With each new headline, we learn of some new cyber-danger that imperils our privacy, our finances, and our security. We are told that these threats originate from Shanghai, St. Petersburg, Tehran, Islamabad, and Laurel, Maryland, home to the National Security Agency (NSA). Tens of millions of accounts at retailers, insurance and healthcare companies, and at the Office of Personnel Management have been hacked, and terabytes of information stolen. We have been offered “LifeLock,” told to “think before you click,” and advised just to adopt the mantra of Alfred E. Neuman, “What? Me Worry?” But what is the truth? Are these threats real? Are we at war, and if so, with whom?
According to the website “Hackmageddon” that compiles statistics about publicly disclosed cyberattacks, May 2015 was a very active month . The United States is, not surprisingly, the most prevalent target of worldwide cyberattacks – because the US is highly Internet-integrated, and a large and wealthy economy. As shown in the breakdown, cybercrime is the leading motivation for all attacks world-wide.
The types of organizations targeted by cyber-attackers reflect the prevalence of criminal orientation, as well.
Of continuing concern is the wide variety of techniques used in cyber-mischief.
The take-aways from this snapshot are simple: We have built, in the Internet and our computing systems, an edifice so complex that we are unable to fully understand its operation, or the failure modes that it encompasses. Were the Internet a car, it would be a 1963 Corvair… “unsafe at any speed.”
It is now time, as Vint Cerf, one of the designers of the underlying TCP/IP architecture that operates the Internet has stated, to redesign our systems to be both trusted and trustworthy. This will require Manhattan Project levels of dedication and resources, but it is as critical to our ability to win the cyberwar as that project proved to be to the “kinetic” war of the 1940s. This complex effort, however, will make the intricacies of the atom bomb look like a Lego project.
It should be clear that China, Russia, Iran and non-state as well as state-affiliated actors are hard at work. It should also be clear that our own NSA and the UK’s GCHQ have programs of their own, some of which may have unintentionally weakened Internet security. We have not yet met all of the enemies, but some of them are us – our own security agencies, and our unwillingness to invest in our own security. There’s a war on. We should behave like there is.