Why is security online so hard to achieve? Edward Lucas's Cyberphobia argues that we are more at risk online than we realise
“We are staking our future on a resource that we have not yet learned to protect.” This was the warning CIA director George Tenet issued about our growing dependence on the internet. It was 1998 and Larry Page and Sergey Brin had just set up Google in a rented garage; Facebook founder Mark Zuckerberg was just 14. In the 17 years since, the internet has changed beyond recognition.
Reading Edward Lucas’s Cyberphobia, however, it becomes clear that Tenet’s words are as true now as they were then. Lucas is a senior editor at the Economist. His work covering Eastern Europe since the end of the Cold War, including two books on modern Russia — The New Cold War: How the Kremlin Menaces Both Russia and the West and Deception: Spies, Lies and How Russia Dupes the West — has prepared him well for the murky worlds of online crime, identity theft and cyber-warfare that he delves into here.
Lucas’s argument is that whether it be individuals targeted by fraudsters and con artists, companies who fall victim to corporate espionage or governments on the receiving end of cyber-warfare, we are more at risk online than we realise.
The ad-hoc and anarchic development of the internet explains much of what makes security online so hard to achieve. With every technological step forwards cracks are papered over and another layer of complexity is added, ready for the hackers to exploit. One piece of software may claim to be water-tight, but it will have to interact with other software that may not be and hardware that is by definition vulnerable. Lucas’s account of this messy web of connections evokes the inner workings of the crumbling Palace of Westminster: stuffed to breaking point with telephone lines, pipes and fibreoptic cables with no one quite sure what goes where.
Another thing the hackers have on their side is the fact that computer networks are such great levellers. As Lucas puts it, when you move from the “real world” onto a computer “complex criteria of trustworthiness, familiarity and predictability give way to simple binary questions: are the Is and 0s in the right order to make a transistor switch one way or another?” Hackers are persistent, ingenious and anonymous, while their targets are often careless and ill-informed.
Our attitude to security and identity online is also part of the problem. Lucas uses a fictional couple — Chip and Pin Hackett — to describe many of the security issues private citizens face when they turn their computer on. They are risk-averse middle-aged professionals who are cautious in the decisions they make in the real world. They wear helmets and high-visibility clothing when they cycle; when buying a car they prioritise safety over performance. Like most people, they are aware of the trade-offs and risks involved in driving: if you speed you are more likely to crash, if you brake sharply you may skid.
Yet, when it comes to computers, not only do the Hacketts not invest in their security as they would with a car, they — like many of us — aren’t even aware of the consequences of their actions. Lucas’s point is that, as with the software on their home computer, Chip and Pin’s approach to online security needs updating.
Cyberphobia is not, however, merely Internet Security for Dummies. His worries about the security of our online identity run deeper than the simple concern that our bank details may be stolen by crooks. With more and more of our affairs being conducted online, Lucas is rightly alarmed at the ease with which our identity can be hijacked and our reputations damaged. We assume we know who we’re dealing with — but how can we be sure?
One country to have taken this problem seriously is Estonia, where everyone is issued with — though not obliged to use — an ID card which they slot into a reader and enter a four-digit number to prove they are who they say they are online. Estonians use the cards for everything from paying bills to signing important emails. Critics of the system fear misuse by an overbearing state. Lucas, whose knowledge of Russian politics presumably make him sensitive to such arguments, points out that the cards only reveal metadata — details of when and where you used your card, not what you were using it for. Such an approach is surely preferable to what most of us must endure at the moment: divulging our credit card details, address, date of birth, mother’s maiden name and whatever else we are asked for whenever we want to carry out the simplest of tasks.
Unlike all too many authors of books on technology, Lucas does not presume that his readers are au fait with the baffling jargon that puts so many off the subject. His book will be comprehensible even to seemingly incurable cyberphobes. If they confront their fears and read it they will have joined Lucas’s fightback against the crooks and spooks who want to exploit our ignorance.