91av

A cybercrime wave is coming – brace yourself

Phones, drones and robots can all be hacked and turned against us. Ex-Interpol agent Marc Goodman warns about the coming crime explosion
"Previously, I never had to worry about a hackable television, a hackable pacemaker, a hackable car, a hackable pet. But now all of this is possible"
“Previously, I never had to worry about a hackable television, a hackable pacemaker, a hackable car, a hackable pet. But now all of this is possible”
Photographed for <i>91av</i> by Pål Hansen

Your new book is called Future Crimes. How is crime changing?
In the old days, you buy a gun or a knife, you go hide in a dark alley until some sucker walks by and you say, “Give me your wallet”. Good business model, but you can only rob four or five people a day. However, with Moore’s law of technological progress comes Moore’s outlaw, and so we’re seeing a paradigm shift in crime. In one hack of the US retailer Target in 2013, over a third of Americans were victims, including . So one individual can now rob 100 million people. That has never been possible before and it’s because we’re all connected via vulnerable technology.

You started out as a police officer. How did you become interested in cybercrime?
I was the technical genius in the Los Angeles Police Department who knew how to use spell-check. I did the local policing thing, then I worked with Interpol for over 10 years, helping police forces around the world deal with cybercrime. As I got more into these cases, I saw how the bad guys were exploiting tech. In the late 80s and early 90s, when pagers were not yet that common, I saw gang members and drug dealers carrying them. Criminals had cellphones long before any cop did. Criminals are often early adopters of technology.

What technology have criminals adopted now?
Hacking itself has been encoded in software. If you wanted to hack into a bank 20 years ago, you’d need to be a master hacker. Now you can pay a fee to the master hacker, who has encoded his knowledge into crimeware. Most hacking attacks are no longer carried out by humans. That Target hack was carried out by a 17-year-old kid in Moscow who bought some software online that broke into the network.

You’ve called cybercrime a gathering storm. What’s about to happen?
The internet is about to get a whole lot bigger. It’s like the old days when London or New York ran out of telephone numbers and they needed to create new area codes. We’re doing the same with the internet and the impact will be massive. The old internet could support 4.5 billion simultaneous connections, but the new addressing system being rolled out – Internet Protocol version 6 – supports up to 78 octillion. That’s 78 billion billion billion things that can be connected to the internet at once. So if today’s internet is the size of a golf ball, in the next few years it could grow to the size of the sun. Every grain of sand on our planet could have its own internet address a trillion times over. Previously, I never had to worry about a hackable television, a hackable pacemaker, a hackable car, a hackable pet. But now all of this is possible. We’ve wired the world but failed to secure it.

“If today’s internet is the size of a golf ball, it will soon grow to the size of the sun”

You’re implying that every connected device is a target. Why do you think that?
No one has ever built a computer system that could not be hacked. We are rushing full speed ahead to put every possible device online and they’re all insecure. We should pause for a moment. If somebody hacks my television, do I care? But all of the world’s critical services are run by computers and we’re seeing these computers increasingly come under attack. People have always struggled for power. Now, if you control the code, you control the world.

Does that include connected technology like CCTV security cameras?
The tools we have to protect us can be subverted and that security used against us. It’s what I call the judo model of cyber security – using your opponent’s weight against them. You really can’t have any faith that when you set up 300 cameras on a street in London, or wherever, that the government is the only one watching.

Nor can anyone trust what they see on screens. We’ve all received phishing emails that appear to be from our bank. That was taken to the next level with the Stuxnet malware attack in Iran in 2010. Nuclear engineers in a control room were staring at screens that showed the status of uranium-enrichment centrifuges. The screens said everything was fine but the centrifuges were . Somebody had inserted a hack in between what was really going on and what was being presented on the screens. We are becoming increasingly disconnected from physical reality in this way.

It’s often said that we’re the weakest link when it comes to security. Is that fair?
If you’re content to not understand anything about technology and you’re happy just pushing the little buttons on your iPhone, then you’re at risk. Somebody else in Moscow or Guatemala understands exactly how that phone works and will use that against you. We need to give people a sense of cyber hygiene. In the real world, I cover my mouth if I sneeze. But we have no idea what hygiene looks like in cyberspace and so we continue to spread “disease”: we send around email attachments that have viruses and we plug strangers’ USB sticks into our computers.

However, one of the reasons why we have these fundamental risks today is bad software. I get that coding is complex, but Facebook’s motto used to be ““. In other words, speed to market is more important than security. Blaming humans rather than poor security design is bullshit.

If we fix cyber security, can we stop worrying?
The threats that we’ve been talking about are all behind computer screens. If somebody takes £50 out of your bank account, you’re not physically harmed. But a fair percentage of the devices we’re about to connect to the internet will be robots that can move. We’re about to introduce millions of computers that walk, crawl, roll and swim. They will fly above us like drones, follow us in swarm formation, track us down the street. Robots can kick, punch and shoot – and they can all be hacked.

We’ve already seen examples of people using drones. The who was planning to load drones with explosives and and the US Capital building. We’ve had peeping Toms. In Seattle, a woman was changing with her curtains open on the 25th floor of her building – something she’d never had to worry about before – and looked out her window to see a drone filming her. If you call the police and say, “There’s a drone outside my apartment”, what are they going to do? The tools aren’t there at all.

What about synthetic biology? Presumably you see problems there too…
Where do I begin? If you can code in DNA, you can hack DNA. The recipes for bioweapons like Ebola and Spanish flu are all online. The cost of synthesising them has dropped sharply and our ability to decode DNA is proceeding at a pace five times that of Moore’s law. With the tens of thousands of people experimenting with this technology, it wouldn’t be surprising if there were a few bad apples.

Another possibility is attacking a specific individual. If you can come up with a personalised cancer treatment (see 91av, 13 December 2014, p 28), you can come up with a bioweapon tailored to attack that person’s genetic code. We’re completely unprepared for these eventualities.

You’ve painted a vivid picture of future crime. What will future policing look like?
All of these crime bots are running amok, but we don’t have the cop bots to take them out. Robotics could be huge for policing – you could automate the bobby on the beat. And on the AI front, we should take advantage of big data for crime solving. We’ll also see a lot of the military technology that’s being developed – armed robots, aerial drones – coming to civilian law enforcement. The modern police force is already being militarised. There are definitely changes coming.

It sounds like a lot of resources will be needed to tackle these issues. Is that why you’ve talked about the need for a new “Manhattan Project”?
The wonderful technological future that we’ve been promised by Silicon Valley won’t come for free. It’ll take time, money and effort. But think about the existential risk that the Allies faced in the second world war – the prospect of the Nazis developing the nuclear bomb first. It galvanised them into action. During the Manhattan Project, the Allies had more than 110,000 people around the world working 24/7.

I use that comparison because we have just as much at risk. I think about the fact that the internet is at the core of the world we are building – fundamental to our electricity grids, national defence, healthcare and transportation. I think about having no electricity, no running water and sewage leaking on to the street because these systems have been hacked. It focuses the mind.

So why isn’t society being galvanised into action by this “gathering storm”?
The difference between the people of Manhattan Project and us is that they were serious about the threat before them.

Profile

Marc Goodman has spent decades in law enforcement and technology, and worked with the FBI and Interpol. His new book is Future Crimes: A journey to the dark side of technology – and how to survive it (Bantam Press)

Topics: Computer crime / Crime / Forensics / Hacking