Cyber security: beware of the future

28-04-2023 | News

Dealing with the new reality of cybercrime will become even more complex as the next big digital advances related to AI develop.

by Thomas P. Vartanian


Public officials in the US and UK were recently elated when they recorded a 15% reduction in ransomware attacks. Ironically, while both governments issued press releases and boasted of their achievements, a global ransomware blitz by a group of Russian and Chinese hackers was underway. The attacks infected around 5,000 victims in Europe and the United States with ransomware, proving that in the fight against cyberterrorism, reality is two steps forward and one step back.

A few years ago, the CEO of a major financial institution called me after his company suffered an online attack. When I showed up at his office, customer data was probably already circulating on the dark web. As legal counsel to the company, I had to determine not only what happened, but also what we could tell regulators and clients, and when. It was thought that access to the company's servers had been gained through an external service provider. In interviewing this vendor, we learned that it had obtained the hardware and software from third parties who had relied on still other parties (some in foreign countries), many of which showed at best a modest sense of responsibility for what had happened.

At that moment I began to understand the fallacy of an Internet that was not built to protect all the data and values on the planet, and I also realized how difficult it is to assign accountability for breaches, especially considering the number of those involved in the chain and the mistakes that man inevitably makes in the process.

The frequency of serious breaches involving ransomware and cyberattacks on a plethora of public agencies and private companies continues unabated, and raises a fundamental question for business executives: how do we face a virtual future that may contain more threats than profits?

The threats are numerous. In the United States, the computers in one out of every three homes have been infected with malicious software and the personal information of 47% of American adults has been exposed to cybercriminals. Perhaps no statistic speaks louder than the government's stated conclusion that 600,000 Facebook accounts are hacked every day in the United States. We must expect these numbers to continue and even increase. Who will pay for this?

The Biden administration's National Cybersecurity Strategy, released March 2, 2023, seeks to answer that question. In part, it proposes that the way to overcome the Internet's structural deficiencies is to "run faster": essentially, to get ahead of cybercriminals and enforce greater public involvement in cyber regulation. This didn't work and it won't work. It also proposes imposing tougher liability penalties on the private sector for breaches, in order to alter the economic incentives that reward being first and hardly penalize those who chase profits and ignore safety standards. Even if this liability is initially imposed on software vendors, it will no doubt carry over to intermediate companies and end users. Of this we can be sure.

Dealing with this new world of cyber threats will become even more complex as the next big digital advances develop. For example, 100 million users downloaded ChatGPT in just two months to write essays, do research and satisfy their curiosity, without understanding the risks involved. 5G technologies will create ubiquitous human-to-human, machine-to-machine, and human-to-machine connectivity that will enable the creation of a seamless Internet of Things (IoT). The IoT will connect people, pets, household appliances and industrial instruments, making them more capable of operating, communicating, recording, monitoring, regulating and interacting with minimal human intervention. The commercial efficiency of these new tools will be enormous, but so will the risks. Connecting products, people, wearable transmitters and machines will create new and larger databases that can be stored, analysed, used and abused. Anything connected can be hacked, and everything will be connected.

And then there's quantum computing, which threatens to make the current technology we use to protect data and money obsolete. Computer scientists estimate that the 2,048-bit RSA encryption most users currently use to protect data could take today's supercomputers 300 trillion years to crack. By comparison, 4,099-qubit computers of the near future will be able to crack the same code in 10 seconds. Industry experts plan to develop a quantum computer with 1,000 qubits in the next few years, taking us even further down the road of better protecting or further dismantling every digital security system in existence today. Whether quantum computing is ultimately going to be a threat or a clear improvement to the human condition will depend on who gets there first and what they do with it. Not surprisingly, China has plans to get there first and is rapidly outpacing US spending and efforts.

Finally, there is the metaverse, the next generation of the Internet that will raise the stakes and difficulty of ensuring the safety of the online environment, further blurring the line between human and machine consciousness.

Governments cannot solve the Internet security problem on their own, and companies are unlikely to do so until the economic damage of ignoring security aspects outweighs the profits they can make. There are no miracle solutions beyond restructuring the Internet to rely more on new secure private networks, especially for the operation of critical infrastructure. This will require businesses, governments and users in democratic countries to work together to transform the Internet into networks that rely on authenticating people rather than IP addresses, enforcing strict rules of online behavior, and maintaining cyber (human or mechanical) to enforce them.

It will not be an easy or popular task, but the alternative of cyber chaos and the potential disappearance of energy, money and health services is clearly unacceptable. A new Internet will also require a new form of oversight, rather than the "cops and robbers" style we've had hitherto. This new wave of regulation will require a more decentralized and collegiate form of oversight, where the public and private sectors work together to share data and build policy consensus. All of this will take time and strong leaders to accomplish. At the moment it doesn't look like we have much of either.

Thomas P. Vartanian is the author of The Unhackable Internet: How Rebuilding Cyberspace Can Create Real Security and Prevent Financial Collapse. A former federal banking regulator, consultant and academic, he is currently the executive director of the Financial Technology & Cybersecurity Center.
