Modern human life cannot be understood without internet. We sell our data (consciously or unconsciously) in exchange to access a range of services such as social networking, access to our bank accounts, purchase of products, home automation, etc. Are we aware of what this means? Are the participants in this ecosystem prepared to defend our data left in their hands? Clearly not, and with the expected explosion of the internet of things, this is only going to get worse.
A brief introduction. In terms of cyber-security, it is called vulnerabilities the doors that systems left open (usually inadvertently) and that can be found and open (exploited) by cyber-attackers. If located and open, they will access the system by injecting an element of software (virus). This infection can have multiple objectives. To demonstrate that they are able to do so, corrupt the system, extract information without the user being aware or, for example, take control of the system supplanting the real user.
Is it complicated to be achieved? It depends. The first rule of common sense is that the more doors we let open, the easier it is that you give them an inch and they’ll take a mile. The systems never provide absolute security, don’t let them foolish you. It is a continuous process of cat-and-mouse game. The older our system, the easier for the cat. That door is already known. That is why it is so important to have the latest versions of the software systems.
Are we in good hands? In the latter cyber-attack, the door through which they entered was an already obsolete version of Windows. Something understandable for individuals having to pay with their scarce resources such updates, but what to say of those big companies whose workers continued to have these obsolete systems? It’s not a good thing. It leaves us an intimate concern. If you are not able to protect your own employees’ data, what about the protection of your clients’ data (our data)? This also launches a question to software vendors. Shouldn’t they do more to promote the updates to their software? Who is responsible for having in the market a version that has known vulnerabilities? Microsoft warned this vulnerability for a while ago. Which brings me to the next question, if these companies comply with the legislation, shouldn’t our legislators do something more than what they are doing to promote these updates? Everything costs money and resources. If it is not mandatory, the companies will hardly do it “motu proprio”.
I would like to return to the dangers of cyber-space. Do we know all the attacks that occur? Clearly not. In fact, you only know them when for some reason it can’t be hidden. When a massive cyber-attack occurs, it is not possible to be hidden. It also passes to the public knowledge when it involves a potential cancellation of elections, a manual recount of the votes, or a hint of foreign interference in the results of the votes. However, the majority of the attacks remain in the non-public knowledge. If a company or institution receives an attack, and even more if this attack is successful for the attackers, to recognize it would be the same as recognizing their vulnerability. In the same way as if there was a rumor that a bank is not reliable, the money flies out of their accounts, let us imagine that our data have been violated by being in the hands of one of these companies. The effect is often devastating. If this occurs, who is responsible to sue for damages of the consequences? Does anybody surprise their attempt to blame on some weak passwords or other elements attributable to the end user?
What consequences can have these cyber-attacks? This is the big question. If everything happening is that we are asked for $300 in bitcoins or if by turning on and off or updating systems everything is solved; then it is like a cold, a mere notice that we have our body-defenses rather at low level. However, the above is only the surface of the underneath true elements that are at stake here. The objectives of the cyber-attacks can go far beyond than entering into the systems of a financial institution and get transferred some nice amounts to a tax haven without leaving a trace. There are much more serious threads. What would happen if the objective was to enter into a food industry, or in a nuclear power plant, or in a water company? Is this difficult? Unfortunately not so much. Although the companies take measures, these tend to be against frontal attacks to their servers. There usually are greater protection and reduced vulnerabilities. The problem is that there are many rear doors.
What if the access is done through an Internet service provider? Today all businesses have suppliers, which are increasingly integrated with the client in order to pass orders, deploy systems just-in-time, etc. This implies access to client systems by the supplier. What if the provider is much less protected than the customer? Enter their systems is much easier, and once there, enter the customer’s is just to follow the normal flow to which has already kept open the door. Boom. Let us imagine that the cyber-attacker comes through this procedure and get control of production systems of a yogurt and change the products to use or their proportions. What if at the same time made undetectable these changes because they would have also “hacked” quality control systems. What would happen? What if that happens in a nuclear power plant and the cooling times are changed? Does anyone remember what happened with the centrifuges that Iran was using to try to create fissile material for atomic bombs? The true story some day will come to light.
Is there a total bullet-proof cyber-security? No, it doesn’t exist. Death is intimately linked to life. Death would not exist if there were no life. The risks in cyber-space are inherent to the fact that it exists and therefore it is possible to navigate through it (for both, the ”good” and the “bad” guys). Having said that, it is not the same to have the best ultimate health care system that has plenty of proven protocols against known diseases and resources to respond to the unexpected threads, that having a crappy one without resources. Not to have cyber-security in place is bad, but to have a mediocre one is even worse, as it serves for the same purpose, that is to say, for nothing, but in addition we will have spent money on it.Companies and countries should implement the best systems they can afford to permanent detect vulnerabilities and be in a position to fix them. It’s no joke. Europe does not have good cyber-security systems. Obvious, nor has any company among the best technological ones in the world. Today the best cyber-security are in hands of government departments and private companies in the US and Israel. No one will be surprised that for these companies to provide their services abroad, permission has to be obtained from their respective governments. And it is not always granted.
This massive attack of the type called ransom malware is only a heads up flag. A mere cold that last a few days. The worst thing is under the surface. The lion’s stake is on what the corporations and the governments have on their servers. This is the trophy that the cyber-attackers seek. Some of them just for the money, others because this is the real field where they are fighting the wars of our post-modern world.
Francisco Canós
Article published in Spanish 16th of May 2017 at: 
