When I was growing up, I was inexplicably fascinated with my parents’ perspective on the world during their own childhood. In 2012, I was in fifth grade, and had a good part of my summer ruined because I read a National Geographic article about the impact climate change would have on the continental US. It described how Cape Cod would be underwater by 2100. I happened to read this before our drive down to our family home in West Yarmouth (a small town in Cape Cod, Massachusetts). This disaster scenario loomed over me, and it made me wonder what existential threat my parents worried about when they were kids, which I ended up asking my dad. He grew up during the height of the Cold War, and he told me that during his childhood he was worried about the start of a thermonuclear war with the USSR.
Both fears are derived from concepts that do not need highly technical knowledge to understand. Densely populated land masses being swallowed by a growing ocean is scary. Cross-continental nuclear annihilation is scary. However, what happens when we do not know what to fear because we do not understand that it is a threat to our everyday life? How can we protect ourselves from this threat? The answer is not fearmongering, but education. It is important for every person to know that for the past two decades, there has been an ongoing arms race on our streets, in our homes, and in our pockets. This arms race is in the realm of cybersecurity, the protection of electronic data.
I remember back in February feeling inconvenienced by the CU Office of Information Technology (OIT)’s requirement for all members of the university to change their password or lose access to every piece of software provided by the school. Such a tedious scenario is oftentimes the extent of the average person’s knowledge of cybersecurity: boring and inconvenient. What people do not know is that the world of cybersecurity is so multifaceted that it is, for example, literally the deciding factor stopping your Jeep’s computer from being hacked, making your car come to a dead stop on a highway.
Unfortunately, as of 2015 such security is an illusion. Jeep’s computing system has been exploited in this manner due to a computing concept called a ‘zero day.’ A zero day is defined by New York Times cybersecurity journalist Nicole Perlroth as, “a software or hardware flaw [in a computing system] that they [the developers] have zero days to come up with a defense.” [8] A duo of hackers were able to find a weakness in the Jeep Grand Cherokee’s Uconnect system which allowed them to override the motor control of the car (Greenberg, 2015). [1] The only saving grace was the fact that this exploitation was done by a pair of ‘white hat’ hackers. These types of hackers are ethical, and often hack so the software they are breaking into can become more secure when the exploitation is patched. The opposite of a white hat is a ‘black hat’ hacker, whose goals are not driven by a code of ethics. The ethical line in the sand for what constitutes a white hat or black hat is drawn by the individual. This creates a muddled grey color of morality.
During the Cold War, development of technology on both sides of the Iron Curtain had oversight. In the US, the government contracted private companies, and hired teams of engineers and researchers to develop their technology. In the USSR, vast bureaucratic naukograds, or ‘science cities,’ allowed the top minds of the Soviet Union to live together in secure and remote areas of the nation to work on engineering projects assigned by the government. Resources and funding were hard to come by, and this meant that if someone was interested in the research and development of cutting-edge technology, they had to go to a centralized location to be able to do so. [6]
As the Cold War progressed, overseeing institutions were able to keep their workers in check and manage the projects they were developing. The ethics of such projects absolutely can and should be called into question. In the US, one of the most well-known secret projects was the CIA’s MK-Ultra program. This project was headed by chemist Sidney Gottlieb with the goal of accomplishing mind control through the process of drugging and electrocuting human test subjects. [7] People died and lives were destroyed. The program is a marker in a list of highly questionable projects from that era. The nature of the unethical experiments carried out by the Soviets is not as easy to find as that of the American ones, but they did occur. Poison experiments were often carried out on unwilling prisoners in gulags, as confirmed by Lavrentiy Beria, the former First Deputy Premier of the Soviet Union. [4]
An outlier to this monitored process is a backyard engineer who worked with technologies as powerful as the ones wielded by these teams of sponsored scientists. In the early 1990s, seventeen-year-old David Hahn, later dubbed the Nuclear Boy Scout, attempted to create a breeder reactor in his garden shed from trace amounts of americium found in smoke detectors. At the end of his attempt, the Environmental Protection Agency (EPA) was forced to evacuate Hahn’s neighborhood and decontaminate the area from the high amounts of radiation he was able to produce. [5] Hahn was a smart individual acting on his own code of ethics to achieve what he saw as a scientific breakthrough, albeit to the detriment of others.
The Cold War was not a time of hardline scientific ethics, and people take for granted that records exist demonstrating that. Such accountability for some of the worst human rights violations is one thing from that time that we do not have the luxury of in today’s cyber wars. It is incredibly hard to pinpoint who is responsible for online attacks because the people who work on them are granted a certain anonymity on the internet that can’t be replicated in the physical world. Hackers these days are akin to thousands of Hahns, acting on their self-defined ethics to further their goals, leaving everyone else to deal with the “radioactive” fallout.
Today, anonymous hackers act as mercenaries, selling their talents to the highest bidder. The murky, morally grey spaces created by the solitary nature of their work mean that the lucrative zero-day market determines what they are willing to do. Proxy wars that were a staple of the Cold War can be waged today without sending boots on the ground, achieving the desired devastation to an enemy state with a script of code. During the Obama administration, US hackers destroyed an Iranian nuclear refinement plant by using a malware called Stuxnet which caused vital centrifuges to malfunction, effectively ending the nuclear program. In retaliation, many cyberattacks have been launched against the US. [2] As recently as February of 2022, officials discovered that Russian-based hackers were able to break into Department of Defense contractors’ servers and sneak around for six months, collecting intellectual property and US communications with other nations regarding sensitive defense matters. [3] Lists of attacks and counterattacks span pages and can be dated back to the early 2010s. Espionage has been optimized and it is not going away any time soon.
We might think of the current online environment, or ‘surface-net,’ as a transparent fishbowl that allows viewers to see into the lives of others. Profiles often list where people go to school, what year they graduated, where they live right now, and their first and last names -- the list goes on. It is hard to build a following on a platform without giving people intimate insight into your life. I call this the ‘town square’ of the internet. Like a town square, people in this part of the internet are walking around in broad daylight, easily navigating the curated world around them. Beneath this town square is the underground, and the underground is home to the ‘catacombs’ of the internet. I say catacombs because it takes a particular set of skills to be able to navigate this dominion. This is the place where, for example, fraudulent emails are created that trick users into resetting their password, giving the hacker access to a phished account. It is the iterations of specific inputs designed to crash a website or application. It is the script containing the hacker’s intention of disruption to be inserted into the exploit. Hackers reside in the catacombs of online space. While nothing is stopping any user from visiting this space, for many, a lack of technical knowledge holds them back from being able to navigate these catacombs as easily as a hacker.
Since there is no light in the catacombs, who cares who you are? Real achievement comes from seeing how far you can explore underground, what areas of undiscovered earth can be found, and who can find them the fastest. These metaphorical new tunnels take the form of zero-day exploits. The average internet user’s goal is not to break the website they are using or steal other people’s data. However, it is important for them to realize that the surface level they see is not the extent of their world and that they are in danger of being tricked into a pitfall created from underground if they don’t step carefully.
The root of everything online can be traced back to a human creator. No human is perfect. Therefore, every system is vulnerable to someone dead set on utilizing design flaws to break their way in. It is very important to be aware of this, because our world becomes only more intimately interconnected every day. When it comes to cybersecurity, it does not matter what type of hacker is trying to exploit a system. Personally determined ethical codes do not impact the fact that when someone is being targeted, they must have the most robust defense against an attack. In our era, arduous tasks are becoming more convenient, like ordering a pre-paid Uber at the click of a button. Such convenience creates a lower patience tolerance for the average person. Our brains are becoming reprogrammed to tolerate shorter and shorter delays in gratification. This is called ‘net-brain.’ We must ignore our net-brain to better protect ourselves online. I say this because the most effective way to safeguard your information comes in the form of two-factor authentication and updating your software. Two-factor authentication requires an external device’s permission to allow you to sign into a desired account. This process is not as convenient as having a password saved on file, but it is the most secure. Only you have access to the external device, stopping a potential hacker in their tracks. Similarly, software updates come out for a reason. They patch bugs that leave a piece of tech undefended against attack. If you don’t update to the latest version, you leave yourself in a precarious and unsafe position.
Such safeguards are becoming more and more important. With our ever-increasing SMART technologies making their way into home appliances, our phones have become central hubs of control for these devices. In a hypothetical situation, you use a Ring doorbell, a Google Home, and a Chamberlain MyQ garage door opener. One Saturday, you unknowingly fall for a phishing email and a black hat hacker installs a script on your un-updated phone that allows them to see every keystroke you make. They obtain all your login information for the apps controlling your SMART appliances, since you didn’t get around to enabling two-factor authentication. Over the course of the week, they check the Ring periodically to see when you leave the house for work and when you come back. They hear over the Google Home on Friday that you are going to see your parents (who live a state over) for the weekend. They watch you leave in the morning on the Ring, and then use the Chamberlain MyQ garage door opener that night to break into your home without causing alarm to your neighbors, robbing you blind.
This is an improbable, nightmare scenario, but as no system is perfect, and every system is vulnerable, breaking into the circle of interconnectivity can create a terrible domino effect in personal security online and offline. These problems extend beyond the scope of your presence online. Hackers can demand hundreds of thousands of dollars to sell back zero-days found in top companies’ databases or servers. Alternatively, they can demand that the same companies pay a ransom, so they don’t leak the data they hacked. This point does not resonate for many people until they experience it themselves. However, such attacks on big companies do impact individuals. If you applied to a school that used the University of California application system, I have bad news for you. In August of 2021, it was revealed that the UC’s file transfer company, Accellion, had their systems breached. This caused all students’ application information to be leaked online. This application required students to input their Social Security Number (SSN), academic details, and other private information – now all unrecoverable due to the leak. This hack is personal for me. I was not accepted into UC Berkeley, but someone can now use my SSN to commit fraud and potentially financially devastate me. All of this happened because of an unseen flaw in the parent company’s data processing services. I had no way of protecting my information once it was sent off to be transferred by this third party, and it stung to see the email from the UC Application confirming the worst.
The situation is mirrored by the climate change crisis that kept me up at night as a kid. I could do everything in my power to reduce my carbon footprint, but it is a drop in the ocean compared to what massive multinational corporations need to do to make a tangible change to the situation. Putting all the pressure on the user to be cyber-secure can only go so far. The average internet consumer has no say in where a company stores their data, so the expectation should be that it is as secure as it can be. There needs to be a shift in the current culture of cybersecurity in the corporate world. These companies have relied too much on mercenaries to do the heavy lifting for them in exploiting flaws in their systems to be patched, all the while putting the user in harm’s way.
The best offense is an impenetrable defense, and one country seems to have caught on to this concept before the others. China is currently working on a quantum computing satellite. [9] This form of technology would be able to encode any message that passes through it so well that it would surpass the world’s current capabilities of hacking. This would make it incredibly difficult for any other nation to intercept information. Such technology has the potential to produce a net good. If more was invested into making third-party online security more robust, everyone would be better off in the long run. For the general public to truly understand what is at risk when putting their lives online, and to demand that third-party services value the same level of caution, is the first step in creating a safer online experience. The question remains, is our nation ready to take the leap? Or will all the nukes in our pockets finally detonate?