Gatwick Airport is Britain’s second busiest by passenger volume, and Europe’s eighth. And yet it was brought to a standstill for two days by two people and a single drone.
Its vulnerability reminded me of a conversation I had two years ago, at the Web Summit conference in Lisbon with cybersecurity investor Sergey Gribov of Flint Capital. He was talking up one of his investments, an industrial cybersecurity firm based in Israel called CyberX. Half-bored, I girded myself for his pitch. They usually go like this: “The internet is full of hackers! They want to steal your data and your money! If only companies used my company’s awesome product, we would all be safe!”
- The West’s biggest security weakness is in the old electronics and sensors that control processes in infrastructure and industry.
- It’s not that hard to take an entire country’s internet offline – it has already happened at least twice.
- Hackers used to be most interested in stealing your credit card data. Now they’re looking to hobble major infrastructure like ports, power grids, and cities.
- “The problem people don’t realise is it becomes a weapon of mass destruction. You can take down a whole country. It can be done,” a source tells.
I have heard hundreds of pitches like this.
But my conversation with Gribov was different. It was … extreme. The criminals who break into the web sites of banks or chainstores and steal personal data or money are not the scariest people out there, he told me. The hackers we really ought to be worrying about are the ones trying take entire countries offline. People who are trying to take down the internet, switch the lights off, cut the water supply, disable railways, or blow up factories.
The West’s weakness is in the older electronics and sensors that control processes in infrastructure and industry. Often these electronics were installed decades ago. The security systems controlling them are ancient or non-existent. If a hacker can gain control of a temperature sensor in a factory, he – they’re usually men – can blow the place up, or set it on fire. “The problem people don’t realise is it becomes a weapon of mass destruction. You can take down a whole country. It can be done,” he said.
And then, how do you respond? Does the country that was attacked – the one struggling to get its power grid back online – launch nukes? Probably not, he said, because “you have no idea who did it.”
“You can have a team of five people sitting in a basement and be just as devastating as WMDs,” he said. “It’s really scary. In some sense it’s a matter of time because it’s really easy.”
At the time, I discounted my conversation with Gribov. His VC fund was invested in CyberX, so he had an obvious interest in propagating the idea that the world is full of bad guys.
But in the years since we talked, two unnerving things happened.
- In December 2017, three men pleaded guilty to causing the largest internet outage in history – a distributed “denial of service” attack that blacked out the web across most of the US and large chunks of Northern Europe for about 12 hours. They had disabled Dyn, a company that provides Domain Name System (DNS) services – the web’s directory of addresses, basically – to much of the internet.
- And then, in April 2018, the African country of Mauritania was taken offline for two days when someone cut the single undersea cable that serves its internet.
“Someone is learning how to take down the Internet,” Bruce Schneier, the CTO of IBM Resilient believes
Both attacks were conducted by relatively unsophisticated actors. The Dyn attack was done by three young men who had created some software that they merely hoped would disable a competitor’s company, until it got out of control. The Mauritania attack was probably done by the government of neighbouring Sierra Leone, which was trying to manipulate local election results by crippling the media.
Apparently, it is possible to take the world offline.
It’s not merely that “someone” out there is trying to figure out how to take down the internet. There are multiple someones out there who want that power. In June 2018,Atlanta’s city government was hobbled by an attack that wiped out a third of its software programs. The FBI told earlier this year that it believed terrorists would eventually attempt to take America’s 911 emergency system offline.
“Someone is learning how to take down the Internet,” Bruce Schneier, the CTO of IBM Resilient believes.
Three major power suppliers simultaneously taken over by hackers
Next, I talked to Nir Giller, cofounder and CTO of CyberX. He pointed me to the December 2015 blackout in Ukraine, in which three major power suppliers were simultaneously taken over by hackers. The hackers gained remote control of the stations’ dashboards, and manually switched off about 60 substations, leaving 230,000 Ukrainians in the cold and dark for six straight hours.
The hack was almost certainly done by Russia, whose military had invaded Crimea in the south of the country in 2014.
“It’s a new weapon,” Giller says. “It wasn’t an accident. It was a sophisticated, well-coordinated attack.”
The fact that the hackers targeted a power station was telling. The biggest vulnerabilities in Western infrastructure are older facilities, Giller believes. Factories, energy plants, and water companies all operate using machinery that is often very old. New devices and software are installed alongside the older machinery, often to control or monitor it. This is what the industrial “internet of things” looks like. Hackers don’t need to control an entire plant, the way they did in Ukraine. They only need to control an individual censor on a single machine. “In the best-case scenario you have to get rid of a batch” of product, Giller says. “In the worst case, it’s medicine that is not supervised or produced correctly.”
CyberX has done work for the Carlsbad Desalination Plant in California. It claims to be the largest seawater desalination plant in the US. And it serves an area prone to annual droughts. Giller declined to say exactly how CyberX protects the plant but the implication of the company’s work is clear – before CyberX showed up, it was pretty easy to shut down the water supply to about 400,000 people in San Diego.
2010 was the year that cybersecurity experts really woke up to the idea that you could take down infrastructure, not just individual companies or web sites. That was the year the Stuxnet virus was deployed to take down the Iranian nuclear program.
“Stuxnet in 2010 was groundbreaking”
The principle behind Stuxnet was simple: Like all software viruses, it copied and sent itself to as many computers running Microsoft Windows as it possibly could, invisibly infecting hundreds of thousands of operating systems worldwide. Once installed, Stuxnet looked for Siemens Step7 industrial software. If it found some, Stuxnet then asked itself a question: “Is this software operating a centrifuge that spins at the exact frequency of an Iranian nuclear power plant that is enriching uranium to create nuclear weapons?” If the answer was “yes,” Stuxnet changed the data coming from the centrifuges, giving their operators false information. The centrifuges stopped working properly. And one-fifth of the Iranian nuclear program’s enrichment facilities were ruined.
“Stuxnet in 2010 was groundbreaking,” Giller says.
Groundbreaking, but extremely sophisticated. Some experts believe that the designers of Stuxnet would need access to Microsoft’s original source code – something that only a government like the US or Israel could command.
Russia is another state actor that is growing its anti-infrastructure resources. In April 2017 the US FBI and the British security services warned that Russia had seeded UK wifi routers – the little boxes that serve wireless internet in your living room – with a hack that can read all the internet traffic going through them. It’s not that Vladimir Putin wants to see what you’re looking at on Pornhub. Rather, “What they’re doing there is building capability,” says Andrew Tsonchev, the director of technology at Darktrace Industrial, a London-based cybersecurity firm that specialises in artificially intelligent, proactive security. “They’re building that and investing in that so they can launch attacks from it across the world if and when they need to.”
A simple extortion device disabled Britain’s largest employer in an afternoon
Then, in 2017, the Wannacry virus attack happened. Like Stuxnet, Wannacry also spread itself through the Microsoft Windows ecosystem. Once activated, it locked up a user’s computer and demanded a ransom in bitcoin if the user wanted their data back. It was intended as a way to extort money from people at scale. The Wannacry malware was too successful, however. It affected so many computers at once that it drew attention to itself, and was quickly disabled by a security researcher (who ironically was later accused of being the creator of yet another type of malware).
During its brief life, Wannacry became most infamous for disabling hundreds of computers used by Britain’s National Health Service, and was at one point serious threat to the UK’s ability to deliver healthcare in some hospitals.
The fact that a simple extortion device could disable Britain’s largest employer in an afternoon did not go unnoticed. Previously, something like Stuxnet needed the sophistication of a nation-state. But Wannacry looked like something you could create in your bedroom.
Tsonchev told that Wannacry changed the culture among serious black-hat hackers.
“It managed to swoop across, and burn down huge sectors in different countries for a bit,” he says. “In the course of that, the shipping industry got hit. We had people like Maersk, and other shipping terminals and operators, they went down for a day or two. What happened is the ransomware managed to get into these port terminals and the harbours that control shipping … that intrigued attackers to realise to realise that was something they could deliberately try and do that wasn’t really in their playbook at that point.”
“Oh look, we can actually start to do things like take down manufacturing plants and affect the global shipping industry”
“So this year, we see follow-on attacks specifically targeting shipping terminals and ports. They hit the Port of Barcelona and the Port of San Diego and others. That seemed to follow the methodology of the lessons learned the previous year. ‘Oh look, we can actually start to do things like take down manufacturing plants and affect the global shipping industry.’ A couple years ago they were just thinking about stealing credit card data.”
Another scary thing? The Wannacry attack was in May 2017. By December 2017, the US government confirmed that the North Korean government was responsible for the attack. The North Koreans probably just wanted money. The hermit-communist state is chronically poor.
But it may have taught North Korea something more useful: You don’t need bombs to bring a nation to its knees.
Oddly, you have a role to play in making sure this doesn’t happen. The reason Russia and North Korea and Israel and the US all got such devastating results in their attacks on foreign infrastructure is because ordinary people are bad at updating the security software on their personal computers. People let their security software get old and vulnerable, and then weeks later they’re hosting Stuxnet or Wannacry or Russia’s wifi listening posts.
National security is, somehow, about “the absurdity of the mundane,” says Tsonchev. “These little annoying popups [on your computer] are actually holding the key to national security and people are just ignoring them. Individuals have a small part to play in keeping the whole country safe.”
So if you’re casting about for a New Year’s resolution right now, consider this one: Resolve to keep your phone and laptop up to date with system security software. Your country needs you.