Anyone who has ever received an email asking the reader to send money to a Nigerian bank account or confirm a password knows the Internet can be a hazardous place. But these threats are minor compared to what’s now stalking cyberspace.
In the last few years, there has been a huge upsurge in hacker attacks on the Web sites of private businesses, government agencies, intelligence services, banks and other organizations. The Ponemon Institute, which, according to its Web site, “conducts independent research on privacy, data protection and information security policy,” has recently estimated that nine out of 10 US companies have experienced an online attack in the last 12 months. In this year alone, according to Privacy Rights Clearinghouse, online security breaches have compromised the data of more than 22 million people. In addition, the federal government has seen attacks on its computers increase more than six-fold since 2006. The Internet has become a scary place.
Companies and governments are often unprepared for increasingly sophisticated cyber attacks. The giant New York banking company Citigroup was recently hit, and hackers stole data on more than 2 million credit card users, potentially exposing them to disastrous identity theft and fraud. Electronics firm Sony failed to encrypt account information for members of its PlayStation Network and, as a result, hackers recently made off with credit card information, phone numbers, passwords, email addresses and account histories for as many as 10 million people. Sony has estimated this breach will cost the company more than $170 million from loss of revenue, increased spending on security upgrades and legal fees.
In the effort to bolster their cyber defenses, US businesses this year have so far spent approximately $100 billion on cyber security, which is as much as was spent during all of 2010. Last month, a UCLA conference on cyber security was attended by 400 executives, doubling last year’s attendance. The demand for security experts has also risen dramatically, but at this point it is running far ahead of the supply.
The trend toward “cloud computing,” in which companies outsource computing tasks to firms that maintain huge amounts of data on large servers all over the world, is drastically increasing the possible scale of information thefts. This is because hacking a single cloud server can provide access to data from hundreds of companies stored on such a server — a process referred to as “hyperjacking.” The alarming erosion of cyber security is also being driven by the ever-increasing legions of hackers. Some of these outlaws live in developing countries where unemployment is high and programming jobs are scarce. Furthermore, easily obtainable hacking software has automated the hacking process for novices and made it possible for many more people to wreak havoc in cyberspace.
More recently, concerns about the damage that can be caused by computer attacks have moved beyond infiltrated databases and crashed Web sites. Within the last year, the so-called Stuxnet virus, the malicious software or “malware” that attacked Iran’s nuclear program, has demonstrated just how vulnerable machinery can be to a well-designed electronic virus. This virus, which some experts believe was developed and deployed by Israel, targeted computers controlling the speed of the centrifuges Iran uses to enrich uranium. How many of these centrifuges spun out of control and were damaged is not exactly known, but Stuxnet is clearly a game changer and demonstrates the potential for cyber attacks in disturbing new ways.
Every facet of modern power plants and the electricity grid, water and sewage treatment plants, oil and gas refineries and the heavily automated food-packaging industry is run by computers that use programmable logic controllers, the devices targeted by Stuxnet. This means key pieces of our physical infrastructure are dependent on computers that are vulnerable to malware like Stuxnet. In the July issue of Scientific American, the article “Hacking the lights out” describes a 2004 study that estimated an attack which incapacitated a mere 8 percent of our electricity transmission substations could bring down the entire grid and cause a nationwide blackout.
Stuxnet also demonstrates how humans have now gained the capacity for cyber-warfare. During his recent confirmation hearings, Secretary of Defense Leon Panetta testified there is a “strong likelihood that the next Pearl Harbor [could be] a cyber-attack that cripples” US power grids and pipelines as well as financial and government systems. In his 2010 book, “Cyber War,” former National Security Council adviser Richard A. Clarke describes how Israel may have used radio waves to transmit computer data packets that disrupted the Syrian air defense network during a 2007 bombing of a Syrian nuclear facility. Similarly, the US Navy’s new EA-18 Growler jets are thought to have the ability to launch cyber-attacks by transmitting viruses into enemy computers from an altitude of several thousand feet.
Whether humans control technology or technology controls us is the subject of ongoing debate. Either way, we must take urgent action to protect our deteriorating cyber-security.
John Grula, PhD, is affiliated with the Southern California Federation of Scientists.