May 15, 2017 A system whose security depends on an absence of carelessness is a system designed to fail.
By George Friedman
A few months ago, I wrote about the hacking of computers belonging to the Democratic National Committee and John Podesta, and made the case that contemporary computers are both primitive and not designed for mission critical functions. The latest wave of attacks on the global computing system reinforces my conviction. The system is incapable of supporting safely the functions that it has been tasked with. In the past, attacks were carried out by vandals. Now we see them being carried out for political reasons and, as in this case, for criminal reasons. Something’s got to give.
The latest attack – which has affected more than 100,000 organizations in over 150 countries according to the European policing agency Europol – is spread by email. Targets receive an email containing a link that, when clicked, launches a program that moves through the computer network encrypting data. A message then appears on the user’s screen, instructing the person to deposit bitcoins, a digital currency, into an apparently anonymous account in order to recover the data. This is what’s known as a “ransomware” attack. The global network of security experts in and out of government have been unable to identify the perpetrators of this crime.
Consider how such an attack would be carried out step by step. Someone discovers your email address. That person sends you an email. It is now your responsibility, in the course of a busy day with many distractions, to maintain vigilance over incoming emails. The message will be designed with some thought to appearing legitimate. You know many people and are involved in many organizations, and it is not clear that anything is amiss. You click on the link and disaster follows.
This is the legendary “stupid user” case. How could you have been so foolish as to click on a link from someone you didn’t know? The user’s carelessness is therefore to blame. The secret is that all of us, including computer security experts, are careless at times. A system whose security depends on an absence of carelessness is a system designed to fail.
In this attack, hospitals and factories have been hit. Many of them have hundreds or thousands of workers. The probability that not a single employee among thousands will click on a link in a criminal’s email is near zero. Placing the responsibility for preventing these so-called phishing attacks on the vast array of computer users is not only flawed, but it is symptomatic of the irresponsibility of the computer industry.
Computers are designed to be insecure. A phishing attack is simply an effort to deceive a user into sharing sensitive information, such as usernames and passwords. Computers are made so that poorly designed operating systems can be upgraded and new programs, or music and movies, can be sold and downloaded. The computer is designed to interact with other computers on the internet, sending data while websites deposit cookies on your computer. The computer has no way of knowing whether the interactions being carried out are legitimate. The operating system is in many ways a manager of program calls, but not a judge of them. That judgment is carried out by additional software you may purchase, called virus scanners. They attempt to judge the legitimacy and harmfulness of files by maintaining a library of malicious software. But criminals can readily craft a new attack not yet recorded in a virus scanner’s library. Virus scanners are unlikely to work against a minimally thoughtful vandal or criminal, and they frequently don’t.
Selling computers fully loaded with needed software already installed, with the operating system designed to only let native software function, would raise the bar directly. I would assume that the computer industry would have far better ideas for solving the problem. But it is far less interested in evolving the computer for safety than in introducing new products. Given the economics of computer and software manufacturing, the industry’s acceptance that a poorly considered click on a link might paralyze anything from one person’s laptop to the servers of a large entity is understandable. Security is expensive and consumers are actually reluctant to pay for it as a standalone product. Computing is an intensely competitive industry, and the cost of introducing new computers with few exciting features beyond invisible safeguards is a marketing nightmare.
The computer industry is now in the position of the auto industry in the 1960s. Reluctant to provide seat belts, air bags or other safety features, carmakers encountered government regulation. Then, with the principle of regulation established, the government went far beyond safety. In my view, the computer industry is naive in not thinking about the long-term consequences of its reluctance to evolve in security.
The Problem of Anonymity
Anonymity is one of the roots of the problem. Vandals and criminals are rarely caught because the principle of anonymity is built into the internet. This problem has been compounded by the introduction of bitcoins, a form of financial transaction that attempts to maintain the anonymity of its users. The problem with anonymity is that while fostering freedom, it inevitably enables criminals to use that freedom for their ends. The attackers’ demand for bitcoins in the latest event makes this point clear. This paradox – where the right to act without government scrutiny aligns with the rise of ruthless criminality – isn’t new. As an empirical matter, however, a banking system that does not take responsibility for exposing criminals will find the state taking that role.
This is very much a geopolitical problem. It is not only, as many argue, that the current system enables cyberwarfare between states, but also that it facilitates organized crime on a global level. This problem is aided by an industry that builds products that make cyberwarfare and criminality relatively easy, an internet that makes identifying criminals – and state actors – relatively difficult, and now a banking system that is designed to make the finances of Borgias and Medicis appear the essence of ethics.
As a practical matter, what this situation will lead to is either the ever-deeper corruption of the state and insecurity of personal wealth, or the state imposing itself on the global computing system in as heavy-handed a way as possible. The idea that we are helpless in the face of cyberwar, constant vandalism and now criminal extortion, if true, will lead to the collapse of computing. Computing has become indispensable, but it is its very indispensability, facing constant threat, that will cause its collapse. You cannot be both indispensable and incredibly vulnerable.
As for me, the virtue of legal pads for important matters is becoming manifest.