The Pew Research Center last week released a report suggesting that cyberattacks in the next 10 years might cause major destruction of human lives and tens of billions of dollars in property damage.
However, the situation might not be as overwhelming as the raw numbers indicate, according to one of the report’s authors, Janna Quitney Anderson, director of the Imagining the Internet Center at Elon University.
In addition to answering “yes” or “no” to the cyberattack question, survey respondents were asked to offer reasons for their answers.
“Some of the people who answered ‘yes’ (six out of 10) and some that answered ‘no’ (four out of 10) in their elaborations said they would have preferred to pick ‘maybe,’” Anderson told the E-Commerce Times.
“Each group also cited reasons why they could be wrong,” she added. “They hedged their bets as people will do, especially when they’re attaching their name to a prediction.”
Bad Tools Better
The report identified a number of themes in the comments from more than 1,600 experts canvassed by Pew. For example, those who predicted a major cyberattack would occur often mentioned how inviting Internet-connected devices were as targets. Tools already exist to mount cyberattacks, they noted, and they’ll be improving over the next decade.
“We’ve seen a huge step up in the number and severity of attacks. It has gone from reasonably unsophisticated attacks in the mid-2000s to extremely sophisticated attacks today,” said Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton & Williams.
Moreover, it’s easier than ever for someone to launch a career in cybercrime.
“You can buy for (US)$59.99 on the Internet a tool that can get you into a system and allow you to suck out tens of millions of credit cards,” she told the E-Commerce Times.
“We do not appear to have this under control,” Sotto added. “The bad guys are extremely well organized, so they can really wreak havoc.”
Another theme among predictors of a major attack was the absence of security when designing Internet applications. However, even if security were given a higher priority, chances are good that flaws would remain to provide openings for hackers.
“You can’t see everything, so you’re going to miss things,” said Patrick Beyer, project manager for the Software Assurance Marketplace.
“Software can be inherently vulnerable,” he told the E-Commerce Times.
One theme threading through the comments gathered for the Pew report is this: Major attacks have already happened. The Stuxnet worm damaged Iran’s nuclear development program, for example, and regimes have been felled by protesters organized using Internet tools.
Those who expected major cyberattacks also pointed to the growing number of attacks against businesses and consumers as a sign that a dire event was on the horizon, and they cited the financial and energy sectors as the most vulnerable.
“Both are dominated by legacy systems, with a limited willingness to make the necessary investments in upgrades and, particularly for utilities, limited technical depth in their staff,” Henning Schulzrinne, Internet Hall of Fame member and a professor at Columbia University, comments in the report.
Experts who believed a cybercatastrophe could be averted reflected common themes, too. While vulnerabilities never will go away, the distributed structure of the Internet will prevent the occurrence of an attack that could cause widespread harm, they maintained.
They also argued that deterrence — the threat that a major attack would be met with a major retaliation — will keep bad actors from staging a catastrophic event. Of course, that assumes you can identify the bad actor behind an attack, something that hasn’t proved reliable in the past.
“Just because something hasn’t happened doesn’t mean deterrence is working,” Jeffrey Carr, CEO of Taia Global, told the E-Commerce Times.
“There is no fear of deterrence if an attacker can’t be identified,” he said. “That doesn’t apply to nation states, but it does apply to the groups most at risk for doing widespread harm — small chaotic actors, and religious and political extremists.”
Another theme among those who believe cybercatastrophes can be averted is that much of the fear generated over cyberattacks comes from people who have the most to gain from that fear.
“Cyberattacks are a boondoggle invented by military-industrial contractors to bilk governments out of billions of dollars,” Mike Caprio, a software engineer with a consulting firm, says in the report. “The infrastructure is not as fragile or attackable as they would claim.”