Chapter 3

New and emerging threats of cyber crime and terrorism

Eric Luiijf

Abstract

Advancements in information and communication technologies (ICT) inextricably bring new threats to the end-users and society. However, history has shown that many of the threats affecting new ICT innovation developments can be predicted. The reason is that with each new ICT advancement the developers and programmers fail to take previously identified cyber security lessons into account. This chapter looks at emerging application ICT areas and discusses the new cyber security threats we have to prepare for.

Keywords

Cyber security

Future cyber security

New threats

History of cyber crime

Future threats

Introduction

Advancements in information and communication technologies (ICT) inextricably bring new threats to the end-users and society. However, the last 40 years have shown that many of the same cyber security design and programming failures occur over and over again when a new ICT innovation and development cycle takes place. Unfortunately, this allows us to predict new cyber security failures in the next innovation cycle. The reason is that with each new ICT advancement developers and programmers fail to take previously identified cyber security lessons into account. They grow up in the totally new ICT-development cycles and environments. They are even motivated and encouraged to disregard “old school” ICT.

Firstly, a short historic overview of some of the developments in cyber threats and related cybercrime is provided. This serves as a basis for the next section, which discusses how previous ICT innovation cycles show the recurrence of cyber security failures, with patching and fixing afterwards, and the lack of learning the previously identified cyber security lessons. A section about organizational issues is presented, and, based on the lessons identified in the past, a final section discusses new ICT innovations and predicts new and emerging threats as well as disguised old threats in a new fabric which may be exploited by cyber criminals, hacktivists, industrial spies, and states.

Some Historic Milestones

When discussing cyber-related crime, the EC (2007) recognized three different types of cybercrime, overlooking the fourth one added below:

1. traditional forms of crime committed using cyber means, e.g., forgery and web shop and e-market types of fraud,

2. illegal content, e.g., pirated music and child pornography,

3. crimes unique to electronic networks such as hacking and denial-of-service attacks,

4. crimes unique to cyberspace which are intended to have effects on physical systems and/or in the physical world, e.g., the cyber manipulation of process control systems in the gas transport grid causing a pipeline rupture and subsequent explosions.

Many people today think that cybercrime is a recent problem. The contrary is true, as the following examples show:

• According to DHS (2014), “Beginning in 1970, and over the course of three years, the chief teller at the Park Avenue branch of New York's Union Dime Savings Bank manipulated the account information on the bank's computer system to embezzle over $1.5 million from hundreds of customer accounts.” Many more types of cybercrimes (e.g., forgery and fraud) have followed since then.

• Although the first self-replicating computer codes were developed in the 1960s, it took until 1971 before Bob Thomas developed the Creeper virus, which infected other systems in the Arpanet. Although it ran unwanted computer code on systems owned by other organizations, his “experiment” was not yet considered a crime at that time.

• In early 1977, over a weekend, an insider stole hundreds of original computer tapes and their back-ups from the computer center and back-up storage of a chemical industry company called ICI. He tried to extort ICI and demanded 275,000 pounds sterling (Geelof, 2007). After the perpetrator was apprehended, the newspaper headline stated “The theft of computer data of ICI marks a new era of criminality” (Korver, 2007).

• On November 2, 1988, Robert T. Morris released the first computer worm on the Internet, which infected thousands of systems. In 1990, Morris was convicted under the 1986 Computer Fraud and Abuse Act. He was sentenced to three years of probation, 400 hours of community service, and a fine of 10,000 USD (Markoff, 1990).

• In 1994, Russian hackers made 40 transfers totaling over 10 million USD from Citibank to bank accounts in Finland, Russia, Germany, the Netherlands, the United States, Israel and Switzerland. All but $400K of the money was recovered (Harmon, 1995). This case showed that cybercrime could result in unauthorized transfers of large amounts of money.

• In 1995, the first phishing attempts took place.

• In 1997, the Electronic Disturbance Theater (EDT) was formed. EDT created tools to establish an electronic version of sit-ins on the internet. On April 10, 1998, their Floodnet tool was used by protesters from many nations to perform denial-of-service attacks on the website of the President of Mexico and later on the White House (Wray, 1998).

• In January 1998, a disgruntled system operator remotely manipulated the SCADA system of a coal-fired power plant, putting it into emergency mode, and removed the SCADA system software.

• In 2005, the air conditioning system of a European bank’s computer center was deliberately hacked. The computer room temperature slowly increased and caused a shutdown of all computer system services.

• In 2006, the Russian Business Network (RBN) started. Soon after its inception, RBN was a central point for offering cybercrime tools and services for spam, phishing, Trojans and more.

• In July 2010, the existence of the Stuxnet process control system worm, detected one month earlier, became widely known. Stuxnet specifically targeted the Siemens process control systems of the uranium enrichment plant in Natanz, Iran. Its effect was that it covertly cybotaged the speed control of the ultracentrifuges, resulting in extreme wear and tear (Falliere et al., 2010) (for further reference to this case please see Chapters 9 and 13).

• In 2011, British intelligence agencies replaced a bomb-making recipe on a webpage with a recipe for making cupcakes (Huff Post Food, 2011).

If we neglect the traditional forms of crime and the illegal content type of cybercrime, the examples above show cybercrime, hacktivism, and (state) cyber operations which exploited the ICT-vulnerabilities of technology, of organizations, and of human behavior.

Cyber Security Lessons not Learned from Previous ICT Innovation Cycles

ICT has gone through a number of innovation cycles since its start in World War II. New ICT developments are adopted by industry and society in a way which reflects the technology adoption lifecycle model coined by Bohlen and Beal (1957). Early adopters take up the innovations. After the breakthrough of an ICT innovation, a fast uptake by users and organizations can be recognized. Later on, a mainstream phase occurs in which the negative drawbacks of the new innovation have been overcome.

It was shown by Venkatesh et al. (2003) and Venkatesh and Bala (2008) that adopting ICT innovations largely relates to the ease of use and its usefulness to the end-users and their organizations; in short, user-friendly functionality. The cyber security aspects of ICT innovations do not play a role according to their findings. After the many ICT innovation cycles we have gone through, one could expect that cyber security requirements would have come more to the forefront, but that is obviously not the case. The main reason is that no cyber security lessons are learned from earlier ICT innovation cycles and that the same mistakes are repeated over and over again as the driving forces for ICT innovation come from outside security-aware communities.

In the 1960s, one could walk to a terminal and start typing a username and password to log in. If the username was entered wrongly, a new user environment was created. The usernames and passwords were stored in clear text on the system, and the password file often was accessible to all users and system programs. Over time, the security of computer access was improved and the number of times one could try passwords for a certain username became limited. The many security problems posed by buffer overflows and lack of input validation, allowing hackers to elevate their access level to system resources, were fixed in the operating systems of mainframes in the mid-seventies. However, each new operating system version contained the same type of design and coding errors in newly developed functionality, and patching of those holes was required.

In the seventies, existing and new computer companies caused an ICT revolution by bringing mini computers and midi computers to department levels of organizations. As these systems were intended to be used in small cooperative environments, ease of use was their key selling point. One could walk up to the system, reboot it and run one’s programs without any computer security measure other than the physical access to the room. Multi-user use was added in a simplistic way as seen from a computer security aspect. For example, the original UNIX /etc/passwd file was world-readable. It showed the usernames and their related one-way encrypted passwords and the random salt value. The one-way encryption process was supposed to provide strong system access security as the process was irreversible. The claim was right; however, as the encryption process was public, hackers simply used brute force processing of all character combinations through the fast password algorithm and compared the outcome with the encrypted passwords in the password file. Out of the box thinking resulted in a simple way to reveal usernames and passwords. Moreover, Moore’s law caused an increase in processing speed each year and thus reduced both the effective password strength and the time needed to break username-password combinations.
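The argument above, as an added worked example that is not part of the chapter: a constructed toy “password file” holds salted one-way hashes, exactly as the world-readable /etc/passwd did. SHA-256 over salt and password stands in for the original crypt(3) algorithm (an assumption made for the example; the point is only that the algorithm is public and fast). The code shows the legitimate verification, the offline comparison that a copy of the file makes possible, and the two mitigations that followed from this lesson: a work factor in the hash (here PBKDF2, a stand-in for any modern password hash) and, in practice, moving the hashes to a file that ordinary users cannot read. The Moore’s law parameter shows how each doubling of processing speed halves the time to exhaust a password space.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def fast_hash(salt: bytes, password: str) -> str:
    """Public, fast one-way hash: a stand-in for the 1970s crypt(3)
    (assumption for this example, not the real algorithm)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(salt: bytes, password: str, iterations: int = 100_000) -> str:
    """Same idea with a work factor: every guess costs `iterations` rounds
    of PBKDF2-HMAC-SHA256, which is the modern mitigation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_entry(user: str, password: str, hasher) -> tuple:
    """One constructed password-file line: (username, random salt, hash)."""
    salt = os.urandom(8)
    return (user, salt, hasher(salt, password))


def verify_login(entry: tuple, attempt: str, hasher) -> bool:
    """The legitimate use of the file: re-hash an attempt and compare."""
    _user, salt, digest = entry
    return hasher(salt, attempt) == digest


def offline_guess(entry: tuple, candidates, hasher):
    """What the chapter describes: with a copy of the readable file and the
    public algorithm, hash candidates with the entry's salt and compare,
    with no login lockout involved. Returns (match or None, hashes done)."""
    _user, salt, digest = entry
    candidates = list(candidates)
    for n, cand in enumerate(candidates, start=1):
        if hasher(salt, cand) == digest:
            return cand, n
    return None, len(candidates)


def guesses_per_second(hasher, sample: int = 20) -> float:
    """Measure how many guesses per second one core achieves with `hasher`."""
    salt = b"timing-salt"  # constructed fixed salt, used for timing only
    t0 = time.perf_counter()
    for i in range(sample):
        hasher(salt, f"candidate-{i}")
    elapsed = max(time.perf_counter() - t0, 1e-9)
    return sample / elapsed


def years_to_exhaust(charset_size: int, length: int, rate: float,
                     doublings: int = 0) -> float:
    """Years needed to try every password of `length` characters drawn from
    `charset_size` symbols at `rate` guesses/s, after `doublings` Moore's-law
    doublings of processing speed (each doubling halves the time)."""
    return charset_size ** length / (rate * 2 ** doublings) / SECONDS_PER_YEAR


if __name__ == "__main__":
    entry = make_entry("alice", "password", fast_hash)
    print("verify:", verify_login(entry, "password", fast_hash))
    print("offline comparison:", offline_guess(entry, ["letmein", "qwerty", "password"], fast_hash))
    fast = guesses_per_second(fast_hash)
    slow = guesses_per_second(slow_hash)
    print(f"fast hash: {fast:,.0f} guesses/s, work-factor hash: {slow:,.0f} guesses/s")
    print(f"8 lowercase chars, fast hash:        {years_to_exhaust(26, 8, fast):.4f} years")
    print(f"8 lowercase chars, work-factor hash: {years_to_exhaust(26, 8, slow):.1f} years")
    print(f"same, after 5 speed doublings:       {years_to_exhaust(26, 8, slow, doublings=5):.1f} years")
```

The measured ratio between the two rates is the whole point: the work factor does not make the algorithm secret, it makes each public computation expensive, and it can be raised as hardware gets faster, which a fixed fast hash cannot.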

Other operating systems at that time allowed the user to interrupt a program which had access to the password file and create a memory dump containing all passwords in plain text.

Moreover, similar to earlier mainframes, the operating systems in minis and midis were not secured against hackers as bad coding practices were used, e.g., buffer overflows and lack of input validation. Providing new functionality in the operating system had priority over security.

Apple launched its Apple II in 1977. IBM followed with the Personal Computer (PC) in 1981. The initial disk operating systems did not provide any security other than a read-only bit to protect against the accidental overwriting of a file. They were personal computers, after all.

Networking of PCs from 1983 onwards, e.g., with Novell and LAN Manager, required more security to be added to the PC in hindsight. The increase in malware such as viruses and worms required additional security measures to be added to the PC platform, which was not intended to be secure at all, and its subsequent Windows operating systems. Major failures in computer security were found in simple access to the memory of the system and of other applications, disk scavenging, clear text passwords on the network, and too simple implementations of security measures that dealt with legacy protocols. An example was the legacy support for LAN Manager in Windows/NT, where one could easily determine the length of a user’s password. In a similar manner, the protection of the Windows/NT password file and file system was based on internal system protection; it failed when hackers, thinking out of the box, used a Unix-based bootable floppy disk and application to access the system device directly.

It took until after the millennium before manufacturers like Microsoft started to take the security of their server operating systems seriously. At the same time, design failures occurred in the encryption processes of wireless networking technology. The push to the world-wide market with new functionality was more important than proper cyber security. In fast sequence, the wireless encryption protocol WEP was shown to be insecure, creating the need for a replacement, which was broken soon thereafter. Why did the system designers and programmers not learn from the lessons identified with earlier security failures? Why did they only look for functionality?

In parallel, ICT found its way into the automation of physical and real-world processes such as in the chemical industry, the switching of rail points, and the control of the power, gas and water grids. The Supervisory Control And Data Acquisition (SCADA) and similar process control protocols were designed without many security considerations. The software was proprietary and no one else was interested in its detailed working. The process control networks were closed, therefore no hackers would have access. The same manufacturer root password, which one could not change, was embedded in thousands of units all over the world. The Stuxnet case made use of such a design and deployment error (Falliere et al., 2010).

The design and implementations of SCADA protocols and the protection of systems in the field did not keep pace with the security considerations needed in their field. Connectivity with public networks, ease of teleworking, and tools like Shodan, which identifies vulnerable process control systems connected to the internet, create the access paths for cyber criminals to critical infrastructures such as our energy grids (Averill and Luiijf, 2010).

Only some years ago, testing a SCADA network with the ICT network tool Nmap at a large, inhomogeneous SCADA installation caused one-third of the SCADA installation to crash and another one-third to stop communicating. The SCADA protocol implementations could not deal with an unexpected byte more or less in a received packet. They failed to validate the received protocol packets, as the implementation expected a benign operating environment.
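The failure mode described above, as an added example that is not the chapter’s code and not any real SCADA protocol: a constructed, length-prefixed toy frame format (magic bytes, a two-byte payload length, a function code, the payload, and an XOR checksum; all an assumption for this example) is parsed twice. The naive parser trusts the declared length and uses it directly as an index, which is the reconstructed behaviour (an assumption) of implementations that crash on a frame one byte short and silently swallow a frame one byte too long; in C the same logic reads past the receive buffer. The hardened parser checks every field against the bytes actually received before using it.

```python
import struct

# Toy frame layout (constructed for this example):
#   magic 0x5A 0xA5 | length (2 bytes, big-endian, payload only) |
#   function code (1 byte) | payload | checksum (XOR of all preceding bytes)
MAGIC = b"\x5a\xa5"
HEADER = struct.Struct(">2sHB")          # magic, length, function code
MAX_PAYLOAD = 250                        # constructed limit for this format
KNOWN_FUNCTIONS = {0x01: "read_registers", 0x05: "write_coil"}


class FrameError(ValueError):
    """Raised for any frame that does not match what was actually received."""


def xor_checksum(data: bytes) -> int:
    result = 0
    for byte in data:
        result ^= byte
    return result


def build_frame(func: int, payload: bytes) -> bytes:
    """Encode a well-formed frame (used to construct the sample input)."""
    body = HEADER.pack(MAGIC, len(payload), func) + payload
    return body + bytes([xor_checksum(body)])


def parse_frame_naive(buf: bytes) -> dict:
    """Reconstruction (an assumption) of the crashing implementations: the
    declared length is trusted and used directly as an index. One byte short
    raises IndexError here; one byte extra is accepted with the byte ignored."""
    _magic, length, func = HEADER.unpack_from(buf, 0)
    payload = buf[HEADER.size:HEADER.size + length]
    checksum = buf[HEADER.size + length]
    return {"function": KNOWN_FUNCTIONS.get(func, "unknown"),
            "payload": payload, "checksum": checksum}


def parse_frame(buf: bytes) -> dict:
    """Hardened parser: every field is validated against the bytes actually
    received before it is used, so a byte too few or too many is rejected
    instead of being indexed out of range or silently ignored."""
    if len(buf) < HEADER.size + 1:
        raise FrameError("frame shorter than header plus checksum")
    magic, length, func = HEADER.unpack_from(buf, 0)
    if magic != MAGIC:
        raise FrameError("bad magic")
    if length > MAX_PAYLOAD:
        raise FrameError(f"declared length {length} exceeds limit {MAX_PAYLOAD}")
    expected_total = HEADER.size + length + 1
    if len(buf) != expected_total:
        raise FrameError(f"declared payload {length} bytes but frame is "
                         f"{len(buf)} bytes, expected {expected_total}")
    if xor_checksum(buf[:-1]) != buf[-1]:
        raise FrameError("checksum mismatch")
    if func not in KNOWN_FUNCTIONS:
        raise FrameError(f"unknown function code 0x{func:02x}")
    return {"function": KNOWN_FUNCTIONS[func],
            "payload": buf[HEADER.size:HEADER.size + length]}


def classify(buf: bytes) -> str:
    """Outcome of the hardened parser as a string, for logging or tests."""
    try:
        parse_frame(buf)
        return "accepted"
    except FrameError as err:
        return f"rejected: {err}"


def naive_crashes(buf: bytes) -> bool:
    """True if the naive parser fails on this frame (the crash the chapter
    describes); False if it returns something, whether correct or not."""
    try:
        parse_frame_naive(buf)
        return False
    except (IndexError, struct.error):
        return True


if __name__ == "__main__":
    good = build_frame(0x01, b"\x00\x10\x00\x02")   # constructed sample frame
    for name, frame in [("well-formed", good), ("one byte short", good[:-1]),
                        ("one byte extra", good + b"\x00")]:
        print(f"{name:15} naive crashes: {naive_crashes(frame)!s:5} "
              f"hardened: {classify(frame)}")
```

The hardened version rejects the short and the long frame for the same reason: the declared length and the received length disagree. Rejecting and logging a malformed frame, rather than crashing or guessing, is what keeps a network scan from taking a third of an installation offline.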

These are just some examples of ICT innovation and adoption cycles where the system designers did not properly take security considerations into account and the programmers failed to learn from cyber security lessons identified in earlier ICT adoption cycles. Failing to protect against buffer overflows, no input validation, not cleaning sensitive information from re-usable memory buffers, and embedding system passwords are just some examples of errors, and thus disguised old threats, that occur over and over again with each ICT innovation cycle.

Moreover, new ICT functionality itself provides unknown backdoors. For example, new versions of Programmable Logic Controller (PLC) boards nowadays may contain an embedded web engine. Often such new PLC boards replace old defective PLC boards. The new functionality, however, allows access to all PLC functions unless someone takes the time to lock the web interface entry.

More examples of these and other threats to process control systems can be found in Luiijf (2010).

Organizational Aspects not Learned From Previous ICT Innovation Cycles

When we take a look at the end-user side, early adopters of ICT innovations mainly focus on effectiveness increases, “cool” applications, and ease of use. Therefore, manufacturers are rewarded by early adopters for being first on the market with their cool new functionality, rather than for bringing, months later, a secured, well-tested, and less easy-to-use innovation empowered by the use of ICT.

During the mainstream phase of an ICT innovation cycle, the whole chain (from manufacturer, sales force, and acquisition process at the end-user, system integrator, installer, third-party maintenance organization, to the daily operations by the end-user) largely fails to take cyber security into account. The whole process is focused on providing functionality, not on a secure operational environment. It starts with the manufacturer’s installation guide, which discusses electromagnetic compatibility on the first pages, then where to connect the power cord and network plug. Security, if at all, is loosely documented after page 60. It may even come as a surprise when standard manufacturer passwords have been modified at all. Where ICT is almost hidden as part of easier-to-use functionality, people are “unconsciously insecure.” An extensive discussion of this phenomenon and some detailed examples of avoidable cyber security failures can be found in Luiijf (2013).

Emerging Threats

From the above, it will be clear that any next ICT innovation cycle will result in new threats to end-users and our society. The bright new ICT inventors focus on the new functionality, increased efficiency and effectiveness of people and organizations, and ease of use. They lack any historic understanding of previous secure design failures and of earlier lessons identified in good coding practices.

This means that emerging threats can be predicted in new fields of ICT, especially where ICT is deeply embedded in functional systems. Often the threats are old threats disguised in a new look. These will allow cybercriminals, hacktivists, cyber spies, and states to enter ICT-based systems in an unauthorized way by making use of:

• Weaknesses in the validation of input values and protocol elements, causing unexpected inputs to be used as a can opener.

• Buffer overflows allowing elevation of access rights to system manager (root) level.

• Man-in-the-middle attacks on near field and wireless communication channels.

• The addition of self-configuring hardware modules to an existing system or network, providing a backdoor.

• Publicly known manufacturer and other default passwords.

• Unconfigured functionality which provides a backdoor.

• Unconsciously insecurely managed ICT, often embedded in functions where people do not understand that it contains ICT under the “hood.”

The above forms a basis to understand the large number of next innovation areas where ICT is embedded and which may provide or already provides such security threats and new attack routes. We can distinguish mass products and essential parts of critical sectors:

1. Modern living: Increasingly, digital TVs are connected to public networks and the internet. The many millions of digital TVs with sets of fast video processing engines are an attractive source of processing power for cyber criminals, e.g., to make them part of botnets. The digital TV soon will become an open platform; see for instance the Wyplay developments, making the TV the heart of multi-media, gaming and other new digital services. Obviously, there is not yet a clear concern about the cyber security threats of the digital TV, and there will not be until it is too late.

2. Modern living: Domotics (domestic robots) will take off soon. An increasing number of early adopters currently monitor and change temperature settings in their home or office remotely from their smart phone. This is just a first step in the remote management of the home. No one discusses the cyber security threats related to these functions.

3. Health sector: An increasing number of ICT-based systems are used to monitor the health of persons. Pacemakers and insulin pumps already have been hacked through their wireless interface. The designers did not take into account that hackers might be interested in manipulating such small systems. The wrong settings, however, may have a life-threatening effect (Stigherrian, 2011).

4. Soon, devices which monitor persons with a health problem on a 24/7 basis will be connected to the global grid with mobile and wireless technologies. If functionality goes first, manipulated data may cause all such patients to be phoned automatically to report immediately at the hospital, or may cause wrong levels of medicines to be prescribed to patients.

5. Health monitoring and other medical equipment in hospitals is increasingly connected to the hospitals’ core network. As the protection of such networks may be weak for reasons discussed above, patients may be at risk. Impossible? In the Netherlands, a health monitoring system in a hospital emergency room was found to be a member of the Kazaa music sharing network. Thinking about cyber security seems to be discouraged near medical equipment. Is that because the cyber threat raises one’s pulse rate beyond healthy limits? Actually it is the unconsciously insecure phenomenon again.

6. Financial sector: Near Field Communication (NFC) chips provide a new form of identification and authentication for the holder of a smart phone. This forms the basis for contactless micro payments. It can be expected that cybercrime will take advantage of the payment function by remote manipulation of the smart phone.

7. Transport sector: Modern cars and trucks contain an enormous number of lines of code in their increasing number of electronic control units (ECUs). According to TRB (2012), they are literally “computers on wheels.” The code modules monitor an increasing number of sensors and control and activate many actuators, from brakes to windscreen wipers, from lights to collision avoidance systems. As many manufacturers develop modules, the interfaces between them need to be open. They presume a benign, closed environment without hackers. However, if not already in your current car, network interfaces with public networks will soon provide automatic emergency call services such as Assist™ and eCall. Other services will follow, which means that mobile data and mobile internet interfaces will open the car platform to two-way communication. Cybercrime will follow in due time.
Note that cars may not only be used for their mobility function. The battery may be used as temporary storage for locally produced power, which can later be sold at a much higher price to the power grid. Cyber criminals may try to disrupt such mechanisms in order to affect the cyber-physical grid behavior and energy market prices.
Another expected innovation, stimulated by the authorities, may be the activation of all car horns in a selected area. This may be an alternative to the hard to maintain, costly and, in rural areas, ineffective emergency siren system. Such functionality may be of interest to hackers who want to show their abilities (probably in the middle of the night).
Experiments with collaborative and fully automatic driving of cars and trucks take place in the USA and EU. Safety is an issue, but ICT security aspects seem to be of less concern despite many successful hacking attacks on cars in laboratory settings (Rouf et al., 2010). Moreover, the threat to the security of the transport system, e.g., due to malware affecting a specific car type or a specific type of ECU, has not been addressed upfront. Once again, earlier identified lessons are not taken into account. Moreover, mechanics who perform the software upgrades to your car during maintenance have not been trained in cyber securing the laptop they hook up to cars, another unconsciously insecure risk. A more detailed analysis of threats to ICT systems in and around cars can be found in Bijlsma et al. (2013).
Another innovation is the next generation digital red light/speed trap camera. It will require only a power source, as a wide range of wired and wireless connectivity options provides remote access. As the camera can be programmed remotely to read number plates and to decide which information is stored and transmitted with a picture for issuing a fine, it will be an attractive functional box for hackers to create havoc with, e.g., by taking a photo of each taxi, independent of its speed, during the green phase.

8. Energy and drinking water sectors: Smart meters are now being rolled out in a number of nations. They will form the first smart interface between the utility grids (such as power, gas, drinking water) and the local utility system within properties. Smart meters make it feasible for utility customers to have very flexible contracts based on greenness, time of day and day of the week. As prosumers, they may sell locally generated power to the grid at the best time. Manipulation of smart meters, however, provides a business model to (cyber) criminals, as has already been shown in the USA by KrebsOnSecurity (2012). As smart meters often use mobile telecommunication technologies to communicate with neighboring concentration points, and there will be many of those concentration points per local area, the investment in technology, and therefore in cyber security, needs to be cheap. On the other hand, the equipment needs to function for years, while no one is prepared for massive security upgrades in case malware or other cyber security failures affect the smart meter function.
Some smart meters allow for a remote turn-off of the customer services. Cyber criminals or hacktivists may find a way to turn off utility services at a large scale, for instance to extort a utility company. Note that in many nations it is legally not allowed to remotely activate utility services to a property, as that may endanger the safety of persons. A large-scale event therefore may take up to days to recover from.

9. Smart living: Smart appliances will be part of our homes soon. The smart fridge, dish washer, washing machine, and so on will start communicating with the smart grid and find the greenest or the cheapest time to use power and water. Even smarter fridges will keep track of consumables and order supplies at the local supermarket. The design of such appliances, which have an expected lifetime of at least 15 years, does not take cyber security updates into account. Moore’s law, however, will invalidate any cryptographic protection mechanism in probably half of such a lifetime. With weak security, smart appliances may become a new distributed denial of service platform, attacking either via ICT systems connected to the ICT layer or via the smart (power) grid. For example, in the latter case an attack could provide false information to the grid on a massive scale about when and how much power is required in a certain area. The question then remains: how can we manage the security posture of millions of fridges, dish washers, and washing machines, including their update status and their license to operate in the smart grid system? This becomes a cyber security challenge equivalent to what Bijlsma et al. (2013) stated for the automotive sector.

10. All sectors: Smart (energy) Grids and Smart Cities require the cooperation of a large number of stakeholders who connect their mostly physical services through a management layer with its large ICT base. Risk management across a chain of organizations is a problem, especially because it is often vague who is responsible for which risks. Making the chain (cyber) resilient is an even larger challenge. But also at the higher level of information exchanges between organizations, the earlier identified cyber security lessons are not applied. Failing to validate information acquired from another organization, i.e., to verify that the source was allowed to send it and that it contains expected values, may cause decisions to be taken with major consequences. Criminals may take advantage of such weak interfaces, e.g., by careful crafting of service price jumps.
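The inter-organizational validation the paragraph above calls for, as an added example that is not the chapter’s code: one constructed message type, a regional energy price published by a partner organization into a smart-grid chain, is checked before it may influence any decision. Every name and value below (partner identifiers, shared keys, the EUR/MWh plausibility bounds, the maximum jump ratio, the freshness window) is an assumption made for the example. The check answers both questions the chapter raises, whether the sender was allowed to send it and whether the value is one the receiver expects, and returns a list of reasons so that a rejected message can be logged with its cause.

```python
import hashlib
import hmac
import math
import time
from dataclasses import dataclass

# Allowed partner organizations and their shared HMAC keys (constructed).
PARTNER_KEYS = {"grid-operator-A": b"constructed-shared-key-A"}
KNOWN_REGIONS = {"north", "south"}
PRICE_BOUNDS = (-500.0, 3000.0)   # plausible EUR/MWh envelope (assumption)
MAX_JUMP_RATIO = 3.0              # reject a move of more than 3x vs last price
MAX_AGE_S = 300                   # reject messages older than five minutes
CLOCK_SKEW_S = 5                  # tolerated future-dating between organizations


@dataclass(frozen=True)
class PriceUpdate:
    sender: str
    region: str
    price_eur_mwh: float
    issued_at: float          # Unix time
    signature: str = ""       # hex HMAC-SHA256 over canonical()


def canonical(update: PriceUpdate) -> bytes:
    """Byte string that is signed; the signature field itself is excluded."""
    return (f"{update.sender}|{update.region}|{update.price_eur_mwh!r}|"
            f"{update.issued_at!r}").encode()


def sign(update: PriceUpdate, key: bytes) -> PriceUpdate:
    """What the sending organization does before publishing."""
    sig = hmac.new(key, canonical(update), hashlib.sha256).hexdigest()
    return PriceUpdate(update.sender, update.region, update.price_eur_mwh,
                       update.issued_at, sig)


def validate(update: PriceUpdate, last_price, now=None) -> list:
    """Receiving side. Returns the reasons to reject; an empty list means the
    message may be used. `last_price` is the last accepted price for the
    region (None if there is none yet)."""
    now = time.time() if now is None else now
    reasons = []

    # 1. Was the source allowed to send this at all, and is it really them?
    key = PARTNER_KEYS.get(update.sender)
    if key is None:
        reasons.append("sender not in the allowed partner list")
    else:
        expected = hmac.new(key, canonical(update), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(update.signature, expected):
            reasons.append("signature does not verify")

    # 2. Is the message fresh (not replayed hours later, not from the future)?
    if not (now - MAX_AGE_S <= update.issued_at <= now + CLOCK_SKEW_S):
        reasons.append("timestamp stale or in the future")

    # 3. Are the values ones we expect?
    if update.region not in KNOWN_REGIONS:
        reasons.append("unknown region")
    price = update.price_eur_mwh
    if not isinstance(price, (int, float)) or not math.isfinite(price):
        reasons.append("price is not a finite number")
    else:
        low, high = PRICE_BOUNDS
        if not low <= price <= high:
            reasons.append("price outside plausible bounds")
        elif last_price is not None and last_price > 0 and price > last_price * MAX_JUMP_RATIO:
            reasons.append(f"price jump exceeds {MAX_JUMP_RATIO}x the last accepted price")
    return reasons


if __name__ == "__main__":
    now = time.time()
    key = PARTNER_KEYS["grid-operator-A"]
    for label, msg in [
        ("normal", sign(PriceUpdate("grid-operator-A", "north", 120.0, now), key)),
        ("jump", sign(PriceUpdate("grid-operator-A", "north", 900.0, now), key)),
        ("forged", PriceUpdate("grid-operator-A", "north", 120.0, now, "00")),
        ("stranger", sign(PriceUpdate("someone-else", "north", 120.0, now), b"k")),
    ]:
        print(f"{label:9} -> {validate(msg, last_price=100.0, now=now) or 'accepted'}")
```

The order of the checks is deliberate: provenance first, then freshness, then semantics. A jump limit on its own does not help against a forged message, and a signature on its own does not help against a partner whose system has itself been compromised and now emits implausible values, which is why both kinds of check are needed at every boundary in the chain.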

11. Health and care sector: After a slow start, fixed position robots are applied in flexible industries such as the automotive sector. Currently, a first-generation mobile robot is on the market. A fast innovation cycle is expected, as these robots are expected to become part of the workforce in hospitals and homes for elderly people. They will provide flexible services at lower costs and fill the current gaps in the availability of nurses and people providing personal care. The pressure to bring robots to the market may cause the main focus to be on safety aspects while cyber security aspects are overlooked. It can be predicted from the earlier identified cyber security lessons that cyber security failures will occur in the protection of communication channels between the robot and the main controlling station and in validating commands to the robot. Who is liable when, due to a cyber-attack, a robot provides the wrong medicine or shakes up a bed with a person enwrapped in plaster? Moreover, robots will be managed by a department which is likely to be unconsciously insecure. It will activate the robots without a properly secured configuration, as the configuration handbook will only discuss robot safety issues and will not discuss cyber security issues at length.

12. All sectors: The next ICT innovation cycle is the Internet of Things (IoT). Almost any device will have an internet address, communicate what it senses, and may activate its actuators. Futurists dream about amazing new ICT functions and bright technical people implement them. In some cases they even inject an RFID chip under their skin to identify themselves as authorized users of innovative ICT-based services. Once again, more elaborate thoughts about cyber security are not in the designers’ mind set.

Conclusions

This chapter showed that earlier cyber security lessons, identified about threats and risks in current and previous ICT innovation cycles, do not make their way into the next ICT innovation cycle. The old cyber security lessons will be identified again. Patches will be used to plug the holes in the “Swiss cheese” design.

People with the bright innovative ideas are not educated in cyber security, neither are many of the programmers who implement their ideas. They neglect the old threats which provide attack paths to cyber criminals.

New and emerging threats can therefore be predicted as long as this innovation cycle without proper cyber security is not broken. The only advantage is that cybercrime investigators can prepare themselves for the next innovation cycle by becoming an early adopter and preparing the right set of forensic tools.
