Hacks and attacks: what’s the right level of defence?

I watch the Ukraine-Russia conflict with anguish. The loss of life and property is appalling, and the bombing seems relentless. But I wonder why we fight wars with bombs today, when we could just as easily fight with computers. If you bring the network down, you win.

Suffice to say that in the Ukraine-Russia war, both are actively used: bombs and computers. The Russians have tried to destroy Ukraine’s systems and infrastructure and vice versa.

More than 2,000 cyberattacks were aimed at Ukrainian organizations in 2022, according to statistics from Ukraine’s Computer Emergency Response Team provided to POLITICO. While more than 300 of these attacks were against the security and defence sector, more than 400 attacks targeted groups impacting civilian life, including organizations in the commercial, energy, financial, telecommunications and software sectors. More than 500 other attacks were aimed at government groups.

Source: Politico

This is why it intrigues me to look at cyberattacks around the world. When you break the country’s computers, can you break the country?

This came to mind when I saw the news this week that Danish banks were disrupted by DDoS (Distributed Denial of Service) attacks. DDoS just means you cannot access the bank’s web services. It’s not a hack. It does not compromise your data. But what happens if it was a hack?

For example, when you are invited to a Zoom call and asked to download software. It looks like Zoom, it feels like Zoom, but it’s not Zoom. It’s a hack. Or what about an email from a colleague asking to transfer funds urgently, but it’s actually generated by an AI using GPT-3? Or, more often, an email from your boss saying there’s an urgent need to make a payment?

Then you have the simpler scams, like you have a parcel delivery – which is fictional – or a win on a lottery – that’s just made up.

In fact, in retrospect, the Nigerian 419 scam seems laughable. Yes, I am your long lost relative leaving you a million pounds. Just give me your bank details.

So, what to do?

Whether it’s cyberwars or citizenwars, we need to always be alert to attacks, whether criminal or cross-border. In fact, in some ways, it makes a more compelling reason for supporting cryptocurrency.

Cryptocurrencies held in cold wallets are far more secure than fiat currencies held in bank accounts. Is that too much of a stretch of imagination?

Maybe yes or maybe no, but in a world of everything moving to digital and attacks on digital infrastructures becoming more and more sophisticated and non-stop, you need better defences. Which defence do you trust? Username and password? SMS text and OTP? Or something offline that requires approvals from you via username, password, SMS text and OTP before it moves online? Or approvals using username, password, SMS text, OTP, fingerprint and FaceID before it moves online? Or approvals with all of those and some DNA, blood and spit?

Whatever the solution is, we need a world where digital convenience is balanced properly with digital security. We seem to be a way away from that right now and, imho, most of what has been deployed is chunky and clunky. What’s the right solution?