THE COST, DAMAGE, AND THREAT OF CYBERCRIME AND WARFARE
The lines between computer hacking, cybercrime, and cyberwarfare are blurry. They are threats to our national security and also to you. At risk is not only your financial welfare and identity, but also your health and well-being. Cyberwarfare is at a level of threat that has similarities to nuclear weapons in that it can inflict major societal harm and is restrained or deterred only by the threat of retaliatory harm and damage, similar to the mutual assured destruction that deters nuclear war.
This is not an exaggeration, as the book by New York Times cybersecurity reporter, Nicole Perlroth, This Is How They Tell Me the World Ends, [1] makes clear in great detail. She presents the development and evolution of cyber hacking, crime, and warfare since she began reporting on it for the Times in 2013. She also puts it in an historical context of espionage going back to the Cold War and the 1950s and then outlines its transition from human agents to cyber capabilities over the last 40 years. I encourage you to read her 406-page, revealing, convincing, and downright scary book if you are so motivated. I will attempt to summarize it in this and subsequent blog posts.
The scale of computer hacking, cybercrime, and cyberwarfare is much greater than I had any idea it was. The costs to individuals, businesses, governments, and other organizations (such as hospitals) are enormous. A 2018 RAND Corporation report, the most comprehensive study of cyberattacks at the time, estimated that the worldwide losses for the year from cyberattacks were hundreds of billions of dollars. By comparison, the estimated cost of terrorist attacks in 2018 was just $33 billion. Some current estimates put the costs of cyberattacks at over $2 trillion a year and growing.
The number of ransomware attacks, where hackers prevent an organization from accessing its computer systems and data until a ransom is paid, more than doubled from 2019 to 2020, for example. [2] Much of this is done by cyber criminals looking to make money. However, back in May 2017, one of the cyber hacking tools stolen from the U.S. National Security Agency (NSA) (more on this in a subsequent post) was put to use by North Korea in ransomware attacks all around the globe. Within 24 hours, 200,000 organizations in 150 countries were attacked. For example, nearly 50 British hospitals were incapacitated as were Russian railroads and banks, Indian airlines, Germany’s railroads, Spain’s largest telecommunications company, Japanese police, South Korean movie theaters, many gas stations and universities in China, and small electric utilities and Fed Ex in the U.S. Russia and China suffered the most, partially because vulnerable, pirated software was widely used there.
The attack used a vulnerability in Microsoft’s Windows operating system that the NSA had discovered and exploited for years. When knowledge of it was stolen from the NSA and released publicly, the NSA notified Microsoft, but, needless to say, there was not enough time to fix the vulnerability (aka bug) and get the fix onto millions of customers’ computers before the vulnerability was exploited by North Korea and others. Exacerbating the problem, many customers are not always quick to install Microsoft’s Windows updates, particularly at companies using it on computers performing critical functions where software updates must be closely managed to minimize downtime. Making matters worse, many computers, including ones controlling critical infrastructure, were running an old version of Windows that Microsoft had stopped updating three years earlier. Now, Microsoft had to go back and update this software so its users wouldn’t be held hostage by cyberattacks from North Korea or run-of-the-mill cyber criminals.
Microsoft’s President, Brad Smith, was angry; this was not the first time the NSA had put Microsoft in this position. He publicly criticized the NSA for withholding the Windows vulnerability from Microsoft and then, when it became a problem, dumping it in Microsoft’s lap to fix on short notice. At the time, this story got short shrift in the U.S. media because of all the focus on the new Trump administration and the controversies it was generating. The administration was, however, quick to identify North Korea as the culprit, in stark contrast to its failure to out Russia for its cyberattacks, including its meddling in the 2016 U.S. election. (More on this in a subsequent post.)
Initially, government-sponsored cyber hacking, with the U.S. leading the pack, was used for espionage and surveillance of foreign governments and agents. The U.S. has multiple agencies spending billions of dollars developing and using cyber hacking capabilities. It has large teams of computer experts identifying vulnerabilities in computer software. Rather than alerting companies to the vulnerabilities in their products, U.S. intelligence agencies developed the software vulnerabilities into weapons for spying on adversaries (e.g., by stealing data from their computers). This use of cyber hacking is considered defensive as it is used to protect the U.S. and not to harm others.
The U.S. government also bought software vulnerabilities from private hackers who had discovered them, sometimes paying millions of dollars for them. Private computer hackers’ uncovering and selling of software vulnerabilities is a worldwide entrepreneurial business, given that any computer-savvy individual with a computer can do this.
However, as was probably inevitable, computer hacking shifted to being used offensively, to harm adversaries, given that it has the inherent capability to disrupt computer-controlled equipment and communications. In 2008 and 2009, the U.S. government, led by the NSA, probably with Israel’s participation, successfully executed a cyberwarfare attack on Iran’s nuclear enrichment plant. It damaged the centrifuges used to enrich uranium in order to delay Iran’s ability to generate enough, sufficiently enriched uranium to build an atomic bomb. Many experts view this attack as marking the shift of cyberwarfare from espionage and defensive uses to offensive uses.
After a cyberattack, given time, effort, and expertise, the target can almost always identify the source of the attack. So, when U.S. intelligence agencies say they “think” a cyberattack came from say Russia, they know that it came from Russia. Furthermore, they usually know what organization was behind the attack, although sometimes it can be difficult to ascertain whether it was a government-sponsored attack or private hackers physically located say in Russia (or China, Iran, or North Korea, etc.).
After the successful attack on its nuclear enrichment plant, Iran, not surprisingly, was looking for revenge. When it discovered the cyberattack, it also then had possession of the weapon – the software that had been used – and could turn it back on the attacker.
Furthermore, the weapon, as cyber weapons often do, spread itself out from the Iranian centrifuge plant over the Internet and around the globe, eventually reaching the U.S. and infecting computers at Chevron. Fortunately, because it was designed to specifically attack the Iranian centrifuges, it didn’t do a lot of damage at Chevron or at other sites it infected.
Despite this experience, the U.S. government continued to focus on its offensive cyberwarfare programs and largely ignored building cyber defenses. Surprisingly, it ignored the clear vulnerability of U.S. computers and systems to the types of attacks it was undertaking, despite the fact that the U.S. is more dependent on computers and the Internet than other countries, making the U.S. more vulnerable to a cyberattack than anyone else.
In subsequent posts, I will outline the Perlroth book’s reporting on:
· Electronic surveillance in the U.S. and the use of encryption technology to protect privacy,
· Leaks from the NSA, including of its cyberwarfare tools,
· Russia’s cyberattacks on Ukraine,
· The Chinese attack on Google and Google’s response,
· The cyberattacks on U.S. elections and the Trump administration’s response, and
· What can be done to counter cybercrime and warfare at the individual and governmental levels.
[1] Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.
[2] De Vynck, G., 9/22/21, “Treasury’s fight against hackers targets crypto payments,” The Boston Globe from the Washington Post