Election Day has come and gone without the big internet attack that the experts forecasted after the Oct. 21 outage of over 1,000 websites.
But take no comfort.
Many bigger — and more annoying — attacks are on the way. It is only a matter of time.
To understand why, and possibly how and where the next attacks might occur, I recently spoke with CEO Tom Leighton of Akamai Technologies and the company’s chief security officer.
If you don’t know Akamai or what makes its people security experts, here’s a quick rundown. This tenacious internet bubble survivor, founded in 1998, helps companies like Facebook, Amazon, Netflix, Apple, Google, Microsoft and many smaller ones offer uninterrupted content.
It does this by scattering thousands of servers around the world at the edge of the internet where there is more capacity. This puts businesses close to their customers — and helps them avoid internet choke points.
As part of the job, Akamai has to fend off hundreds of web attacks a day, designed to block or corrupt sites, or steal content. It gets about 16% of its revenue from security tools.
This line of business is growing rapidly — over 40% annually. This alone should be your first clue that attacks are only going to ramp up. The second comes straight from the top. “I believe that much worse is yet to come,” says Leighton, Akamai’s co-founder. “The scale and sophistication of cyber attacks are rapidly increasing, along with the potential for disruption and damage.”
Here’s more on why this is.
Reason #1: Attackers now have massive firepower and they’re getting more every day
In the early days, the bad guys got bandwidth by commandeering PCs. Then they moved on to servers. Now, they’re working with devices connected everywhere to the Internet like DVRs and security cameras.
The upshot? Attackers are doubling their available capacity about once every 12-18 months, says Andy Ellis, the chief security officer at Akamai. This means they now have massive power to swamp websites with traffic, taking them down in what are called distributed denial of service (DDoS) attacks.
Attackers can now lob one terabit of data per second. “One terabit, that number is very scary,” says Ellis.
Attackers have this (and growing) capacity thanks to the internet of things. Companies that sell stuff attached to the internet (like those DVRs and security cameras) set basic default passwords in devices without prompting users to reset them. Or they hard-code passwords so they can’t be changed. This makes it simple for the bad guys to guess passwords, infiltrate these devices and take them over to launch DDoS attacks.
In DDoS attacks, infected devices send out requests for information to websites. But they use a phony return address — the address of the website attackers want to take down. As all the responses flood in, the website crashes. “You can send a really small question and get a really big answer,” says Ellis.
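An added example (not from the column or from Akamai) of how a defender can spot the spoofed-return-address pattern described above in flow logs: answers arriving from a service port that the protected host never queried. The flow records, addresses, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport proto nbytes")

# Constructed sample records (documentation address ranges, not real traffic).
PROTECTED = "203.0.113.10"
FLOWS = [
    Flow(0.00, PROTECTED, 40000, "192.0.2.1", 123, "udp", 76),   # our own NTP query
    Flow(0.05, "192.0.2.1", 123, PROTECTED, 40000, "udp", 76),   # its answer: solicited
    Flow(1.00, "198.51.100.1", 123, PROTECTED, 80, "udp", 468),  # answers nobody asked for
    Flow(1.01, "198.51.100.2", 123, PROTECTED, 80, "udp", 468),
    Flow(1.02, "198.51.100.3", 123, PROTECTED, 80, "udp", 468),
    Flow(1.03, "198.51.100.4", 123, PROTECTED, 80, "udp", 468),
    Flow(2.00, "192.0.2.53", 53, PROTECTED, 51000, "udp", 120),  # single stray packet
]

def unsolicited_responses(flows, protected_ip, window=5.0):
    """Inbound UDP flows that answer no request the protected host sent."""
    asked = {}  # (remote_ip, remote_port, local_port) -> time of last request
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        if f.src == protected_ip:
            asked[(f.dst, f.dport, f.sport)] = f.ts
        elif f.dst == protected_ip:
            sent = asked.get((f.src, f.sport, f.dport))
            if sent is None or f.ts - sent > window:
                hits.append(f)
    return hits

def reflection_suspects(flows, protected_ip, min_sources=3):
    """Group unsolicited answers by service port; flag ports with many senders."""
    per_port = defaultdict(lambda: [set(), 0])
    for f in unsolicited_responses(flows, protected_ip):
        per_port[f.sport][0].add(f.src)
        per_port[f.sport][1] += f.nbytes
    # port -> (distinct senders, total bytes received)
    return {port: (len(srcs), total)
            for port, (srcs, total) in per_port.items()
            if len(srcs) >= min_sources}

if __name__ == "__main__":
    print(reflection_suspects(FLOWS, PROTECTED))
```
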
As many as 5.5 million devices get connected to the internet of things every day. This helps explain the ongoing rapid growth in firepower. “You have millions of devices coming online every day, many with plenty of bandwidth and minimal security. All the conditions are ripe for more attacks,” says Leighton.
It seems weird that clever geniuses, top managers and founders of companies that helped build the internet and the software that runs it — at places like Microsoft, Apple, Oracle and Google — made literally billions of dollars and didn’t devote at least some of that wealth to creating a safer system for the rest of us. But oh well. That’s how it played out.
Now, unfortunately, there doesn’t seem to be a way to reverse the vulnerability in the system. “I don’t see an obvious way to change that. But I would like to be pleasantly surprised,” says Leighton.
The good news is that even with all that firepower, attackers most likely won’t be able to literally “take down the internet.” That’s because so many telecom companies now have their own version of the internet backbone. “There is so much robustness and resilience in that infrastructure,” says Ellis.
But that doesn’t mean it won’t at least seem like the internet was taken down — like it did on Oct. 21. In that assault, attackers took out servers that a company called Dyn used to provide some of the technical support needed to run websites.
There are many more vulnerabilities like this to be exploited. For example, a lot of websites use smaller cloud service providers that have defense systems that could easily get knocked out. And many websites use ad vendors whose servers are vulnerable. Websites set up to display ads before content won’t work if the ad servers are knocked out.
Reason #2: The trend is not your friend
If web attacks were a company, its stock would be on fire because growth is phenomenal. DDoS attacks jumped 129% in the second quarter compared to the same quarter a year before, according to Akamai. The company dealt with almost 5,000 of them. One customer was attacked 373 times.
Another type of attack increased 276% to record highs. This happened with network time protocol attacks. In these attacks, servers are disrupted by a flood of requests to confirm what time their clocks display, a request more typically made to synchronize clocks.
The number of attacks overall may continue to grow about 10% a quarter, says the company.
Reason #3: John Podesta-style email hacks are actually pretty easy
Democrats have been embarrassed by revelations in emails hacked from the account of John Podesta, Hillary Clinton’s campaign chairman. You can expect more of these, because they are pretty easy to do.
“There are two types of organizations. Those that know they have been breached and those that don’t know they have been breached,” says Ellis, citing an old maxim in the security business.
But it’s a maxim that’s based in reality. “It’s amazingly difficult to defend an organization. It is hard to do if you are a smaller organization,” says Ellis.
These infiltrations often start when someone allows entry by clicking on a phishing link. Once in, hackers can often move around freely without being noticed for weeks or months.
Reason #4: The bad guys get free software and free publicity
For the number of attacks to keep rising, hackers don’t necessarily have to get better at what they do. It’s enough that more of them join in. That’s bound to happen because of two trends.
First, software programs used to launch attacks are being shared more often online. The Mirai program used in the Oct. 21 botnet attack is a good example of this. It was widely available before the attacks. “There’s a whole variety of tools to accomplish attacks that are easily available online,” says Leighton.
Next, publicity about high-profile outages draws fresh recruits. You can’t blame the media for covering outages like the one on Oct. 21. But there is a downside. The publicity invites copy-cat attacks and attracts new recruits. “The cat’s out of the bag when you see an attack like the one we just saw. It makes everyone aware of what’s possible,” says Leighton. “If anybody didn’t know before, they sure know now.”
Where the next big take downs might happen
So who will be the next big target, and what kind of havoc will future attacks cause?
No one really knows, of course, except the attackers. But if past is prologue, gaming sites and retailers will be high on the list.
The online gaming industry suffered 57% of all DDoS attacks on the Akamai platform in the second quarter. This sector ranks high in part because gamers try to get an advantage by knocking each other offline.
Retailers get their share of DDoS attacks. But they really stand out for a different category of assault called web applications attacks, with 40% of them. Retailers are rich targets for web app infiltration because they have a lot of customer information that’s worth stealing. Hotel and travel companies rank second for web app attacks with 21% of attacks, followed by financial services at 11%.
The good news is that the doomsday scenario of a nuclear-utility attack that causes a reactor meltdown is unlikely. Nuke systems are hardened targets. “It is certainly harder to penetrate a utility and especially a nuke utility,” says Leighton. “But it’s no longer unthinkable.”
But even without nukes in the mix, attackers can cause a lot of damage.
Think about cars, for example. They used to be fairly simple mechanical devices. Now they are rolling computer networks. In the old days, there was a mechanical connection between the steering wheel and the car wheels. Now there is a software interface. It’s the same with brakes and accelerators. The bad news here is that car companies regularly connect to their cars to issue commands. You can imagine what might happen if one of these systems was taken over by bad guys.
Sensors are another vulnerability. Getting into sensors used by trains or dams, for example, could allow attackers to trick humans into thinking trains are travelling at a slow speed, or that water levels are flat when they are really rising. “You don’t have to compromise a system if you can control its sensors,” says Ellis.
Other attacks could create civil unrest and fuel corrosive conspiracy theories. Even minor corruption of voter rolls — that, say, changes voter information, rendering some people ineligible to vote — could spark allegations of a “rigged election” and subvert our democracy.
Likewise, defacement of a media website that posted erroneous voting tallies or projections before polls close could do the same. Even if those were taken down pretty quickly, it would be impossible to know how many voters might have been influenced.
The unknown provides perfect fodder for conspiracy theorists who want to allege that “the system is rigged.” So even if hackers didn’t disrupt this election, there’s always the next one.
At the time of publication, Michael Brush had no positions in any stocks mentioned in this column. Brush has suggested Akamai, Alphabet, Facebook and Netflix in his stock newsletter Brush Up on Stocks.