While the internet has undoubtedly brought new benefits, it’s also brought new problems as cyber criminals look to exploit our seemingly ever-growing reliance on connectivity.
Phishing emails, malware and ransomware attacks, or getting your bank details, passwords and other personal information stolen – the internet has provided malicious hackers with a variety of new ways to make money and cause disruption. Just look, for example, at how critical infrastructure, schools and hospitals have been affected by cyberattacks.
We’re yet to fully secure networks against today’s internet threats, yet technology is moving on already, bringing new threats that we must somehow prepare for.
Quantum: crypto cracking and mining
One of the most significant technological breakthroughs heading our way is quantum computing, which promises to be able to quickly solve complex problems that have defeated classical computers.
While this advance will bring benefits to scientific research and society, it will also create new challenges. Most notably, the power of quantum computing could make quick work of cracking the encryption algorithms we’ve used for decades to secure a range of areas, including online banking, secure communications and digital signatures.
Currently, quantum computing is expensive and the expertise required to develop it is restricted to large technology companies, research institutions and governments. But like any innovative technology, it will eventually become more commercially available and easier to access – and cyber criminals will be looking to take advantage of quantum.
“There’s some things over the horizon that you can see coming; notably quantum computing being able to crack current encryption algorithms,” says Martin Lee, technical lead of security research at Cisco Talos.
“What was an entirely appropriate encryption key length 20 years ago is no longer appropriate.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has already warned that action must be taken now to help protect networks from cyberattacks powered by quantum computing, particularly those that support critical national infrastructure.
But while disruptive cyberattacks powered by quantum computing are a key cybersecurity threat of the future, quantum computers could themselves be a lucrative target of hackers.
Let’s think of the specific example of crypto-mining malware. This is a form of malware that attackers install on computers and servers to secretly use the power of someone else’s network to mine for cryptocurrency and pocket the profits – all without needing to pay for the resources or the power being consumed.
Cryptocurrencies, such as Bitcoin, are generated by computers by solving complex mathematical problems – the sort of mathematical problems that could be relatively trivial for a network of quantum computers to solve. That means that if cyber criminals were able to plant crypto-mining malware on quantum computers, they could get very rich very quickly – at almost no cost to themselves.
“Infecting one of those would allow somebody to start calculating very complex algorithms,” says David Sancho, senior antivirus researcher at Trend Micro.
“If you have a crypto miner on a quantum computer, that’s going to tremendously speed up your mining capabilities – those things becoming a target of trivial cyberattacks, it’s a very easy prediction to make.”
Exploiting AI and ML
But quantum computing isn’t the only emerging technology that cyber criminals will look to take advantage of: we can expect them to exploit developments in artificial intelligence (AI) and machine learning (ML), too.
Like quantum computing, AI and ML look set to power innovations in a range of areas, including robotics and driverless cars, speech and language recognition, healthcare and more.
AI that can adapt and learn can be used for good, but ultimately, once it becomes more widely available, it’s only a matter of time before cyber criminals are using it to help make cyberattacks more effective.
“We will start seeing malware campaigns, ransomware operations and phishing campaigns being run totally automated by machine-learning frameworks. It hasn’t been done yet but it wouldn’t be very hard at all to do,” says Mikko Hyppönen, chief research officer at WithSecure.
One means of exploiting this technology would be programming a text-based generation algorithm to send out, and reply to, common spam emails or business email compromise (BEC) campaigns.
Rather than needing a human to take time out to write and reply to messages, criminals could rely on an algorithm that can also analyse which responses are most likely to be real victims that are worth replying to, rather than people who remain unconvinced, or those who send prank replies back to the spammer. That reality means in future you could end up being scammed – by a bot.
There’s also the potential that cyber criminals could use advancements in ML to develop self-programming smart malware which, rather than needing a developer to support it, could update itself by automatically reacting to the cyber defences it meets to have the greatest chance of being effective.
“You could imagine when self-programming programs become more capable than right now where they can finish functions created by humans – that sounds great until you give it ransomware,” says Hyppönen.
“It could change the code, make it more complex to understand, make it so it’s different every time, it could try to create undetectable versions. All of that is technically doable, we simply haven’t seen it yet – and I think we will,” he warns.
But AI being abused to power cyber threats isn’t just a future problem for the internet – it’s already happening now, with deep learning being used to power deepfakes, which are videos that look like they’re real people or events but are actually fake.
They’ve been used in political misinformation campaigns, pranks to fool politicians – and they’re already being used to enhance BEC and other fraud attacks, with cyber criminals using deepfake audio to convince employees to authorise significant financial transfers to accounts owned by the attackers.
“We’re entering this brave new world around deepfake video that will be used to commit crimes. Not just manipulation, but also in disinformation and misinformation,” says Theresa Payton, CEO of Fortalice Solutions and former CIO at the White House.
Take the example of CEOs who are in the public-facing realm. They appear on television, they give speeches, and there are videos of them online, so it’s relatively simple to find recordings of what they sound like – and it’s already possible for scammers to run those resources through deepfake technology to mimic their voice.
After all, if an employee gets a call from the head of the company telling them to do something, they’re likely to do it – and the cyber criminals behind these attacks know this fact.
“I already know of three cases where deepfake audio was used to successfully convince somebody to transfer money to a place they shouldn’t have transferred it. That is stunning to me that as a sample size of one, I already know of three cases,” says Payton.
And as the technology behind deepfakes continues to improve, it means that it will only get harder to tell what’s real from what’s fake.
“I grow increasingly concerned about our lack of ability to really shut down manipulation campaigns,” says Payton.
Internet of compromised Things
Deepfakes aren’t the only area where cyber threats could impact our everyday lives if the future of the internet isn’t secured properly. Increasingly, smart Internet of Things (IoT) devices are becoming a bigger part of our daily existence, with a variety of sensors, appliances, wearable devices and other connected products appearing in homes, offices, factories, and more.
While there are certain advantages to connecting IoT devices to our home and workplace networks, this increased level of networking is also creating a larger attack surface for cyber criminals to try to exploit.
“When you add functionality and connectivity into everyday devices, they become hackable. Devices that were unhackable become hackable. It might be very hard. Nevertheless, it is always doable. There is no secure computer. There is no unhackable device,” explains Hyppönen.
“This is the thing that’s happening now during our time, and there’s no stopping it. It doesn’t matter what we think about it, it’s going to happen anyway, and it’s going to be increasingly invisible.”
Think about your home appliances: it’s increasingly likely they’re ‘smart’ and connected to the internet. Anything from your television to your toothbrush could now be internet-connected.
But for appliance manufacturers, building internet-connected devices is a relatively new phenomenon and many won’t have needed to think about cybersecurity threats before. Some vendors might not even think about it in the design process at all, leaving the products vulnerable to hackers.
While hackers coming after your coffee machine or your fish tank might not sound like a concern, it’s a point on the network that can be accessed and used as a gateway to attack more important devices and sensitive data.
While IoT security should (hopefully) improve as it becomes more widespread, there’s also another problem to consider. There are already millions and millions of IoT devices out there that lack security – and these might not even be supported with security updates.
Think about how many smartphones can’t receive security updates after just a few years. Then scale that reality up to the fast-growing IoT – what’s going to happen if devices that aren’t regularly replaced, such as a refrigerator or a car, can continue to be used for decades?
“There’s no software vendor on the planet that would support software written 20 years ago. It’s just not happening,” says Hyppönen, who suggests that when manufacturers no longer support updates for their devices, they should open-source the software to allow others to do so.
“You would get the security patches for your old, outdated legacy things by paying for the service just like you pay for any other service.”
Connected devices are already becoming ubiquitous throughout society, with no sign of this trend slowing down – whole smart cities will become the norm. But if cybersecurity and compliance aren’t a key force driving this trend, it could lead to negative consequences for everyone.
“If you don’t resolve these issues, you’re going to have attacks happen at a scale and speed you’ve never seen before – bad things will be faster. That is incredibly concerning,” says Payton, who believes it’s only a matter of time before a ransomware attack holds a smart city hostage.
“They will be a target – and we will experience some level of sustained disruption,” she adds.
Cyber security arms race
Despite the potential threats on the horizon, Payton is optimistic about the future of the internet. While cyber criminals are going to be using new technologies to help improve their attacks, those responsible for defending networks will also be deploying the same technologies to help prevent attacks.
“I’m pretty energized about our continuing ability to model nefarious behaviors, then use artificial intelligence, big data, analytics, and different types of machine learning algorithms to continue to refine technology,” she explains.
“Now, will it block everything? No, because cyber criminals are always adapting their tactics. But I do have a lot of optimism for being able to block more of the basic-to-medium types of threats that seem to get through today.”
That sense of optimism is shared by Hyppönen, who looks back on how technology has evolved in recent years. He believes cybersecurity is improving and that even with new technologies on the horizon, it doesn’t mean cyber criminals and other malicious hackers will simply have it easy.
“Computer security has never been in better shape than today. That’s a controversial comment – people on the street would most likely think that data security has never been worse because they only see the failures. They only see the headlines about yet another hack,” he says.
“But the fact is, if you compare the security of our computers today and a decade ago, it’s like night and day. We’re getting much, much better at security – attackers have a much, much harder time breaking through.”
Let’s hope that situation remains the case – the future stability of the internet depends on it being true.