OPINION: Cybersecurity hacks and ID theft

Cybersecurity is a very weird area, mostly out of sight yet potentially very deadly. Anonymous groups can turn off traffic lights, telecom infrastructure, power grids, or disrupt weapons labs, as the US and Israel allegedly did when it used a cyber-weapon to cripple Iranian nuclear facilities in 2010.

Bank regulators have to now consult with top military leaders about whether deposit insurance covers incidents where hackers destroy all bank records, and what that would mean operationally. It’s not obvious whether this stuff is cyberwar, cyberespionage or something else, but everyone knows that the next war will be comprised of new tactics based on hacking the systems of one’s adversary even using code placed in those systems during peacetime!

And that makes the SolarWinds hack last December quite scary, even if we don’t see the full effects right now. While political leaders have considered reprisals against Russia, it’s likely they will not engage in much retaliation we can see on the surface. There is a lot of finger-pointing still going on in the US government and in cybersecurity circles about what happened and why.

There are all of the standard questions that military and cyber lawyers love, like whether this hack is cyberwar, cyberespionage, or something legally ambiguous. The most interesting part of the cybersecurity problem is that it isn’t purely about government capacity at all; private-sector corporations maintain and control critical infrastructure that is in this new “battlespace.”

I’m talking about telecommunications, energy and high tech companies. Private firms, Microsoft in particular, are being heavily scrutinised because of the prevalence of the Windows OS in many corporate and government offices.

The question remains – why don’t these large firms manage their security problems particularly well? And yet these companies have no actual public obligations, or at least, nothing formal.

They are for-profit entities with little liability for the choices they make that might impose costs onto others. Indeed, cybersecurity risk is probably similar to pollution, a cost that the business itself doesn’t fully bear, but the rest of society does!

The private role in cybersecurity is now brushing up against the libertarian assumptions of much of the policymaking world; national security in a world where private tech companies handle national defence simply cannot long co-exist with our monopoly and financier-dominated corporate world.

Any computer brings with it the risk of hacking. This is true of our computers and smartphones, and it’s also true about all of the Internet-of-Things (IoT) devices that are increasingly part of our lives. These large and small appliances, cars, medical devices, toys and even exercise machines are all computers at their core, and they’re all just as vulnerable.

The risks are serious. We know that the Russians and the Chinese were allegedly regularly eavesdropping on former US president Trump’s phones. Hackers can remotely turn on microphones and cameras, listening in on conversations. They can grab copies of any documents on the device.

They can also use those devices to further infiltrate government networks, maybe even jumping onto classified networks that the devices connect to.

If the devices have physical capabilities, those can be hacked as well. In 2007, the wireless features of vice president Richard B. Cheney’s pacemaker were disabled out of fears that it could be hacked to assassinate him!

Physically removing features and components works, but the results are increasingly unacceptable. You could rip out or disable the camera, microphone, and Internet connection, and that would make your IoT device more secure – but then it would just be normal! All world leaders and CEOs of major organisations and companies now have smartphones, tablets, and laptops.

Many have Internet-connected cars and appliances, vacuums, bikes, and doorbells. Every one of those devices is a potential security risk, and all of those people are potential national security targets. But none of those people will get their Internet-connected devices customised unless specifically mandated by their corporate policies or the nation’s security services. That is the real cybersecurity issue. Internet connectivity brings with it features we like. In our cars, it means real-time navigation, entertainment options, automatic diagnostics, and more.

In a pacemaker, it means continuous monitoring by your doctor – and possibly saving your life as a result. In an iPhone or iPad, it means… well, everything. We can search for older, non-networked versions of some of these devices, or the NSA can disable connectivity for the privileged few of us. But the result is the same: in Obama’s words, “no fun.” And unconnected options are increasingly hard to find.

Try to find a new car now that doesn’t come with Internet connectivity or Wi-Fi! Similarly, it’s getting harder to find major appliances without a wireless connection. As the price of connectivity continues to drop, more and more things will only be available Internet-enabled.

Internet security is national security — not because the US President is personally vulnerable but because we are all part of a single network. Depending on who we are and what we do, we will make different trade-offs between security, fun and privacy. But we all deserve better options.

Regulations that force manufacturers to provide better security for all of us are the only way to do that. We need minimum security standards for computers of all kinds. We need transparency laws that give all of us, from the president on down, sufficient information to make our own security trade-offs. And we need liability laws that hold companies liable when they misrepresent the security of their products and services.

I’m not worried about US Presidents or world leaders. They have security staff to figure out how to balance their personal needs with the national security needs of the country. I am much more concerned about the political activists, journalists, human rights workers, and oppressed minorities around the world who don’t have the money or expertise to secure their technology, or the information that would give them the ability to make informed decisions on which technologies to choose.

Personal information from US citizens found on the Dark Web – ranging from Social Security numbers, stolen credit card numbers, hacked PayPal accounts, and more – is worth just $US10 ($F20) on average as compared to EU countries at $US25 ($F50.9) on average, according to a new report from global tech research firm Comparitech.

Typically, after a data breach or successful phishing campaign, many of the stolen personal IDs are sold almost immediately on the darknet – sometimes to cybercriminal brokers.

Cybersecurity experts attributed stolen ID demand and pricing to how different countries and regions were legislating data privacy. For example, it was noted that countries with the highest credential prices were all, in some way, taking steps to make sure all companies are adhering to some sort of data privacy and protection.

This clearly shows that companies – and consumers – need to do better at privacy. We need better regulation, better legislation. And, really, we need more overall awareness of our digital footprint. Close accounts you don’t or won’t use. Delete payment info. Reset passwords to be more than 10 characters. It’s easier to prevent a fire than to put one out.

The pandemic has forced almost every organisation to operate online in some capacity and there has been a corresponding increase in cyber attackers exploiting vulnerabilities found in web applications.

As technology evolves to make life easier and more convenient it comes at a price and sometimes the tradeoffs are not always clear, especially as we become more dependent on digital devices.

As Einstein once said “I fear the day when the technology overlaps with our humanity. The world will only have a generation of idiots.”

As always, you all be blessed, stay safe and well in both digital and physical worlds.

 Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper.

Mr Tuisawau can be contacted on ilaitia@cyberbati.com
