State-sponsored cyberwarriors are infiltrating nuclear power plants. Hacking gangs are breaking into ATMs. Sickos are hijacking baby monitors, just to freak out parents. Has the Internet ever seemed scarier? Maybe not, but wait. Yes, elite professionals are finding ingenious ways to gain entry to government, industrial and financial networks. And it’s true that careless users can expose themselves to garden-variety thieves (as some people forget to lock their cars). But in the vast middle, where people rely on the security of bank accounts, credit cards and e-mail, the good guys actually have the upper hand.
In April, Web denizens went into a panic after security researchers discovered Heartbleed, a software flaw that left passwords and other personal information on websites exposed. The actual damage? Only a little that anybody could document. The number of websites affected was 500,000, not the hundreds of millions that researchers estimated. Big Web properties like Google and Facebook fixed the flaw before the public knew about it. In May, Target pushed out its chief executive officer, Gregg Steinhafel, amid revelations the retailer ignored warnings that could have prevented the theft of 40 million payment-card numbers. Mostly, though, the numbers were useless to the thieves because the PIN codes were encrypted and banks swiftly canceled most compromised accounts. Beyond the Target breach, most stolen cards are canceled before they can be used or are flagged by fraud-detection algorithms that stop unauthorized sales. The U.S. relationship with China is still reeling from the U.S. indictment of five Chinese military officials on charges that they hacked into U.S. companies and stole trade secrets. A crucial detail was omitted from the court papers: The FBI was watching every keystroke and was in a position to block cybersabotage. Experts issued stern warnings of more mayhem to come after a security company reported in June that cyber-attackers had disrupted a hedge fund’s high-speed trading network and stolen its data. On closer inspection? The attack never happened.
The first famous hacker was Robert Tappan Morris, the son of a National Security Agency computer scientist, who in 1988 unleashed an Internet attack that crashed thousands of computers. He said a research project got out of control. More than 20 years later, a computer worm called Stuxnet disabled almost 1,000 centrifuges at an Iranian nuclear facility. It was traced to U.S. and Israeli intelligence. Now hackers and the governments that hunt them buy programming code on the same global black markets. Talented hackers can make hundreds of thousands of dollars or more selling a single, well-crafted attack program. Still, breaches like Stuxnet are beyond the capacity of all but the most elite specialty hacker, usually state-sponsored, and the vast majority of threats can be blocked.
With the security industry bigger than ever and venture capital flowing in, technology has been developed to stop low- and medium-level threats. It can’t do much to neutralize inattentive people who use rudimentary passwords easy for hackers to steal. Symantec, the world’s biggest cybersecurity company, recently acknowledged something that security professionals have known for years: Its antivirus software no longer stops the most advanced attacks. Still, plenty of other technology works. One of Target’s security vendors alerted the company to the presence of hackers on its network before they were able to abscond with the stolen payment-card numbers. (It was the humans who failed.) Banks can reverse or block fraudulent charges instantly so consumers can keep spending. PIN codes are now so hard to steal that cybergangs employ Hollywood-style stunts to install special chips and software inside ATMs. So what is the current state of cybersecurity? It’s both the worst it’s ever been — and the best it’s ever been.