The director of the FBI compares this moment to 9/11: A time of reckoning about a threat that’s increasingly proven its ability to destabilize society.
He’s referring to cyberattacks.
Recent digital ransom attacks have accelerated an acknowledgment in Washington that the current trajectory is untenable.
That’s after meat plants were shuttered temporarily including in Canada this week; after cars lined up at empty U.S. gas stations when a major pipeline was hacked.
A hacker recently tampered with chemical levels at a water-treatment plant in Florida. Nuclear and other power facilities, voting systems, political parties, hospitals and governments have all been compromised.
“This is our new normal,” said Nicole Perlroth, a cybersecurity reporter at The New York Times and author of a new book on the history of cyberattacks.
Unless governments start taking the threat more seriously, she said in an interview: “This is only going to keep happening.”
The issue appears on the U.S. political agenda now.
U.S. lawmakers next week will grill the CEO of Colonial Pipeline, the company at the centre of a recent cyber attack, at two separate hearings in the House and Senate. The Justice Department has labelled the threat as on par with terrorism.
U.S. President Joe Biden intends to raise hacking in his first meeting with Russian President Vladimir Putin later this month.
The Biden administration is also reportedly mulling cyberattacks of its own against Russians, enraged at ransomware attacks from that country.
Yet Americans must weigh such attack plans against the reality that in a tit-for-tat exchange, their highly connected nation is as exposed as any on Earth and filled with potential targets for reprisal.
Meanwhile international talks are inching along at the United Nations toward a so-called digital Geneva Convention — a global pact on what cybercrimes must be off-limits.
That effort remains a long way off and human rights groups are wary of the Russian-led initiative, fearing authoritarian governments might use it to crack down on political dissent.
Perlroth’s new book, This Is How They Tell Me The World Ends, explores two key questions: How did we get here? And where do we go next?
How a market was born
It begins with programmers in the 1990s who hacked as a hobby, probing software for security flaws and trying to alert companies.
They were treated as a nuisance or worse by companies like Microsoft that resented their products being picked apart.
Eventually, an entrepreneurial Texan had an insight: Why not monetize this work?
John Watters bought a cash-strapped tech company and began paying hackers for what they discovered in the early 2000s, then published their findings in security reports he sold to corporate clients.
A market was born.
It involved a brand new commodity, the discovery and sale of so-called zero-days — software flaws that allow intruders to inflict damage with zero warning.
Intelligence agencies came calling. Perlroth writes that deep-pocketed buyers affiliated with the U.S. government transformed the market.
Zero-days Watters once bought for $400 were suddenly going for $150,000 to U.S. government contractors; employees at the National Security Agency were quitting government jobs and doubling their annual salary by selling just one hack.
WATCH | The rising cost of a ransomware attack:
The power of military cyberweapons came to public light in a 2010 attack on an Iranian uranium plant that slowed Iran’s nuclear program.
Foreign states and criminal gangs awoke to the possibilities of stockpiling zero-days. Unknown buyers were now offering hackers multimillion-dollar paydays.
‘This would only end badly’
Perlroth’s book describes a hacking conference in Vancouver a decade ago where one NSA veteran scanned a room filled with attendees from all over the world and shook his head, realizing that the United States was about to lose control of weapons it helped create.
“This, the man told himself, would only end badly,” she writes.
Catastrophe struck a few years later, in the aftermath of the public revelations by Edward Snowden of the NSA’s programs.
Suspected Russian hackers dumped online the NSA’s stockpile of zero-days, which have since been used around the world in countless criminal attacks.
The 2017 WannaCry attack, for example, using the NSA’s tools knocked hundreds of thousands of computers offline.
Criminals demanded ransom payments and disrupted hospitals in Britain, numerous government offices and companies in 150 countries, in sectors including automobiles, rail, and package-delivery.
The economic damage from cyberattacks had already far surpassed the economic toll of terrorism, Perlroth writes.
A 2018 paper from the Rand Corporation think-tank estimated cyberattacks had already cost the global economy trillions of dollars.
Fuming at Moscow
U.S. officials fume that Russia has given cybercriminals carte blanche to operate on its soil, even using them as allies against the West.
Putin has compared Russian hackers to talented artists.
Perlroth’s book says Putin laid down two rules for Russia’s hackers: First, no attacks against Russians, and second, when the Kremlin asks for a favour, do it.
WATCH | Cyberattack targets major U.S. pipeline:
An official who led cybersecurity operations for the Obama White House said in an interview that he recalls one ground-shifting moment in 2014.
It occurred even before attacks on the U.S. election, which the Mueller report blamed on the Russian government.
As U.S.-Russia tensions escalated after the invasion of Ukraine in 2014, American officials found Russian hackers in numerous federal networks, says Michael Daniel.
An unusual thing happened when American IT kicked them off the networks: Instead of hiding their tracks and disappearing, they kept popping up.
“They came back. And they contested control of the network,” says Daniel, now president and CEO of the Cyber Threat Alliance, who was the White House cybersecurity coordinator from 2012 to 2017.
“[They] were willing to be upfront and brazen in a way we had not seen before. And that was very much a signal that I think that things had changed.”
So what now?
A recent U.S. ambassador to Russia, Michael McFaul, says don’t expect much from the Putin-Biden summit on June 16. He says the Russian leader has no interest in better relations with the West.
On the domestic front, Biden issued executive orders this month aimed at upping America’s cybersecurity game.
One on May 12 calls for changes in federal contracting so that companies doing business with the U.S. government abide by stricter security protocols like two-factor authentication, use cloud storage, and keep records for every login.
WATCH | Concerns hackers are trying to disrupt COVID-19 vaccine supply chain:
It also created a digital equivalent of the National Transportation Safety Board: as the NTSB investigates plane crashes, the new Cyber Safety Review Board would review computer incidents.
Cryptocurrency is another concern.
Multimillion-dollar ransoms are being paid in digital currencies not subject to the same identity disclosure and money-laundering requirements as standard financial transactions.
Perlroth says she’s frustrated that people are slow to run software updates. After the NSA weapons were unleashed in 2017, for example, software companies released updates; she says too many people failed to download the patches.
She wants the U.S. Congress to pass new laws making cyber-hygiene a requirement for companies.
What’s causing sleepless nights
She also urges more funding for research like the Pentagon-supported program studying the design of new microchips that stop suspicious code from spreading.
Her book says covering cyberwarfare has caused her numerous sleepless nights. Asked what sort of attack keeps her awake, she says it’s not just one thing, like signs of hacking into voting systems and computers at nuclear plants.
At the very moment she sat for an interview with CBC News last week, she saw a headline pop up about a ransomware attack on the Nantucket Ferry.
Instead of a digital Pearl Harbor attack, she says, we’re witnessing a slow-rolling plague: theft of intellectual property, public agencies paralyzed, infrastructure, even democracies, more vulnerable.
“What else is left?” she said.