The world did not end on April 1, the Internet did not fail and civilization did not collapse. In other words, for those who followed the hype, Conficker, a software virus that has infected computers worldwide, was no big deal. That is reassuring — and testament to the seriousness with which experts treated the virus when it was discovered. But Conficker’s fizzle could also encourage users to take security less seriously, and that would be a big mistake.
Conficker first surfaced in October 2008, when researchers discovered a piece of software that was burrowing its way into computers around the world. By January, it had infected millions of machines running the Microsoft operating system; today it is estimated that as few as 3 million or as many as 12 million host the software. Much of the concern resulted from the uncertainty about the purpose of the virus. It merely instructed computers to contact a list of Internet Protocol addresses (called domains) through which the hackers who wrote the virus would send additional instructions to the infected machines. Security experts could not tell if the instructions would be to distribute spam, steal personal information and credit card numbers, attack critical databases or merely distribute an April Fool’s joke.
Conficker’s success was its undoing. The speed at which it spread alarmed security experts and the resulting press prompted specialists to join together to disrupt the way it worked. Software scanners were developed to identify infected machines and patches were written to block contact with the list of domains. Thus far, the fixes have worked. There is little sign of additional activity related to Conficker. Many of the computers remain infected, however, and could be activated in the future.
There will now be the temptation to dismiss the hoopla as hype, just as many recall the concern over “Y2K.” Then the prospect of a programming error when computers moved from 1999 to 2000 raised fears of global catastrophe. That date passed without incident.
The danger is that computer users will become inured to such warnings and blasé about security. In fact, most users do not take computer security seriously. They are careless about passwords, ignorant about encryption and often too lazy to protect themselves — which means that they endanger anyone who connects to their computers or their networks. In a networked world, we are only as strong as the weakest link. It should come as no surprise that the estimated cost of lax cyber security is about $1 trillion annually. But the dangers transcend price tags.
Last month, researchers in Canada discovered that software designed to steal information had been secretly installed on computers in 103 countries. More than 1,200 computers were infected, and nearly a third of those machines were “high-value targets,” linked to governments. The researchers traced the attacks to computers located in China, but that does not mean that Chinese were operating the machines. The Chinese government has strenuously denied that it engages in cyber warfare. Circumstances — the targeting of computers linked to the Dalai Lama and the Tibetan government in exile — suggest that there is a link between Beijing and the group responsible for the attacks. But this is just the tip of the iceberg: A security firm noted the number of targeted espionage attempts jumped from one or two a week in 2005 to an average of 53 a day in 2008.
To be fair, most governments engage in cyber espionage and cyber war. Information technologies are the nerve system of modern defense establishments and detecting their vulnerabilities is an ongoing part of defense planning, especially for militaries that cannot hope to match their adversaries on the battlefield. But not only militaries are vulnerable. Governments now worry about “critical infrastructure,” assets such as electricity generation facilities, financial networks, telecommunications, public health and security, and fear that it too may be vulnerable to cyber attack.
The target does not have to be a government; nor for that matter are governments necessarily responsible for the attacks. Nationalist hackers take the initiative when their sensibilities are offended: It may well be that such groups are responsible for the attacks on the Tibetan organizations. Criminal groups are happy to steal credit card numbers, bank account passwords or even just take control of an individual’s computer to redirect and launch attacks on other targets.
As has been noted in another context, security is like oxygen: You do not notice it until it is gone. Then, of course, it is often too late to respond. Government must anticipate these dangers and do more to protect critical infrastructure. While providing genuine cyber security is beyond the skills of most individuals, we all have a role to play. Most importantly, we can ensure that we are not the weakest link.