The big news coming out of the G7 meeting in Japan will not be about establishing international norms for cyber-security. That will only get an honorable mention at best. But maybe it should get greater attention: the threat is real and growing.
Consider just these four events of the recent past:
- The electric grid in Ukraine was brought down last Dec. 23 by, it is believed, the Russians. Because of its older design, operators were able to restore power with manual overrides of the computer-controlled system.
- The Hollywood Presbyterian Medical Center in Los Angeles was ransomed. This crime takes place when a hacker encrypts your data and demands a ransom, often in untraceable bitcoin, to unlock it. The hospital paid $17,000 rather than risk patients and its ability to operate.
While these ransom attacks are fairly common, this is the first one believed to have been launched against a hospital. Previously, hospitals had thought patient records and payment details were what hackers would want, not control of the operating systems. Some of the ransoms are as low as $3,000, with the criminals clearly betting that the victims would lose much more by not settling immediately, as did the medical center. The extortionists first asked for $3.6 million.
- In a blockbuster heist on the Internet, the Bangladesh central bank was robbed of $81 million. The crooks were able to authorize the Federal Reserve of New York to release the money held in an account there. They would have got away with another $860 million, if it were not for a typing mistake. In this case, the money was wired to fraudulent accounts in the Philippines and Sri Lanka.
- Target, the giant retailer, lost millions of customer records, including credit card details, to an attack in February 2014. Since then, these attacks on retailers to get data have become common. Hackers sell credit card details on what is known as the “black web” to other criminals for big money.
Often the finger is pointed at China, which will not be at the G7. While it may be a perpetrator, it also has concerns as a victim. There is no reason to think that Chinese commerce is any less vulnerable than that in the West.
China, with the help of the Red Army, is blamed in many attacks, particularly on U.S. government departments. But little is known of attacks Chinese institutions sustain.
Governments want to police the Internet and protect their commerce and citizens, but they are also interested in using it in cyberwar. Additionally, they freely use it in the collection of intelligence and as a tool of war or persuasion. Witness U.S. attempts to impede the operation of the centrifuges in Iran and its acknowledged attacks on the computers of ISIS.
As the Net’s guerilla war intensifies, the U.S. electric utility industry, like those of other countries, is a major source of concern, especially since the Ukraine attack. Scott Aaronson, who heads up the cybersecurity efforts of the Edison Electric Institute, the trade group for private utilities, says the government’s role is essential and that the electric companies work closely with the government in bracing their own cyber defenses.
Still, opinions differ dramatically about the vulnerability of the electric grid.
These contrasting opinions were on view at a meeting in Boston last month, when two of the top experts on cyber-security took opposing views of utility vulnerability. Juliette Kayyem, a former assistant secretary for intergovernmental affairs at the Department of Homeland Security who now teaches emergency management at Harvard’s Kennedy School of Government, said she believed the threat to the electric grid was not severe. But Mourad Debbabi, a professor at Concordia University in Montreal, who also has had a career in private industry, thinks the grid is vulnerable — and that vulnerability goes all the way down to new “smart” meters.
The fact is that the grid is the battleground for what Aaronson calls “asymmetrical war” where the enemy is varied in skill, purpose and location, while the victims are the equivalent of a standing army, vigilant and vulnerable. No amount of government collaboration will stop criminals and rogue non-state players from hacking out of greed, or malice, or just plain hacker adventurism.
Governments have double standards, exempting themselves, when it suits them, from the norms they are trying to institutionalize. Cyber mischief and defending against it are both big businesses, and the existential threat is always there.