By George Friedman

A few months ago, I wrote about the hacking of computers belonging to the Democratic National Committee and John Podesta, and made the case that contemporary computers are both primitive and not designed for mission critical functions. The latest wave of attacks on the global computing system reinforces my conviction. The system is incapable of supporting safely the functions that it has been tasked with. In the past, attacks were carried out by vandals. Now we see them being carried out for political reasons and, as in this case, for criminal reasons. Something’s got to give.

The latest attack – which has affected more than 100,000 organizations in over 150 countries according to the European policing agency Europol – is spread by email. Targets receive an email containing a link that, when clicked, launches a program that moves through the computer network encrypting data. A message then appears on the user’s screen, instructing the person to deposit bitcoins, a digital currency, into an apparently anonymous account in order to recover the data. This is what’s known as a “ransomware” attack. The global network of security experts in and out of government have been unable to identify the perpetrators of this crime.

Design Flaw

Consider how such an attack would be carried out step by step. Someone discovers your email address. That person sends you an email. It is now your responsibility, in the course of a busy day with many distractions, to maintain vigilance over incoming emails. The message will be designed with some thought to appearing legitimate. You know many people and are involved in many organizations, and it is not clear that anything is amiss. You click on the link and disaster follows.

This is the legendary “stupid user” case. How could you have been so foolish as to click on a link from someone you didn’t know? The user’s carelessness is therefore to blame. The secret is that all of us, including computer security experts, are careless at times. A system whose security depends on an absence of carelessness is a system designed to fail.

In this attack, hospitals and factories have been hit. Many of them have hundreds or thousands of workers. The probability that not a single employee among thousands will click on a link in a criminal’s email is near zero. Placing the responsibility for preventing these so-called phishing attacks on the vast array of computer users is not only flawed, but it is symptomatic of the irresponsibility of the computer industry.

The “ransomware” attack encrypts the target’s data and demands payment to recover it. Depicted is a screen showing the message announcing the attack at the railway station in Chemnitz, eastern Germany, on May 12, 2017. P. GOETZELT/AFP/Getty Images

Computers are designed to be insecure. A phishing attack is simply an effort to deceive a user into sharing sensitive information, such as usernames and passwords. Computers are made so that poorly designed operating systems can be upgraded and new programs, or music and movies, can be sold and downloaded. The computer is designed to interact with other computers on the internet, sending data while websites deposit cookies on your computer. The computer has no way of knowing whether the interactions being carried out are legitimate. The operating system is in many ways a manager of program calls, but not a judge of them. That judgment is carried out by additional software you may purchase, called virus scanners. They attempt to judge the legitimacy and harmfulness of files by maintaining a library of malicious software. But criminals can readily craft a new attack not yet recorded in a virus scanner’s library. Virus scanners are unlikely to work against a minimally thoughtful vandal or criminal, and they frequently don’t.

Selling computers fully loaded with needed software already installed, with the operating system designed to only let native software function, would raise the bar directly. I would assume that the computer industry would have far better ideas for solving the problem. But it is far less interested in evolving the computer for safety than in introducing new products. Given the economics of computer and software manufacturing, the industry’s acceptance that a poorly considered click on a link might paralyze anything from one person’s laptop to the servers of a large entity is understandable. Security is expensive and consumers are actually reluctant to pay for it as a standalone product. Computing is an intensely competitive industry, and the cost of introducing new computers with few exciting features beyond invisible safeguards is a marketing nightmare.

The computer industry is now in the position of the auto industry in the 1960s. Reluctant to provide seat belts, air bags or other safety features, carmakers encountered government regulation. Then, with the principle of regulation established, the government went far beyond safety. In my view, the computer industry is naive in not thinking about the long-term consequences of its reluctance to evolve in security.

The Problem of Anonymity

Anonymity is one of the roots of the problem. Vandals and criminals are rarely caught because the principle of anonymity is built into the internet. This problem has been compounded by the introduction of bitcoins, a form of financial transaction that attempts to maintain the anonymity of its users. The problem with anonymity is that while fostering freedom, it inevitably enables criminals to use that freedom for their ends. The attackers’ demand for bitcoins in the latest event makes this point clear. This paradox – where the right to act without government scrutiny aligns with the rise of ruthless criminality – isn’t new. As an empirical matter, however, a banking system that does not take responsibility for exposing criminals will find the state taking that role.

This is very much a geopolitical problem. It is not only, as many argue, that the current system enables cyberwarfare between states, but also that it facilitates organized crime on a global level. This problem is aided by an industry that builds products that make cyberwarfare and criminality relatively easy, an internet that makes identifying criminals – and state actors – relatively difficult, and now a banking system that is designed to make the finances of Borgias and Medicis appear the essence of ethics.

As a practical matter, what this situation will lead to is either the ever-deeper corruption of the state and insecurity of personal wealth, or the state imposing itself on the global computing system in as heavy-handed a way as possible. The idea that we are helpless in the face of cyberwar, constant vandalism and now criminal extortion, if true, will lead to the collapse of computing. Computing has become indispensable, but it is its very indispensability, facing constant threat, that will cause its collapse. You cannot be both indispensable and incredibly vulnerable.

As for me, the virtue of legal pads for important matters is becoming manifest.

George Friedman

George Friedman is an internationally recognized geopolitical forecaster and strategist on international affairs and the founder and chairman of Geopolitical Futures.

Dr. Friedman is also a New York Times bestselling author. His most recent book, THE STORM BEFORE THE CALM: America’s Discord, the Coming Crisis of the 2020s, and the Triumph Beyond, published February 25, 2020 describes how “the United States periodically reaches a point of crisis in which it appears to be at war with itself, yet after an extended period it reinvents itself, in a form both faithful to its founding and radically different from what it had been.” The decade 2020-2030 is such a period which will bring dramatic upheaval and reshaping of American government, foreign policy, economics, and culture.

His most popular book, The Next 100 Years, is kept alive by the prescience of its predictions. Other best-selling books include Flashpoints: The Emerging Crisis in Europe, The Next Decade, America’s Secret War, The Future of War and The Intelligence Edge. His books have been translated into more than 20 languages.

Dr. Friedman has briefed numerous military and government organizations in the United States and overseas and appears regularly as an expert on international affairs, foreign policy and intelligence in major media. For almost 20 years before resigning in May 2015, Dr. Friedman was CEO and then chairman of Stratfor, a company he founded in 1996. Friedman received his bachelor’s degree from the City College of the City University of New York and holds a doctorate in government from Cornell University.