The Times Magazine - UK (2021-02-27)


For the past year, I have been
sheltering from the pandemic
in a cabin in the woods in
California, watching as the
American death toll climbed
higher than any other country.
Witnessing this has been equal
parts tragic and maddening, but
I know there is a quieter layer
to the terror, also invisible to
the naked eye but no less life-threatening,
palpable only when it hits our hospitals, our
bank accounts, our water, our bodies.

I have spent the past seven years
infiltrating the world of cyberwarfare, tracking
an escalating series of hacks on healthcare
services, the power grid, nuclear plants, our
privacy, our psyche, with no end in sight.
But this year, one in which we virtualised
our lives at a scope and speed the world has
never seen, I have caught a harrowing glimpse
of another plague, one for which there is no
vaccination, but one that promises to consume
us all if we do not alter our course.

Among the stories to have emerged during
the global coronavirus pandemic are two
cyberattacks that bookended it. Last April,
weeks into its stay-at-home order, Israel
announced that Iranian hackers had infiltrated
two Israeli water treatment facilities in an
attack that officials said was designed to cut
off water supplies or contaminate the drinking
water for thousands of Israelis quarantined
at home. Nearly one year later, the United
States reported an eerily similar cyberattack
on a water treatment facility in a small town
in Florida that increased the amount of
the caustic substance lye in the water from
100 parts per million to 11,000 parts per
million. Had an engineer not noticed a
phantom hand moving his cursor across
his screen, the attack might have poisoned
thousands of residents, sending them to
hospitals already under siege from Covid-19.

It is still unclear whether those two
cyberattacks, unnerving in their similarities,
are related. But what is clear is that they
flanked a period in which the world endured
not just a historic pandemic, but some of the
most aggressive and costly hacking episodes
in modern history. Water treatment facilities,
hospitals, schools, clinical trials, coronavirus
vaccine research, supply chains, treatments
and tests, electricity companies, technology
and cybersecurity firms and government
agencies were all, in some way, shape or form,
hijacked by hackers. Cybercriminal activity
spiked and nation-state hackers, not just the
usual suspects in Russia, China, Iran and
North Korea but newer players like Pakistan,
were caught hacking one another in an
attempt to glean any intelligence or advantage
they could in a pandemic that was global, but
for which the response was anything but.

Unless we pause and change tack, these
cyberattacks offer but a tiny glimpse of what
the world can expect in the future as we
digitise our economies, societies and daily
lives at accelerating rates. When this is all
over, working from home could become the
new normal as companies such as Facebook
extend their work-from-home policies, and
others such as Twitter, Siemens and payment
companies like Stripe and Square offer
employees the option to work from home
permanently. We will depend more heavily on
Zoom and the so-called “internet of things”,
devices that we are now plugging into the
internet at a rate of more than 127 per second,
our smart televisions, thermostats, fridges,
pacemakers and insulin pumps. It will see
more critical infrastructure – more water and
sewage treatment facilities, power grids, oil
and gas pipelines, chemical plants, nuclear
reactors, health, financial and government
services – migrate to an internet that
was never built with our global security
in mind. Unless we reprioritise our collective
cyberdefence, this could have increasingly
life-threatening implications. Until now, the
vast majority of attacks have been designed
for espionage and thievery of money and data,
but the same code and digital entry points are
being used to set the stage for bioterrorism,
an assault on our grids, our democracies, our
transportation systems, our drinking water.

A decade ago, such predictions were
dismissed as overly alarmist. Indeed, too many
cybersecurity companies used the threat of a
calamitous life-ending attack, a “Cyber Pearl
Harbor” or “Cyber 9/11”, to market mouse traps
that never quite succeeded in keeping hackers
at bay. But the analogies to Pearl Harbor and
9/11 were problematic for another reason. In
those two attacks, we never saw the planes
coming; we have seen the cyber equivalent
approaching for more than a decade. The
focus on planes and bombs is also a distraction
from the predicament we already find ourselves
in here in the west, where our power grids,
hospitals, intellectual property, universities,
elections and now our water supplies have
already been intercepted by hackers. We
may not have seen the digital equivalent of a
Pearl Harbor but, with each passing day, we
inch dangerously closer. The world is simply
waiting for the appropriate geopolitical trigger.

For years I have been digging into
the incentives behind our perilous digital
predicament. What I discovered was worse
than I could have conceived. I discovered
that the very governments charged with
keeping civilians secure were leaving us more
unsafe. In the most tangible form, I learnt that
governments in the United States and United
Kingdom – and, increasingly, regimes with
far less red tape and abysmal human rights
records – have paid hackers to dig for secret
vulnerabilities in popular software and never
tell a soul. These secret vulnerabilities form
the raw material for cyberweapons. They are
dubbed “zero days” because, once discovered,
companies such as Microsoft, Apple and
Google have had zero days to patch them.
This demand for “zero days” constitutes a
new arms race, traded between governments,
mercenaries and hackers, and they have not
only enabled those who own them to spy
on our communications, but increasingly
to hijack enemies’ critical infrastructure.

Speed, cybersecurity experts have long
said, is the natural enemy of security. And
last January, the world began virtualising its
business, manufacturing, finance, education
and government at accelerated rates. Usage
of tools such as Zoom, Slack and Microsoft
Teams jumped 600 per cent between January
and April, a period that likewise saw a 630 per
cent surge in cyberattacks.

Many of those attacks were the work of
cybercriminals who seized on new work-from-home
dynamics and a sudden urgency in
business transactions to reap a profit. The
world’s data had migrated from corporate
networks, where dedicated IT staff monitor
for intrusions and regularly patch buggy
software, to the cloud, employees’ personal
phones and computers – riper targets for
hackers. By March, Action Fraud, the UK’s
fraud and cybercrime reporting centre,
was detailing a 400 per cent increase in
coronavirus-themed phishing emails. In
that month alone, hackers dispatched
some 500,000 phishing messages to British
recipients laced with either malicious links or
attachments that gave hackers a foothold on
their computers and phones or baited them
into fraudulent scams that would cost millions
of pounds over the next few months.
