Future Crimes

by Marc Goodman

  Ghosts in the Machine

  To measure is to know.

  LORD KELVIN

  One of the greatest challenges we face with our current technological insecurity is that there are often few if any telltale signs of hacker intrusions into our networks and devices. The obvious problem is that you have unwanted guests (whether or not you realize it). The greater conundrum is that you can’t fight what you can’t see. Across our smart phones, laptops, tablets, bank accounts, refrigerators, cars, corporate networks, and electrical grids, there are ghosts in our machines. Keeping out all intruders at all times was a worthy if quaint goal. But in case you hadn’t noted, the proverbial technological republic has fallen. Our technology is riddled with bugs, flaws, and invaders. Today, regretfully, our goal can no longer be purely prevention. We must chase the ghosts from our machines by proactively searching them out and hunting them down. With our time to detection hovering north of two hundred days, clearly there is much work to be done. We need to reduce the time frame to mere hours and eventually minutes and seconds.

  Then there’s the lingering issue with big data: the more you keep, the more you have to protect. But most companies have never cataloged their information assets and thus don’t know what data they’re storing, where they are keeping the data, and which data are the most critical to protect. Importantly, once these threats are detected, we need to begin discussing them—publicly.

  Breaking down the wall of silence that surrounds nearly all cyber attacks is a vital step toward bolstering our common technological security. Companies today know the ramifications of being named publicly as a hacking victim. Beyond the obvious reputational damage, costs can be in the hundreds of millions of dollars from direct losses, customer churn, and litigation. Thus organizations will do all within their power to keep silent when victimized, whether by Crime, Inc. or a foreign espionage service. But this silence is at the very heart of our cyber-security problems. When a person survives a sexual assault but is too embarrassed or ashamed to report it to the police, the assailant will not be found and prosecuted, free to surely victimize others. Though a cyber attack is an entirely different form of crime, its victims too are loath to speak publicly. As a result, these incidents cannot be aggregated and studied, common defenses are not developed, and perpetrators roam free to attack another day. This is a situation we must rectify. Maintaining silence about these risks does not make them go away; it makes them worse, empowering bad actors to operate with impunity. Much like the decision to go to Alcoholics Anonymous, admitting you have a cyber problem is the first and most important step toward getting better.

  Building Resilience: Automating Defenses and Scaling for Good

  New technologies can be used for destructive purposes. The answer is to develop rapid-response systems for new dangers like a bioterrorist creating a new biological virus.

  RAY KURZWEIL

  Cyber attacks happen—they cannot all be stopped. The higher-order question thus must be, how can we construct our rapidly emerging technological world in a way that is much more resilient to attack? It is not an easy question to resolve given the ever-expanding system complexities at play. A resilient system is one that will not fail catastrophically but degrade slowly over time until it can be repaired. A resilient system will continue to perform its most critical functions, though other less important activities may go off-line or cease to operate. Nature has excellent structures in place for this as evidenced by the common lizard. When attacked or grabbed by a predator, a lizard can easily shed and regrow its tail, allowing the critical parts of its body (the brain and reproductive organs) to escape and survive. What is the lizard’s tail of the Internet or your corporate network? It doesn’t exist yet, and that’s something we need to fix.

  Much of our technological infrastructure is subject to common single points of failure, the most obvious of which is power. No electricity, no Internet. Worse, no electricity, no water distribution, food production, financial transactions, communications, or transportation. We need to isolate these singular failure points so that they do not spread and we need to have alternative power sources that can scale to prevent these types of “blackouts”—not just for electricity of course, but for all the technological tools that make our modern civilization possible.

  These risks extend well beyond the power grid and include our most common software systems and the Internet infrastructure itself. Many of the tools that run our techno-world are monocultural in their nature; that is, they run nearly identical software containing the same vulnerabilities. Computer monocultures, like agricultural ones, are subject to catastrophic failure—think Irish potato famine. Today Microsoft Windows drives more than 90 percent of the desktop computers worldwide, and as of early 2014 an amazing 95 percent of the ATMs in the United States were still running Windows XP—an operating system for which Microsoft has ceased all security updates. Technological monocultures are the lifeblood of mass computer exploitation. With one piece of malware, hackers can have profound global impact by getting all copies of the same software process to fail uniformly. As we have seen, known bugs can live in the wild for years before these software holes are plugged by vendors. The moment a breach in one version of Windows 8 or Adobe PDF is detected, the global repair process should begin. Software companies should not just wait for people to manually patch their systems (which we know most never do). Rather, these systems should be self-healing, always reaching out for the latest patched versions of the software to ensure all known doors and windows to our digital lives are locked. Put another way, failing to address known vulnerabilities in tens of millions of versions of the same software program running around the world would be akin to uncovering a mechanical fault that led to the crash of a 747, one that was present in all 747s in operation globally, and letting these aircraft continue to fly.

  We also need to ensure that individual breaches and attacks can be isolated and prevented from spreading. Consider the 2013 hack against the retail giant Target. As mentioned previously, the attackers responsible gained access to Target’s point-of-sale terminals by first exploiting the network of a contractor responsible for maintaining the store’s heating and air-conditioning systems. If that initial breach had been detected, Target’s ensuing corporate security nightmare could have been entirely avoided. We need better and more resilient means of protecting our information. Think air bags for our data. When a data breach occurs, these virtual air bags should go off, enveloping our digital possessions and protecting them from further harm.

  CEOs and boards of directors should ask themselves just how resilient their organizations are. Resiliency means remaining operational in the face of sustained attack by sophisticated opponents. Though you, like the lizard, might lose your tail, the organization must live on. This won’t happen magically and requires preparedness training and exercises. In particular, cyber resilience requires adeptness in responding to an attack and dexterity in rapidly recovering degraded technological capabilities. How to heal quickly after an attack may be the make-or-break issue deciding whether an organization fails or survives. The time to answer these questions is not during the crisis but long before it occurs.

  These more resilient systems that we require must be built from the ground up. Security cannot be an afterthought tossed into the mix after the machines have been built. Systems must be engineered to fail gracefully, not cataclysmically. Secure and trustworthy computing must be the cornerstone of our technological future, lest the whole system come crashing down. This will be especially true as we drive toward the Internet of Things and see the arrival of highly disruptive technologies such as robotics, artificial intelligence, and nanotechnology. We can no longer neglect the public policy, legal, ethical, and social implications of the rapidly emerging technological tools we are developing; we are morally responsible for our inventions.

  There are good examples in history where we as a society have brought together expertise in anticipation of catastrophic risk befor
e it occurred. One such case was the 1975 Asilomar Conference on Recombinant DNA, which was held at Asilomar State Beach in Monterey, California. The event gathered 140 biologists, lawyers, ethicists, and physicians to discuss the potential biohazards of emerging DNA technologies and drew up voluntary safety guidelines. As a result of the event, scientists agreed to stop experiments involving mixing the DNA from different organisms—research at the time that held the potential to have radical, poorly understood, and potentially disastrous consequences. The lessons and successes of Asilomar are well worth repeating. Though we are racing full speed ahead with synthetic biology, artificial intelligence, swarming robotics, and nanotechnology, we are dedicating precious few resources to understanding the concomitant risks of technologies that could replicate beyond our control. Thankfully, in 2009 such a meeting on the future of artificial intelligence was held on the very same beach in Monterey, and more such gatherings are crucial to bolstering the resiliency of a world built on exponential technologies.

  Moving forward, in order to strengthen the safety and security of our society, we must make another change. We need to be able to respond at scale to the challenges we face from a fully automated criminal hacker community. Time and time again, we’ve seen those with ill intent automate their attacks. It is this ability that has led to the paradigm shift in crime, moving from a one-to-one to a one-to-many affair. That is why 1.2 billion account passwords can be gathered by one organized crime group while another launches a remarkable seventy-gigabit-per-second DDoS attack that knocks a dozen financial institutions off-line. The tools to commit evil are scaling exponentially, but our systems for scaling for good are not keeping up. Our defenses are not adapting rapidly enough to match the global systemic risk we face, something our government should be deeply concerned about.

  Reinventing Government: Jump-Starting Innovation

  We can’t solve problems by using the same kind of thinking we used when we created them.

  ALBERT EINSTEIN

  In 2014, only 13 percent of Americans approved of the job Congress was doing, a slight improvement from the all-time low of 9 percent in November 2013. Trust in government is practically nonexistent—whether it’s the money in politics, the government shutdowns, the partisanship, or the dearth of meaningful legislation. While the technological change all around us is proceeding at an exponential pace, the government is decidedly linear in its rate of change. The obvious challenge with such an asymmetry is that we will never solve twenty-first-century problems with nineteenthcentury institutions. We need vastly more adaptive government, one that can respond ten times as fast, and that’s just to keep up. Cabinet secretaries and Supreme Court justices who “don’t do email” simply won’t do anymore.

  The lack of innovation in government permeates not only our legislatures but the organs of our national security and law enforcement apparatus as well. In response to the creativity (albeit diabolical) demonstrated by the terrorists who carried out the 9/11 plot, the government spent billions of dollars and came up with such “innovations” as the Transportation Security Administration. Though frisking four-year-olds and little old ladies in wheelchairs makes for fine “security theater,” we’re going to have to significantly up our game if we hope to prevent future terrorist attacks. Given the pace of technological change, tomorrow’s security threats will not look like those of today—one of the reasons government is struggling mightily in the face of our common cyber insecurity.

  Of course this is not meant to suggest there is no innovation in government. It was government that brought us the Internet and space travel and served as the catalyst to finally decode the human genome. There are pockets of innovation in government everywhere, but we need to get these gems of creativity to replicate and scale in a way that simply is not happening today. One such model is Code for America, a nonprofit organizing citizen volunteers with computer coding skills to make government services much more simple, effective, and easy to use. Another is the well-regarded GovLab at NYU, an innovation laboratory dedicated to using technology to redesign the problem-solving capabilities of government institutions. Backed by both the MacArthur and the Knight Foundations, GovLab is working to use networked technologies to move beyond the centralized top-down control paradigms of yesteryear in favor of more transformational platforms of self-governance, innovation, and citizen engagement.

  Fundamentally, however, if government is to remain relevant in responding to the most pressing and significant challenges the world faces today, we will need to come up with completely new frameworks for problem solving. On this point, we can borrow a page from Silicon Valley and start thinking of our system of governance as the operating system for society. If we can fundamentally change the OS, everything else changes with it. Our legacy institutions are struggling, whether in education, health care, or law enforcement; technology is far outpacing the ability of government to respond. Until this point, much of the government’s approach to technological security has been merely window dressing and missed opportunities. As Internet entrepreneur Bryan Johnson has noted, we need a new operating system for the world, one based on first principles, that matches the exponential changes all around us.

  Fortunately, Johnson has generously donated $100 million of his personal wealth to the effort, creating the OS Fund to promote “quantum leap discoveries” at the operating system level in order to drive “real change for humanity at the global scale.” Today’s government institutions clearly do not have a monopoly on answers to the many problems facing our world, but they can play an important role as convener—bringing together the public and private sectors as a means of finding solutions to some of our grandest challenges.

  Meaningful Public-Private Partnership

  Government efforts to protect the people against everyday cyber crime and security threats have been wholly inadequate. Should we be surprised? The tens of thousands of attacks successfully perpetrated against Washington by foreign adversaries prove the U.S. government can’t even protect itself. The need for more serious and profound collaboration between the public and the private sectors is manifest; without it, we will make little meaningful progress in improving the overall state of our security. The need is particularly vital when it comes to protecting our country’s critical infrastructures, 85 percent of which are in the hands of the private sector. As a nation and as a people, we need government and industry to collaborate in protecting the machinery of our modern world. The question is how.

  Recognizing the need for public-private partnerships (PPP), institutions as diverse as the FBI, the European Union, and the World Economic Forum have established programs to foster greater cooperation among those responsible for running the world’s critical infrastructures. Other initiatives such as Information Sharing and Analysis Centers help to enable specific industries such as financial services, energy, and communications to better collaborate and respond to cyber threats. The Forum of Incident Response and Security Teams has also played an influential role in improving coordination and response among trusted peers in both government and private sector CERTs, or Computer Emergency Response Teams. Initial efforts at public-private partnerships have proven helpful, to be certain, but some PPP efforts have been criticized for having ill-defined goals and few if any specifically articulated objectives beyond “sharing information.”

  There are real problems to be overcome to make public-private information sharing regimes reach their true potential. The private sector generally lacks trust in the government to maintain its confidentiality, particularly when it comes to revealing cyber-threat data to competitors, let alone protect it from antitrust risk. The government too has challenges: it must figure out how to share knowledge of particular cyber risks, many of which are classified, with companies and technical personnel that lack the required clearances to see the classified material. A 2010 Government Accountability Office report determined that less than one-third of companies participating in cyber-security collaborations wit
h the government felt that they were receiving actionable cyber-threat information.

  The exigency of the technological hazards before us means that we must overcome these tribulations with much greater urgency in order to foster meaningful partnerships between the government and the private sector.

  One particularly positive note in this vein has been SINET—the Security Innovation Network—whose goal it is to promote innovation in the field of cyber security by building meaningful bridges between the public and the private sectors. SINET was founded in San Francisco and serves as a connector (an interpreter of sorts between those in Silicon Valley and those inside the Beltway). By bringing together the leading players from both of these worlds, SINET has helped drive entrepreneurship and innovation among all parties working in the cyber-security ecosystem to focus them on the mission at hand. Beyond those in the government and industry who make fighting cyber threats their full-time occupation, another massive force can be brought to bear on the technological challenges we face: a smart and engaged general public.