“We’re on the brink of an enormous catastrophe. If you think the pandemic was bad, you can’t imagine what can be done with cyber.” This prophecy of doom is spoken by Former NATO Supreme Allied Commander Europe, General (Ret.) Wesley Clark, who participated (via online platform) in the panel titled “The cyber curse: is there a cure?” at the Cybertech Global conference in Dubai this morning (Tuesday).
“In the ‘90s the internet started blossoming, then banking went online, and people began doing online shopping, and credit card information was exchanged online,” says Clark. “When we first became aware of the problem, we bought antivirus products, but those evil hackers would get into people’s bank accounts, copy the account and take your social security number.
“Then we realized it wasn’t just personal information, but that destruction could occur, such as disrupting banking systems. Then, in 2007, the first known use of cyber to create kinetic levels of damage was employed, on Iran: rather than launch a bombing strike, a clever solution was provided, that used data inside those spinning centrifuges that were enriching uranium, to cause them to spin out of control and self-destruct.
“Many nations can do this, find and exploit vulnerabilities in software or hardware or people, and then inject malware into operating systems. Sometimes it takes immediate effect, sometimes it worms its way to different systems, sometimes it collects information and reports back, sometimes it lurks waiting for a command to be activated. It’s mostly defensive and the people inside will say they need to do cyber reconnaissance, but it has the potential for an offensive component.
Clark goes on to discuss the SolarWinds hack and the ease in which it was done. “The unclassified version of the story is that the Russians found a password that was like ‘SolarWinds123’. They typed it, got into the system, then moved through it to all other organizations that used the Orion software,” he says, and warns that “it’s possible to shut down critical infrastructure, refineries, businesses, banks, transportation - but most importantly, the electricity grid. It’s been done by the Russians in the Ukraine.”
So what can be done? Clark offers two solutions: one concerning the supply chain, and the other concerning training. “On the supply chain, you have to know where you’re getting your software and hardware, and it has to be validated before it installed, and updates have to be managed,” he explains.
“On the human side, you have to train your operators: they can’t open e-mails, even from their best friend – you don’t know what’s in that email, might be a phishing attack. You can’t go cruising websites looking for the best new technology when you’re connected inside a business – you click on a new server, and who knows what you downloaded into your computer. There’s executive awareness, to make sure everything comes together.
“But is there a cure? Right now, no. In fact, with the Internet of Things, right now the number of attacks is growing. My purpose here is to alert all of you to how serious the danger is: if the power grids are taken down – no nation really has proper backup. This has to be our first priority. This is a wakeup call we’ve had from the Russians for five years. So that’s number one: be advised, be warned, recognize the risk.
“Number two: the internet wasn’t designed for security, it was designed for the free flow of information. So everything we do is an add-on, everything is a patch to a system that is inherently vulnerable. We should have double authentication handshakes before any information is exchanged on the internet, positive identification.
“Everything could be fixed if we design a system for security. One of the urgent problems of this decade is to move away from cyber vulnerability and design systems for security.”
The Cybertech Global UAE-Dubai conference is taking place now, April 5th-7th, 2021.
Conference website: https://www.cybertechconference.com/