Co-authored with Betsy Cooper, executive director of the Center for Long-Term Cybersecurity at UC Berkeley.
The latest widespread ransomware attack, which has locked up computers in nearly 150 countries, has rightfully captured the world’s attention. But the focus shouldn’t be on the scale of the attack and the immediate harm it is causing, or even on the source of the software code that enabled it (a previous attack against the National Security Agency). What’s most important is that British doctors have reverted to pen and paper in the wake of the attacks. They’ve given up on insecure digital technologies in favor of secure but inconvenient analog ones.
This “back to analog” moment isn’t just a knee-jerk, stopgap reaction to a short-term problem. It’s a rational response to our increasingly insecure internet, and we are going to see more of it ahead.
As part of our research, in 2015 we developed a scenario for the not-so-distant future called “the New Normal,” in which consumers’ baseline belief has flipped from “the internet is basically safe unless I do something stupid” to “the internet is fundamentally insecure, a dangerous neighborhood in which my safety is always at risk.” The impetus for the flipping in that scenario was a flurry of larger, ever more visible hacking attacks — of personal email accounts (Colin Powell and John Podesta) and corporate data (Yahoo and Sony), not to mention bank account information. Last week’s ransomware attack may start to tip a significant proportion of internet users over the edge.
The surprise is not that the frequency of such attacks is accelerating; it’s that it took so long. There are at least three reasons for this acceleration. First, the internet has a fundamentally insecure infrastructure that was initially made for interoperability among a small number of trusted parties, but is now being used by billions who do not know and should not trust one another.
The second reason is that increasingly inventive criminals have become today’s most ambitious internet entrepreneurs. Their work has been made easier by the theft of powerful hacking tools created by and for state security agencies but now available for sale.
Third is the commercial innovation imperative. Consumer demand for digital devices and services keeps pushing companies to the limits of what is technically possible, and then pressing them to go even a little bit further, where security often becomes nice to have but not a necessity.
Silicon Valley has responded creatively, but there’s no silver bullet. Experts have encouraged us all to use two-factor authentication, but text messages can be intercepted even with it. We’ve moved to biometrics, but once a fingerprint or iris scan is stolen, there is no way to change it the way you can change a password. Such security measures are better than nothing, but they won’t repair the internet’s underlying structural flaws.
So what would it mean if we crossed the threshold to digital insecurity? One possibility is that some things we now take for granted — from banking online to electronic medical records — will shift from being seen as common sense to being viewed as scary, dangerous, even reckless.
We know what it looks like when expectations of security in physical environments degrade: People put triple locks on their doors, retreat into gated communities, look over their shoulder as they walk down the street. In our scenario, we’ve imagined the digital equivalent. Will you soon be asked to place your phone and laptop in a locker before you are allowed to enter an office building or a friend’s home? Will you tell your colleagues to call you before they send you an email with an attachment?
Governments will start worrying more about protecting themselves than about innovating in services. Industries like health care and finance will go back to basics. Getting paper money from a bank teller may be less a novelty than a necessity. What happens if your hospital has fully converted to digital X-rays and doesn’t have an analog backup machine lying around? (The British National Health Service is already finding out).
A society and economy that moves in this direction would be different from the one we have today, and very different from what Silicon Valley is looking to build. Security needs to be made a priority at least as great as innovation right now. We recognize that the consequences of prioritizing security are not all good, and the slowing or reversal of digitization will be a significant headwind for the United States economy even more than for other countries, at a time and in a political environment that really can’t afford such a setback. But there is no other viable choice. You can’t fix a broken foundation by simply building more stories atop the house that rests on it.
The world spends a lot of time right now thinking and dreaming about how life will be digitized, mostly for the better. We don’t yet have a word for even a partial “return to analog,” but we will have to start looking for one at the same time as we work to create a much more secure internet.