The cyberattacks of the past year can only hint at the coming weaponization of security flaws
In 2017, the word “cyber” was doing a lot of work.
We learned the details of Russia’s cyber campaign to hack, among others, Hillary Clinton’s presidential campaign and the Democratic Party. We saw the United Kingdom’s National Health Service be taken offline for hours as ransomware rendered their systems useless. Credit-monitoring company Equifax had to eat crow after its systems were infiltrated, potentially exposing the sensitive financial information of hundreds of millions of Americans and Canadians.
And those are just the attacks that make headlines. Phishing schemes and ransomware attacks are the day-to-day reality for millions of victims and the police trying desperately to fight the tide. These cyber threats aren’t going to take a vacation in 2018—and, if anything, they’re going to get worse. “It is the single largest threat to our national security and prosperity today,” says Christian Leuprecht, a professor at the Royal Military College of Canada and Queen’s University.
Email phishing, for instance—where a hacker hopes to trick an unwitting rube into entering their email or banking login details into a fake website—will appear quaint compared to SMSishing, an evolving threat sent directly via text message. Hackers could use this technique to steal from the treasure trove of data on your phone, or to lock and encrypt your phone and hold it for ransom.
“If you lock someone’s smartphone, they’re not going to be happy,” says Benoît Dupont, Canada Research Chair in Cybersecurity at the Université de Montréal. “We trust our smartphones more than we trust generic emails coming from someone we don’t know.” While this threat is looming, phone manufacturers have yet to act to stop it.
There is also an array of security flaws, hiding in plain sight, that could be weaponized in 2018. They’re called zero-day exploits: Flaws in commercial software, from Google Chrome to Adobe Flash Player, that give hackers a window into your system. Many of these exploits are known to governments, who could use them for their own cyber-surveillance technology, or to independent researchers, who could sell off the details of the security flaws to nefarious actors, looking to make some money.
One of those exploits, originally found by the American National Security Agency, was used to hack the U.K.’s health network. The exploit had been stolen from the cyber agency by anonymous hackers, who sold it online to the highest bidder. Other vulnerabilities stolen from the NSA went up for auction over the past year and could still be deployed in 2018. “The NSA and CIA have become the R&D offices of cybercriminals,” says Dupont.
Solving these cyber crimes isn’t easy. These hackers’ skills almost always outpace those of police departments. But it’s not an impossible problem: New technology being used by investigators could help trace bitcoin as it’s traded and help unmask criminals hiding in the darknet. Jurisdictional barriers, too, are being navigated. “On the global level, there is some hope,” says Dupont.
Most of these cyber criminals are motivated by profit and will operate accordingly. Dupont says their “business model” ultimately dictates their target: “It’s not as profitable to steal someone’s data and sell it to someone else. It’s much more profitable to sell them back to the victim.” That’s why ransomware attacks are so effective.
And those criminals are working alone, or in small teams. That, despite the complexity of the technology, makes them beatable. The ransomware that wreaked havoc in the U.K. and elsewhere was neutralized by a 23-year-old security researcher. (In a twist that highlights the nebulous ethics of the hacking world, he was later charged with hacking by the FBI for an unrelated virus and is awaiting trial.)
When it comes to government-level hacking, objectives can be murkier, and teams can be much more robust. Rogue states employ scores of well-financed and highly trained hackers to fund their sanction-plagued countries and to create headaches for their regional adversaries; Pyongyang alone employs some 6,000 cyber experts to that end, and is suspected of being involved in the U.K. ransomware attack. China uses its considerable cyber capacity to ferret out industrial secrets from even its allied nations. Russia deploys its array of hackers—who are often criminals deputized by the state to do the will of the regime—to take aim at NATO and critics within its own country.
To meet this threat, America and its allies have tried to scale up their own defensive operation to meet and thwart government-hacking efforts. Canada, whose systems have been successfully targeted by Beijing and Tehran in the past, has only recently started boosting its cyber game, with plans to recruit and deploy cyber operators and develop cyber weapons that can be used both on and off the battlefield.
But Canada and America, unlike their adversaries, are still adhering to the rules of war in the cyber sphere. And while it might seem like the west is fighting with one hand tied behind its back, RMC professor Leuprecht says that’s not necessarily a bad thing. “There’s lots of conversations about how we can do this around the laws of armed conflict,” he told Maclean’s. “It’s important to have this discussion as a democratic society.” And that will likely lead to countries like Canada playing in the “deterrent space,” he says: “When you see bad things happening, it means having to be proactive about taking those out.”
From health care systems to financial institutions, 2017 may have been an unsettling wake-up call to the realities of cyber conflict—but that doesn’t mean there isn’t room for it to get worse. And since the countries and criminals who have shown the most willingness to unleash chaos with their cyber operations in 2017 don’t appear set to scale down in 2018, the big question will be the extent to which their targets intend on defending themselves.