Cybersecurity: The Bee That Won’t Stop Buzzing

I was on a panel at the Global Sovereign Wealth Fund forum discussing the realities of investment and political risk in emerging markets. The discussion darted between security issues, domestic banking institutions, and government policy. But I was confounded by the absence of one of the greatest risks of our modern age, and one that is often surprisingly overlooked.

To some, the topic of cyber security is merely something to nod along to. It is a ‘growing’ risk at best, but not a fully-fledged one. Such views, however, are more often rooted in ignorance than any true understanding.

In spite of the great work that private security firms do to track botnets and protect the IT infrastructure of companies that can afford their fees, governments remain at fault. Modern devices and systems remain insecure and, frankly, this is how many government intelligence agencies prefer it. Various news outlets have rightfully blamed the U.S. for the recent global WannaCry ransomware cyber-attack that even infiltrated the National Health Service systems in the UK.

Microsoft President Brad Smith launched a scathing attack on the US intelligence agencies in the aftermath, declaring that “this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”.

This is an endemic culture that exists in the world of intelligence services that pose significant threats in the cyber world. Consider the paradoxical logic espoused by MI5. According to its website, “equipment interference, also known as computer network exploitation (CNE), allows MI5 to interfere with electronic “equipment”. This includes computers, computer media (such as USB sticks) and smartphones for the purpose of obtaining communications or other information”. In short, MI5 has the freedom, if deemed necessary, to hack.

A little further down the page, MI5 announced that:

“The Investigatory Powers Act will prevent the use of other powers to obtain stored communications and information from “equipment” where the interference is in the UK and would otherwise constitute a Computer Misuse Act offence”.

In other words, the UK has the right to exploit holes in networks but the rest of the world does not. This is the same logic that the FBI has followed in its demands for back doors into electronic devices that inevitably give malicious non-state actors and other states the capacity to enter devices.

At this complex stage of debate, the world is witnessing a rapidly growing arms race for some of the most intricate cyber technology, but more importantly, ways to undermine encryption. In the past, GCHQ went to the extent of hacking into “the internal computer network of the largest manufacturer [Gemalto] of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe”. The slide obtained by Edward Snowden reveals the brash comments about planting malware and securing access to “their entire network”. Effectively by hacking “into one of the largest manufacturers of SIM card keys—or, of SIM cards and the keys that are on them, GCHQ has really acquired a huge amount of information—that will make bulk surveillance of telephone communications very, very easy”. This demonstrates the desire of intelligence agencies to exploit weaknesses in cyber systems rather than establishing robust systems resistant to such invasive attacks.

To a great extent, society has been moon-walking off a cliff and falling into a cyber-jungle; bewildered, lost, and startled by this strange new terrain. For the sake of the average individual in society and institutions across the world, a clear debate needs to be had regarding privacy, intrusion, encryption and hacking. Why? Because citizens need to understand what is at stake if end-to-end encryption is quashed by a mathematical cyber wizard at the NSA or any other foreign intelligence service.

The question on everyone’s mind is, will this happen again? And if so, will cyber-attacks become a new norm for companies, governments and wider society? The simple answer is a resounding yes. This will happen again, simply because solving the problem will make it near impossible for intelligence services to roll around in data that they have secretly been gathering by circumventing encryption.

In addition, there is no global consensus on whether any specific cyber issue should be remedied by private tech firms, governments or both in tandem. Even if concrete cyber norms were set out to help combat attacks, governments would not trust each other with sensitive technology, so we end up back where we started. Society needs to understand that cyber security, cyber espionage and the cyber world in general are an extension of the physical world, which as we know all too well, is inundated with rivalry, competition, and subversion. To what extent can we hope for international aggregated norms to combat cyber threats?

Unfortunately, the daunting and dark reality is that for the time being, credible and serious solutions to this problem exist solely in the words of experts at think tanks and global forums. Until there is a concrete international remedy, one that is truly international and encompasses the developing world, cyber threats will pose a bigger threat than what they actually are.