10.3 What is the Problem?

WHO? Everybody who relies on cyber technology.

WHAT? Is vulnerable to cyber-attack.

WHEN? Inherently stupid and fragile computers make cyber-attack a persistent threat.

WHERE? 92% of malware is delivered by email.

WHY? There can be no perfect cybersecurity because new malware is constantly emerging.

Before we start in on the root problem of cybersecurity, let us introduce some terminology. First off, the term “cyber” is derived from “cybernetics”, the study of control systems devised by Norbert Weiner in 1948. Current usage traces back to the 1990s, as the Internet began to expand, but generally refers to computers and anything related to them. “Cyberspace” is the Internet. The term “cyber” was actually derived from usage of this term. “Cyber-Attack”, according to the US National Research Council, is “any deliberate action to alter, disrupt, deceive, degrade, or destroy computer systems, networks, programs, or data.” In today’s parlance, somebody who perpetrates cyber-attack is called a “hacker”, and the action itself referred to as “hacking”. Title 18 Section 1030 of United States Code makes it a crime to hack into somebody’s computer without their permission, or to distribute malicious code, or to otherwise degrade computer services. So “cybersecurity” is the antithesis of “cyber-attack”. According to DHS, cybersecurity is “the activity of defending against damage, modification, or exploitation of computers and networks.” In theory, cybersecurity is easy. We only need ensure confidentiality, integrity, and availability. Confidentiality ensures that the system and data are not accessed by unauthorized agents. Integrity ensures that the system and data are not corrupted by unauthorized agents. And availability ensures that the system and data are always accessible when needed. Unfortunately, cybersecurity is easier said than done. It’s like saying “Peace on earth and goodwill towards men”. Easier said than done. What make the problem so difficult is that computers are stupid and fragile. Computers are stupid because they will do as instructed regardless if the outcome is catastrophic. Lion Air Flight 610 and Ethiopian Airlines Flight 302 were both tragic victims of this fact. In response to a faulty sensor indicating the aircraft was about to stall, the avionics took corrective action placing the aircraft into a dive and crashing despite desperate attempts by the pilot to pull out. Computers are also fragile because a single wrong character can disrupt millions of lines of code. In 1983, a software error caused the Soviet missile warning system to indicate the United States had launched a nuclear strike. Fortunately cooler head prevailed and World War III was averted. A similar set of errors, not software related, also occurred on the US side, resulting in the movie “War Games”. Theoretically, we could eliminate most of these problems if we could ensure software reliability. Therein lies the problem. It is impossible to ensure the reliability of software. Even a small program with only 100 lines of code, a few nested instructions, and a single loop may contain 100 trillion possible paths. If we could test 1,000 paths every second, it would still take 3,170 years to test all possible paths. Now consider that the Android operating system for mobile devices has 12 million lines of code! This means that with any useful software, you don’t know what you have, and no way to find out! It also means that your software is riddled with vulnerabilities waiting for a hacker to find. Malware is software designed to exploit computer vulnerabilities. 92% of malware is delivered by email. When you click on the link or attachment, you launch the malware and give your computer permission to execute it. Anti-virus software can protect against known malware. The problem is unknown malware. Hackers are constantly finding new exploits and creating new malware, called “zero day” exploits. Because new malware is emerging all the time, there can be no perfect cybersecurity.