We recently witnessed a cyber-attack which left individuals and organisations virtually crippled. The WannaCry ransomware cyber-attack hit over 200,000 computers in 150 countries, demanding up to $600 per ransom. From Indian police stations to French car manufacturers and UK hospitals, it seems as if disruption was the primary aim of these hackers. With the importance of cyber security re-emerging in the mainstream public domain, it’s worth spending some time explaining what all the fuss was about. What is ransomware, and why did its intrusion into computer systems result in patients being turned away from hospitals and factories being shut down?
In a nutshell, ransomware is the use of technology to extort money from victims. Its severity varies: it may prevent you from logging into Windows, encrypt your files so that you cannot use them, or stop certain applications such as a web browser from functioning. Simply put, your files and data have been taken hostage and you are unable to use your PC until you pay up. Typically, you have to pay in bitcoins, since this crypto-currency is untraceable by law enforcement (for now), and there is always a time limit, adding another level of psychological despair to the extortion.
As with any hostage situation, there is no guarantee that paying the ransom will get you your PC back; by paying on time, you may be able to access your files again. Missing the deadline could result in the ransom amount increasing, or in all of your files being deleted or released into the public domain.
The history of ransomware dates back to 1989, when the AIDS Trojan was spread via floppy disk. In order to regain access to your data, you had to send $189 to a post office box in Panama. It has definitely advanced a bit since then…
It is not only your home PC which can be targeted. In fact, after realising how lucrative this business was, ransomware creators and distributors moved on to bigger targets such as business networks, city councils, hospitals and police servers. Public institutions hold huge databases of confidential information which, if leaked, can cause immeasurable damage. The NHS in the UK has experienced more attacks on its servers than any other public agency, with a notable one in 2016 which resulted in a four-day IT shutdown and non-urgent appointments and treatments being cancelled. Last week’s attack has been described as even worse. Attackers know that these institutions often use older software and equipment which is easy to infiltrate (the NHS still operates predominantly on Windows XP!). When it comes to businesses, cyber criminals also know that businesses have money and that their ransomware will cause major disruption, therefore increasing the likelihood of being paid. They also realise that businesses fear legal or reputational consequences and so will probably not report the attack. That being said, since 2016 ransomware has seen a 50% increase in both homes and enterprises. Is this due to more cybercrime or more reporting? There is no clear cause.
Many crime TV shows such as 24 (a personal favourite) have stimulated the imagination, showing us how criminals are able to infiltrate utilities such as water and electricity, right the way through to nuclear reactor sites, holding these hostage until a demand has been met. It would be naive to think that this is not yet a possibility, and perhaps even something that the security services have already grappled with.
On the flipside, there is something to be said about the entrepreneurial spirit of ransomware creators and distributors. They’re business-oriented, know where their opportunities lie and are daring in their pursuits.
To prevent your own computer from being taken hostage, there is not much you can do apart from the obvious – don’t open suspicious emails (even SMS messages!), don’t use untrusted WiFi connections etc. More importantly, always keep a backup!
The Office for National Statistics estimates that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the UK in 2015. There are simple ways to improve the security of your personal data and that of your business, from the mouths of industry and government experts.
Ben Buchanan, author of The Cybersecurity Dilemma and Fellow at Harvard University’s Belfer Center Cybersecurity Project, told the War on the Rocks podcast his tips for improving personal cybersecurity.
Two-Factor Authentication – a notification you receive when you log into your account from an unfamiliar device. He says, “John Podesta will spend the rest of his life wishing he had it.” Google already offers it on Gmail, and there are also apps such as Duo and Entrust Identity Guard.
Password managers like KeePass, Dashlane and 1Password help you create unique, secure passwords for every website you visit, on an easy-to-use, encrypted platform.
Lastly, he suggests not opening unfamiliar attachments. He says that even the most sophisticated, high-end attacks often begin with a dangerous email attachment. In our ever-connected world, “It’s an irony of international politics that one of the most powerful tools of statecraft is being able to write a message someone else opens,” he said.
Ciaran Martin, GCHQ’s director general of cybersecurity, told WIRED his top tips.
Accept the inevitable – “You need a playbook ready for how you will react when an incident occurs,” says Martin. “You may not be able to hold off a breach but, by having procedures in place, you can quarantine them, isolate the damage and keep the organisation running.”
Guard your interior – “Perimeter defence is just about raising the barrier for entry into your system so that you’re not an easy target,” Martin asserts. “You need both perimeter defence and active internal monitoring to look for spikes, or unusual patterns of activity.”
Collaborate – “There needs to be information sharing between companies who are normally competitors,” Martin contends. “The financial sector has made great strides because they face a measurable financial threat every day, so they’ve set aside commercial rivalries to pool their data.”
Keep things human – “System administrators are your key vulnerability,” Martin says. “If they’re compromised then systems like encryption offer no further protection.” Yet malicious insider activity is less of a threat than accidental breaches. Make the procedures for everyone simple and accessible to minimize this risk.
The National Cyber Security Centre put together a comprehensive white paper outlining how to respond to and reduce the impact of common cyber attacks. By providing a simple lexicon for the types of actors and attacks involved, their 10 Steps to Cyber Security is an accessible paper for understanding vulnerabilities. The document states, “doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.”
Encryption is essentially the process of turning information into code that prevents snoops, criminals and spies from accessing it. Apps like Signal, WhatsApp, Allo, Duo and Confide are bringing this technology to the masses, but are posing problems for the aims of law enforcement and intelligence services worldwide. What we’re seeing today is an absolutist clash based on ideological binaries. Privacy and security are complicated ideas in the digital age, especially when faced with cases such as Apple vs. FBI in 2016.
After the San Bernardino shootings in December 2015, the encryption debate entered the public arena when the FBI obtained a federal court order for Apple to create code unlocking the iPhone of one of the shooters, in order to obtain information for further investigations. An open letter to Apple from FBI director James Comey argued that they do not desire to “break anyone’s encryption or set a master key loose on the land.” The security features of the iPhone software prevent the FBI from automatically testing passcodes, or using “brute force”, for risk of the device locking them out permanently. For a more technical explanation from a cryptographer, go here.
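The protection the paragraph describes is an attempt counter that escalates: after a few wrong passcodes the device imposes a growing delay, and after a fixed number it erases its keys, so trying every four-digit code is not practical. The sketch below is an added example of that control written from the device’s side; it is not Apple’s code and the delay schedule and erase count are constructed for illustration. It stores only a salted PBKDF2 hash of the passcode, compares in constant time, and takes the clock as a parameter so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os

# Constructed schedule: consecutive failures -> lockout in seconds.
# Failures 1-4 incur no delay; the 10th failure erases the device.
DELAY_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
ERASE_AFTER = 10
PBKDF2_ROUNDS = 100_000


class PasscodeGuard:
    """Passcode check with escalating lockout and erase-on-too-many-failures."""

    def __init__(self, salt: bytes, passcode_hash: bytes):
        self.salt = salt
        self.passcode_hash = passcode_hash
        self.failures = 0        # consecutive wrong attempts
        self.unlock_at = 0.0     # no attempts accepted before this time
        self.erased = False      # keys destroyed; nothing can be unlocked

    @classmethod
    def from_passcode(cls, passcode: str) -> "PasscodeGuard":
        salt = os.urandom(16)
        return cls(salt, cls._derive(passcode, salt))

    @staticmethod
    def _derive(passcode: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)

    def attempt(self, candidate: str, now: float) -> str:
        """Try one passcode at time `now`. Returns 'ok', 'wrong', 'locked' or 'erased'."""
        if self.erased:
            return "erased"
        if now < self.unlock_at:
            return "locked"  # still inside the delay; the attempt is not even evaluated
        if hmac.compare_digest(self._derive(candidate, self.salt), self.passcode_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= ERASE_AFTER:
            self.erased = True
            self.passcode_hash = b""  # keys gone; device must be restored from backup
            return "erased"
        self.unlock_at = now + DELAY_SCHEDULE.get(self.failures, 0)
        return "wrong"

    def seconds_until_unlock(self, now: float) -> float:
        return max(0.0, self.unlock_at - now)


if __name__ == "__main__":
    guard = PasscodeGuard.from_passcode("1234")
    t = 0.0
    for i in range(1, 7):
        print(i, guard.attempt("0000", t), "wait", guard.seconds_until_unlock(t))
        t += guard.seconds_until_unlock(t)
```

Note that the real protection comes from the keys being bound to the hardware: an attempt counter enforced only in software can be bypassed by copying the storage and retrying elsewhere, which is why the iPhone design ties the counter and the key derivation to a component the attacker cannot image.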
However, Apple and the anti-exceptional-access camp worry that customers will lose faith in the security of their products. The risks involved in building ‘back doors’ are varied, but the main arguments arise from economic comparative advantage and the erosion of cybersecurity. For security, it could change the norm of having one-time-use decryption keys, which protects past and future communications. Additionally, it would add system complexity, whereby additional code creates new potential for vulnerability. Lastly, the storage of exceptional access keys by tech companies becomes a target for attack, risking high-volume theft of user data.
The questions posed by the encryption debate are therefore twofold:
Do we desire a world of end-to-end encryption?
Should authorities be able to still intercept decrypted signals while holding up security and privacy objectives?
Creating an internet where surveillance is technically impossible also forms a vast ungoverned space, which is appealing to the techno-anarchist type. Not only would your data be protected from state actors, but also from non-state criminal hackers. However, Benjamin Wittes, a senior fellow at the Brookings Institution, urges one to “consider the comparable argument in physical space: the creation of a city in which authorities are entirely dependent on citizen reporting of bad conduct but have no direct visibility onto what happens on the streets and no ability to conduct search warrants (even with court orders) or to patrol parks or street corners.”
As the encryption-security-privacy saga continues into 2017, more actors and cases will bring this subject to a head. The case of Apple vs. FBI was unique because it involved domestic terrorism, which allowed the FBI to appeal to the public with a sense of urgency. But lawmakers and companies must think of the long-term implications over the immediate gains. James Comey ends his letter by saying: “And in that sober spirit, I also hope all Americans will participate in the long conversation we must have about how to both embrace the technology we love and get the safety we need.” Until then, it is likely we will see the public struggle over encryption play out on an ad-hoc and very partisan basis.
Much of the current excitement about the Internet of Things (IoT) revolves around how we as individuals increasingly embed internet-dependent devices into our lives to make them easier. However, there is a much more prevalent, but lately less discussed, practice of using this same IoT to run our cities. This IoT automates our traffic systems, runs our metros and surveys our streets, bringing us ever closer to the Smart Cities of the future. Unlike an individual’s use of the IoT, though, this does not involve an active choice such as the purchase of an IoT device for a household: the wider public does not have a say in the increasing digitisation of the city.
In the same way that individuals’ increased acceptance of the IoT into their lives involves greater security risks, so too does a city’s use of this technology herald increased risks. You don’t need to look far for examples. Last November the San Francisco Municipal Transportation Agency was hit by ransomware, with the attackers extorting the municipality for the safe return of its rail system. The result of this hack was that riders of the light transit system rode for free. Whilst an economic issue for the San Francisco Municipal Transportation Agency, the hack was generally not threatening for railway users. However, the hacking of Ukraine’s power grid last year provides a more nefarious example of threats to cities. Whilst the identity of the hackers is unclear, the scale of the operation and a simple cui bono explanation would quickly point the finger at the Russian state or at patriotic hackers who have a vested interest in Ukraine’s demise. This attack was able to knock out 30 substations, leaving 230,000 residents without power for close to 6 hours. It is easy to say that this is the result of weak investment in cyber security in Ukraine and a case in point of poor cyber hygiene, but it is worth noting that according to sources for Wired magazine, “the control systems in Ukraine were more secure than some in the US”.
Cities have thought about aspects of this potentiality by ‘air-gapping’ certain IoT systems, or by using an intranet to prevent direct contact with the internet, for example. For their part, the San Francisco Municipal Transportation Agency will wish that they had backup systems NOT connected to the internet. However, with the closing of the gap between what is provided by the public sector and what is provided by the private sector in cities, there is a need to ensure consistent security standards across internet-dependent systems, particularly those that are automated. This can come about through the use of security regulatory agencies, education on good cyber hygiene and regular security audits.
Ultimately, all technological advances present opportunities as well as challenges. Increasing digitisation offers increased efficiency and opportunity in our lives, but it is clear that the challenges in the form of intrusion vulnerabilities must be mitigated. Unlike an individual’s use of the IoT, a city’s increased use of the IoT cannot be managed single-handedly. It requires active engagement by residents and security professionals to bring about not just smart cities but secure cities.