War on the web: how to stand up to cyber threats

Not too long ago, the phrase “electronic army” would have conjured up visions of something out of a 1980s dystopian film – probably the kind starring Arnold Schwarzenegger and a lot of fog machines. Yet the idea has become very real, as a group called the Syrian Electronic Army proves. Supporters of Bashar al-Assad’s regime, the group has managed to temporarily cripple the online operations of companies such as Twitter and The New York Times.

Digital warfare is escalating as sophisticated attacks are carried out against corporations, governments and individuals. The Survey on the Global Agenda tells us that people over the age of 50 find these attacks more worrying than the under-50s, but the shift to the cloud and the rise of the “Internet of things” means all of us could be affected.

Until quite recently, most people and organizations with a web presence were operating their own servers. It meant that as the web developed, anybody could set up a server anywhere and it wouldn’t feel far away to anyone. It worked beautifully for a while, and it also gave the system a certain resilience, because the eggs weren’t all in one basket. If an egg were to crack, the server’s owner wouldn’t be happy, but the overall system would be fine.

However, with the rise of denial-of-service attacks (typically by flooding a machine or network, rendering it temporarily unavailable) it seemed crazy to run your own server. And it was expensive, so you would outsource it. Businesses could pay a fee and let Amazon or someone else host it for them, but in the process they were giving up more control than they knew. Yes, it’s a stronger chain than before, but it’s got more links that can be attacked. And the eggs are increasingly in the same basket, so if Amazon Web Services goes down, then so do a lot of other things.

But there’s another pressing issue here, and that’s the Internet of things. It’s a catchy phrase in the tech world these days, referring to the fact that physical objects, often very mundane ones like thermostats and refrigerators, are now Internet-enabled. And web security hasn’t caught up. It’s shocking sometimes: a German IT security company called n.runs discovered earlier this year that communications between airplanes and the ground are not encrypted, and that it wouldn’t take much for a hacker to give some rather unusual instructions to a plane, or to update its firmware while it’s in the air.

Obviously these communications shouldn’t be open to the public, but because we’re in a transitional phase, where we’re migrating so much into this idea of an Internet of things, a lot of vulnerabilities are being overlooked.

So what can be done about it? I think governments and NGOs should ensure that it’s not catastrophic if they are hacked, rather than attempting to hold off the hackers. This is a team effort. Look at Wikipedia: if you want an online encyclopaedia to look good, you first have to figure out how to deal with vandalism. And this doesn’t mean trying to prevent vandalism from happening. Instead, it’s about finding fast ways put it right as it happens, making sure there are more editors fixing vandalism than there are vandals.

The same goes with cyber threats. You’re always dealing with an unpredictable current. But there should be more people working – and working hard – towards keeping the course, than people who are disrupting the flow.

This is an extract from the Outlook on the Global Agenda 2014, published this week.

Read a blog on the top 10 trends facing the world in 2014.

Author: Jonathan Zittrain is Professor of Law and Computer Science at Harvard University Graduate School of Design, and a Member of the Global Agenda Council on the Future of the Internet.

Image: The word Password is seen on a coputer screen REUTERS/Pawel Kopczynski.