CYBERPHOBIA

"We are staking our future on a resource that we have not yet learned to protect."

 George Tenet, director of the Central Intelligence Agency, in 1998

 Modern life depends on the trusting exchange of electronic data. But the computers, networks and systems that we use to do this were not designed with safety and reliability in mind. Much of the time they work amazingly well, but behind the machines’ shiny casings and the glitzy graphics of the software is a ramshackle mess of improvisation and recycling. Modern life, in effect, is dependent on a patchwork of compromises made in the past decades at a time when nobody involved could have realised the consequences of their decisions.

 As consumers, we are partly to blame. We want computers and software to be easy to use, cheap and flexible. We want them to work with anything new that we like, but also to be ‘backwards compatible’ to work with much older programs and machines. We want our computers and networks to be tailored to our needs, but we are unwilling to spend much time learning new tricks and ways of working.

The result of all this is compromises, all of which come at a price. One is reliability. Meeting our expectations most of the time means that the systems fail some of the time. The other is complexity. Computer chips, and the programs which tell them what to do, are now so complicated that no one person can understand them.

Yet the fundamental principles are simple. Anyone who has ever made a railway journey can understand them. The computer is like a railway. Without instructions, it sits still. It is a machine, but without the ability to run on its own. What brings it to life is software – a set of rules, written in code that machines can understand. When the power comes on, switch on this light. Then connect to a keyboard and a monitor. Then start up this storage device, and follow the instructions you receive. Even the most complicated tasks can be broken down into simple instructions. The genius of software writers is to analyse a real-life problem and then to solve it with instructions that a machine can understand and implement.

 Software and hardware are in principle interchangeable. Software can be written into a chip when it is made, so that few further instructions are necessary – a good example is the chip in a child’s toy. Pull the string and a small computer inside will play a nursery rhyme. Simple hardware can be made to do a lot of exotic things with the right instructions and inputs of data.

The earliest programmable digital computer was Colossus, built by British technicians at Bletchley Park during the Second World War to help crack German codes. It needed to be programmed by hand, with technicians using switches, plugs and cables. Later, software was loaded on to a computer by punched paper tape, and later from electromagnetic media (readers of my generation may remember loading computer games on to a primitive computer from cassette tapes). Next came ‘floppy disks’, then CDs, and now, in most cases, downloads from the internet. Software has become hugely more complicated, as we will see. But in essence, it is simple.

A railway timetable is a kind of software program. It explains in precise detail who has to do what, where and when. Signals change colour, trains stop and start, points switch back and forth. If the network is the hardware and the timetable the software, the third element in a railway system is the trains themselves. Getting them and their contents from A to B is the point of the whole exercise. On a computer, the equivalent of the trains is data. Imagine, for example, that you take a picture on an electronic camera and transfer it to your computer. That is a trainload of data – an enormous series of 1s and 0s which determine every dot of colour captured by the camera, now to be rendered on the screen or reproduced on a printer. Depending on your computer’s capabilities, the software installed on it and the instructions you give it, that picture can be sent to a friend, posted on the internet, or cropped and tweaked to look better. But a lot of things have to go right for that to happen seamlessly. The picture may be in a format that your computer software cannot read. Or it may be stored on a memory card which your computer cannot deal with. The quantity of data may be too big for a small computer – for example a phone – to deal with. The data may be ‘corrupted’ – meaning that a tiny error in the hardware or the software has affected the information. That is the equivalent of the wrong railway truck ending up in the wrong train: an error that can be trivial or catastrophic depending on the circumstances.

 Most such errors never come to public attention. Computer users are inured to mysterious problems which seem to come and go without rhyme or reason. Most of the time you simply restart your machine and hope that the problem does not return. But some of the errors are so fundamental that they do make headlines. A startling example of this came in September 2014 with news of a mistake, perhaps the worst bug in the history of computing, which was discovered in a crucial part of the ubiquitous UNIX operating system. Most computer users have probably never heard of UNIX, but it is the basis of most big electronic systems. Unlike the software sold by Microsoft and Apple, it does not have a single owner. It is, broadly speaking, available free of charge, and maintained and developed by volunteers.

‘Bash’, as it is known, is a crucial bit of code which connects computers running UNIX software to the outside world. For example, it allows users to give their computers instructions, or for the computers that connect with websites to receive them. Bash was first written in 1989. But it contained a flaw, which, in theory, could allow an outsider to deliver a bogus instruction to a computer. The so-called ‘Shellshock’ bug was not the result of attackers’ cleverness or users’ carelessness. It was simply because of an innocent mistake in the software. Millions of users were at risk as a result. An outsider, using Shellshock, can take over another person’s computer, give himself all kinds of privileges, steal and corrupt data, and so forth.

 On computers that are run by humans, remedying this flaw is fairly straightforward. But millions of other devices run UNIX-based software, too, such as routers – the small blinking boxes which run home and office wi-fi networks – as well as internet-enabled thermostats, industrial machines and other devices. And these computers (which is what they are) are for the most part designed to operate autonomously. Updating their software is a fiddly task, for which their owners may not have the time or the aptitude. As a result, many of the devices vulnerable to Shellshock may never be patched, and are therefore wide open to outside attack, and will remain so for many years to come.

 We were warned about this.

Now these attacks have become weapons of politics and statecraft, as well as a huge and lucrative criminal business. Activists use attacks on computers as part of their campaigns – against the secretive Scientology cult, for example, or to punish companies whose policies displease them. The attack on Sony was described by one security expert as the company being ‘nuked from inside’.

At the heart of all this is the biggest way in which the online world differs from real life. We have no easy, dependable way of proving who we are; conversely, it is hard for us to know who we are really dealing with. Our single weakest point is our electronic identities: the messy, unreliable, easy-to-forget mixture of logins, passwords, security questions and other means we use to control and authenticate everything we do online. Only a few years ago, these were a small part of our lives. Now the balance has shifted. In modern life, if something goes wrong with your electronic identity, your real life suffers, too. Solutions to this problem exist – but they will require radical changes in the way we use our computers.

Our online identity may feel as secure as a locked door, but it is wide open for an attacker. You may not have heard of ‘n00ds’, but if you are female and famous you are prey to people who steal, collect and exchange these ‘nudes’. In late 2014 it emerged that pictures of celebrities such as The Hunger Games star Jennifer Lawrence, the model Kate Upton and dozens of others had been stolen from computers managed by Apple, and were being traded in an illegal online marketplace. This somewhat chilling (and anonymous) post on an online message board gives some of the details.


  • There wasn’t just one hack
  •  There isn’t just one leaker
  •  There’s been a small underground n00d-trading ring that’s existed for years
  •  Why wasn’t it revealed earlier? The only way to join the ring is by buying in with original pics (‘wins’, as they call them) you’ve acquired by yourself
  •  Also these guys are greedy fuckers. If you were the only person in the world in possession of jlaw [Jennifer Lawrence] nudes, would you really give them out? For free??
  •  These guys conduct individual attacks on celebs through (I presume) a mix of social engineering and (esp for more high-profile targets) straight-up hacking
  •  They trade with each other to expand their collections
  •  Circle hardly ever widens to include more people – very few people find out about this ring, and fewer still have n00ds to buy in with . . .
  •  Except for self-style ‘rich kid’ . . . it appears he bought a few sample pix and blew the lid on this whole operation by sharing them with outsiders for the first time
  •  Spotting their chance, and realising that existence of the n00d collections was revealed, a couple of other guys from the circle came out of the woodwork offering up some of their collection for donations

 It is easy to dismiss such people as creeps and perverts, but for their victims it is no laughing matter. Even the most energetic and expensive legal response cannot scrub the stolen photos from the internet. As fast as you persuade or order one site to take them down, another puts them up. You can never be sure that they will not appear again – someone, somewhere, has them on his computer, and publishing them takes just a couple of mouse-clicks.

 One of the first lessons of the computer age was that machines can break down. So users like to make copies of their data, and store them in different locations. But avoiding one kind of problem has created another. The celebrity victims of the attack outlined above did not store their precious photos on just one computer or phone, because together with safety they also wanted convenience. Uploading material to the ‘cloud’ (a big network of computers run by someone else, such as Google or Apple) means that you can get hold of it wherever you are, whenever you want.

 The convenience is a genuine advantage. But the feeling of safety was illusory. It was all too easy for outsiders to get hold of these photos because computer companies in the world had made it astonishingly easy to break into its users’ accounts.

The single biggest danger we face online is to our identity and reputation. These are what make us people. A name is a person’s most fundamental attribute. When you want to dehumanise a captive, you give him or her a number. Reputation – what people think about us – is our currency in society. Without a reputation, you are dependent on the trust people offer to strangers. With a bad reputation, your past misdeeds (real or merely believed) dog your steps into the future. Computers, for all the benefits they have brought in other respects, have eroded the integrity of both.

The internet is rife with monocultures – software or technology which is widely used for reasons of convenience or profit, but containing great dangers to the users once they draw the attention of attackers. This is a bit like having a world where every door in every building has the same kind of lock. Once you learn to pick that kind of lock, you can get in anywhere.

The worst kind of monoculture is an invisible one. If you think that you have multiple versions of something important – several cars, several bank accounts, several phones – you can still be hit by an attack on the monoculture. Having several cars is no use if there is a petrol shortage (though a bicycle may be a boon).

Multiple bank accounts are no use if a financial crisis shutters them all (but having some cash at home will save you). Multiple phones work only so long as the network does (but having an amateur radio licence may enable you to stay better informed during Armageddon).

One of the deepest internet thinkers, Dan Geer, has outlined the significance of this. The internet was designed for resistance to random faults, not to targeted ones. In other words, he argues, it is immensely resilient to accidents, acts of incompetence, carelessness and technological breakdown. But the same qualities that protect it from random threats make it vulnerable to deliberate attacks.

Digital technology exposes every area of our lives to attacks, and renders outdated our assumptions about safety, which are based on our own and other people’s ability to do physical damage. We have been slow to realise this. The Munich Security Conference – the most important get-together of its kind – had its first panel on cyber-security only in 2011. We are still worrying too little about the threats to the networks and computers on which our infrastructure, financial system and public services depend. Nor have we grasped the extraordinary new criminal mercantilism being practised by China, in which the theft of intellectual property from foreign competitors is part of state-owned enterprises’ research and development strategy.

At a time when we should have been vigilant about these pressing threats, the revelations of Edward Snowden, the fugitive former contractor for the NSA, have corroded trust between the Western democracies (particularly between Europe and America) and also within them: in the fears now harboured by citizens about their authorities. Those fears have also set back the chances of improvements in areas such as medicine (where the intensive study of big anonymised data sets is now hampered by fears about privacy). From having a naïve and ill-formed view of online privacy, we have moved to a paranoid, but still uninformed, view.

The result is not more freedom but less. The ‘revelations’ of NSA and GCHQ capabilities – which in truth affect only a tiny minority of citizens, and have been exercised under democratic political direction and in accordance with the law – strengthen authoritarian regimes who want to argue that the West’s talk of legality and rules is hypocrisy. The struggle for a free, law-based international order is being waged on a new front: over our computers and networks. And we are losing.

The biggest looming defeat is the breakdown of the internet. For all its shortcomings in the realm of security, our online world has some commendable features. It is universal, open and borderless.








