One minute to midnight: the dangers for pension schemes online

Last month the online world in which we live came within an ace of being unimaginably sabotaged. You probably didn’t even know.

In the everyday way that you or I use the internet, the programming works intuitively and we move as if walking or gliding. We don’t ordinarily think about the how, any more than we think about how we walk.

But beneath the surface world lies a world of unimaginable complexity, of programs that are fundamental to the building blocks of the internet. At this subatomic level, the programs are maintained in considerable part by volunteers.

Last year, the guardian of one such program was persuaded after a campaign of complaints to transfer responsibility to another person. As is the way online, that new person was anonymous. They go under a Chinese name and work Russian hours. Earlier this year, the program was updated. It was due to be rolled out when someone spotted anomalies and investigated. It turned out that the new version contained a highly sophisticated mechanism by which any computer onto which it landed (that is, any computer) would have been compromised. Much of the world online would have been prey to a skeleton key.

Others far more knowledgeable than me can explain this in more detail. I urge you to read the account linked here. It was, apparently, an attack requiring immense investment, consistent with the power of a sovereign state. You might (and I might) have suspicions about the likely culprit but in truth any of three dozen sovereign states would love to have this kind of power. It’s worth reflecting that the UK had a head start of decades on the use of public key cryptography and allowed an entire industry to grow around it without letting on.

The following points leap out at me from this story.

1. The technicalities are far over my head but the plan could not have succeeded if they had not gained human control over the program. In this respect, it is no different from the simple push payment frauds that thousands fall prey to every year.

2. It would be wrong to say that the attack was foiled by chance. Someone smart spotted an anomaly and investigated. But it wasn’t discovered through systematic checks.

3. This has been described as the first such attack. It is unlikely to be the last: the potential prizes are too high. It should more accurately be described as the first such attack that we know of. It must be entirely possible that similar attacks have succeeded in the past and we simply don’t know about them. Yet.

If as a pension scheme trustee you aren’t feeling worried about this, you aren’t paying attention. We are floating on the surface of an ocean with no real concept of its depths or what monsters are beneath us. We are tempting prey.

What can we do? We can invest in countermeasures. We can make sure that we can set up systems to protect ourselves. We can identify the points of weakness in our system and make sure that there is no automaticity over the transfer of data or funds (our twin treasures). We can ensure that the humans engaged on our schemes are trained not to transfer power to others over our systems until agreed checks have been completed. We can keep checking that they are doing that in practice. We can have contingency plans in place and kept up to date should the worst happen.

And we can keep worrying. Because sooner or later, there will be more attacks and even the best-prepared pension scheme will only need to fall short once. Just hope that it isn’t you.
