Over the last two weeks, the world got a relatively small preview of the global impact that can be expected in the event of a large-scale internet failure. First there was physical damage to an undersea cable just off the coast of Egypt. Then, last week, millions of people around the world were affected by slow internet speeds after an unprecedented attack by spammers in Europe. The attack unfolded almost exactly as an expert predicted last year.
To the two incidents mentioned above can be added the apparently co-ordinated cyber attack on South Korean computer networks, which paralysed three broadcasters and at least two banks. The attack could possibly be called an “act of war”.
In the run-up to the release of the World Economic Forum’s (WEF) Global Risk Report 2013, which identifies the 50 most prominent global risks, computing professor Mustaque Ahamad of the Georgia Institute of Technology warned that “the IT industry puts functionality above security at its peril”.
Ahamad’s interview, part of the WEF Risk Response Network’s 'What if?' series, proved to be almost prophetic and makes fascinating reading against the background of the past two weeks' exposure of global internet vulnerability.
Why is this on your radar at the moment?
What keeps me awake at night is the fact that we don’t have a good understanding of the risks we face, now that more and more people and things are connected to the Internet. Cyber attacks have become very easy to mount, but they are still hard to defend against.
How would the situation unfold?
We could see something like a large-scale Denial of Service attack, an attempt to make the Internet unavailable to people who rely on it (exactly what happened in Europe last week). This sort of attack would involve someone (or a group) who is successful in compromising key Internet infrastructure services or who bombards web servers with a flood of requests, so that they are unable to respond to legitimate queries. When a regular person tries to access the Internet, you would simply see an error message.
Another common form of attack uses malware, which is basically software that you don’t want. By exploiting a vulnerability, an attacker finds a way to send code to your machine, where it starts to run on its own. It could be waiting for a command to steal data, or to send spam. Such compromised machines can also be used to send bogus requests and launch a 'denial of service' attack.
What would the consequences be?
It is not just a question of being unable to check the weather or go on Facebook. It would have huge effects on essential services on which we rely in our daily lives. These could be communication, transportation or the supply of essentials like food, energy and healthcare – everything.
On a simplified level, if the Internet is down and you can’t access electronic medical records in an emergency, people die as a result. There has been a huge convergence between virtual life and the real, physical world: we work, live and play on the Internet, so the consequences of an outage are across the board. And we no longer count on phone lines as a backup: they are increasingly moving to networks that enable the Internet.
Who would be most likely to mount such an attack?
What we have seen recently is that cyber attacks are not irrational; there is always some kind of motivation, whether it is malicious folk, groups with an agenda like Anonymous, criminal gangs who want to monetise their activities or nation states acting in their interests, as we saw with the Stuxnet attack on Iran’s nuclear facilities.
The problem is that when it comes to cyber attacks, there is a lower barrier to launch than a real, physical attack, so we don’t treat it with the same kind of seriousness. More and more countries are looking at cyber arms and they are not hesitant about trying things out, even though these actions could precede a real war.
How likely is an attack of the scale that could take out Internet access?
The Internet is a highly decentralised system, so many experts believe that the risk of an attack taking it down entirely is very, very low but cyber threats should still be taken seriously.
How well prepared are we?
Unfortunately, we are not really well prepared. With security, the basic axiom is that you build it into your system, so risk is already mitigated, whereas the IT industry hasn’t done that.
We value functionality over security. And the threat landscape keeps shifting all the time: take, for example, the rise of cloud computing, which changes the nature of our reliance on connectivity and the way we depend on data. Then there are mobile apps, which people happily download without thinking about any problems. It is hard to know what resources to put into security when technologies evolve so rapidly and the threat is always changing, and hard to quantify.
Who is responsible for tackling this?
The simple answer is all of us: businesses, governments and individuals.
What can we do to mitigate the risks?
We have been largely reactive in the past, whereas now we need to be more proactive in terms of designing more secure systems and improving awareness and education. This is not just a technology problem; there is a large policy component as well. We need more safeguards. We need more networks of people coming together to anticipate threats and dismantle the infrastructure that will be used in mounting large-scale attacks.