A cyberattack of devastating proportions is not a matter of if, but when, numerous security experts believe.
And the scale of it, one information security specialist said this week, will be such that it will have its own name — like Pearl Harbor or 9/11.
“The more I speak to people, the more they think that the next Pearl Harbor is going to be a cyberattack,” cybersecurity executive and professional hacker Tarah Wheeler told a panel audience during the Organization for Economic Cooperation and Development’s (OECD)annual forum in Paris.
“I think that the most horrifying cybersecurity attack is going to have its own name and I think it’s going to involve something more terrifying than we’ve thought of yet.”
Wheeler is CEO and principal security advisor at Red Queen Technologies, a cybersecurity fellow at Washington, D.C.-based think tank New America, and former cybersecurity czar at multinational software firm Symantec.
Explaining her premonition, Wheeler pointed to vital health and transport infrastructure she described as grossly under-protected.
“I think about the fact that most American healthcare technology is secured, if at all, with ancient, crumbling security infrastructure. I think of planes full of people, the kind of infrastructure that protects flu vaccinations. I think about fertility clinics losing years’ worth of viable embryos,” she said, stressing that people are not paying attention to that crumbling infrastructure.
Wheeler is not alone in her apocalyptic outlook. Not a single report from technology companies and researchers in this field claims that the cyberthreat environment is becoming less hostile or less significant.
The World Economic Forum’s (WEF) Global Risks Report 2018 names cyberattacks and cyber warfare as a top cause of disruption in the next five years, coming only after natural disasters and extreme weather events.
“In a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning,” the report said. Industry and critical infrastructure like power grids and water purification systems could be potential targets for hackers, whether they are small groups or state actors.
Artificial intelligence-focused security firm BluVector reported in February that almost 40 percent of all industrial control systems and critical infrastructure faced a cyberattack at some point in the second half of 2017.
Companies and governments aren’t doing enough to protect these systems, Wheeler said.
“The inevitability is based in the easy access to the kinds of exploits that still work 10, 15, 20 years after they’ve been revealed,” she said, noting that there are still companies running critical infrastructure, including health infrastructure, on Windows XP and other platforms that are unpatchable — meaning they can’t be updated for vulnerability and bug fixes. Many internet of things (IOT) devices, she described, are unpatchable by design.
IOT, which has been described as “merging physical and virtual worlds, creating smart environments” through devices connected to the internet and that communicate with one another, represents a whole new level of vulnerabilities.
And cybercriminals have an exponentially increasing number of potential targets, the WEF report said, “because the use of cloud services continues to accelerate and the internet of things is expected to expand from an estimated 8.4 billion devices in 2017 to a projected 20.4 billion in 2020.”
The chief executive of defense firm Raytheon International, John Harris, recently called cyberattacks the “single biggest threat to global security,” adding that “the more we are connected, the more we are vulnerable.”