So what’s it worth to you to prevent world-wide economic collapse, or even a major interruption of essential services, like power or water?
These are not hypothetical questions. Nor will they be caused by the Eurozone disaster, a double-dip recession, the disintegration of institutions deemed “too big to fail,” or government spending run amok.
I am talking about cybergeddon—or the endgame of cyber warfare. A concept well-worn in national security organization conference rooms and the situation rooms of nations around the globe. It is somewhat newer to the front page of The New York Times, which has recently featured several investigative reports regarding Stuxnet and Flame, two potent worms created for international espionage that got loose and went viral.
We all know the hackers are out there. That’s not going to change. The question is this, can we change the dynamic? Or more to the point, can we hire them—a whole lot of them? Simply put, how much should nations pay to build a cyber army (both civilian and military) of “white hat” hackers and talented computer security experts with the skills to out-hack or “out-code” the legions of nation state-sponsored or politically-motivated cyber terrorists sworn to destroy our way of life?
Everywhere we turn, there are reports of public and private sector breaches and compromised data. The SEC requires publicly traded companies disclose data breaches, and especially when intellectual property is stolen. Even when the forces of good arguably get it right, unintended consequences and leaks jeopardize the results.
Stuxnet is just one example. Written by American and Israeli spy agencies to sabotage Iran’s nuclear enrichment facilities, it at least partially succeeded in its mission, The New York Times revealed early this month. Unfortunately, its creators did not account for the possibility that it might escape. It did. In fact, both Stuxnet and Flame escaped. The result is scary: the bad guys have these worms and can use them.
The Stuxnet story became public in 2010 because a programming error enabled it to leap out of its confines and circumnavigate the globe via the Internet.
Two days after the recent Times article, came the report about Flame, another international spy-grade superbug. This one had compromised the Fort Knox of software companies: “Microsoft told customers that the authors of Flame—a highly sophisticated surveillance computer virus discovered on networks in the Middle East and Iran—had figured out how to use Microsoft’s own security system to forge digital security certificates, which then allowed the malicious code to spread undetected by anti-virus programs.”
There are lessons we can draw from these stories. None of them are particularly comforting.
- Hacking and the creation of spying tools that are distributed online are now standard operating procedure for nations large and small. Stuxnet, Flame and the Chinese government’s widely reported collusion with practitioners of corporate espionage, prove that arsenals of powerful cyber weapons exist. This is an arms race where we cannot afford to fall behind. It is being waged in the sanctity of our homes and businesses and bank accounts. The Barbarians are not only at the gate—they are in our computers.
- Hackers are smart, creative and relentless. Given time and resources, they managed to partially shut down a rogue state’s nuclear centrifuges. They’ve also breached the likes of the CIA and the Department of Justice, not to mention thousands of corporations around the globe.
- The code that comprises the hacker arsenal is nearly impossible to control. Even under the best conditions, in a top-secret program run by arguably the world’s best spy agencies, the Stuxnet code leaked to the Internet and nearly caused President Obama to shut the entire operation down.
No one really knows how this story will play out, but the trends all seem to be heading in a pretty scary direction. One thing is clear: The Cold War concept that Mutual Assured Destruction keeps super-power missiles in their silos doesn’t apply here.
I have one recurring nightmare: What if an anti-everything organization (let’s not pick on anyone unnecessarily) managed to create a network of believable hackers and pay them well, and these hackers, the best in the world, were joined together to shut down part or all of our critical infrastructure? There would be an economic meltdown the likes of which has never been seen.
After almost a decade of increasingly sophisticated and large data breaches, hackers are sitting on a huge amount of information about you and me, literally hundreds of millions of records—our names, passwords, contacts, account numbers, and everything else needed to destroy a person’s professional and financial life. They know where we live, and they can drain bank accounts, turn off the lights and max out our credit cards with the tap of a key. And what’s to stop a consortium of like-minded anti-everythings from hitting that key?
Furthermore, some well placed sources have told me that the Department of Homeland Security struggles to recruit talented people who are US citizens and can pass the rigorous background screening required to obtain the appropriate security clearance because historically more bucks and bragging rights are on the side of institutional breaches than in public service (This 2010 study from the Center for Strategic & International Studies elaborates on these struggles). Maybe it’s time to pay so much money that loyalty is assured from non-citizen warriors.
Unlike the China, India, Pakistan, and Eastern European nations, who may at some point be aligned against our interests and where the problem is taken very seriously, according to international standardized test scores, the United States is not making the appropriate investment to encourage our kids to get into the hard sciences, math, engineering and critical thinking academic disciplines which are fundamentally essential to fight this digital war.
If we’re serious about getting the best and the brightest, we must do what it always takes to get the best of the best: educate them, nurture them and pay them top dollar. One friend told me many years ago that you can’t beat Wall Street social irresponsibility; you can only join the club. Right now, our society pays a king’s ransom to the wizards of finance and social networking, but nowhere near enough to the real engineers who are so desperately needed. And without the latter, there will be no need for the former.
Wouldn’t you agree that appropriately educating, nurturing and hiring the world’s best hackers to protect us from those with similar skill sets is at least as important to the world economy as hiring wunderkind lawyers to protect America’s corporations?
There is simply no alternative. How long could the world economic system last without the Internet? Without electricity? Let’s stop screwing around and seriously invest in top hacking talent now, so we never have to find out.
Image: mikael altemark, via Flickr