UAE hack shows cyber weapons not just a tool for superpowers

Technology advances and the internet information explosion have leveled the global playing field over the last several decades.

Startups from Boston to Bangkok have leveraged technological innovation to create phenomenal new products and services, disrupt markets and industries and change our lives in ways we could not imagine. World-wide access to information on-demand has never been greater.

{mosads}On the whole, this has been a very good thing. 

Unfortunately, as we all know too well, the level playing field has also empowered bad actors — individuals, organizations and countries — to exploit new technologies in order to wreak havoc.

The depth and danger of the havoc — and the urgency for stepped-up efforts here in the U.S. to stop it — was evident in the recent disclosure of the United Arab Emirates’ success during 2015 and 2016 in using high-powered spying tool called Karma to hack into the iPhones of activists, diplomats and foreign rivals.

It has been reported that Apple discovered the vulnerability in mid-2016 and rendered Karma less effective.

The UAE’s success in obtaining and deploying Karma shows that sophisticated cyber weapons are not only the domain of the world’s superpowers. Think about it. Tiny UAE — about the size of South Carolina with a population of just 9 million people — purchased a “weapon” that could potentially access every iPhone in the world.

That was not its intent in this case. But what if it were?

The UAE Karma hack puts a bright spotlight on just how unsecure the internet remains and how far the device makers — Apple and others — still have to go in securing the smartphones and the smartphone applications that have become essential part of our daily lives.

So, what do we do now?

Security was never a priority for the internet’s original architects and building in security after the fact will be a long, arduous and costly effort. Yes, it is worth doing, but it is not a fix we are going to see any time soon.

On the other hand, there are important things the device-makers and the application developers can and should be doing right now to enhance their security.

First, they should increase their research into, and investments in security software.

Given the ubiquity of cyber attacks, security breaches and hacks, it may seem hard to believe that we’re still in the early innings when it comes to developing security software, but that is the case.

New, more-effective software security tools and solutions are coming to market all the time, and both the device-makers and application developers should be investing heavily in the best of them in order to assure they design, develop and deliver more secure products. Those who do will gain a competitive advantage.

Device-makers, in particular, need to conduct extensive security audits and significantly increase the security testing before their products ship.

Being proactive is essential.

Additionally, it seems likely that here in the U.S., the government will look to play a more activist role in ensuring data security and information privacy, as was the case in Europe with the EU’s General Data Protection Regulation (GDPR) that went into effect last May.

GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas.

Apple and Cisco have already signaled support for a GDPR-like initiative here in the U.S., and we can expect government hearings at the very least in the near future.

Technology advancements will continue apace, but unless we do much more to assure that security is designed in, we will suffer the consequences of the havoc that ensues.

Lou Shipley is a lecturer at the MIT Sloan School of Management.