Rob Wainwright, the Director of Europol, on how the infrastructure underpinning the World Wide Web is vulnerable to attack. The interview is part of the Risk Response Network’s “What if?” series. The Risk and Responsibility in a Hyperconnected World – Pathways to Global Cyber Resilience was released on the 31st May 2012.
What is your main area of expertise and interest?
My field of expertise is combating serious international crime and terrorism, including cyber crime.
What would you say is the greatest or the most under-estimated risk in your field?
I would say the instability and vulnerability of the Internet’s infrastructure. We are living in an increasingly hyperconnected world, which was one of the big themes of Davos 2012. We now have 5 billion devices, from computers to cars to kitchen ovens, which access the Internet remotely. This increasing connectivity is making the Internet hugely important both for business and private life, but it creates vulnerability. Certainly in my world, there is a feeling that we understand the benefits of the Internet far more than the risks.
How might a worst case scenario play out?
We could be looking at a malicious attack by hacktivists or, in the worst case scenario, even terrorists, targeting the core systems that maintain the infrastructure of the Internet. They might attack the DNS, or domain name system: this is effectively the Internet’s directory, converting the numerical codes of IP addresses into words that can be searched on the Internet. If this were brought down, web pages would no longer be accessible. There is also the Border Gateway Protocol, which connects the regional hubs of the Internet to make it the global instrument that it is, supporting society and business. If either of these two systems were successfully attacked, for example using botnets, or distributed denial of service attacks, this would take down the Internet and have a huge effect on the way in which we do our business.
Can you give any examples of cases where the vulnerabilities of the system were exploited?
The last time that these core systems were attacked in a significant way was, as far as I know, way back in 2007. Some of the so-called “Root Servers” of the domain name system were indeed damaged. There are 13 of these Root Servers around the world. I think six of them were damaged in that attack, two of them quite seriously. It caused some disruption but recovery was quick and therefore no long-lasting damage was caused. Having said that, I think the activity of hacktivist groups is now showing that they are using increasingly sophisticated methods, particularly involving botnets, and my fear is that some groups have a greater capability now. They are showing this capability in different ways, including their disruptive attacks on financial institutions. We also, of course, have a huge cyber crime industry, with organized crime syndicates themselves developing very sophisticated ways to steal identities and carry out fraudulent activity online to the tune of billions of dollars each year. So, there is a big profit motivation here, as well as a potential terrorist threat. There are some very dangerous motivations that could inspire a disruptive attack on the critical infrastructure that maintains the Internet.
If we take the case of organized crime, do any noteworthy examples stand out?
Some of the threats that we are monitoring at Europol are those that allow a digital underground economy to flourish. In particular, personal data has become the oil in the machine. Millions of personal data are stolen from everyday citizens, which are then used online to create fraudulent identities to carry out massive attacks on people, governments and businesses as well. In one year alone, we estimate that a minimum of €100 billion in VAT fraud is committed online in the European Union alone. We see this happening along with the more traditional attacks, in which crime syndicates are involved in the proliferation of child sex abuse images online. So this is a multidimensional problem, which is certainly getting harder to police.
And how do you police it?
Well, there is a lot that we can do in the law enforcement community to increase our digital forensic capability so that we can investigate and identify early enough the first signs of serious criminal activity online. This means boosting our intelligence capabilities as well as increasing the extent to which we can share intelligence between national police agencies. Europol has a particular role in the EU to promote that, but I think law enforcement cannot do this alone. The Internet is central to all aspects of business and life and it is important therefore that a multistakeholder community address this problem. I am part of the World Economic Forum’s major new Cyber Resilience Initiative, Risk & Responsibility in a Hyperconnected World, which calls on business leaders, political leaders and law enforcement chiefs to sign up to the idea that we have to move on in our work to defeat cyber crime beyond the traditional area of securing our own perimeters. It’s not just bigger locks we need any longer, but a recognition that when we are online, we cannot operate with zero risk. We need to recognize that this is an interdependent problem and that we are all dependent on the Internet in this hyperconnected world in which we now live.
And if I were to ask you what is your greatest personal fear?
I am very worried by this great misplaced confidence in the unbreakable nature of the Internet. It is not unbreakable: it can collapse, it may indeed collapse. There is a parallel with the financial crisis. Very few people predicted the Armageddon scenario or paid much attention to it, and yet here we are deep in recession in many parts of the world. I don’t want to be a doomsday merchant, but I think the collapse of the Internet would have a very, very significant impact. This is what we referred to in Davos as the ‘dark side’ of the Internet, the dark side of connectivity. What drives me in my job is the need to protect people and society from these very significant cyber security threats. This is not just about protecting our economy, it is also about protecting the most vulnerable people in society. It angers me when I see fraudsters liberally preying on the weak and the old and the vulnerable with their scams online, telling people that they have won the lottery and if they could just give US$ 50 they would release the funds. So many unsuspecting older people are falling victim to these terrible scams. We have to stop these guys. We also have to stop the people who are preying on children. There has been an explosion of child sex abuse activity online and some of the cases that I have been involved with in the last two years have been operating against some of the largest online paedophile communities in the world.
Pictured: Cables attached to an Internet server at the Swiss Federal Institute of Technology (Reuters)
Rob Wainwright is the Director of Europol (the European Police Agency) and Vice-Chair of the World Economic Forum’s Global Agenda Council on Organized Crime.