In Leonard Read’s famous essay “I, pencil,” the author, writing in the pencil’s voice, asserts “Simple? Yet, not a single person on the face of this earth knows how to make me.” From the wood, to the eraser tip (“inelegantly referred to in the trade as ‘the plug’”), to the graphite core, pencil-making is a global technical and manufacturing challenge. In few words, “it’s complicated.”
A number of years ago, I wrote a management speech along similar lines that should have been titled “I, spark plug,” but I am far too pedestrian to come up with such elegance. The ubiquitous spark plug, however, is absolutely fascinating. You probably own a dozen of these. They have no moving parts, channel between 12,000 to 40,000 volts, handle temperatures of 1200℉, strong electric fields, oil, water, metal, fuel, and air; and spark reliably every tenth of a second, for hours at a time. Physics, metallurgy, materials science, mechanical engineering: “it’s complicated.”
So, dealing with computer software, hardware, and networking, yes, it’s complicated.
Back in the roaring 90s, I started and ran an ISP. I had worked as an Air Force contractor for four years, and the USAF conveniently paid for my training in Cisco routers, protocols and security. I used that knowledge to bootstrap an ISP from nothing and it became a successful little company. What we had for operating systems, browsers (such as they were, with Mosaic, Netscape, and finally, Microsoft’s Internet Explorer), and “stack” software for computers to talk to the global network was laughably simplistic back in those days.
We did have hackers. Mostly kids, using “kiddie scripts” to try and break password security on relatively unsecured Unix-based systems. Notably, I helped thwart an attempt to hack a local TV station website we hosted. Yep, I got to ride along on a raid to capture a 17-year-old.
Things have changed and gotten much, MUCH more complicated.
The problem we face in cybersecurity is potentially economy-smashing, simply because of the example of the pencil and the spark plug. Extremely complicated software, using very complex and interconnected networks, instruct machines, “CNC” or computer numerical control devices, which make everything we use. SCADA systems can energize or de-energize electric lines, open and close valves to run pipelines, dam sluices, power houses, nuclear reactor cooling loops, and traffic lights.
The scenes in movies like “The Italian Job” are hopelessly simplified and over-dramatized versions of what hackers really do, but the capabilities to do those things are very real. In real life, the hacker would plant some kind of “trojan” (as in the horse) software in the traffic network computer, probably through social engineering, or targeted phishing using malicious email (called “spear phishing”), or through some exploit in an unsecured server or workstation. Then, months later, the hacker would activate a script to take control—generally not to change the traffic lights, but to encrypt and “ransomware” the entire computer network, for a large sum of money.
Criminals can make far more cash from ransomware than they ever could by taking over traffic lights just to break into a vault. In fact, all the crime action movies like “Die Hard” where criminals have these elaborate schemes to get bearer bonds, or gold, or cash, pale in comparison to the money to be made just by bombing our economy through cyber kidnapping jobs.
Crypto-currency makes this completely antiseptic, anonymous, and hugely enriching for the criminals. As an aside, I’m glad Elon Musk and Tesla have stopped taking Bitcoin for valid purchases of Tesla automobiles. It was encouraging criminals to buy Teslas with ransom money. His face-saving reason is that crypto-currency mining is mostly done in China, using coal-fired plants, and therefore is bad for the environment. Yeah, right, whatever you say, Elon.
One report shows that the average ransomware attack cost has tripled to more than $300,000.
Among the greediest groups operating in the past year was the now defunct Maze operation, which made demands averaging $4.8m compared to an average of $847,344 across the board. The operators of NetWalker, Ryuk and WastedLocker also tended to demand multimillion dollar pay-offs, almost always to be made in the bitcoin or Monero cryptocurrencies.
There is no shortage of targets for these criminals. Many companies don’t take cyber-security seriously enough. It’s a cost on the income statement, without any ROI against it. It’s simply a risk calculation for many companies, but the risk keeps going up from “if” to “when” due to the complexity of software and networks today, and the prevalence of outdated, unsecured software and operating systems.
When companies invest in new computers and operating systems, they build their ROI on three to five years, or more. But in three to five years, the software that might have been state of the art, is hopelessly vulnerable. Think of all the websites that used Flash, which is now completely gone, because it became a security nightmare.
There are still a lot of old Windows systems sitting around on critical networks at companies that make everything from pencils to spark plugs, to refrigerator compressors, to toilet float valves, to tissue paper, to newspaper ink.
Take the elegant complexity of the pencil, or the exacting technical specifications of the spark plug, and then feed it into the pencil-whipping security culture of C-suites where spending money for “extra” security is an unneeded expense, and (when they have one) Chief Security Officers have to beg for budget, and using the best auditors, administrators, and security methods.
As the threat of cyber attacks grows exponentially, we will all face a “tax” to pay more for everything that faces an economic shock created by these attacks.
Think about the global ripples from the Suez Canal blockage, the current ripples from the Colonial Pipeline shutdown, and the worldwide shortage of vehicle computer chips that’s caused a spike in used car prices. The chip shortage is due to COVID-19. But any given manufacturer could also face the added threat of cyber attack.
Just as the economy would begin to recover from the COVID-19 effects, look for cyber attacks to continue as a pox on us.
Companies must take security seriously. Hire people not just by the CISSP alphabet-soup letters, but also people who know security because they’ve lived it. I found the best cyber security professionals are the self-taught ones. And when these serious professionals say “you need to spend money” or “you shouldn’t have this unsecured old laptop at home,” the CEOs need to listen up.
It’s no longer an “if” risk, it’s a “when.” When a risk changes from a maybe to a certainty—which it is if companies don’t lean all the way forward in security—all the savings in the world won’t save them. When COVID-19 is behind us, the next pox could be the virus that hits complicated networks that run our economy, disrupting our lives in significant ways.
If you haven’t subscribed to the Racket yet, click the button below to do so while it’s still free. And remember, with the Racket you get MORE than what you pay for!
As always, we appreciate shares. If you see something here that you like, please send it to your friends and tell them that all the cool kids read the Racket!