How hackers could hold the world to ransom
Is the internet a weapon of mass destruction? The announcement yesterday of a cyber attack on a major American pipeline has highlighted the vulnerability of our super-connected world.
There was consternation at the HQ of the giant US energy company. First, there had been mysterious disruptions on its key pipeline; now the reason seemed all too clear: its corporate computer systems had been hit by a ransomware attack. Unless Colonial paid a huge sum of money, said the hackers, they would wreak havoc on its operations. The company decided it must close the pipeline down.
In terms of national infrastructure, the Colonial Pipeline was a major target. Running for 5,500 miles, it carries petrol and jet fuel from Houston, Texas to New York’s harbour and major airports. With a capacity of 2.5 million barrels a day, it accounts for 45% of fuel supplies to America’s East Coast.
How much damage the hackers could do remains unclear. Experts believe that they managed to penetrate Colonial’s administrative system, affecting such things as emails and invoices. But this should be entirely separate from the system controlling the pipeline, so the decision to shut it down was surprising. Colonial will not say whether it is planning to pay a ransom.
The US government is treating the incident as a matter of grave concern, and is expected to introduce measures shortly to improve national infrastructure security. Ageing systems which have been connected to the internet without proper precautions are a particular cause for anxiety.
A nightmare scenario would include hackers paralysing cities by disrupting electricity and water supplies and sending traffic lights haywire. Worse still, they could start a war by gaining control of weapons systems.
But some people think governments have only themselves to blame. A new book by Nicole Perlroth called This Is How They Tell Me the World Ends: The Cyberweapons Arms Race explains why.
The core of the book is an investigation into “zero-days”. These are flaws in computer software or hardware for which there is no patch, and which can be exploited by hackers to infiltrate a system. The name reflects the fact that once the weakness is discovered, the computer company responsible has no time at all to come up with a defence.
Instead of simply trying to solve the problem, Perlroth says, governments came to see the flaws as weapons to use against their enemies. Rather than crack down on the hackers, they paid them to find zero-days that could be exploited. Some of these are valued at millions of dollars.
By 2013, America’s National Security Agency had acquired “a vast library of invisible backdoors” into almost every major app, smartphone, laptop, social-media platform and antivirus defence. But disastrously, in 2017, a group of hackers broke into the library and stole the contents.
The following month, North Korean hackers used these zero-days to demand ransoms from a host of targets including US electric companies, British hospitals, Russian banks and the Japanese police. The cost is estimated at almost $10bn.
Is the internet a weapon of mass destruction?
WWW equals WMD?
Some say, no: it is part of the tapestry of life, like food or water or air. There are even movements to make access to it a fundamental human right. It has enabled unimaginable progress in all kinds of fields, from medicine to astronomy. Vital infrastructure is generally well protected: the Colonial Pipeline case has made headlines precisely because it is so rare.
Others point out that, unlike natural resources, the internet is dominated by a few giant companies, poses direct competition to human intelligence and is vulnerable to takeover by hostile forces. We have become so dependent on it that there is no limit to the damage hackers could do – including poisoning a city’s water supply or launching a nuclear war.
- If you were in charge of the Colonial Pipeline, would you pay the ransom demanded?
- Unlike most criminals, hackers can physically harm others without risking injury. Should they therefore face corporal punishment?
- Imagine that you have been warned of an imminent cyber attack on your school. As a team, make a list of everything it might affect, and decide what you should prioritise in mounting a defence.
- In pairs, interview people you know who were adults before the internet became part of daily life. Write a magazine article about the difference it has made to the world.
Some People Say...
“The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had.” Eric Schmidt (1955 – ), American IT tycoon
What do you think?
Q & A
- What do we know?
- It is generally agreed that it is far too easy for hackers to extort money. There is no law in the US or Britain against paying ransom money, except to named groups such as terrorist organisations. Most large companies have insurance against being hacked, and the insurance companies generally pay up without demur, so there is little incentive to refuse ransom demands. Experts believe that there are far more ransomware cases than ever get reported.
- What do we not know?
- One main area of debate is around whether a foreign government was involved in the Colonial Pipeline hack. Experts believe that it came from Russia, but are not sure whether the Kremlin was behind it or simply a criminal gang. A major attack last year on the American IT company SolarWinds and its customers is thought to have been the work of Russia’s foreign-intelligence service. Russia and the US are both reported to have hacked into each other’s electricity grids.
- Consternation: Anxiety which causes mental confusion. It derives from a Latin verb meaning to throw down.
- Infrastructure: The basic systems and services that a country needs to keep it going, such as electrical grids, roads, railways and sewers.
- Barrels: A barrel of oil is equivalent to 42 US gallons, 35 British gallons or 159 litres.
- Invoices: The bills companies send out to request payment. One theory is that the pipeline was shut down because Colonial could not keep track of what was being delivered to its customers.
- Proper precautions: A briefly successful hack on a water plant in Florida a few weeks ago was blamed on its use of outdated technology.
- Scenario: An imaginary situation. The word was originally Italian and referred to the plot of a stage drama.
- Patch: A change to a computer programme to update it or make it more secure.