In a few years, if you enter all available facts into a supercomputer and ask it how to make the internet secure, information security expert Adi Shamir predicts this is how the computer will respond:
Kill the internet. Start over again.
“The internet, as we know it, is beyond salvaging,” says Shamir, an Israeli who won the prestigious Japan Prize this month, worth about $442,000. The prize, established by the Japanese government, honors advances in life sciences, electronics and communications.
Alarms over the state of the internet appear with greater frequency as malicious code runs rampant, criminal hackers sweep up passwords of hundreds of millions of users, and nations skirmish with digital weapons. Once a platform for enlightenment, the internet flirts with a dark age, industry leaders warn, and global action must be taken.
Chief among them is Microsoft’s president, Brad Smith, who on Feb. 14 called for a Digital Geneva Convention, an international agreement to protect civilians from states’ destructive uses of the digital sphere.
“The time has arrived to call on the world’s governments to implement international rules to protect the civilian use of the internet,” Smith said in a keynote address last week to a gathering of cybersecurity professionals at the RSA Conference, a five-day annual meeting.
He drew a comparison to how war-weary nations in 1949 came together to draw up the Geneva Conventions, which now bind 196 nations and commit them to offer humanitarian treatment to civilians in times of war.
Smith said cybercrime is taking an increasing global toll, and that 74 percent of the world’s businesses expect to be attacked each year. Economic losses due to cybercrime may hit $3 trillion by 2020, he added.
But more alarming, he added, is that nations have unleashed their cyber arsenals.
“We suddenly find ourselves living in a world where nothing seems off limits to nation-state attacks,” Smith said. “Cyberspace has become a potential new and global battleground.”
Smith referred to the 2014 North Korea hack of Sony Pictures, and said it culminated last year in “hacking incidents connected to the democratic process itself,” a reference to U.S. assertions that Russian state hackers influenced the U.S. election in President Donald Trump’s favor.
Civilian users around the world pay a price as the battleground intensifies, experts said.
“The online environment is increasingly noxious. Every year, the level of risk, crime and threat goes up,” said Philip Reitinger, a lawyer who is president of the Global Cyber Alliance, a nonprofit group seeking to end systemic threats on the internet.
“The situation is going to continue to get worse for the next 10 years,” added Reitinger, who formerly fought cybercrime from senior posts in the departments of Homeland Security and Justice.
That assessment was echoed by Mike Rogers, a Republican and former Michigan congressman who once chaired the House intelligence committee.
“The United States is in a cyberwar, and most Americans don’t know it,” Rogers said.
But whether an international treaty or convention could slow the destructive currents that make the internet increasingly hazardous is the subject of intense debate.
Smith called for a global pact that would “commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property.” He said it could build on existing regional agreements, such as one signed in Europe and known as the Budapest Convention on Cybercrime.
In effect, he called for a global cyber sheriff, ensuring that nations live up to agreed-upon rules but also codifying that their territory not be used by others for digital mayhem.
J. Michael Daniel, who spent more than four years as cybersecurity czar in the Obama administration, said he worries that some authoritarian nations would distort such an accord.
“They don’t even use the term ‘cybersecurity.’ They use the term ‘information security.’ What they really mean is content control. Their goal in such a treaty would be trying to say that they could say what goes on the internet,” Daniel said after a forum at the conference.
A better first step, Daniel suggested, would be further agreements of the sort that Obama reached with China’s President Xi Jinping in September 2015, which barred purely commercial hacking between the two nations, but not digital espionage.
“It was a very critical step forward in achieving modification in Chinese behavior. It helped change their decision calculus on what they were doing,” Daniel said.
For the engineers and information security specialists, such lofty talk was of less interest than the nitty-gritty discussions of how to break things using the internet, and how to avoid a longer-term train wreck from hacking and cyberattacks.
It was the findings of Shamir, the cryptographer, and an international team from Israel and Canada, that created a significant buzz. He told of how the network of connected appliances and devices – the vaunted “internet of things” – could fall victim on a massive scale to malicious activity using ad hoc networking capabilities.
Shamir, a professor at the Weizmann Institute of Science in Rehovot, Israel, described how the team installed a transmitter in a car and drove by buildings fitted with “smart” Philips light bulbs, taking control of the bulbs and forcing them to blink SOS in Morse code. In further testing, they put the transmitter on a drone and injected a worm from the air into a single such bulb, sparking an infection that passed like a nuclear chain reaction, causing lights to blink in an expanding circle.
The team captured video of the action of the lights from a camera on the drone.
“You can actually see the lights flicker on and off in the building,” said Sean McBride, lead analyst for critical infrastructure at iSight, which offers cyber threat intelligence and is a subsidiary of FireEye, a Milpitas, Calif., cybersecurity company.
A scientific paper from Shamir’s team describes how the worm could be used for anything from triggering epileptic seizures in humans to knocking out the lights in a city the size of Paris or harnessing the networking power of the bulbs for an attack on a third party.
“Within minutes, you can infect the whole city and make all kinds of bad things (happen),” Shamir said at a forum.
Little can be done to halt such methods from falling into the wrong hands, McBride said.
“If you write the paper, then someone else can take that and do what they want with your discovery,” McBride said.