Rise of the Machines - Weapons of Mass Disruption


This September, the hosting company OVH was subjected to the largest Distributed Denial of Service (DDoS) attack to date, with peaks of over 1 Tbps of traffic. The attack harvested nearly 150,000 CCTV cameras and personal video recorders as part of an Internet-of-Things (IoT) robot network (botnet).

What made this event extraordinary was not just the power of the attack, which incidentally was two orders of magnitude greater than the June 2015 attack launched by the hacktivist group Anonymous that crippled the Government, or that the IoT botnet targeted critical infrastructure (DNS being one of the control planes of the Internet), or that big names like Twitter and Kijiji found it to be seriously inconvenient.

What was incredible was that we saw this coming a long way off.

The concept of a network of smart devices was discussed as early as 1982. We talked of DDoS as a tactic at the same time the Internet was invented and had already generated some unintentional events. The idea of intentionally using machines as part of a DDoS was discussed openly in 1994 as the notion of the Internet-of-Things (IoT) became popular in 1999. Mobile bots were seen in Canada by 2008. Today they are routine. In 2014, Hewlett-Packard Co. released a research report that concluded “70 per cent of Internet-of-Things connected devices were vulnerable to hacks.” Later that year, CCTVs were used in botnet attacks.

It would appear that we have been admiring the problem for quite some time.

Where is this all going? The IoT, with the expanded address space of IPv6, has hastened the unprecedented growth of the Internet’s attack surface and supplied an ecosystem for reaping devices as part of a criminal robot network. Cisco's latest Visual Networking Index (VNI) predicts that global Internet traffic should reach 2 zettabytes per year by 2019. Cisco also foresees that the IoT will grow to 50 billion devices by 2020, while Intel says it will be 200 billion, and the IDC weighs in at 212 billion. Global IP traffic will grow at a compound annual growth rate of 23% between 2014 and 2019, according to the 10th annual Cisco forecast. If adversaries are launching 1 Tbps DDoS attacks today, then it is reasonable to expect two orders of magnitude larger attacks in the next few years, simply because the size of the Interconnected Networking (Internet) space is growing faster than our ability to secure it.

Cyberspace has expanded into physical and human terrains, thus forming new pathways for contagion, creating emergent effects and magnifying the potency of consequence. To date, we have seen semantic botnets amplify and propagate toxic messaging across a nation, and tens of millions of computers, devices and cloud services built into a network used for exploitation and attack, with social media and text messaging serving as Command and Control (C&C). Informationalized warfare has already been used to target critical infrastructure in a coordinated fashion.

We are entering a period of instability, rapid convergence, Internet expansion and risk within a complex adaptive system where social media provides a frictionless state between the Human terrain, the Network and the Internet-of-Things (IoT), evolving to the Internet-of-Everything (IoE), where a thought, communicated by disruptive technology, can jump over firewalls and precipitate the collapse of nations. The AP Twitter hack by the Syrian Electronic Army in April 2013 caused panic on Wall Street and sent the Dow plunging 143 points. The fake tweet erased $136 billion in equity market value in 3 minutes.

There appears to be an over-emphasis on resiliency, emergency management, incident response and disaster recovery, thus establishing a policy of failure as the starting point to strategy and subscribing to disaster continuity as a practice.

A 100 million, 100 Tbps fast-flux attack network is on the horizon, one that is comprised of mobile devices, cameras, industrial controllers, wearable computing, your Fitbit watch, Facebook account and toaster. An autonomous botnet of this type may just create the perfect maelstrom that breaks the Internet-of-Everything (IoE).

Solutions to this admirable problem have been over-studied and under-executed.

Nicholas Scheurkogel

Chief Executive Officer at Dominant Information Solutions Canada Inc

7y

Although I agree with Dave on many of the points, I think it is very important to contextualize the issue with some considerations outside of the cyber environment that have significant influence on potential futures.

1. It is true that we saw it a long way off, although it is the nature of business not to spend money mitigating issues that are not yet problems. This can be frustrating, but until there is a business motivator to react proactively, I would not expect them to. I would not expect the early models of my fridge to have independent hardware capable of being a process watchdog or running independent update capabilities. That is one processor for the fridge, and three more for security. Why would someone making the first ever internet-enabled widget spend money on first developing robust security models - particularly when there is no global standard?

2. We need to ask who the 'end-of-the-internet' benefits. Although technically possible, who is motivated to bring it down? Who profits? After taking the internet down and destabilizing economies, what will they do? How are they going to Skype their mom, text their kids, pay their mortgage, or order pizza (VoIP)? These would-be attackers are still part of the society, and nation-states still rely on the internet. Ransomware groups still give you back your data, because they want to be able to make money. If they are not benefiting, then why do it?

3. Doomsday scenarios for volumetric DDoS have a limited life-span regardless of how big they are. The telecommunications companies of the world have the final advantage, because they own the infrastructure that provides the internet and manage key infrastructure out-of-band with the internet. It will be mitigated if it happens. New safeguards can be implemented. (Again, we need to think about who benefits and if they are a unicorn or not.)

Just a few main considerations.

Although examination of technical possibility is important, it needs broader environmental, human, social, and cultural considerations if we want to contextualize this threat. The way we need to tackle cyber threats is not with fear, but with a holistic understanding of the issue. Victory through knowledge!

Tim Cullen

CEO at Dependable Defence Inc.

7y

Agreed, you have said all that I could say... less... they have been warned.
