Technology researchers estimate that anywhere from 25-50 billion devices, or more than three for every person on the planet, will be connected to the internet by the end of 2020.
And as the internet of things grows, so does the number of threat actors bent on exploiting its ubiquity.
Hackers’ attacks are becoming more sophisticated and targeted as they gain confidence and learn to exploit the many mistakes people make every day in protecting — or rather, failing to protect — their information.
Cyber warfare is uniquely dangerous in that it gives enormous power to nation-states, hacktivists and malicious non-state actors who would normally pose little or no threat to their adversaries. As a result, we are witnessing a new arms race for cyber offensive (and defensive) capabilities.
These capabilities can be stolen or reverse-engineered, however, after they are developed and released into the wild.
“What is a great cyber intelligence tool today is tomorrow’s exploit,” Ray Boisvert, former Director General of the Counter Terrorism program for the Canadian Security Intelligence Service (CSIS), told the highly technical Infiltrate hacking conference in April.
He highlighted Stuxnet, an incredibly powerful computer virus created by the NSA and Israel that Tehran successfully reverse-engineered before turning it into their own cyber-weapon to destroy the servers of Saudi Arabia’s national oil and natural gas company.
Boisvert, who is now a senior associate specializing in cyber and insider threats at Hill+Knowlton Strategies Canada, outlined to Business Insider four major ways that advancements in internet technology could threaten national security.
Cyber advancements allow for asymmetrical warfare
America’s unrivalled military prowess is in danger of becoming irrelevant as foreign actors continue to develop and leverage their technological capabilities to disrupt and destroy critical infrastructure — all from halfway across the world.
“Cyber warfare doesn’t require a significant number of troops or a superior set of bombs,” cybersecurity expert David Kennedy, founder of the security consulting firm TrustedSec, told Business Insider. “Iran was the first to capitalise on that.”
Iran is building its cyber warfare capabilities faster than experts “would have ever imagined.” Attacks by Iranian hackers have targeted the military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals and aerospace industries, among others, and have taken place at over 50 companies in 16 countries — 10 of which have been in the US.
North Korea’s hack of Sony Pictures in December was unprecedented in both size and scope, downing Sony’s system and releasing upwards of 11 terabytes of internal company data. And the State Department is still struggling to purge Russian hackers from its system 6 months after suffering its “worst ever” attack.
Cyber warfare is being incorporated into the military doctrines of nation-states
“In 10 years time, Iran’s cyber capabilities will be more troubling than its nuclear program,” geopolitical expert Ian Bremmer, president of the Eurasia group, tweeted last month.
Iranian President Hassan Rouhani has increased the government’s cybersecurity spending 12-fold since taking office, giving the Islamic Revolutionary Guard Corps (IRGC) an annual cybersecurity budget of roughly $US19.8 million.
China recently increased its cyber warfare spending by 20-30% in what experts say is a major attempt to compete with superior US military cyber capabilities.
“They [the Chinese] have previously devoted substantial resources to cyber espionage and theft,” cyber security expert and former Department of Homeland Security policymaker Paul Rosenzweig told the Free Beacon. “China’s vision of combined operations, with cyber as a strong component of its capability, will significantly challenge American freedom of action in the Pacific.”
And Russia is reportedly building its own cyber command, which “will be responsible for conduction offensive cyber activities, including propaganda operations and inserting malware into enemy command and control systems,” according to a report delivered to the Senate in March by US director of national intelligence, James Clapper.
Boisvert mentioned the 2010 hack of Nasdaq, when Russian-backed hackers inserted malware that could destroy the system from the inside.
“In early January , the NSA presented its conclusions to top national security officials: Elite Russian hackers had breached the stock exchange and inserted a digital bomb,” Michael Riley of Bloomberg Business reported in 2014.
Identity theft is becoming more widespread
The frequency of identity theft has increased dramatically, according to a report released last year by the National Security Agency, and cost Americans $US10 billion more than burglary, car theft, and property theft combined in 2012.
Threat actors ranging from hacktivists to nation-states participate in identity theft, often to ruin an individual’s or company’s reputation, finances, or legal standing.
When it comes to finding security holes in a company’s information system, people hired to hack into a company’s systems start with what is often the biggest and clearest vulnerability — its employees.
At Infiltrate, a professional penetration tester for a major company in Silicon Valley told Business Insider that the easiest way to infiltrate a client’s system is to bait an employee into clicking on an infected link in a seemingly innocuous email.
From there, the hacker for hire can acquire the employee’s username, passwords, and other sensitive information — which can lead a hacker into the company’s system.
This tactic, known as “phishing,” can be executed by unskilled scammers. When executed by a professional, however, phishing becomes a highly targeted tool.
Hackers may begin to target SCADA systems
Last November, the US Department of Homeland Security discovered that SCADA systems controlling various industrial processes (such as the power grid and oil and gas pipelines) had been attacked by Russian hackers using BlackEnergy malware, ABC reported.
It was not the first time hackers tried to cripple vital US infrastructure — in 2012, Schnieder Electric’s SCADA system was reportedly hacked by the Chinese.
SCADA (supervisory control and data acquisition) is a type of industrial control system that monitors and controls key infrastructure in the US and around the world. Processes controlled by SCADA include water treatment and distribution, electricity, heating, and, perhaps most worryingly, aeroplanes and trains.
Boisvert told Infiltrate he was initially concerned that a deadly July 2013 train crash in Spain was caused by a hacker (it turned out to be human error).
Nevertheless, his point remains: As transport systems become more hi-tech, they will also become more vulnerable to attack.
When the UK announced early last month that a new hi-tech rail traffic system would soon control all of Britain’s trains, experts worried aloud whether the system could potentially be hacked to cause a serious crash.
“We know that the risk [of a cyber-attack] will increase as we continue to roll out digital technology across the network,” a spokesman for Network Rail told the BBC.
And some cybersecurity experts fear that hackers aboard an aircraft could bring down the plane using the on-board Wi-Fi many commercial jets now offer to passengers.
“Modern aircraft are increasingly connected to the internet. This interconnectedness can potentially provide unauthorised remote access to aircraft avionics systems,” the US Government Accountability Office (GAO) said in a statement.
Michael B. Kelley contributed to this report.