Professional Insight
On the Shelf

Peering Into the Murky Future of Cyber Threats

Future Crimes by Marc Goodman (Doubleday. 2015. 464 pp. $27.95)

On an ordinary day in February 2013, residents of Great Falls, Montana, were surprised to hear the zombie apocalypse had begun. A news bulletin running on the official Montana Emergency Alert System on KRTV stated, “The bodies of the dead are rising from their graves and attacking the living.” Eventually it became clear that hackers, not the undead, were to blame. Someone had taken control of the station’s feed to broadcast the bogus alert.

This is the sort of incident that worries cybercrime specialist Marc Goodman, who recounts the incident in his new book, Future Crimes. While the zombie alert turned out to be a prank, it showed how easily criminals with more malicious intentions could seize control of vital infrastructure. “We’ve wired the world,” Goodman said, “but we’ve failed to secure it.”

Goodman began his crime-fighting career as a rookie cop in the Los Angeles Police Department. In 1995, he was selected to work on a high-tech case because of an unusual credential: He knew how to spell check in WordPerfect. Since then, Goodman has served as futurist-in-residence with the FBI and consulted with Interpol. But he’s motivated to fight cyber threats by the same concerns that led him to be a cop. “I don’t like when innocent people become victims of a crime,” he says. “And what I see as we transform our world into one that’s run by computers, [is] those that are in the know are extremely well disposed to take advantage of and to exploit those who are not.”

Goodman points out that criminals have long used technology to gain a competitive edge. “Theft used to be a one-on-one affair,” he says. “One person would get a gun or a knife, hide in a dark alley, and point that at somebody and say, ‘Give me your wallet.’” In the 1890s, bandits like Butch Cassidy realized that a new technology, the long-distance train, created the opportunity to rob many people at once. But with networked computers, that math has spiraled out of control, as shown by the theft of data from more than 110 million accounts when Target was hacked in 2013.

Today, it’s much more than credit card numbers that is at risk. The bigger challenge, says Goodman, “is that we now have a world that’s run by computers. Our bridges, our tunnels, air traffic control, our electrical grid, hospitals, 911 systems: they’re all run by computers. And every one of those computers is hackable.” Some of the evidence Goodman cites is striking. When Dick Cheney was fitted with a pacemaker, his surgeon disabled its wireless capabilities to prevent terrorists from hacking it and sending the former vice president a lethal shock. In 2013, the police department of Swansea, Massachusetts, was forced to pay a ransom of $750 in Bitcoins to retrieve its own files, encrypted by a piece of malware known as CryptoLocker.

At least the cops in Swansea knew they had been hacked. According to Goodman, “One of the huge problems with the cyber threat is that most people don’t know when they’ve been a victim. So if you want to count the number of cars that are stolen in the United States every year, it’s a much easier problem. Because when Joe or Jane goes down to their garage in the morning and sees their car is gone, they’re like, ‘Hey! My car is gone!’ And it’s the type of thing you notice when you need to drive to work in the morning.” Detecting when your data have been stolen, on the other hand, can be much more difficult. According to one study, when a company is hacked, the average time from intrusion to detection is 211 days.

While it can be difficult to detect cybercrime, researchers have some idea of how much it costs the global economy. A recent study by the Center for Strategic and International Studies and McAfee places the current cost at $400 billion U.S. annually. But how can companies and governments quantify the cost of future risk? “If any actuary wants to be a super hero,” says Marc Goodman, “this is their chance.”

Goodman believes that actuaries “could theoretically play a huge role” in tackling cybercrime. He explains, “The challenge is that we can’t quantify this threat, because of the detection issues. So what other ways could we go about detecting the threat? And then how could we measure and map it? Because until we can measure and map it accurately … we can’t count it. And if we can’t count it, then we can’t dedicate law enforcement resources to it.” Goodman has come to the conclusion that, “You’ll need a whole new generation of actuaries to figure out the cyber threat … and those that come up with the killer algorithm that can help explain this are in line for some untold fortunes.”

As sobering as the data on cybercrime may be, Goodman manages to make his review of the threats entertaining. Studded with references to science fiction movies and TV shows, from Lost in Space to The Six Million Dollar Man and Minority Report, the book also serves as an encyclopedia of computer crime anecdotes. Some of these are inventive in the extreme. In Seattle, Washington, an armored truck robber used Craigslist to crowdsource his getaway. The bandit first placed a “Help Wanted” ad promising top wages for construction workers. He then instructed applicants to show up near a certain Bank of America, dressed for work in a hard hat, safety vest, tool belt and safety goggles. Wearing an identical outfit, the thief approached an armored car guard, squirted him in the face with pepper spray and stole a bag of money. The real thief then melted into the crowd of construction workers and got away.

In a chapter on things that are now hackable, Goodman counts 338 sharks in Australia who have Twitter accounts. An acoustic tag on each fish sends a Twitter alert whenever one swims within half of a mile of a beach, attracting some 40,000 Twitter followers. Less amusing is the story of a high school student in Pennsylvania who was called into the principal’s office for dealing drugs. As evidence, school officials showed Blake Robbins a photo of himself, sitting in his own bedroom, popping red pills in his mouth. The pills, it turned out, were Mike and Ike candies, and the photos had come from his laptop’s own camera. The school had supplied its students with laptops but failed to tell them it was using software to spy on them. Reading about this incident caused one reader (the one writing this review) to immediately stick duct tape over her laptop’s camera, one of the commonsense precautions that Goodman recommends in the appendix.

One bank robber, tweeting shark or student busted for candy consumption may not seem too menacing, but Goodman contends that cybercrime is about to achieve liftoff, thanks to the exponential growth of computer power. A modern smartphone, for example, contains more computing power than NASA used during the Apollo 11 moon landing. According to an axiom called Moore’s law, computing power doubles roughly every two years. To illustrate the power of this kind of exponential growth, Goodman cites the example of a hypothetical water lily leaf that doubles in size every day until the 30th day of the month, when it will smother the entire pond, killing all other life. A leaf of this size grows slowly at first, covering just one-tenth of one percent of the pond by Day 20. But nine days later, when the leaf covers 50 percent of the pond and the threat is obvious, there is only one day left to act. Which raises the question: How many days, weeks or years remain to defuse the world’s cyber threats?

According to Goodman, “Cyber was just the beginning… and there’s this whole wave of technological awesomeness that’s coming, but there’s this whole new wave of technological threats that we need to be aware of.” Among that next wave of possible threats, Goodman counts robotics, artificial intelligence, nanotechnology, 3-D manufacturing, and the Internet of Things. “But what I’m seeing,” says Goodman, “is that awareness is growing linearly, and the threat is growing exponentially.”

Goodman ends his book with some precautions that individuals can take to protect themselves from cybercrime. For solutions on a larger scale, he is currently focusing on two ideas: first, an XPRIZE for cyber security. “I think an incentive prize … could really drive a ton of innovation,” he says, “to look at building much more resilient systems or less hackable software. People forget that when Charles Lindbergh crossed the Atlantic, it was [motivated by] an incentive prize … and it got the very nascent field of aviation off the ground.” Second, Goodman advocates a Manhattan Project for cybersecurity, “bringing together 10 times or 100 times more people than we currently have thinking about this problem from all backgrounds. And actuaries could be right there at the table, trying to contribute their skill set to solving the problem.”

Asked why he wrote Future Crimes, Goodman says, “I think that this is a kind of a clarion call to let people know about this risk that we face.” In his conclusion, he notes, “The proverbial twenty-ninth day of the lily pond is fast approaching.” However, the book and its title do sound one hopeful note: There is still time available in the present to prevent the crimes of the future.

Laurie McClellan is a freelance writer living in Arlington, Virginia.