Looming threat of stock markets getting robbed? Or is this World War 3.0?
From Pearl Harbor to #SiliconSlaughter — The cyber crisis
To rob the stock market, follow these four easy steps.
Step 1: Wait for positive quarterly earnings.
Step 2: Short those stocks.
Step 3: Launch a crippling cyber attack against those companies.
Step 4: Buy a yacht and cruise into international waters.
I founded Staminus, a cyber security company acquired this year by cyber security powerhouse StackPath. I’ve been personally involved in stopping more than 3.5 million attacks.
I understand the intricacies of cyber security.
Much of the Internet was down Friday October 21st due to widespread cyber attacks. What happened could have been illegal financial capitalization, or the beginning of visible state-sponsored Internet warfare.
World War 3 never made sense. Nuclear holocaust sucks for everyone. We may have embarked on World War 3.0, the beginning of World Wide Web Warfare.
Pearl Harbor meet Silicon Slaughter
Twitter. Spotify. PayPal. Tumblr. WhatsApp. CNN. Shopify. Etsy. Netflix. Zillow.
These are all public companies (or properties of public companies). They were all taken offline using massive cyber attacks. The list of victims also included private companies such as:
SoundCloud. GitHub. Reddit. Dyn.
These companies cover a wide range of industries: communication, finance, music, media, news, retail, real estate, and infrastructure. Nobody is safe.
In fact, the total list of all casualties is pretty long — likely in the hundreds or thousands. That’s because the attack affected Internet infrastructure. This lead to many websites and applications being unavailable.
Who’s to blame?
Donald Trump blames Hillary and Hillary blames Russia. Or China? It’s hard to keep track.
The scary part is, anyone with moderate know-how can launch this attack. It’s not that sophisticated. It could be state-sponsored. It could be a group of kids with MacBooks. It could be one angry person. It could be a shady hedge fund. It could be hacker activists (hacktivists). The Internet is the great equalizer. Like democracy, it’s a double-edged sword.
Companies like Facebook and Google want to deliver Internet to everyone on Earth. It increases their revenue. Governments seek to replicate the success of the American economy at home, fueled by the Internet. The power of the Internet will soon be in the hands of every person on Earth.
“Any skilled engineer can take control remotely of any connected ‘thing’. Society has not yet realized the incredible scenarios this capability creates.” — André Kudelski, Chairman and CEO of Kudelski Group, World Economic Forum: Mastering the Fourth Industrial Revolution
There is no future
This story gained traction when KrebsOnSecurity.com, a popular security blog, was taken offline via cyber attack in September. The attack used botnet software called “Mirai” to launch a DDoS (Distributed Denial of Service) cyber attack. It used insecure security cameras and other Internet-connected devices.
Mirai means “future” in Japanese. It is much bigger now, and way more coordinated. Ironically, it jeopardizes the very future of the Internet.
The Internet of scary things
The scope of this problem is frightening. Mirai’s hacked cameras are a small subset of the “Internet of Things” (IoT). IoT refers to any electronic device connected to the Internet whether light bulbs, thermostats, door locks, cars, phones, drones, and much more. We’ll have about 28 billion of them by 2021.
However convenient, the majority of IoT devices will likely be hackable. It’s estimated that there are 30 code errors for every 1,000 lines of code. Robust IoT systems often contain hundreds of thousands of lines of code. Software security flaws will naturally exist and hackers will exploit them.
Hackers just need one major security flaw to exploit millions of devices. It can take as little as days or weeks to exploit software. Once hacked, launching an attack is simple.
Cyber security companies use advanced software and hardware technologies to stop Mirai and other similar attacks. Much of the technology depends on sophisticated artificial intelligence. It can take years and tens or hundreds of millions of dollars in research to combat even simple attacks.
So it’s easy to launch successful attacks and difficult to stop them.
Private defense, public offense
These cyber security technologies have worked pretty well until now. The last time the industry failed to protect major companies was about 16 years ago when cyber assaults took down Buy.com, eBay, CNN, Yahoo, and Amazon. So cyber security companies have done a pretty good job of privatizing defense.
Capitalism works. Small government is good. Sort of.
Governments have been unable to stop these attacks in real time. They pursue cyber criminals and sometimes prosecute them, but they’re not nimble enough to save a company from bankruptcy in the face of sustained attacks. They are, however, good at launching attacks with impunity, which is what we witnessed recently with Russian attempts to mess with our elections.
The democratization of the Internet means it represents a major sector of global GDP. It also means more people and governments can engage in cyber warfare. Cyber security companies face an uphill battle. They have to use private funding to defend against publicly funded cyber attacks.
Attacks also impact more people today. 16 years ago, a million people noticed Yahoo was offline. Today, tens or hundreds of millions of people notice large-scale attacks.
“The changes are so profound that, from the perspective of human history, there has never been a time of greater promise or potential peril.”― Klaus Schwab, The Fourth Industrial Revolution
The scope of the game has dramatically changed.
That’s a lot of cabbage!
The Internet represents around 6% or $1 trillion of U.S. gross domestic product. It is equally or more important for other countries. In an era when physical military confrontations can lead to nuclear war, anonymously chipping away at $1 trillion is enticing.
There is strong motivation for any number of nation-states to attack this US sector. It hurts the U.S. economy, and helps drive valuable users to foreign copy-cat companies.
When users notice an online retail website is down, they buy their widgets elsewhere. If this happens enough, they’ll permanently change their buying habits. Even if the site loads slowly, users have a tendency to go elsewhere. That’s why content delivery networks (CDN) are so widely used.
This leads to lower daily active users (DAU) — a measure of how many users are active per day on Internet sites and applications. DAUs are pretty bad when a site is offline. And users tend to be sticky. Once they move off a platform, they’re usually gone for good and DAUs plummet. This represents both short and long term loss of value for the company.
So cyber security companies have to be perfect. Not only do they have to keep the site up, but they also have to make sure it’s fast. A marriage of security and content delivery.
When they fail, we may see damage into the billions of dollars.
So really, who do we blame?
I don’t think it matters.
If attackers are reasonably sophisticated, they can pretty much guarantee their anonymity. This looked like such a sophisticated attack. Whether it was financially motivated or a form of modern warfare, we may never find who was ultimately responsible. And even if we did, we likely wouldn’t begin a conventional war but rather launch our own cyber attacks against them and their allies.
Since defense is more complex than offense, countries with better cyber security industries will win.
This represents a historic shift in the global share of power. Physical force is being replaced by intellectual capital. The arms race has morphed from tanks and nukes to hoodies and MacBooks. The Manhattan Project of our generation will be the invention of sentient artificial intelligence.
Welcome to World War 3.0.