Computer experts have long warned about a catastrophic cyber-attack in the US, a sort of Web 3.0 version of 9/11 that would wreak enormous damage throughout the country. Like most Americans, I shrugged. With all of the enormous resources the country enjoys, those warnings seemed like the rantings of a digital Chicken Little.
Oddly enough, the revelations of the National Security Agency whistleblower Edward Snowden gave me some false comfort. If the powerful NSA was so good at hacking its own citizens, then surely the agency could prevent criminals, terrorists and foreign enemies from doing the same?
And then there’s Silicon Valley, which I frequently write about. Surely the uber-geeks who run the world’s greatest innovation cluster could code something to smite the evildoers? Well, on behalf of the US, I admit I was terribly wrong. We are so screwed.
I came to this conclusion recently, over a span of seven days. Earlier this month I attended a preview of retail giant Target’s new “Internet of Things” showroom in downtown San Francisco. The company had constructed a mock house intended to show how “smart devices” connected to the internet could seamlessly work together to automate the 21st-century digital home. A car alarm wakes up the baby sleeping in the nursery. A sensor detects the baby’s cries, alerts the parents and automatically triggers the stereo to play soothing music.
It was all very impressive, but I couldn’t help but notice an irony: the retailer that in 2013 was subject to a hack that compromised the credit-card data of 100 million consumers now wanted people to entrust their entire homes to the internet. “It’s been a long time coming, but we are just getting started,” a Target executive said.
One week later I found myself at a dinner in a fancy hotel to discuss cybersecurity with the executives of top Silicon Valley firms. Unlike the festive Target event, the mood was decidedly grim. Actually it was downright alarming.
Forget about the Sony and Ashley Madison hacks. Those cyberthefts may cost companies some money and embarrassment, but that’s not what the execs were nervous about. Even the successful breach of Chrysler’s in-car systems, which allowed hackers to take control of a Jeep on the highway and prompted the recall of 1.4 million vehicles, is a mere appetiser compared with what’s coming down the road.
By 2020 the US will be hit with an earthquake of a cyber-attack that will cripple banks, stock exchanges, power plants and communications, an executive from Hewlett-Packard predicted. Companies are nowhere near prepared for it. Neither are the Feds. And yet, instead of mobilising a national defence, we want a toaster that communicates with the washing machine over the internet.
In many ways the Target event and the dinner demonstrate a kind of collective cognitive dissonance about technology. We’ll eagerly pursue innovations like the internet of things and electronic health records even as we’re increasingly aware of how vulnerable such technology makes us to terrorists and criminals. In fact, the reference to earthquakes was fitting. Scientists have long predicted the “Big One” – a massive earthquake in Seattle or San Francisco that will kill lots of people and cause trillions of dollars of damage. Yet people still build houses and buildings on what is essentially the most dangerous land in the country.
What struck me about the dinner, attended by executives from Hewlett-Packard, software company Cloudera and PayPal, along with academics and investors, was the naked pessimism in the room. Nobody even tried to put a happy face on the situation. “A slow-moving train wreck,” one executive said. Forget about coordinating with each other or the Feds: companies don’t even know how to deal with their own hacks, never mind worry about someone else’s. A whopping 57% of chief executives have not been trained on what to do after a data breach, according to a report by HP. And more than 70% of executives think their companies only partially understand the risks. Buying antivirus software is one thing; deploying an effective strategy is quite another. However, companies don’t even want to admit they were hacked in the first place.
Think about the big hacks that have dominated headlines in recent years. In most cases the companies disclosed the intrusion only after someone forced them to do so – either journalists or the hackers themselves. Again, let’s focus on Target. In December 2013, blogger Brian Krebs disclosed that hackers stole data from millions of Target REDcard users. Yet it took Target more than 24 hours to confirm it. One wonders when or even if Target would have admitted the breach had it not been for Krebs’s story. The hack took place at the height of the holiday shopping season, the most important sales period for retailers.
Indeed, hours before Krebs broke the story, then-CEO Gregg Steinhafel issued an unusual statement to say that he was pleased with holiday sales. Once the hack became public, sales sharply fell. A few months later I wrote a story for the San Francisco Chronicle that disclosed hackers, possibly from China, had infiltrated the systems of the country’s top three medical-device companies. Only Medtronic eventually admitted to the hack – about four months after my story appeared and more than a year after the hack occurred. Sadly, Corporate America’s ineptitude is only half the problem. In general, people “just don’t give a shit” because they don’t have any real skin in the game, said one person at the dinner. Unless lots of consumers lose lots of money, cybercrime will continue to remain a vague and distant threat.
Oh sure, it’s pretty annoying when you have to cancel your credit cards. But since banks and other financial institutions cover any financial losses from fraud, people don’t feel any financial pain from cybercrime – at least not enough to make them care.
How else to explain this? According to SplashData, the five most popular passwords in circulation are “123456”, “password”, “12345”, “12345678” and “qwerty”. Darwin wins again.
For all American pontifications about privacy, we don’t exactly make it hard for people to see our stuff.
A survey by the Pew Center showed that in 2014, while Americans said that they care deeply about privacy, the vast majority of respondents – 91% – had not made any changes to their internet or cellphone use to avoid having their activities tracked or noticed. Only 7% reported that they had made these kinds of changes in “recent months”.
Sadly, the people at the dinner all agreed, the only thing to shake companies, consumers, and the government out of our weird stupor is a massive cyber-attack akin to 9/11. Only instead of planes flying into the World Trade Center, these cyber-attacks, whether from a hostile state or terrorists, will hurt all of us, not just people who happen to shop at Target. In the meantime we will continue to connect our appliances to the internet and download attachments from sketchy emails. But don’t count on companies or the Feds to prevent the Big One. Because they are just as lost as we are.
Thomas Lee is a columnist at the San Francisco Chronicle who frequently writes about cybersecurity. This is adapted from a column that appeared in the newspaper last week.