The renowned author Yuval Noah Harari is worried that the next global pandemic will be a digitally inspired catastrophe. Is he right to be concerned about cybergeddon, or is he just the latest cyber doomsayer?
According to author Yuval Noah Harari, science and technology have, for the first time in history, enabled mankind to effectively manage a global pandemic. Writing in the Financial Times in February 2021, Harari, who is known for best-selling works such as Sapiens and Homo Deus, makes the case for technology during Covid-19. He cites biotechnology, which has enabled us to sequence the virus genome and develop vaccines to defeat it. Digitisation and automation have enabled trade and agriculture to continue with direct input from very few human beings. Information technology has enabled us to monitor the spread of the virus and to isolate outbreaks. Financial markets have continued to function, and many of us have been able to work remotely. Humanity has thus avoided economic meltdown and the slowdowns that will follow are likely to be recessions rather than depressions. Such tools were not available during the three other pandemics to have occurred since 1918. Previous generations had no choice other than to go to their offices and factories.
Whilst the article is decidedly optimistic, Harari also points out that we are now perilously dependent upon the internet and the digital infrastructures built upon it. Known for the disturbing accuracy of his predictions, Harari suggests that the prime candidate for the next global catastrophe is an attack on the very technology that has enabled us to manage Covid-19. In making this apocalyptic assertion Harari is entering a crowded market. The pantheon of cyber doomsayers includes hacking collectives, Government officials and tech luminaries, most of whom have been ignored. The dangers were first pointed out to Congress in 1998 by hackers Brian Oblivion, Kingpin, Mudge, Space Rogue, Stefan von Neumann, Tan and Weld Pond. Collectively known as L0pht Heavy Industries, the group famously testified that they would be able to disable the internet, a network of networks designed to withstand a nuclear war, within thirty minutes. Those predicting cybergeddon — that is to say digitally created chaos, destruction and societal breakdown — are, happily, still waiting for their told-you-so moment. Leon Panetta’s cyber Pearl Harbour has failed to materialise, leading many to conclude that our fears are overblown.
Twenty years on from L0pht
Nearly twenty years after their testimony to Congress, some of the original L0pht founders re-grouped for a seminar hosted by the Congressional Internet Caucus — A Disaster Foretold and Ignored: Revisiting the First-Ever Congressional Cybersecurity Hearing — by which time most of them had either worked at DARPA or Google, or were holding C-level positions at corporations such as IBM, Veracode and Stripe. They concluded that while many of the same issues and risks that existed twenty years ago persisted, progress had been made.
Cyber security is now mainstream, and hackers routinely work with vendors, which was unheard of in 1998 (hence the pseudonyms, which were a means to avoid lawsuits from vendors whose vulnerabilities were being exposed by L0pht). Less positive developments include the proliferation of the nation-state threat, which they cited as the predominant threat facing many organisations. Another issue is the diversification of threat actors and their access to nation-state cyber weapons. As if that isn’t enough to worry about, the exponential increase in the attack surface thanks to the advent of the Internet of Things, or IoT, is creating new opportunities for attackers to take control of hardware devices, allowing them to gain access to networks, to hijack them for other purposes, or to simply destroy them.
The L0pht testimony demands that we take Harari and others labelled as Cyber Cassandras seriously, and forces us to ask fundamental questions about the likelihood, impact and mitigations for such an eventuality: is cybergeddon feasible, what would be its consequences, how likely is it, and what can be done to either mitigate or prevent its occurrence?
The obvious place to start is the internet. A sustained attack against the internet would, if successful and widespread, be catastrophic. Many smart energy grids would fail, as would electronic payments and other financial systems. Cloud storage would be unavailable and remote working would no longer be possible. Social media and mobile apps would be offline, as would most TV. Markets, trade and transportation would cease. Hospitals and other essential services would be unable to function. Without the internet modern life would grind to a halt. As Harari points out, this is because we would struggle to fall back onto analogue infrastructures, many of which have either been removed completely or, where they still exist, lack the capacity to provide continuity. Organisations entirely dependent upon the internet for their operation would be forced to close while attempting to make the reverse transition from digital to analogue. If the internet was likely to be unavailable for any significant length of time this trend would be repeated across the economy. The resultant societal turmoil would potentially be overwhelming.
Thankfully, disabling the internet would not be so easy today. Whilst the choke points in its architecture were clearly vulnerable to attack in 1998, the internet has grown up being attacked. Today’s internet is highly resilient, as Covid-19 has demonstrated. If an actor was intent upon causing cybergeddon there would be easier things to attack and, for as long as the world shares a common internet, any attack against it would be an attack against us all, including the attackers. An attack against the internet would therefore be the ultimate act of nihilism.
If, therefore, relative to other cybergeddon scenarios, there is less likelihood of the internet being disabled, a more plausible scenario might be a sustained, large-scale attack against the infrastructures that are built upon it. A shortlist of pertinent historical examples includes: Russian attacks against the energy grid in Ukraine in 2015 and 2016; the unattributed destruction of a German blast furnace in 2016, reported by German media as belonging to a ThyssenKrupp facility in Duisburg; the Iranian-attributed Shamoon attacks of 2012, resulting in damage to Qatar’s Rasgas and the destruction of Saudi Aramco’s corporate network, comprising 33,000 machines; the Russian-attributed NotPetya attacks which crippled Danish shipping giant Maersk in 2017; the Russian-attributed Sunburst/C2 attack against SolarWinds customers in 2020; and the Chinese-attributed attack against Microsoft Exchange customers in 2021.
This list is far from complete. In economic terms these attacks represent trillions of dollars’ worth of damage, largely hidden from view. In media terms they are little more than a string of increasingly unnewsworthy headlines. The consequences of these attacks, were they to arrive simultaneously, are potentially imponderable. Thanks to the network phenomenon by which small inputs can create large outputs, such attacks might not even need to occur simultaneously in order to have disastrous consequences. In 2015 Lloyd’s of London and Cambridge University published a study to examine the insurance implications of a cyber-attack on the US power grid. In this case the scenario involved shutting down just 50 strategic generators — fewer than were shut down in Ukraine in December of that same year — which would cost the US economy an estimated $243bn, rising to $1trn in the most extreme version of the scenario. This list of attacks is a breadcrumb trail that offers us hints of the calamity that could befall us.
That such attacks have already taken place demonstrates their feasibility. That such attacks have not occurred concurrently as a coordinated large-scale campaign is, as Jason Healey suggests, evidence that there is a de facto norm, albeit an unsatisfactory one, emerging between the great cyber powers: a ‘cyber peace’ based upon mutual vulnerability. Nation states are aware that anything they do in cyberspace can be reciprocated, potentially with devastating consequences for their own digital infrastructures. This perhaps explains why, to date, most cyber powers have restricted their sustained or persistent attacks to information gathering, information operations, espionage and theft. Oxford University Professor Lucas Kello characterises these mid-spectrum activities that sit between traditional definitions of war and peace as Unpeace.
As Healey points out, just because destructive, state-on-state cyber warfare hasn’t happened yet doesn’t mean that it can’t or won’t happen. It could, and it might. Its impact would potentially be as catastrophic as that of an attack against the internet. Russia’s claim in 2019 to have tested its ability to disconnect from the internet suggests that the Kremlin is taking the threat seriously. If we assume for the time being that cyber deterrence holds, and that, as happened during the Cold War with nuclear weapons, an uneasy albeit imperfect peace prevails, does that mean that cybergeddon is off the cards? Possibly not.
There is a further scenario that requires consideration. The diversification of actors and the proliferation of cyber weapons, cited in 2018 by the L0pht founders, combine to form the most likely scenario, which is that of an accident.
The potential for unintended consequences in cyberspace has been apparent since the Morris worm of 1988, and it was demonstrated again following the 2010 Stuxnet attack against the Iranian nuclear facilities at Natanz. Despite the fact that this was an attack against an air-gapped, or non-internet-connected, network, the code subsequently spread globally, after an Iranian engineer is reported to have connected an infected machine to the internet. Stuxnet has subsequently caused damage in more than 115 countries. The fact that it has not caused strategic damage to the world economy is probably due to the fact that the code was specifically designed to attack the Iranian nuclear infrastructure. Nonetheless, the warning from Stuxnet is clear: cyber weapons, once deployed, can behave unexpectedly and are, effectively, in the public domain. The theft of cyber weapons also represents a major risk, as witnessed in 2016 by the Shadow Brokers’ apparent theft and sale of US Government zero-day exploits.
NotPetya and WannaCry are examples of the invocation of the law of unintended cyber consequences. WannaCry, which is estimated to have done $4bn worth of damage globally, including £100m of damage to the UK National Health Service, is based upon a stolen NSA cyber weapon, re-purposed by North Korean hackers and deployed for financial motives. Having probably been sold to the North Koreans by brokers affiliated to the Russian Government, WannaCry significantly impacted Russia including, ironically, the Russian Ministry of the Interior, whose remit includes protection from cyber-crimes. NotPetya, the worm widely attributed to Russian attacks against Ukraine in 2017, and which nearly destroyed Maersk, also did significant damage to Russian energy giant Rosneft. A world in which cyber weapons proliferate amongst actors with either little understanding of, or little care for, the potential consequences of their use runs the risk of catastrophic damage to its digital infrastructures.
Gazing into the cyber crystal ball
If this hierarchy of scenarios is accurate, an attack against the internet is, for the time being, the least likely to materialise. That could potentially change with bifurcation of the internet, something that Eric Schmidt has estimated will take place within 10–15 years, and which former NCSC CEO Ciaran Martin has also deemed as probable, albeit not inevitable. At this point, the world would effectively have two competing internets: one led by the US and the West, and another led by China and non-Western countries. China’s Belt and Road Initiative has in some respects already begun this process, with many of the 60 or so countries involved trading certain freedoms in return for infrastructure.
The reliability of norms governing the behaviours of nation states in cyberspace is open to question. To date, Thomas Rid’s assertion that Cyber War Will Not Take Place appears to hold true, albeit within narrow and arguably outdated definitions of what constitutes violence and war. Whilst the most capable cyber nations have been willing to engage in irregular cyber conflicts, they have steered clear of conducting full-scale strategic cyber warfare. Where cyber conflicts have occurred in Estonia, Georgia and Ukraine, attacks have followed geopolitical events or formed an element of mainstream military activities.
How long this ‘unpeaceful’ cyber peace will hold is unknowable. Cold War deterrence worked because nuclear weapons possessed certain characteristics that made deterrence theory possible, notably their easily understood effects and our ability to observe their infrastructures. Cyberspace is less accommodating. Capabilities, intentions, attacks and attribution are much less discernible. Outcomes are far from predictable.
Covid-19 has laid bare both the fragility and the resilience of economies and societies. Yuval Noah Harari is right to warn of the opportunity for a digitally inspired, human catastrophe. For as long as the internet remains resilient and our nascent strategic norms hold, it seems that an accident, brought about by human error or ignorance, poses the greatest threat to the technologies we rely upon for our daily lives.
The starting gun on the race between the internets of the future has already been fired. Ciaran Martin’s view is that the survival of an internet run along open ‘Californian’ lines will require alliances across the Five Eyes and their partners to take on a commercial dimension spanning software and hardware manufacturers, difficult though this will undoubtedly be.
With regard to the protection of our wider critical national infrastructure, one of the chestnuts perennially offered by the cyber cognoscenti is that there are no silver bullets on offer to solve these issues. Whilst businesses seek simple and quick solutions to problems, the problem of cyber insecurity is too big and too complex to lend itself to simple and quick solutions. Facebook CISO and industry veteran Alex Stamos believes that the problem will be solved by software, but not for several decades. Despite this we have a cyber security industry that appears to be intent on attempting to provide silver bullets in the form of eye-catching products and services, many of which, in the opinion of Stripe’s Peter ‘Mudge’ Zatko, actually do more harm than good. In his view, the organisations with the best cyber security are those that eschew shiny products in favour of good security design implemented from the ground up. This is also problematic — there are only so many former L0pht members (or folks with similar knowledge and experience) to go around, and they tend to work for the big companies like Stripe.
Whilst Governments typically operate relatively little critical national infrastructure, and therefore own just a small part of the cyber security problem, Government intervention currently offers the best means of preventing harm at scale. More action will be required to build resilience by baking cyber security into regulatory models, as has been done in the UK by the Bank of England. Energy and telecommunications are likely candidates to follow suit. Banning payments to criminals by companies falling victim to ransomware, 58% of whom in the UK admit to paying ransoms, is another possible step.
Governments are traditionally loath to interfere in markets, but there are many who take the view that the cyber security industry is something of a market for lemons. Faced with market failure, it would make sense for Governments to tackle the low-hanging fruit, as the UK NCSC has done, by offering to ‘protect from the centre’ with a range of free-to-use protective services, affording a degree of protection to those typically unable to protect themselves. The Active Cyber Defence (ACD) programme’s pithy aim is to ‘Protect the majority of the people in the UK from the majority of the harm caused by the majority of the cyber-attacks the majority of the time.’ The programme is now in its third year and its initiatives are being emulated internationally.
Until the cyber security industry works out how to demonstrate greater efficacy, and/or until industry works out how to do cyber security, the world is likely to require more initiatives like ACD. This will attract a different set of debates and challenges related to transparency, censorship and privacy.
The focus on cybergeddon potentially misses another, possibly bigger, issue: the extent to which non-destructive cyber-attacks that don’t always grab the headlines are set to challenge our existing notions of power and international order. It is in this regard, in technology’s potentially transformative effects upon geopolitics, that we are in the foothills of our understanding.
In his 2014 book, World Order, Henry Kissinger put it thus:
Nuclear weapons… catastrophic as their implications were… could still be analysed in terms of separable cycles of war and peace… cyberspace challenges all historical experience.
To find out more about how Nominet Cyber helps to create secure digital economies, see the Protective DNS section in the NCSC Active Cyber Defence Year Three report, published in February 2021.