, ventilation and air-conditioning firm that was a suppli-er to Target and had access to login details for the retailer’s sys-tems. Once inside, the hackers were able to install malware onTarget’s point-of-sale system that captured credit- and debit-carddetails at tills before the data were encrypted. This scam affectedsome 40m customers.

The debacle showed up several flaws in Target’s securitythat the company has since fixed. It has strengthened internal fi-rewalls to make itharderforhackers to move across its networkifthey find a way in. It has also developed “whitelisting” rules forits point-of-sale system, which will flag up any attempt to installsoftware that has not been pre-approved. And it has reinforcedsecurity around passwords used by its staffand contractors.

At eBay, cyber-attackers were able to get their hands on thelogin details of some employees and used these to gain access toa database containing encrypted customer passwords and othernon-financial data. The firm asked all its 145m users to changetheir passwords as a precaution, but says it has seen no evidenceof any spike in fraudulent activity. It also reassured customersthat their financial and credit-card data were held in encryptedform in databases not affected by the attack.

Both of these cases high-light the need to think careful-ly about how data are storedand who has access to them.They also demonstrate the im-portance ofencryption. WhenMr Snowden addresses con-ference audiences (which hedoes via video link from Rus-sia), he often reminds themthat strong encryption canfrustrate even the NSA. That iswhy a number of technologycompanies, including Micro-soft, Yahoo and Google, arenow encrypting far more ofthe data that flow across theirnetworks, and between them-selves and their customers.

Educating employeesabout security risks is equallyimportant. In particular, theyneed to be aware ofthe dangerof spear-phishing attacks,which often use false e-mail

addresses and websites. Kaspersky Lab, a cyber-security firm,found that globally an average of102,000 people a day were hitby phishing attacks in the year to April 2013. Security softwarehas got better at weeding out suspect mail, but hackers are con-stantly trying new tactics.

Your birthday won’t do

Their job would be made harder if people picked more ro-bust password��erizon, a telecoms company, studied 621 data

breaches in 2012 in which 44m records were lost and found thatin four out of five cases where hackers had struck they had beenable to guess passwords easily—or had stolen them. There haslong been talk of using biometric identifiers such as fingerprintsor face-recognition technology to add an extra layer of security,but these have yet to catch on widely.

And even if they were to become more widespread, theywould not protect firms from rogue staff. As Mr Snowden hasshown, insiders bent on leaking sensitive data can cause hugedamage. This can involve large sums of money. A study by re-searchers at Carnegie Mellon University of 103 cases of intellec-tual-property theft by corporate insiders in America between2001 and 2013 found that almost half involved losses of morethan $1m. Many were in the IT and financial-services industries(see chart 3). Insiders sometimes turn to this kind of crime afterbecoming disgruntled with an employer. “An insider threat is athousand times worse than a hacker threat because it is so hardto defend against,” says Chris Hadnagy, a security expert.

Technology can help. Darktrace, a British startup, is one ofseveral firms touting continuous network monitoring software.This uses complex algorithms and mathematical models to mapwhat normal daily behaviour on a network looks like and thenflags up anomalies, such as a computer that suddenly startsdownloading unusually large data files. The technology can alsohelp spot hackers at work inside a system. Andrew France, Dark-trace’s boss, says firms need “immune systems” that can auto-matically react to any intrusion.

This is becoming even more important as skilled hackersare getting better at covering their tracks. In the APT cases Man-diant was asked to workon last year, the security firm found thatthe median time hackers were able to operate inside systems be-fore being discovered was 229 days. The known record was heldby a group of digital ninjas who dodged detection for over six

Business

Digital disease control

Basic security hygiene goes a long way

3Whom can you trust?

Source: Carnegie Mellon CERT

Intellectual-property theft inAmerica by insidersBy industry, % of total

0 10 20 30 40

IT

Banking andfinance

Chemical

Criticalmanufacturing

Commercialfacilities

Energy

Defenceindustrial base

Health care andpublic health

Transport

Communications

SPECIAL REPOR T



2

1

years. And these numbers cover onlycases in which intruders were eventuallyspotted, so the real damage done may bemuch worse than they suggest.

To catch hackers early and create de-fences to keep them out, some companiesare systematically studying the habits ofhighly organised groups. “You need to tryand get ahead of threats, not just react tothem,” says Phil Venables, the chief infor-mation-security officer (CISO) of Gold-man Sachs, a big American investmentbank. Goldman has built a threat-man-agement centre staffed by ex-spooks whoscan cyberspace for anything that couldpose a risk to the bank and then tweak itsdefences accordingly.

Facebook, a prime target for hackersand spammers, has built ThreatData, acomputer system that sucks in vastamounts of information about threatsfrom a wide range of sources, includinglists of malicious websites. Details ofthese sites are automatically fed into ablacklist used to protect Facebook.comand the firm’s corporate network. Joe Sul-livan, the social network’s CISO, saysthreats are now changing so fast that aninstant response is essential.

If precautions have failed, it is stillworth trying to zap a threat at an earlystage. After the Target debacle a group ofretailers including Nike, Gap and Target it-self set up an Information Sharing andAnalysis Centre, or ISAC, with an opera-tions centre that will share informationabout cyberthreats among its members.

Big banks in America have been do-ing this for some time; indeed, the retail-ers’ ISAC is modelled after the financial-services version, FS-ISAC, which was setup in 1999. The finance group now has4,700 members and in recent years hashelped co-ordinate banks’ defencesagainstmassive DDoS attacks. Bill Nelson,who heads it, says it is spending $4.5m onbuilding a platform that will allow banksusing it to adapt their defences almost in-stantly to intelligence about new threats.

The British government has takenthis idea even further. JamesQuinault, thehead of the Office ofCyber Security and Information Assurance,which leads the government’s strategic thinkingon cyber-securi-ty issues, says it has created an electronic platform, or “social net-work for defenders”, that lets its 450-plus members share threatinformation. The group includes companies from a wide rangeof industries including defence, financial services, energy andpharmaceuticals. The idea is to make it as diverse as possible sodata about threats travel fast across the country’s industrial base.The network also has a group of spooks and industry expertswho spot intelligence that could be useful to firms in other sec-tors and pass it on, having first obtained permission.

Sharing information is extremely helpful, but some largecompanies are now assuming that truly determined hackerscannot be kept out. So they are putting more emphasis on build-

ing resilience—the ability to bounce back fast in the event of abreach. It is essential to have a well-conceived recovery plan andto test it regularly, says Ed Powers ofDeloitte, a consulting firm. Infinancial services, where a problem at one company could easilytrigger a system-wide crisis, regulators are urging banks and oth-er firms to consider resilience across markets.

A war game run last July by America’s securities industry,Quantum Dawn 2, simulated a widespread attack by hackers in-tent on stealing large amounts of money and disrupting thestockmarket. As part of the game, the assailants corrupted thesource code of a popular equities software program, hacked asystem that let them issue fraudulent press releases and mount-ed DDoS attacks on government networks. Among the lessonslearnt from the exercise was that business and tech people need

IN THE HIGH desert some 50 miles west ofIdaho Falls, the terrain is so rugged thatthe vehicle in which your correspondentwas touring the facilities at Idaho NationalLaboratory (INL) ended up with two shred-ded tyres. Originally set up in the 1940s totest naval artillery, the high-securitygovernment lab now worries about weap-ons of a different kind. Some of its eliteengineers help protect power grids, tele-coms networks and other critical infra-structure in America against cyber-attacksand other threats.

The lab boasts its own 61-mile (98km)electrical grid and seven substations. Italso has a wireless network and an explo-sives test bed. These can all be used bygovernment agencies and businesses to runexperiments that would be hard or impos-sible to conduct in an operational setting.“There are not many places in the worldwhere you can crash a power system with-out incident,” says Ron Fisher, who over-sees the Department of Homeland Securi-ty’s programme office at the lab.

The tour covers the site of a 2006experiment that subsequently got a lot ofattention. Known as the Aurora test, itdemonstrated how it was possible to launcha cyber-attack on a big diesel generator byexploiting a weakness in a supervisorycontrol and data acquisition (SCADA) sys-tem. Such systems are used to monitor andcontrol physical equipment in everythingfrom power stations to water-treatmentplants. In a video of the att��ouTube,bits can be seen flying off the generator,followed by black smoke.

Teams from the INL and other engi-neers have since been advising utilities onhow to secure SCADA systems. Many of thesewere designed to work in obscurity on

closed networks, so have only lightweightsecurity defences. But utilities and othercompanies have been hooking them up tothe web in order to improve efficiency. Thishas made them visible to search enginessuch as SHODAN, which trawls the internetlooking for devices that have been connect-ed to it. SHODANwas designed for securityresearchers, but a malicious hacker coulduse it to find a target.

The worry is that a terrorist may breakinto a control system and use it to bringdown a power grid or damage an oil pipe-line. This is much harder to do than itsounds, which explains why so far Americahas seen no power outages triggered by acyber-attack. Squirrels and fallen brancheshave done more damage.

Nevertheless, the case of Stuxnetshows what is possible. In 2010 the ma-licious code was used to attack the systemthat controlled centrifuges for enrichinguranium at Iran’s nuclear facility in Natanz,causing them to spin out of control. To pullthis off, however, the masterminds behindStuxnet had to find a way to smuggle thecode into the facility, possibly on a USBstick, because the system had been keptisolated from the internet.

As more control systems are connect-ed to the web, more vulnerabilities willinevitably appear. Already security re-searchers are discovering flaws in thingssuch as communications protocols thatgovern the flow of data between utilities’SCADA systems and the remote substationsthey control. Hence talk about defence-in-depth strategies, which ensure that vitalareas are covered by a number of back-upsystems. Multiple bulwarks greatly increasethe cost of security, but that may be a pricethe companies have to pay.

Crashing the system

How to protect critical infrastructure from cyber-attacks


CYBER-SECURIT Y

2

1

HEATHER ADKINS, GOOGLE’S security chief, has whatshe calls a “monthly patch day”, when she updates the soft-

ware running on all of the electronic devices in her home. Ifeverybody were like Ms Adkins, cyber-security would be muchless of a problem. But even with the best of intentions, peopleforget to update software, install antivirus programs and so on.

The problem is that by weakening their own defences, theydo not just make themselves more vulnerable to being hacked;they may also cause harm to other web users by making it pos-sible, say, for an intruder surreptitiously to take over their deviceand use it to attack other computers. The same holds true in thecorporate world. Target spent a fortune each year on cyber-secu-rity, but was attacked via a heatingand air-conditioning supplierwhose defences were apparently not ro-bust enough to keep hackers out.

Companies are often reluctant to ad-mit that they have been hacked. This maymake sense for them because disclosurecould lay them open to litigation and puttheir customers off doing business withthem, but it increases the risk that othercompanies which could have learnedfrom their experience will be attacked inthe same way. All these are examples ofwhat economists call negative external-ities, which come about when individ-uals or firms do not incur the full cost oftheir decisions.

Another reason for slip-ups is theway computer code is produced. Compa-nies that make software have an incen-tive to ship it as fast as they can to get ahead of their rivals, andthen patch any flaws as and when they are discovered. But fixesare not always delivered swiftly, which means customers’ sys-tems are left vulnerable to hackers.

Such cases suggest that there is a market failure in cyber-se-curity. Solutions being suggested or tried include increasingtransparency about data losses; helping consumers and firms tomake more informed decisions about cyber-security; shedding

more light on how internet-service providers (ISPs) tackle mal-ware infections they spot on customers’ computers; and using li-ability laws to force software companies to produce safer code.

On transparency, America has led the way. Almost allAmerican states now have data-breach laws that require firms toreveal any loss ofsensitive customer information. In Europe tele-comsfirmshave been obliged to notifycustomersofbreaches forsome time now, and there are plans to extend reporting to a wid-er range of industries. A draft European Union directive ap-proved by the European Parliament would require firms in othercritical-infrastructure industries, such aspowercompanies, to re-port breaches to the authorities.

The sky is the limit

Breach laws have encouraged insurance companies to offercoverage against potential losses. This is helpful because they arein a position to gather and share information about best prac-tices across a wide range of companies. Mike Donovan of Bea-zley, a cyber-insurer, says that his firm advises companies on de-fensive tactics, but also on how to minimise the damage ifsomething goes wrong.

Tyler Moore of Southern Methodist University suggeststhat the American government should create a cyber-equivalentof the National Transportation Safety Board, which investigatesserious accidents and shares information about them. He sayssuch a body could look into all breaches that cost over, say, $50mand make sure the lessons are shared widely.

But insurers are likely to remain wary of taking on broaderrisks because the costs associated with a serious cyber-incidentcould be astronomic. “Insurers can deal with acts ofGod, but notactsofAnonymousoractsofIran,” saysAllan Friedman, a cyber-security researcher at George Washington University. This ex-plains why the overall cyber-insurance market is still small: onerecent estimate puts it at $2 billion.

Governments are weighing in, too, not least by supportingprivate-sector efforts to clean up “botnets”, or networks of com-promised computers controlled by hackers. These networks,which are prevalent in countries such as America and China (seechart 4, next page), can be used to launch DDoS attacks and

spread malware. In Germany an initiative called Bot-Frei, whichhelps people clean up their infected computers, received govern-ment support to get started, though it is now self-financing. TheAmerican government has also worked closely with privatefirms such as Microsoft to bring down large botnets.

Another strategy involves issuing standards to encourageimproved security. In February America’s National Institute ofStandards and Technology published a set of voluntary guide-lines forcompanies in critical-infrastructure sectors such as ener-gy and transport. And last month Britain launched a schemecalled “cyber-essentials” underwhich firmscan applyfora certif-icate showing they comply with certain minimum security stan-dards. Applicants undergo an external audit and, if successful,are awarded a badge which they can use on marketingmaterials.Whether governments are best placed to set minimum stan-dards is debatable, but they have certainly raised awareness ofcyber-security as an issue that needs attention.

They could also help to get more information into the pub-

Market failures

Not my problem

Providing incentives for good behaviour

There is a market failure in cyber-security, made worseby the trouble firms have in getting reliable informationabout the threats they face

to workmore closely together, and that they need to get better atjudging whether an attackcould sparka systemic crisis.

Such exercises are helpful to improve cyber-defences, butnot nearly as helpful as a much simpler remedy: to put in place aset of basic precautions. The Australian Signals Directorate, theequivalent of Britain’s Government Communications Head-quarters (GCHQ), says that at least 85% of targeted breaches itsees could be prevented by just four measures: whitelisting soft-ware applications; regularlypatchingwidelyused software suchas PDF viewers, web browsers and Microsoft Office; doing thesame for operating systems; and restricting administrator privi-leges (granting control over a system) to those who really needthem to do their job. So why do companies so often fail to adoptthem? Economics provides some of the answers. 7

SPECIAL REPOR T



2

1

lic domain. Mr Moore, Ross Anderson, a professor ofsecurity en-gineering at Cambridge University, and other researchers haveargued persuasively that collecting and publishing data aboutthe quantity ofspam and other bad traffic handled by ISPs couldencourage the worst performers to do more to tackle the pro-blem, thus improving overall security.

Another debate has revolved around getting software com-panies to produce code with fewerflaws in it. One idea is to makethem liable for damage caused when, say, hackers exploit aweakness in a software program. Most software companies cur-rently insist customersacceptend-user licensingagreements thatspecifically protect firms from legal claims unless local laws pro-hibit such exclusions.

The snag is that imposing blanket liability could have achilling effect on innovation. “Companies that are selling mil-lions of copies of programs might take fright at the potential ex-posure and leave the business,” cautions Brad Templeton of theElectronic Frontier Foundation, a consumer-rights group. PaulRosenzweig of Red Branch Consulting suggests that strict liabil-ity be applied only to firms which produce software that cannotbe patched if a security flaw is found. There is quite a lot of thatsort ofcode around.

Mr Anderson reckons that the software industry is boundto come under pressure to produce more secure code, just as inthe 1970s the car industry was forced to improve the safety ofve-hicles after campaigns mounted by consumer activists such asRalph Nader. This process could take time, but the move to linkall kinds ofhousehold devices to the internet is likely to be a wa-tershed moment.

Europe already has laws requiring device manufacturers tocertify that their products are safe for use. Mr Anderson thinksthat, as part of this process, firms should also be required to self-certify that the software in them is designed to be secure and canbe patched swiftly if a flaw is found. “

�ou want to be sure that

your connected TV cannot be recruited into a botnet,” he says.There are already signs that hackers are finding ways to exploitdevices around the home. 7

Source: Symantec

Malicious activity by source: Bot population 2012-13, % of world total

Danger spots

PERU

United States

20.0

China

9.1

Italy6.0

Taiwan6.0

Brazil5.7

Japan4.3

Hungary4.2

Germany4.2

Spain3.9

Canada3.5

4

ONE NIGHT IN April a couple in Ohio was woken by thesound of a man shouting, “Wake up, baby!” When the hus-

band went to investigate, he found the noise was coming from aweb-connected camera they had set up to monitor their youngdaughterwhile she slept. Ashe entered herbedroom, the camerarotated to face him and a string ofobscenities poured forth.

The webcam was made by a company called Foscam, andlast year a family in Houston had a similar experience with oneof their products. After that episode, Foscam urged users to up-grade the software on their devices and to make sure they hadchanged the factory-issued password. The couple in Ohio hadnot done so. The problem arose even though Foscam had takenall the right steps in response to the initial breach, which showshow hard it is to protect devices hooked up to the internet.

There will soon be a great many more of them. Cisco, a techcompany, reckons that by the end of this decade there could besome 50 billion things with web connections (see chart 5, nextpage). Among them will be lots of consumer gear, from camerasto cars, fridges and televisions.

Smart or foolish?

This new network is already turning out to be very useful.Smart cars are able to read e-mails and text messages to driverson the move; smart fridgescarefullymanage the energy they use;smart medical devices allow doctors to monitor patients fromafar; and smart screens in the home display all kinds of useful in-formation. Entire cities in South Korea are already rushing to linktheir infrastructure to the web to make it more efficient and im-prove services.

But security experts are sounding the alarm. “There is a bigdifference between the internet of things and other security is-sues,” says Joshua Corman of I Am The Cavalry, a group of secu-rity specialists trying to promote greater awareness of emergingrisks to public safety. “If my PC is hit by a cyber-attack, it is a nui-sance; ifmy car is attacked, it could kill me.”

The internet of things

Home, hacked home

The perils of connected devices


CYBER-SECURIT Y

2 This may smack of scaremongering, but researchers havealready demonstrated that some vehicles are vulnerable tocyber-attacks. Modern cars are essentially a collection of com-puters on wheels, packed with many microcontrollers that gov-ern their engines, brakes and so forth. Researchers such as ChrisValasek and Mathew Solnik have shown that it is possible tohack into these systems and take over a vehicle.

Their experiments, which include steering wheels sudden-ly being wrenched to one side and engines being switched offwithout warning, have caught the attention of carmakers. Thetechniques used to hack the vehicles’ controls are sophisticated,and many require physical access to the engine, so for the mo-ment this is unlikely to happen to your car. But technologymoves fast: at an event in Singapore earlier this year two re-searchers showed offa car-hacking tool the size ofa smartphonethat cost less than $25 to build.

Some medical devices, including several types of insulinpump, have also been hacked in public demonstrations. Jay Rad-cliffe, a security researcher who happens to be diabetic, madeheadlines a few years ago when he discovered that his comput-erised insulin pump could be attacked by remotely entering thewireless-communications system that controlled it. A malicioushackercould have changed the amountofinsulin beingadminis-tered. In a recentblogpost, MrRadcliffe gave warning thatemerg-ing medical technology is often ill-equipped to deal with threats

arising in an interconnected world.Other researchers agree. “There are

just super simple flaws in some medicaldevices,” says Billy Rios of Qualys, acyber-securityfirm. Lastyearhe and a col-league found “back doors” into variousbits of medical equipment. These arepasswords used by technicians fromfirms that sell the devices to update thesoftware that runs them. A hacker with aback door could use it to, say, adjust an X-ray machine so that it administers a farhigher dosage than its display shows. MrRios took his findings to regulators andworked with them and with the compa-nies involved to fix the flaws.

It all sounds rather worrying, but sofar there has been no known case of acyber-attack in which a car has beenforced off the road or a medical device

misappropriated. Mr Rios accepts that some people think his re-search is designed to drum up sales for the cyber-security indus-try, but he insists that the risks are real.

Many items, including mundane things like light bulbs anddoor locks, are being hooked up to the internet by putting tinycomputers into them and adding wireless connectivity. The pro-blem is that these computers do not have enough processingpower to handle antivirusand otherdefences found on a PC. Themargins on them are wafer-thin, so manufacturers have littlescope for spending on security. And the systems are being pro-duced in vast quantities, so hackers finding a flaw in one will beable to get into many others too.

This is already happening with some home wireless rou-ters. Earlier this year Team Cymru, an American cyber-securityfirm, found a network of 300,000 compromised routers in va-rious countries, including America, India, Italy an��ietnam. In2012 crooks in Brazil tookcontrol of4.5m routers, using the stoleninformation to plunder a large number ofbankaccounts.

Watch that fridge

A lot more devices with little computers inside them willend up in people’s homes, often connected to one another viahome-automation systems. That will make them tempting tar-gets for cyber-attackers. In January Proofpoint, a security firm,claimed it had found evidence that a group of compromised de-vices, including home routers, televisions and a refrigerator, hadbeen commandeered by hackers and were being used to pumpout spam. That is annoying enough, but what if a tech-savvy ar-sonist were to find a way of, say, taking control of home boilersand turn them up so much that they burst into flames? Mr Rioshas already found tens of thousands of corporate heating, air-conditioning and ventilation systems online, many with vulner-abilities in their software that a hacker could exploit.

Some companies are now trying to build security into theirproducts from the start. Broadcom, a chipmaker, recently un-veiled a microchip specially designed for web-connected de-vices thathasencryption capabilitiesbaked into it, and Cisco haslaunched a competition offering prizes for the best ideas for se-curing the internet of things. But many firms plunging into thismarket are small startups which may not have much experienceofcyber-security.

Mr Corman worries that it may take a catastrophic event toget makers to focus on the need for better security in connecteddevices. But optimists believe that pressure from customers willbe enough to force their hand. 7

5The 50 billion question

Source: Cisco *Includes military and aerospace

Worldwide number of internet-connected devices, forecast, bn

0

10

20

30

40

50

2013 14 15 16 17 18 19 20

Fixed communications

Mobile communications

Computers

Consumer electronicsand medical devices

Industrial devices*

Automotive

SPECIAL REPOR T

Bruce Schneier, a securityexpert, has suggested that crime-fighting is a better analogy thanwarfare. This is a useful idea. Po-lice are needed to go after crimi-nals, but people can help pre-vent crimes in the first place bytaking sensible precautions.And although extraordinarypowers of investigation and ar-rest are sometimes needed toapprehend wrongdoers, theyare subject to robust legal protec-tions for citizens.

Applied to cyberspace, thismeans that, far from being pow-erless against hackers, compa-nies can do a lot to help them-selves. Simply ensuring thatonly approved programs canrun on their systems, regularlypatching all software, educatingemployees about cyber-risksand constantly monitoring net-works would help keep most in-truders out. Yet too many com-panies fail to do these things, ordo them consistently.

Tackling cybercrime oftenrequires international co-opera-tion. In recent years this hasbeen getting better, partlythanks to agreements such as the Council of Europe’s Conven-tion on Cybercrime, whose members assist each other in inter-national investigations. More resources forcrime-fighting outfits,including teams on secondment from the private sector, wouldclear out more crooks.

That still leaves the job ofdealingwith the most sophisticat-ed hackers, whose motivesoften have nothingto do with money.Getting broader agreement on norms of behaviour in cyber-space is crucial, but it will not be easy. Forging a consensus onwhat bits of critical infrastructure should be off-limits to a cyber-attackwould be an excellent start.

Making sure that fewer bugs crop up in software in the firstplace would also be helpful, particularly as the internet of thingsis about to take off and opportunities for breaches will multiply

manifold. The best method would be forcompanies to come up with robust pro-posals of their own for securing the newconnected devices. In March a group offirms including Cisco, IBM and GE set upthe Industrial Internet Consortium,which among other things will look at in-novative approaches to security in web-connected industrial gear. Somethingsimilar is needed in the consumer field.

The internet has turned out to beone ofthe biggest forces forprogress in thehistory of mankind. Having started life asa gathering place for a small bunch ofgeeks and academics in the early 1970s, itis now at the heart of the global economy.Mr Gibson’s “consensual hallucination”has become a worldwide success story. Itmust be kept in good working order. 7



Offer to readers

Reprints of this special report are available. A minimum order of five copies is required.Please contact: Jill Kaletha at Foster Printing Tel +00(1) 219 879 9144e-mail: [email protected]

Corporate offer

Corporate orders of 100 copies or more are available. We also offer a customisation service. Please contact us to discuss your requirements.Tel +44 (0)20 7576 8148e-mail: [email protected]

For more information on how to order special reports, reprints or any copyright queries you may have, please contact:

The Rights and Syndication Department20 Cabot SquareLondon E14 4QWTel +44 (0)20 7576 8148Fax +44 (0)20 7576 8492e-mail: [email protected]/rights

Future special reports

Previous special reports and a list of forthcoming ones can be found online: economist.com/specialreports

Advertising and technologySeptember 13thThe world economy October 4thIran October 25thThe Pacific Rim November 15th

CYBERSPACE WILL NE��

be completely secure. Thethreats posed by what Sir David Omand, an academic and

former head of Britain’s GCHQ intelligence agency, calls “thecesspit of modernity”—online crime, espionage, sabotage andsubversion—are not going to disappear. Nor is the temptation forgovernments to treat the internet as a new combat zone, along-side land, sea, air and space.

In 1996 John Perry Barlow, a cyber-libertarian, issued a“Declaration of the Independence of Cyberspace” addressed togovernments, insisting: “You have no moral right to rule us, nordo you possess any methods of enforcement we have true rea-son to fear.” He turned out to be wrong. Governments haveshown in a variety of ways—from the theft of industrial secretsby Chinese spies to the mass surveillance conducted by Westernones—that they are determined to make cyberspace their own.

Political leaders are fond of saying that they want their citi-zens to benefit from the huge opportunities that a secure and reli-able internet can offer, and that they are determined to protectthem from crime and terrorism online. Yet they do not hesitate touse the web for their own purposes, be it by exploiting vulnera-bilities in software or launching cyber-weapons such as Stuxnet,without worrying too much about the collateral damage done tocompanies and individuals. Some of the trends pinpointed inthis special report, includingthe rise oforganised crime on the in-ternet and the imminent arrival of the internet of things, willonly increase concerns about a widening security gap.

A plain man’s guide

So what can be done? The first thing is to change the tone ofthe debate about cyber-security, which is typically pepperedwith military metaphors. These tend to suggest that companiesand individuals are powerless to help themselves, giving gov-ernments latitude to infringe their citizens’ privacy. “The internetis the most transformative innovation since Gutenberg and theprinting press,” says Jason Healey of the Atlantic Council, anAmerican think-tank. “Yet we’re treating it as a war zone.”

Remedies

Prevention is betterthan cureMore vigilance and better defences can makecyberspace a lot safer

Far frombeingpowerlessagainsthackers,companiescan do a lotto helpthemselves

Defending the digital frontier - The Economist · net to billions of people around the world. The...

Documents

Transcript of Defending the digital frontier - The Economist · net to billions of people around the world. The...