| Author's Note: This article is not intended to offend cyborgs, androids, or other microprocessor-minded minorities. |
What does it mean to be ‘safe’ or to exhibit ‘safe behavior’ online today? If you ask these questions to most people, they’ll likely respond with a consumer-educated answer about anti-virus, or maybe they’ll provide a pithy reply about high-potency passwords, or avoiding any proclivity of porn. It’s good advice, on all fronts. But what does ‘safety’ really mean in the context of the digital age?
A computer virus is, after all, a computer virus. Despite what science fiction might lead us to imagine, we are not computers. We are humans, biological in nature. We are prone to many maladies, but the only Trojan threat we need to fear is the horse full of angry Greek soldiers. We use computers, certainly, putting our personal information, our intellectual property, and our productivity at risk, but you can’t hurt a human by infecting a computer…right?
Warrant officer Ripley might disagree, as might Frank Poole. Science fiction has long taught us that when computers go bad, they have ways of exploiting our soft, fleshy weaknesses. Just ask Neo (after he takes the red pill), John Conner, Kevin Flynn or his program, “Tron”.
Stepping out of mythology and science fiction into the realm of fact, we can see that we’re still not as safe as we might think. It’s because we still think of online safety, primarily, in terms of our information. It’s our bank accounts that are at risk, or our entertainment. The closest the threat ever gets to us, as human beings, is the potential to expose us to information that we don’t want – shielding our children from inappropriate content, for example. Manipulation of our digital lives might hurt our thoughts, beliefs, ideals, and even our reputations, but it couldn’t possibly hurt us physically.
Or could it?
Unfortunately, the belief that our physical and digital lives are distinct and detached is a very basic and unrealistic sentiment. It’s one that is shared by many people, but is nonetheless false. The truth is that computers can hurt us. They can hurt us badly.
Consider personal information – a Facebook post about an upcoming vacation that results in a burglary. That would certainly hurt emotionally and economically, but not physically. Now consider public infrastructure. Trains are routed and controlled using digital systems. Our energy utilities are controlled using digital systems. Our emergency response, much of our healthcare, clean water and waste-water facilities, prison cells, and almost everything is controlled using digital systems.
These systems can be hacked, monitored, manipulated, broken, and outright sabotaged. The recent trend for advanced persistent threats, or APTs, is one toward destructive behavior. It’s not enough to steal information anymore, as certain breeds of malware are out to hurt the systems that they infect – and when those systems control the infrastructure that our physical lives depend on, we all feel that pain.
It’s not science fiction, it’s fact. We’ve seen malware targeting the nuclear industry in Iran. We’ve seen it targeting the oil industry globally. We’ve seen malware switch tracks on railway systems, issue false amber alerts, explode electrical substations and spew sewage.
These things can all hurt us indirectly, but they still don’t hit us personally, individually. Well, we’ve also seen hacks demonstrated against insulin pumps, and the electronic control units in our cars. Ever had the urge to engage only the front right brake? While on a bridge? I didn’t think so.
There have been demonstrated cyber attacks against Smart Grids that can cause an electrical substation to trip. In the wrong climate, at the wrong time of year, an extended power outage could certainly be dangerous. What if the same threat were used the other way around, causing too much electricity instead of too little? High voltage arcs, line failures, and even substation explosions are possible – fortunately, only theoretically possible at this point, but disturbing nonetheless.
I’m not recommending a resurgence of the Luddite movement of 19th century England, but we do need to rethink what ‘safety’ means in the modern digital world. If we don’t, we might just wander into the wrong digital neighborhood, and get the information-age equivalent of a mugging. You won’t actually catch the computer virus, but the harm that could come from taking our digital lifestyles for granted is enough to make you sick.
Eric D Knapp (@ericdknapp) is the Director of Strategic Alliances for Wurldtech Security Technologies, and the author of Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA and Other Industrial Control Systems. His new book, Applied Cyber Security for Smart Grids, was co-authored with McAfee CTO Raj Samani and is available on Amazon.