‘Terrorists could potentially cause a lot more damage and harm than they are currently doing with their attacks all over Europe,’ says Aiko Pras, professor of Network Operations and Management. ‘If you digitally knock out Schiphol Airport, it would create total chaos. Airplanes can no longer take off and passengers would not receive any information. That would be the perfect time for terrorists to attack, because all your victims are already herded together and in a state of confusion.’
He had some doubts about whether or not to share this example. However, the professor in the Design and Analysis of Communications Systems (DACS) department knows that criminal minds can also come up with scenarios such as this one without his help. ‘The problem with this kind of scenario is that it is hypothetical. I cannot concretise how enormous the consequences of a major digital attack combined with a physical strike will be. I can only warn of the dangers, because the technology needed for a large-scale cyberattack is not all that complicated. Just look at teenagers who knock down their school’s internet just to get out of a test.’
'Because of the internet, everyone now has access to the means to commit acts of digital violence’
Crime for everyone
The digital age marks a new era for our society. Everything and everyone is connected to the internet and even critical infrastructure comes with internet protocols. Pras believes this raises new questions about our security – on a global scale, even. After all, when you give everyone access to the internet, anyone with sufficient knowledge can take advantage of it. ‘An important characteristic of the sovereign state was the monopoly on violence,’ he says. ‘The state was in control of the weapons, from assault rifles to tanks and nuclear devices. Because of the internet, everyone now has access to the means to commit acts of digital violence.’
As a result of this ‘democratisation’ of violence, we are engaged in a new Cold War, Pras believes. There are some significant differences, however. ‘All countries have programmes that they keep strictly confidential. They do not want to reveal how advanced they are and what they are really capable of. During the Cold War, it was all about showing your strength and deterring the enemy. Another difference is that cyberweapons are ridiculously cheap. The smallest nations can develop the most serious weapons and even the nation states are acquiring digital weaponry.’
- Kevin Mitnick. Committed his first major hack at the age of sixteen. Some time later, he cracked the systems of the Pentagon, the NSA and major organisations such as Dell and Compaq. He was arrested and spent five years in prison, including eight months in solitary confinement because people believed he could start a nuclear war by whistling into a telephone. Mitnick was released in 2003 and currently works as an internet security consultant.
From basement hacker to terrorist
Researcher Roland van Rijswijk, a member of Pras’ department, confirms his thesis supervisor’s words. He combines academic knowledge with practical experience in his role as Research & Development project manager at SURFnet, which manages Dutch educational and research networks – including that of the UT. ‘Cyberattacks are becoming more serious and complex in nature,’ he says. ‘Around the turn of the century, the first Distributed Denial-of-Service or DDoS attacks were committed. Over the past five years, the strength of these attacks has become a serious problem.’
In his line of work, securing universities, such DDoS attacks are an everyday occurrence. ‘A few years ago, so-called booters began to appear. These are online services where you can buy an attack. The term ‘booting’ comes from the world of videogaming and refers to kicking someone out of the game. That is exactly what happens to a network during a DDoS attack. A server is overloaded with ‘visitors,’ it cannot deal with the volume of traffic and goes offline. Students try to knock down their educational institute, for example to get out of an exam,’ says Van Rijswijk. He is quick to add: ‘Before you get any ideas, remember that you risk a four-year prison sentence if you do something like this.’
The researcher, who recently earned his PhD cum laude in Pras’ department, differentiates between various levels of cybercrime. First of all, there are the large-scale attacks that involve breaking in and stealing, eavesdropping and sabotage. ‘That is the domain of terrorists, nation states and large-scale industrial espionage,’ he explains. ‘Examples include Americans tapping the phone lines of the German Chancellor Merkel, terrorists who just want to destroy something or companies out to steal the latest technological developments from their competitors.’
'The attackers carefully prepare their scam'
Other forms of cyberattacks include phishing, ransomware and blowing services off the internet. That is usually the work of ‘basement hackers.’ However, in the playing field that exists between these loners on the one hand and nation states on the other, highly organised groups operate. ‘This type of cybercrime has been given an entirely new dimension following the recent cases of CEO fraud. The attackers carefully prepare their scam. They might, for example, create an account and ask a secretary to quickly transfer a large sum using phrases that the CEO would use. The receiving account is of course owned by the attacker.’
- Adrian Lamo. Hacked into the systems of Yahoo, Microsoft and the New York Times. Was given a two-year suspended prison sentence. He joined the other side in 2010, when he reported Bradley Manning to the American authorities for leaking hundreds of thousands of confidential documents to WikiLeaks.
This is in line with the image that professor Marianne Junger has of hackers: ‘Only around twelve percent of the hacks appear to originate outside of the Netherlands,’ she says. ‘That is not all that surprising. If you want to hack a specific target, like a CEO, you have to master the language and be nuanced. Attacks on a larger scale, such as the recent ransomware attacks, usually do come from abroad.’
According to Van Rijswijk, the criminals invest significantly into this kind of ‘local’ attack, which can often take months to prepare. ‘The scammers take their time getting to know the CEO and the business,’ he says. ‘Next, they register thousands of domain names and link email addresses to them. That requires an investment of tens of thousands of euros. You might compare it to gambling in a casino. The higher the bet, the higher the potential profit. It is a high-risk game, but the pay-off of a successful scam is enormous.’
It is clear that this type of phishing is not done by a lone hacker in a basement. ‘This is a form of organised crime,’ says Van Rijswijk. ‘That is what makes it so dangerous to go after the criminals.’
'One can break in through backdoors'
Even parties we would normally consider to be the good guys hack computers. ‘The most dangerous methods are adding software or deliberately including faults in the system,’ says Pras. ‘These contain so-called backdoors through which one can later break in. Secret services – meaning governments – frequently use this tactic. It is not just the rogue states, either; western nations use this method too. The government of Bavaria admitted to using this tactic in 2011 and the Snowden publications have all but confirmed that the US also uses backdoors. That is a major problem, because if these backdoors are found, anyone can access them.’
- Gary McKinnon. Responsible for ‘the largest military hack in history.’ In 1997, he infiltrated the computers of the American army and NASA. He claims his goal was to find information about UFOs. He posted a message that read ‘your security is crap’ on the websites he hacked. The British ultimately did not extradite him to the United States.
Cybersecurity and privacy
Politicians, policy makers and scientists are all familiar with the problem of cyberattacks, phishing and fraud. ‘Policies designed to protect us immediately lead to a different problem,’ says Andreas Peter, researcher in the Services, Cybersecurity and Safety department. ‘Namely: privacy. Of course, it is important to fight against crime, but not at the expense of everything else. As a tax payer in a democracy, you have certain rights and liberties – even digitally.’
It would seem like a simple trade-off: if a government wants to adopt stricter security measures, that will always compromise people’s privacy. ‘After all, the goal is to break through digital anonymity,’ says Peter. ‘That is only possible when you know who is online and what they do on the internet. Since the introduction of the Patriot Act, following the terrorist attacks in 2001, the American government has more authority to monitor people. Nation states take things one step further when it comes to watching their own citizens. They spy on people in secret and draw up far-reaching legislation to make this practice legitimate.’
Privacy does not necessarily come at the expense of security and vice versa, Peter says. He uses the distribution of and fight against child pornography as an example. ‘We know that distributors tend to use corporate networks to hide their identity,’ says Peter. ‘The police have a large database of information that they would like to link to corporate systems in order to filter out illegal content and its senders. However, it is a gigantic leap from a privacy perspective to give police access to all communication that takes place within an organisation.’
His group was therefore commissioned by the police to develop a system for ‘revocable privacy.’ ‘Your personal information will remain private, unless there is a good reason to suspend that privacy.’ The system works by using cryptography. ‘We install a kind of black box in the corporate network, in which the police database is cryptographically hidden in such a way that criminals cannot access it. In the end, we only see results if there are similarities between the police’s data set and what the system finds on the corporate network. We can only revoke someone’s privacy if the system detects any pornographic content. This method allows us to build privacy ethics into the system itself.’
Digital licence plate
The line between security and privacy is not as clear to Marianna Junger, professor of Cybersecurity and Business Continuity, as her colleague Peter suggests. ‘When I drive onto the highway in my car, I can be recognised by my car’s licence plate. That is no different from the way your IP address makes you digitally recognisable.’ To her, the internet is an open system that was developed in good faith. ‘The downside of that open and anonymous nature is that hatred, crime and bullying are abundant on the internet. We have yet to find the right balance between openness and security.’
- Albert Gonzalez. Stole more than 130 million credit card details between 2005 and 2007. He is currently serving a twenty-year prison sentence.
With her group, Junger researches internet abuse and how people behave in cyberspace. ‘This is a difficult field,’ she says. ‘There is hardly any information to work with. Normally, you would base your research on extensive studies of victims, but these are hardly available in the world of cybersecurity. Victims such as major corporations or banks are not interested in publicly announcing that they were attacked. This complicates our research into large-scale fraud.’
The human factor is a key aspect of Junger’s research. ‘Of course, technology is important in the world of cybersecurity,’ she admits. ‘However, we are seeing more and more that human actions are the decisive factor. Victims easily give up their own personal details when they receive a call or an email, they lose their phone that contains sensitive information or they use weak passwords. People are still the weakest link in the cybersecurity chain.’
Because of ongoing digitisation, the profile of the criminal has also changed. ‘People are more tempted to engage in illegal activities online. Whether it concerns slander or fraud, the digital line is easier to cross than the one out in the ‘real world,’’ Junger explains. ‘Online, women make up a larger share of the criminals than they do in real life. In general, however, you might say that every bad character trait someone has also exists online, sometimes in an exacerbated form. The anonymity of the internet brings out the worst in some people.’
Hack the hacker
What to do with hackers? ‘The best solution is to hack them back,’ professor Aiko Pras believes. ‘The only question is what you will find on the other side. That is why we only focused on teenagers in basements for a long time. I am becoming increasingly interested in the big players, though, and that road quickly leads to e.g. the Russian mafia. That is a dilemma I struggle with. The same goes for the collaboration within our group with students from countries such as China or Iran. We work with confidential databases and research potentially sensitive networks. I do not want to put these students, who of course have ties to their native countries, in a dangerous situation, because their governments will stop at nothing.’
An adolescent with growing pains
The internet is a platform to which we are all connected, which is not all that difficult to hack and for which the rules are still poorly defined. It is like an adolescent with growing pains. We are forcing this adolescent to grow ever larger and ever faster. Due to the rise of the Internet of Things, we are connecting more and more devices to the internet. It is no longer just our computers and smartphones that are connected to the web; so are our printers, surveillance cameras, thermostats, et cetera. Our vacuum cleaners, refrigerators and kettles are not far behind. Roland van Rijswijk says what is one everyone’s mind: ‘Do we really need all that?’
He calls it ‘the Internet of Shit.’ ‘We are heading towards disaster because we surround ourselves with cheap junk from Asia. Do you really believe that products sold at such low prices were developed with any concern for cybersecurity? I would never install any of those cheap security cameras in my home or use a baby monitor with a Wi-Fi connection. You never know who else might be watching.’
Pras wholeheartedly agrees. ‘When a Chinese range of surveillance cameras is hacked, who is responsible? The manufacturer in China, the supplier or perhaps the consumers themselves, because they should have known the product was crap. There is no answer yet to this question of liability, but the discussion is sure to arise at some point.’
Another element is – once again – the difficult question of privacy. ‘These devices often also communicate with their manufacturer,’ Van Rijswijk illustrates. ‘That means databases are filled with information about my behaviour. When I control my thermostat with an app, my energy company knows I am home. The same goes for the manufacturers of my vacuum cleaner, my surveillance cameras and many other devices. Do you really want to share all that information with everyone?’
‘Apparently, we want free services and do not care very much about our privacy'
Marianne Junger already suggested that people are the weakest link when it comes to cybersecurity. The same goes for online privacy. ‘Apparently, we want free services and do not care very much about our privacy,’ she says. ‘For now, I will consider that a given.’ Andreas Peter shares her view: ‘We are clearly very satisfied with services such as Google and Facebook and we hardly care that they track everything we do and claim our data, only to sell it to advertisers.’
Peter does have a problem with the unrestricted collection of personal information by a few major organisations. ‘We have to take back control of our own data and stop relinquishing our privacy quite so easily. Encryption should be the standard for all data traffic, not just an option.’ A relatively small group of internet users is already doing so by using more privacy-aware alternatives such as DuckDuckGo instead of Google, Diaspora instead of Facebook and SpiderOak instead of Dropbox. ‘There are also alternatives for Gmail, like ProtonMail. Yes, you have to pay a small annual fee, but that does make it a lot harder for Google, and therefore the American intelligence agencies, to spy on you.’
The big game
Each of the researchers indicates that we have significant personal responsibility when it comes to cybersecurity. However, what about the ‘big game,’ the nation states that spy, eavesdrop and steal? ‘That topic is slowly receiving more attention,’ says Pras. Several years ago, cybersecurity was added to the agenda of the Munich Security Conference, where he was a speaker. ‘One hundred million was allocated to digital security. It is a drop in a bucket, but it is also a good start.’
‘The problem with cybersecurity is that the problem is largely invisible,’ says Pras. ‘Literally and figuratively. Politicians are unaware of the risks and advisers and policy makers know everything about yesterday’s threats but little to nothing about the dangers of tomorrow.’ This means the researchers’ job is two-fold: making sure that the systems are optimally organised and informing the public and especially governments about the dangers of cybercrime. ‘In the meantime, the best we can do is put out one little fire at a time,’ Van Rijswijk agrees.
- Albert Gonzalez. Stole more than 130 million credit card details between 2005 and 2007. He is currently serving a twenty-year prison sentence.
Hackers, terrorists, countries arming themselves in secret… How can we possibly defend ourselves against cyberwarfare? ‘First of all, we must realise just how vulnerable we are,’ Pras continues. ‘Once we come to terms with that, we must realise that we need a contingency plan. How can we communicate in the event of a large-scale attack and who is responsible for what? Last, but certainly not least, we must make the internet divisible. If one part is under attack, we can quarantine it and keep other parts secure.’
Pras emphasises that these measures are desperately needed, because the dangers are enormous. ‘The internet is currently in the hands of a bunch of cowboys. Even at the state level, everyone is just messing around without marking ethical boundaries. Take the French secret service, for example. Their job description openly states that they engage in corporate espionage. The EU and the United Kingdom spy on each other to achieve the best possible negotiation position regarding Brexit. Then there is North Korea: that country is not connected to the internet and is therefore out of our reach, but it could still hold the rest of the world hostage. Believe me, it is something of a miracle that there has not been a major attack yet. It is only a matter of time.’
Experts who contributed to this article:
Aiko Pras, professor of Network Operations and Management, EWI faculty
Marianne Junger, professor of Cybersecurity and Business Continuity, BMS faculty
Andreas Peter, assistant professor, specialised in Privacy-Enhancing Technologies, EWI faculty
Roland van Rijswijk, post-doctoral researcher and R&D project manager at SURFnet, EWI faculty