I received the same email five times in as many weeks informing me of an A$18.60 refund following a “billing error” with a “mobile phone provider”. Not a huge sum, but believable.
I don’t have a mobile phone with this company, so I ignored it the first time, and the second.
But by the third email I had started to wonder: did someone else in my family have a phone with this company? And by the fifth email it took considerable strength not to click on the attachment. After 15 years policing experience and more than ten years addressing cybercrime, I was tempted. Scary. What if it was a legitimate email communication?
I checked the full email header, rather than the summary from/to/date header we see by default, and noticed the email originated in the United States, not Australia. This and a visit to a scam alert website that noted this particular email restored faith in my initial gut judgement, allowing me to rest easy knowing that I wasn’t missing out on the big bucks.
The emails were nothing more than spam. Determined, simple spam. Had I filled out the attachment I’d have entered personal information, including financial, so the “refund” could be paid.
Had my credit card details been successfully obtained to use fraudulently, I would be reimbursed by my bank under the terms of the e-Payments Code. So, no real loss. Or is there? Unsurprisingly, the banks don’t take one for the team in the online economy.
Their moment as the “white knight” sees them demand reimbursement from the online merchants where stolen credit card details were misused. “Card not present” – internet and phone – transactions are at the merchant’s risk. In turn, merchants build that loss into the cost of goods and services legitimate customers buy. So everyone loses out, bar the criminal.
Back to my original series of spam scam emails: the criminal also could have embedded a “malicious payload” of computer code in the attachment known as “malware”. A “key logger” may have been installed, sending every stroke I type – including passwords – back to the criminal. My contacts and files may have been plundered and abused by the criminal then resold to other criminals via well-developed criminal online black markets.
My computer – now made a “zombie” by the malware – could be drafted with other compromised computers into a “botnet army” and used to carry out denial-of-service attacks against business and government websites, causing them to crash. My computer may also have been used for breaking, or hacking, into other computers with all roads leading back to me if the matter was investigated. My computer could store and share illegal material such as child pornography and could be used to send more spam just like the one that caused all my trouble.
Maybe all of the above, over time. A tempting A$18.60 would have reaped significant individual loss, while contributing to a burgeoning criminal economy and supporting infrastructure. This scenario is played out in an automated, relentless fashion every second we’re awake and asleep.
And the increasing use of mobile and tablet devices, combined with a steady growth in online activities, multiplies the threats. For instance, what if the compromised computer, phone or tablet device I use for my personal life is also used for work? The corporate system could also be at risk, exposing company intellectual property, client information, finances and more.
Ultimately, what was first a damaging individual incident – when aggregated with potentially thousands or indeed millions of other individual incidents – could have national security implications, threatening Australia’s economic interests, the well-being of the Australian public and the integrity of Australian government information and systems.
The sheer scope of cyber vulnerabilities alone helps make a compelling case for national security concern. In a recent example, a seemingly benign hacker nicknamed Carna compromised 420,000 internet-connected devices, mainly routers and servers, to create his own botnet. While Carna claimed to have no malicious intentions the incident illustrates the potential size of internet security issues.
Malicious botnets like Waledac and Rustock – successfully crippled by Microsoft’s Digital Crimes Unit in 2011 – and the more recent Bamital botnet are examples of highly malicious criminal enterprises that affected hundreds of thousands of people worldwide.
Cyber vulnerabilities at a small business, corporate and government level mean that valuable intellectual property and traditional national security secrets can be targeted, as can computer systems running critical infrastructure supporting the economy: power, water, transport, food distribution, telecommunications and banking.
And in some instances that targeting may have found its mark via, say, a scam mobile phone refund email.
To date, we’ve failed to grasp the enormity of the misuse of technology and, as a result, have not viewed the problem as a societal one. The A$18.60 refund scenario highlights how cybercrime is both an individual and national security issue. Cybercrime can be so interlinked that, theoretically, my A$18.60 click could be part of a larger, orchestrated attack on critical infrastructure. It’s essential to recognise that no matter how benign a scam may seem it is potentially malignant and can definitely metastasise.
When addressing these issues, blame is usually attributed to end users or government agencies, particularly security services and police. There are few calls for internet service providers, online retailers, social network operators, software and hardware manufacturers and businesses in general to shoulder greater responsibility in providing safer services and educating end users.
True, end users and governments must scale up their efforts. But what’s needed most is a national approach addressing cybersecurity like a public health concern: with measurable baseline data, broad strategies and a relentless long-term commitment to tackle the problem.
Scientists, engineers and mathematicians can and should play a central role. Instead, a handful of public officials and information technology (IT) security professionals dominate the debate.
In the age of the internet, the once-dominant “three Rs” of reading, writing and arithmetic have been replaced by the “three Cs”: coding, computation and communication. Consequently, Australia requires more engineers, programmers and mathematicians to work on cryptography, to write secure computer code and crime-fighting software, to create safer machines.
We need properly qualified citizens who can be security cleared and called on to help the Australian government. To this end the government should introduce a scholarship scheme to encourage a step change in the number of young Australians studying science, technology, engineering and mathematics.
And we need more women. In an increasingly digitised future we run the risk of seeing a professional and educational chasm re-open between men and women – who are already under-represented in this sector. Anecdotal evidence suggests girls, generally, need more persuading to engage in the three Cs. If we are to increase the number of women focusing on cyber technologies at tertiary institutions and in the workforce – bringing a balance and skill set desperately required in the future – this must be addressed at primary and secondary levels.
Not only will such efforts lead to a safer and more secure Australia – and world – but an expanded Australian IT-security industry would be good for the economy in what is a fast growing multi-billion-dollar market. It makes dollars and sense.
This is an excerpt from the Australian Chief Scientist’s free eBook The Curious Country, available for download from 4pm December 3, 2013.