09/06/2015 | A special report on cyber-security - Defending the digital frontier
The Economist Staff
Companies, markets and countries are increasingly under attack from cyber-criminals, hacktivists and spies. They need to get much better at protecting themselves, says Martin Giles
THE TERM “CYBERSPACE” was coined by William Gibson, a science-fiction writer. He first used it in a short story in 1982, and expanded on it a couple of years later in a novel, “Neuromancer”, whose main character, Henry Dorsett Case, is a troubled computer hacker and drug addict. In the book Mr Gibson describes cyberspace as “a consensual hallucination experienced daily by billions of legitimate operators” and “a graphic representation of data abstracted from the banks of every computer in the human system.”
His literary creation turned out to be remarkably prescient. Cyberspace has become shorthand for the computing devices, networks, fibre-optic cables, wireless links and other infrastructure that bring the internet to billions of people around the world. The myriad connections forged by these technologies have brought tremendous benefits to everyone who uses the web to tap into humanity’s collective store of knowledge every day.
But there is a darker side to this extraordinary invention. Data breaches are becoming ever bigger and more common. Last year over 800m records were lost, mainly through such attacks (see chart 1). Among the most prominent recent victims has been Target, whose chief executive, Gregg Steinhafel, stood down from his job in May, a few months after the giant American retailer revealed that online intruders had stolen millions of digital records about its customers, including credit- and debit-card details. Other well-known firms such as Adobe, a tech company, and eBay, an online marketplace, have also been hit.
The potential damage, though, extends well beyond such commercial incursions. Wider concerns have been raised by the revelations made by Edward Snowden, a contractor to America’s National Security Agency (NSA), about the mass surveillance carried out by Western intelligence agencies, as well as by the growing numbers of cyber-warriors being recruited by countries that see cyberspace as a new domain of warfare. America’s president, Barack Obama, said in a White House press release earlier this year that cyberthreats “pose one of the gravest national-security dangers” the country is facing.
Securing cyberspace is hard because the architecture of the internet was designed to promote connectivity, not security. Its founders focused on getting it to work and did not worry much about threats because the network was affiliated with America’s military. As hackers turned up, layers of security, from antivirus programs to firewalls, were added to try to keep them at bay. Gartner, a research firm, reckons that last year organisations around the globe spent $67 billion on information security.
On the whole, these defences have worked reasonably well. For all the talk about the risk of a “cyber 9/11” or a “cybergeddon”, the internet has proved remarkably resilient. Hundreds of millions of people turn on their computers every day and bank online, shop at virtual stores, swap gossip and photos with their friends on social networks and send all kinds of sensitive data over the web without ill effect. Companies and governments are shifting ever more services online.
But the task is becoming harder. Cyber-security, which involves protecting both data and people, is facing multiple threats, notably cybercrime and online industrial espionage, both of which are growing rapidly. A recent estimate by the Centre for Strategic and International Studies (CSIS), a think-tank, puts the annual global cost of digital crime and intellectual-property theft at $445 billion—a sum roughly equivalent to the GDP of a smallish rich European country such as Austria.
To add to the worries, there is also the risk of cyber-sabotage. Terrorists or agents of hostile powers could mount attacks on companies and systems that control vital parts of an economy, including power stations, electrical grids and communications networks. Such attacks are hard to pull off, but not impossible. One precedent is the destruction in 2010 of centrifuges at a nuclear facility in Iran by a computer program known as Stuxnet, the handiwork of American and Israeli software experts.
In another high-profile sabotage incident, in 2012, a computer virus known as Shamoon wiped the hard drives of tens of thousands of computers at Saudi Aramco, a Saudi Arabian oil and natural-gas giant, and left a picture of a burning American flag on the screens of the stricken devices. The assault is widely thought to have been carried out by Iran.
Look for the crooks and spooks
But such events are rare. The biggest day-to-day threats faced by companies and government agencies come from crooks and spooks hoping to steal financial data and trade secrets, so this special report will focus mainly on cybercrime and cyber-espionage. Smarter, better-organised hackers are making life tougher for the cyber-defenders, but the report will argue that even so a number of things can be done to keep everyone safer than they are now.
One is to ensure that organisations get the basics of cyber-security right. All too often breaches are caused by simple blunders, such as failing to separate systems containing sensitive data from those that do not need access to them. Companies also need to get better at anticipating where attacks may be coming from and at adapting their defences swiftly in response to new threats. Technology can help, as can industry initiatives that allow firms to share intelligence about risks with each other.
This report will also argue that there is a need to provide incentives to improve cyber-security, be they carrots or sticks. One idea is to encourage internet-service providers (ISPs), or the companies that manage internet connections, to shoulder more responsibility for identifying and helping to clean up computers infected with malicious software (malware). Another is to find ways to ensure that software developers produce code with fewer flaws in it so that hackers have fewer security holes to exploit.
An additional reason for getting tech companies to give a higher priority to security is that cyberspace is about to undergo another massive change. Over the next few years billions of new devices, from cars to household appliances and medical equipment, will be fitted with tiny computers that connect them to the web and make them more useful. Dubbed “the internet of things”, this is already making it possible, for example, to control home appliances using smartphone apps and to monitor medical devices remotely.
But unless these systems have adequate security protection, the internet of things could easily become the internet of new things to be hacked. Plenty of people are eager to take advantage of any weaknesses they may spot. Hacking used to be about geeky college kids tapping away in their bedrooms to annoy their elders. It has grown up with a vengeance.