Overshadowed in the past months by bombings in Syria and Iraq as well as Ebola in Texas was news of earth-shattering significance for the way we communicate around the globe. The much-discussed but little-understood Shellshock vulnerability has rocked the computer security field to the core. Hot on the heels of the Heartbleed vulnerability in OpenSSL discovered in April, Shellshock allows anyone who can set an environment variable on a machine running Bash (for example, by sending a crafted HTTP header to a CGI script) to execute commands remotely: Bash imported function definitions from environment variables and then kept parsing, so any command appended after the function body was executed. The ability to remotely execute commands allows hackers to manipulate services, steal data, and potentially take over the machine for their own nefarious purposes. If that sounds complicated, for once, it’s easier done than said. Since the bug was revealed, there have been millions of attempts to exploit it, with a number of successes. Making matters worse, the flaw had been present in Bash since 1989, roughly 25 years, guaranteeing widespread vulnerability in Mac, Linux, and Unix systems. Despite being largely irrelevant in the desktop market, Linux and Unix are dominant in the server market, making much of the Internet vulnerable. Developers have been frantically trying to patch the bug, but many devices have no way to be upgraded, and many will simply never receive a fix.
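The mechanism described above, as an added example that is not part of the original article: a POSIX shell probe for the original Shellshock bug (CVE-2014-6271) plus a simulation of the CGI delivery path. It assumes a bash binary is on the PATH; the function names, the marker string, and the sample User-Agent value are constructed for illustration. On any bash patched since September 2014 the verdict is "patched" and the CGI output begins with the normal Content-Type line; on an unpatched bash the marker is printed first, proving the appended command ran before the script did.

```sh
# Added example (not from the original article): probe a bash binary for the
# original Shellshock bug, CVE-2014-6271, and show the CGI delivery path.
#
# Before the fix, bash scanned every environment variable at startup, treated
# any value beginning with "() {" as a function definition, and then kept
# parsing, so a command appended after the closing brace was executed.
# The trailing command here is a harmless echo used as a marker.

# shellshock_check [path-to-bash]
#   returns 0 if the trailing command ran (vulnerable)
#           1 if bash ignored it (patched)
#           2 if the binary cannot be run
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # The variable name is irrelevant: vulnerable bash inspected all of them.
    out=$(env 'X=() { :; }; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# One-word verdict for a report: vulnerable, patched, or unavailable.
shellshock_verdict() {
    if shellshock_check "$1"; then
        echo vulnerable
    elif [ $? -eq 1 ]; then
        echo patched
    else
        echo unavailable
    fi
}

# Simulate what a CGI-capable web server does with a request: it copies the
# User-Agent header into HTTP_USER_AGENT and runs the CGI script with bash.
# The server performs no shell injection of its own; a vulnerable bash would
# run the attacker's trailing command before the script's first line.
# The header value passed in is a constructed sample, not a captured request.
cgi_simulate() {
    env "HTTP_USER_AGENT=$1" bash -c 'printf "Content-Type: text/plain\n\nUA=%s\n" "$HTTP_USER_AGENT"'
}

# Usage:
#   shellshock_verdict bash
#   cgi_simulate '() { :; }; echo SHELLSHOCK_MARKER'
```

The probe looks only for the original bug; the follow-up issues (CVE-2014-7169 and later) need different payloads, and a "patched" verdict here does not cover them.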
Shellshock, the latest and among the most widespread vulnerabilities to be discovered, is indicative of a larger problem. As more and more businesses and services move online, it is becoming increasingly lucrative to risk prosecution and jail time by breaking into others’ systems. Despite increased awareness of security concerns at the corporate level, rapidly increasing complexity and scale have made it all but impossible to defend computer systems everywhere. In 2013, federal agents notified more than 3,000 U.S. companies that their computer systems had been hacked, and estimates put the annual cost of cybercrime to the global economy at around $400 billion, much of it from intellectual property theft.
That $400 billion is distributed across society, but corporations absorb much of it through IP theft and fraud. US corporations alone lose up to $250 billion annually to IP theft (though not all of this is due to cybercrime). Furthermore, the cost of cleaning up after a single intrusion can run as high as $100 million. The release of credit card numbers and bank account information is costly both for the consumers whose information was stolen and for the firms that lose out to fraud. Hundreds of billions in economic damage also cost hundreds of thousands of jobs. Harder to quantify is the harm done when private and potentially embarrassing data is released, as in the recent celebrity iCloud hacks or the recent leak of over 100,000 Snapchat photos that users assumed had been deleted.
Potentially worse than the persistent attacks on corporate and government interests is the risk of an attack against electrical infrastructure, telecommunications equipment, or other utilities that could cripple any or all of these services. Many utilities are already under near-continuous attack. Experts have long predicted a “cyber 9/11” that could severely damage the US; these warnings appear increasingly prescient.
There are several areas in which modern cyberdefenses are failing. On the consumer front, many of these issues involve tradeoffs between security and convenience. Widespread password reuse means that compromising one service often gives a hacker access to a user’s other accounts. “Forgot password” features, particularly when the attacker also has access to the user’s email account, have long been a boon for cybercriminals.
More important are the systems that are actually handling the data. Shellshock and Heartbleed are indicative of a failure of the open source community. Open source software is software distributed under an open source license, which, among other things, requires that the software be free to use and redistribute, that the source code be publicly available, and that the authors of the software not discriminate in who can and cannot use it. While many argue that Shellshock and Heartbleed alone do not prove that open source is more failure-prone than proprietary software (and they are correct), it is widely acknowledged that many of the Internet’s most important projects (like OpenSSL) are dramatically understaffed and underfunded. Given the monumental importance of many open source projects used by thousands of systems, developers, and companies, this level of funding should be unacceptable. All developers, but particularly the Internet’s giants, should consider giving back to these projects, if only for their own security. Unfortunately, due to the very nature of open source, there is little these small groups can do to attract more funds or labor. In order to bolster Internet security, the relevant government authorities (in the US: the National Security Agency, US Cyber Command, the Department of Homeland Security, etc.) should also begin contributing money and technical skills to such critical projects. While recent revelations about government snooping would make such cooperation more difficult, there are certainly ways these projects could attract financial support while keeping “big brother” as far away as possible.
However, disclosure of cyber attacks remains an issue. There is no federal law requiring U.S. corporations to disclose a cyber attack, and state breach-notification laws apply only when certain categories of personal information are exposed. Public companies are required to disclose to investors (and thus the public) events that are material to the share price, which may include a cyber attack. For a large corporation, however, “material” is vague enough that even a significant cyber attack may not hurt the bottom line enough to warrant notification. Because disclosing a breach exposes them to legal risk, many companies choose not to disclose cyber attacks, even privately to security centers or the government. This is a lose-lose situation: not only are affected parties not notified, but an opportunity to share information about the attack (and thus make everyone more secure) is lost. A controversial bill in the Senate, the Cybersecurity Information Sharing Act (CISA), appears to overcompensate for this effect, offering legal immunity to companies that share cybersecurity information with “any other entity or the federal government.” The bill’s language is exceedingly vague, does not require the company to fix the underlying problems or disclose breaches publicly, and creates a perverse incentive to reduce investment in preemptive security, because consumers could not sue the company for losing their data. Still, at least CISA acknowledges the problem.
Cooperation, both between corporations and with the government, is critical to reducing cyber attacks. At the same time, however, consumers’ privacy must be safeguarded. CISA also provides for a coordinated system to share cyber security information. Proponents note that the bill would allow multiple agencies to coordinate against threats in cyberspace, but opponents fear funneling more information to the NSA after the Snowden revelations last year. To reduce fears of privacy violations, clearer constraints on the use of such information and limits on what user data is sent will be needed.
We are living in the Wild West of the Internet, an era which will be remembered as much for its freedom and openness as for its powerful criminals. As the Internet matures, however, it is becoming increasingly important for the government, corporations, and consumers to secure essential services from attack. For consumer technology, convenience must be carefully weighed against security. The most important systems and defenses must be bolstered. And both information sharing and privacy must be balanced. Achieving these goals will not eliminate cybercrime, but such changes will at least slow down its progression.