Half of the world’s population uses the internet. More than 200 billion emails are sent each day, but very few people understand how they reach their destination. Most of us are afraid of complicated technical language and do not realise the issues at stake. Edward Lucas tackles this ‘cyberphobia’ in his recent book, which made me both more aware and more interested. The internet, invented in 1989, was designed without any governing body, for flexibility and openness, and not for security and reliability.
While we are wise enough not to lock our house with a child’s padlock, we do not show the same judgement online. We may think our online identity is as secure as a locked door, but for an attacker it is wide open.
Lucas brilliantly illustrates the problem: a computer is in fact like a house where you do not know how many doors or windows exist, or how they are secured. The law enforcement authorities do not know either, nor does the architect. Worse, your house is connected to lots of other houses that the intruder can get through. Infection is another analogy: as an immediate victim you may have no idea that you have been infected, and it might not even do you any particular damage, yet it can do great harm to others. Similarly, if you take precautions you protect not only your own computer but everybody else’s too. In addition, people claiming to sell remedies may in fact be trying to harm, not heal. In public health we act swiftly on a pandemic virus outbreak, but online we do not even report it when our computers show symptoms. We tend to judge road transport to be inherently risky, but we worry little about flying. A lone driver can cause an accident in which dozens of people get hurt, and aviation can kill hundreds. But a misused computer can help destroy the lives of countless numbers.
We may think ‘why attack me, I am neither famous nor rich’, but you may be attacked simply because of your proximity to someone else whom the criminals are after. Someone quickly borrowing your phone can easily download a program that will redirect your messages or send them remotely in your name (even outgoing emails can be instantly deleted and emptied from the trash without anyone noticing). Other sources of infection can be USB sticks and ports, routers, Bluetooth and all sorts of ‘Internet of Things’ devices. In 2014 a researcher discovered 7,000 infected thermostats connected to the Internet. Just a few days ago 900,000 German customers had their broadband disconnected due to their routers being hacked.
Attackers online can steal without setting foot in the victim’s country, and compared to burglars in real life they leave few or no traces, so they are rarely prosecuted. Cyber attacks have become a huge and lucrative criminal business. In 2002 I myself figured someone was using my Swedish card details to buy things online in Germany, while I was living in Canada. In 2013 two banks in the Middle East lost 45 million American dollars in a few hours. Stolen identities are a commodity, to be bought and sold, and cyber attacks are being used as weapons of politics and statecraft. We only know how to deal with weapons as long as they are not too small to notice. Stuxnet, an ingenious computer bug developed by the American and Israeli governments and launched in 2010, destroyed many hundreds of Iranian centrifuges used to enrich uranium, setting the Iranian nuclear programme back several years. And at the end of last year state-sponsored Russian hackers caused a power cut in the homes of 80,000 Ukrainians.
We focus a lot on the right to be anonymous and private, and less on the right to identify yourself and know what data others are holding about you. We have no good way of proving who we are, and in the same way it is hard for us to know who we are dealing with. Even if we give our identity details to someone we trust, they may be too careless to store them properly. While identity theft is quite difficult in real life, it is easy online. Since 2011, Iranian attackers had used more than a dozen elaborate fake identities on platforms such as Facebook, Twitter and LinkedIn to trap at least 2,000 victims. Lucas warns that accepting contact requests from people you do not know may help give the makers of invented identities an appearance of legitimacy.
We have created a system in which we expect people to use passwords that are too hard for humans to remember, but which are too easy for computers to guess. In 2012, 6.5 million LinkedIn passwords were leaked; Jeremi Gosney of Stricture Consulting Group broke 1.3 million in thirty seconds and four million within a day. Furthermore, we give away a lot of useful details about ourselves on social networks such as Facebook, which makes it easier to guess a password.
Our anti-virus software and firewalls defend us only against yesterday’s threat, not tomorrow’s, and our dependence on computers is growing faster than our ability to understand them, concludes Lucas. He does, however, offer a few basic pieces of advice on what you can easily do to avoid being such an easy target:
- Firstly, always update your software; out-of-date programs are a gift for attackers.
- Secondly, practise password hygiene and never use the same password on different sites. If you can, use two-step authentication (see Google, for example).
- Thirdly, states should follow the model of Estonia, which has put in place a secure electronic ID system for all its citizens that uses the strongest available encryption.
A final point made by Lucas that lingered with me is that, just as nature aims for diversity (perfectly described in this amazing podcast), we should aim for diversity in our lives, online as well as offline. A monoculture is hard to protect and easy to penetrate.