• The West’s biggest security weakness is in the old electronics and sensors that control processes in infrastructure and industry.
• It’s not that hard to take an entire country’s internet offline — it has already happened at least twice.
• Hackers used to be most interested in stealing your credit card data. Now they’re looking to hobble major infrastructure like ports, power grids, and cities.
• “The problem people don’t realize is it becomes a weapon of mass destruction. You can take down a whole country. It can be done,” a source tells Business Insider.
Gatwick Airport is Britain’s second busiest by passenger volume, and Europe’s eighth. And yet it was brought to a standstill for two days by two people and a single drone.

Its vulnerability reminded me of a conversation I had two years ago, at the Web Summit conference in Lisbon with cybersecurity investor Sergey Gribov of Flint Capital. He was talking up one of his investments, an industrial cybersecurity firm based in Israel called CyberX. Half-bored, I girded myself for his pitch. They usually go like this: “The internet is full of hackers! They want to steal your data and your money! If only companies used my company’s awesome product, we would all be safe!”

I have heard hundreds of pitches like this.

But my conversation with Gribov was different. It was … extreme. The criminals who break into the websites of banks or chain stores and steal personal data or money are not the scariest people out there, he told me. The hackers we really ought to be worrying about are the ones trying to take entire countries offline. People who are trying to take down the internet, switch the lights off, cut the water supply, disable railways, or blow up factories.

And then, how do you respond? Does the country that was attacked — the one struggling to get its power grid back online — launch nukes? Probably not, he said, because “you have no idea who did it.”

“You can have a team of five people sitting in a basement and be just as devastating as WMDs,” he said. “It’s really scary. In some sense it’s a matter of time because it’s really easy.”

At the time, I discounted my conversation with Gribov. His VC fund was invested in CyberX, so he had an obvious interest in propagating the idea that the world is full of bad guys.

But in the years since we talked, two unnerving things happened.

“Someone is learning how to take down the Internet,” Bruce Schneier, the CTO of IBM Resilient believes

The scope of the 2016 internet outage after the attack on Dyn. (Wikimedia, CC)

Both attacks were conducted by relatively unsophisticated actors. The Dyn attack was done by three young men who had created some software that they merely hoped would disable a competitor’s company, until it got out of control. The Mauritania attack was probably done by the government of neighbouring Sierra Leone, which was trying to manipulate local election results by crippling the media.

Apparently, it is possible to take the world offline.

“Someone is learning how to take down the Internet,” Bruce Schneier, the CTO of IBM Resilient, believes.

Three major power suppliers simultaneously taken over by hackers

Next, I talked to Nir Giller, cofounder and CTO of CyberX. He pointed me to the December 2015 blackout in Ukraine, in which three major power suppliers were simultaneously taken over by hackers. The hackers gained remote control of the stations’ dashboards, and manually switched off about 60 substations, leaving 230,000 Ukrainians in the cold and dark for six straight hours.

The hack was almost certainly done by Russia, whose military had invaded Crimea in the south of the country in 2014.

“It’s a new weapon,” Giller says. “It wasn’t an accident. It was a sophisticated, well-coordinated attack.”

CyberX has done work for the Carlsbad Desalination Plant in California. It claims to be the largest seawater desalination plant in the US. And it serves an area prone to annual droughts. Giller declined to say exactly how CyberX protects the plant but the implication of the company’s work is clear — before CyberX showed up, it was pretty easy to shut down the water supply to about 400,000 people in San Diego.

2010 was the year that cybersecurity experts really woke up to the idea that you could take down infrastructure, not just individual companies or web sites. That was the year the Stuxnet virus was deployed to take down the Iranian nuclear program.

“Stuxnet in 2010 was groundbreaking”

The principle behind Stuxnet was simple: Like all software viruses, it copied and sent itself to as many computers running Microsoft Windows as it possibly could, invisibly infecting hundreds of thousands of operating systems worldwide. Once installed, Stuxnet looked for Siemens Step7 industrial software. If it found some, Stuxnet then asked itself a question: “Is this software operating a centrifuge that spins at the exact frequency of an Iranian nuclear power plant that is enriching uranium to create nuclear weapons?” If the answer was “yes,” Stuxnet changed the data coming from the centrifuges, giving their operators false information. The centrifuges stopped working properly. And one-fifth of the Iranian nuclear program’s enrichment facilities were ruined.

“Stuxnet in 2010 was groundbreaking,” Giller says.

Groundbreaking, but extremely sophisticated. Some experts believe that the designers of Stuxnet would need access to Microsoft’s original source code — something that only a government like the US or Israel could command.

A simple extortion device disabled Britain’s largest employer in an afternoon

Then, in 2017, the Wannacry virus attack happened. Like Stuxnet, Wannacry also spread itself through the Microsoft Windows ecosystem. Once activated, it locked up a user’s computer and demanded a ransom in bitcoin if the user wanted their data back. It was intended as a way to extort money from people at scale. The Wannacry malware was too successful, however. It affected so many computers at once that it drew attention to itself, and was quickly disabled by a security researcher (who ironically was later accused of being the creator of yet another type of malware).

During its brief life, Wannacry became most infamous for disabling hundreds of computers used by Britain’s National Health Service, and was at one point a serious threat to the UK’s ability to deliver healthcare in some hospitals.

The fact that a simple extortion device could disable Britain’s largest employer in an afternoon did not go unnoticed. Previously, something like Stuxnet needed the sophistication of a nation-state. But Wannacry looked like something you could create in your bedroom.

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. (Courtesy of Symantec/Handout via REUTERS)

Tsonchev told Business Insider that Wannacry changed the culture among serious black-hat hackers.

“Oh look, we can actually start to do things like take down manufacturing plants and affect the global shipping industry”

“So this year, we see follow-on attacks specifically targeting shipping terminals and ports. They hit the Port of Barcelona and the Port of San Diego and others. That seemed to follow the methodology of the lessons learned the previous year. ‘Oh look, we can actually start to do things like take down manufacturing plants and affect the global shipping industry.’ A couple years ago they were just thinking about stealing credit card data.”

Another scary thing? The Wannacry attack was in May 2017. By December 2017, the US government confirmed that the North Korean government was responsible for the attack. The North Koreans probably just wanted money. The hermit-communist state is chronically poor.

But it may have taught North Korea something more useful: You don’t need bombs to bring a nation to its knees.

Oddly, you have a role to play in making sure this doesn’t happen. The reason Russia and North Korea and Israel and the US all got such devastating results in their attacks on foreign infrastructure is that ordinary people are bad at updating the security software on their personal computers. People let their security software get old and vulnerable, and then weeks later they’re hosting Stuxnet or Wannacry or Russia’s wifi listening posts.

So if you’re casting about for a New Year’s resolution right now, consider this one: Resolve to keep your phone and laptop up to date with system security software. Your country needs you.