I asked readers in “The Unhackable Internet” to consider what they would do if they woke one morning to find their money gone. Last week that question became frighteningly real.
Twenty thousand customers logged on to find that money in accounts at Bank of America had disappeared.
One account holder, staring at $0 account balances, described it as a “heart-stopping” moment. Was her money really gone? She said that she received little to no communication about this “glitch” as the day progressed until Bank of America said that “some clients were experiencing an issue.” The problem was not resolved until that evening.
Events like this are the canaries in the cyber coal mine. After national defense, the U.S. banking system is among the most secure critical infrastructures in the country. It has exemplary regulatory and industry standards, conducts regular tabletop exercises and has built redundancies into systems in anticipation of a catastrophic cyber event.
But all of those defenses and precautions must operate in an insecure virtual environment that includes none of the usual protections that exist in the real world.
First responders know what to do and how to coordinate with each other when there is a fire, flood, or earthquake. But if your computer screen goes blank or your accounts show $0 balances, do you know who to call? Unlike national defense, in cyberspace, all businesses and individual users must defend their own spaces.
Given that, how does it make sense to continue to load every inch of critical data and every penny of value onto networks that aren’t secure, can’t retaliate when attacked and ultimately incentivize cybercriminals to act because their chances of being found and prosecuted are negligible? Would anyone live in a city that has those characteristics?
Somehow, online convenience and social engagement have become more important than security and privacy.
People assume that the government is protecting us against cyber disasters. After all, everything in the analog world is regulated. Well, no one is watching over us in cyberspace, and no one is making sure we are secure. Even where businesses do have strong defenses, they may be undone because users ignore digital hygiene.
Viewed most cynically, cyberspace has become a virtual ecosystem that makes it easy for hackers, criminals and rogue nations to take advantage of us.
Ignoring for the moment who is to blame for this predicament, we must begin to fix it before we are catapulted into the next level of cyber hell. Here is where I would start.
First, nothing breeds anarchy like anonymity. It is imprudent to live in a digital world where no one is required to identify themselves. Democratic nations must work together to recreate cyberspace so that every user is required to present identification credentials as they must do to move in the real world. Rogue nations and others that refuse to abide by those rules should be denied access.
Second, no civilized society can function without some form of governance. The failure to create or adhere to rules has consequences in real life, and so it should in cyberspace. The Wild West of the internet was fun when it was about video games and live cams, but we are well past those giddy days.
Third, without enforcement, only responsible people act responsibly. Today, there are no cybercops and no 800 number we can call to stop, pursue or arrest cyber burglars. Without a cyber police force that is reachable, ubiquitous and effective, we will continue to be defenseless against a growing legion of global online hackers and criminals.
Finally, things we do online that require enhanced security should be done through secure private networks (“SPNs”) that maintain high levels of security and authentication. Those who don’t want to live according to the rules of those networks should be denied access or be subject to kill switches that terminate their virtual lives.
These small steps would help immensely, but it is unlikely that even they will occur. Our legislators understand little about technology and the risks that it is creating. And many are dependent on tech to support their campaigns. FTX’s Sam Bankman-Fried reportedly made $100 million in campaign contributions to protect his political flanks.
Without protective legislation, strong rules, cybercops, better security and tech-literate users, it seems inevitable that we will wake one day to zero balances. The gut punch we will feel when that occurs may spur us to act, but it will be too late at that point.
Thomas P. Vartanian is the executive director of the Financial Technology & Cybersecurity Center. He is the author of “The Unhackable Internet.”