CRISTINA QUINN: It was 11:30 p.m. on a crowded flight from Vancouver to Raleigh, North Carolina.
Steven Petrow is tired, he'd been at a conference all week, and he spent most of the flight
working.
STEVEN PETROW: So as we approached Raleigh, I closed down my laptop, I read a little bit
from a book, I had a couple glasses of wine and then we landed, it was just about midnight.
I got up, I got my bag down from the overhead bin, and I was turning to start to go out
and this fellow came up to me from behind and said aren't you a journalist.
CRISTINA QUINN: The answer is yes.
Steven is a journalist who writes about digital life.
STEVEN PETROW: And I looked at him, and I thought I don't know you, I don't know
why you're asking me that question.
I decided I was going to be a little bit rude and not engage with him, and I was tired.
But then he said, "I know you were writing about Apple and the FBI."
And then I was like, "how could he know that.
There's no way he could know that."
He said "you better wait for me by the gate."
CRISTINA QUINN: Steven was totally shaken.
He's JUST spent his flight working on a story about the FBI pressuring Apple to help
it break into an alleged mass shooter's phone — this was big news about a year ago.
And now this suspicious man wants to talk to him.
Steven felt like he had no choice but to meet him after the flight…
STEVEN PETROW: I walked out and he came right up to me and then joyously, he tells me that
he hacked into the Airlines system, and had been sort of reading around people's emails
and computers to see what was interesting what he could find.
And mine was the most interesting to him.
Not only did he repeat back to me verbatim some of the emails I had sent and received,
he raised other possibilities for me.
That perhaps, what if I had been corresponding with my doctor about sensitive medical matters
or transmitting important financial documents.
And by this point he kind of went on for a couple of minutes, everyone else from the
flight was gone and we were standing at the end of this terminal.
THEME ENTERS
I'm here alone with this guy who knew my
name, he knew where I lived.
The sense of vulnerability and violation, and fear was high.
CRISTINA QUINN: It turns out, the guy who had broken into Steven's email was a hacker.
His intent wasn't malicious — he was mostly trying to teach Steven a lesson about living
and working in the Cloud.
A lesson many of us know in theory, but on a day to day basis is easy to forget: We're
all vulnerable, all the time — even a journalist who writes about tech.
Steven hasn't had any contact with the hacker since then, but that sense of vulnerability,
and that lesson he learned about the Cloud — has stuck with him.
If it can happen here — it can happen ANYWHERE, any time.
THEME UP
CRISTINA QUINN: I'm Cristina Quinn and this
is dot-future, a branded podcast from Microsoft and Gimlet Creative, about making the future happen.
Because the future doesn't just HAPPEN.
It's the result of a series of choices that we're making right now.
You can wait for the future to come to you … or you can engage with it– and get ahead
of the curve.
Welcome to dot-future.
THEME OUT
CRISTINA QUINN: It's easy to feel vulnerable
to hacking, when everything is connected.
Your home thermostat, your baby monitor, your car, and if you're Vice President Dick Cheney…your
pacemaker.
SCOTT CHARNEY: When Dick Cheney was vice president they disconnected the wireless in his pacemaker…so
an adversary couldn't jump start his heart at an inappropriate moment.
CRISTINA QUINN: This is Scott Charney, a security expert at Microsoft.
We'll hear from him in a bit but the point he's making here is that if it's connected,
it can be hacked.
But this isn't just a problem for regular people … it's a problem on the world stage.
This happens a lot these days.
We saw it in May, with the "Wanna Cry attack."
And as we were putting the finishing touches on this episode — another MASSIVE ransomware
attack hit infrastructure in something like 150 countries.
Companies from the Danish shipping giant Maersk to the Russian oil conglomerate Rosneft were
affected, and the Ukrainian government was hit HARD.
Everything from banks, to the safety systems at Chernobyl, were targeted.
It drives the point home: It's more important than ever that the Cloud stays safe and secure
for all.
And that's what we're going to talk about today: New ways of waging war require new
ways of waging peace to keep the cloud safe for everyone.
CYRUS FARIVAR: When you hear about, like, the cloud, and you're like well what does
the cloud mean?
It just means the internet.
CRISTINA QUINN: This is Cyrus Farivar.
He writes for the tech website Ars Technica, and he's mostly right about the cloud.
If you're listening to this podcast on your phone — it's coming to you over the cloud.
If you stream movies, they're coming from the cloud.
If you upload your snapshots to a photo service, that's the cloud.
All of that data lives in privately owned data storage centers around the world.
All the big tech companies have them, Google, Amazon, Microsoft has one called Azure.
The cloud has a lot of advantages.
You can scale your storage so you don't have to keep buying new hard drives.
Someone with a lot more expertise than you is busy keeping your data safe.
And you access stuff remotely, and collaborate with people who aren't in the room.
Problem is, other people can also access your stuff remotely.
That's a lesson Steven Petrow learned at the beginning of the show.
And it's a lesson that the entire nation of Estonia learned a decade ago.
CYRUS FARIVAR: Estonia is a tiny little country at the northeastern corner of Europe.
The entire population of Estonia is 1.3 million people.
So to put that in perspective that is the combination of the population of the cities
of San Francisco, Berkeley and Oakland, where I live.
CRISTINA QUINN: In the mid 2000s Cyrus traveled to Estonia to research a part of the book
he was working on called The Internet of Everywhere.
CYRUS FARIVAR: And I was surprised that this
country that is kind of obscure had somehow decided to declare internet access a human
right, in the early 2000s when wifi was still very much getting going in the US, Estonia
was adopting it all over the place.
CRISTINA QUINN: It was surprising to Cyrus — this tiny country had wifi in gas stations
and supermarkets!
Their citizens can VOTE online!
And they can do their taxes online, in about 10 minutes.
The Estonian government actually has a name for it — they call themselves E-Estonia.
So, what's going on over there?
It turns out, it's all deliberate.
Estonia is a very young nation.
Over the centuries, they've been occupied by a TON of other countries, ending with the
fall of the Soviet Union in 1991.
So now, to Estonia, being connected isn't just about convenience — it's a kind of
insurance policy for protecting the identity of their young country.
CYRUS FARIVAR: If the territory of Estonia were to be taken away, the government of Estonia,
the state of Estonia, the republic of Estonia, would live on in its data, which would reside
somewhere else.
CRISTINA QUINN: That "somewhere else" is the cloud.
Estonia hasn't always had its government backed up to the cloud.
Early on when they were still converting from Estonia to E-Estonia, the cloud didn't really
exist and that made Estonia vulnerable to an attack
— an attack that all started with a statue.
It's 2007.
The statue in question is "the Bronze Soldier of Tallinn."
It's a Soviet soldier located in a central square in Estonia's capital, Tallinn.
The statue is about 6 feet tall.
He holds his helmet and wears a cape.
He's looking solemnly down toward the ground.
And at his feet, lay the remains of a dozen Soviet soldiers.
CYRUS FARIVAR: The monument is meant to memorialize the Soviet Union soldiers who died after they
defeated the Nazis in the Baltics.
To many ethnic Russians that still live in Estonia today this is a statue it's a monument
that symbolizes their bravery and their heroism.
CRISTINA QUINN: But to most ethnic Estonians,
the statue was a symbol of oppression.
The Soviet Union had been an occupier, and the statue was a relic of that.
And then, in late April of 2007, Estonia took the statue down.
CYRUS FARIVAR: So at about 4:30 in the morning some workers encircled the statue.
They put up a huge fence and there were a lot of people who started getting really upset
by this, and who started, shouting at the workers, things like "shame on Estonia."
And there was this large protest that devolved into something of a riot.
There were people that were smashing storefront windows — it got pretty hectic.
By the end of the night one person had been killed, there were dozens injured, hundreds
of people got arrested.
CRISTINA QUINN: And then almost as quickly
as it had bubbled up, the violence on the street calmed down.
But THEN something kind of WEIRD started happening — online.
First, Pro-Russian comments started showing up on Estonian government websites.
CYRUS FARIVAR: You know, at the beginning people thought of this, you know in the government,
they thought of this sort of as kind of a prank.
You know it's kind of annoying, but it's not really harmful in any real meaningful way.
CRISTINA QUINN: But within a week, it clear:
The attack was turning harmful in a very meaningful way.
CYRUS FARIVAR: And so May 1st was the day when major cyber attacks began affecting various
Estonian websites.
There were thousands upon thousands of spam emails sent to the mail server of the Estonian Parliament,
which knocked it out pretty fast.
Media websites were attacked in similar ways.
Most of the bank websites were not accessible.
CRISTINA QUINN: It was a "denial of service" attack.
Someone was sending so much nonsense traffic to the servers that hosted Estonia's government
services, that they couldn't keep up.
Banks, newspapers, government websites — were all knocked offline — even the national
emergency number couldn't withstand the attack.
And then, after a few days, it just stopped.
CRISTINA QUINN: It would be two years before anyone claimed responsibility for the attack
… a Russia-based youth organization, called Nashi, said they did it.
The Kremlin denied involvement, but the entire incident was a wake-up call for Estonia.
To help secure themselves against future attacks, Estonia moved their government data to Microsoft's
Azure cloud.
And just as they had with connectivity, they invested big in cyber defense expertise.
In the decade since this hack, Estonia's gotten really good at cyber defense.
Because, according to Cyrus Farivar:
CYRUS FARIVAR: We now live in a world where nation
states can have a real effect on people's lives somewhere else
CRISTINA QUINN: Estonia was one of the first nations to be attacked this way – but what
happened to them seems almost quaint in comparison to what we face regularly today….
SCOTT CHARNEY: I mean the worst case scenario that we worry about is that critical infrastructures
are attacked and they're disabled.
CRISTINA QUINN: This is Scott Charney again.
He's part of a team that heads up security policy for Microsoft.
He says man made disasters, like a hack, are like natural disasters, but have the potential
to be even worse.
SCOTT CHARNEY: With the hurricane of course you usually know it's coming and then it
hits but then it passes and everyone does restoration. In a cyber attack it may never stop.
You know it may hit, and things may go down, and as you're trying to bring it back up,
the adversary keeps trying to bring it back down.
It's a storm that never ends.
And if you think of a world without telecommunications, air transportation, it's a pretty bleak world.
CRISTINA QUINN: A cyber war is a man made disaster.
The question is: how do you come up with rules to govern it?
How do you get all of the stakeholders to agree to what's off limits, ahead of time?
Well, there's kind of a precedent for this.
Here's Brad Smith, Microsoft's President and Chief Legal Officer, speaking at a global
security conference earlier this year.
BRAD SMITH: We need governments to take a page out of the 1949 Geneva Convention.
What we need now is a Digital Geneva Convention.
CRISTINA QUINN: A Digital Geneva Convention.
To understand what that is — and how it would help, let's go back to the analog
Geneva Convention.
ARCHIVAL TAPE
The time is 1949.
The place: The Palace of Nations, Geneva, Switzerland.
Here, 59 nations have met to create and set up an improved set of rules to provide a greater
measure of protection for prisoners of war, wounded prisoners, noncombatant military personnel
and civilians not engaged in hostilities.
Rules that have since been adopted by almost all nations of the world…
CRISTINA QUINN: What we call The Geneva Convention, came out of a series of conferences.
You know, like a convention.
But when we use that term now, we're talking about a document that was ratified in 1949,
at the end of World War Two — when the world's leaders got together to talk about what the
rules of war should be.
But the idea of defining the rules of war goes back much further, according to Professor
Heidi Tworek, who writes about the history of media and technology.
HEIDI TWOREK: The first Geneva Convention was passed in 1864 and it governed how countries
should treat wounded and sick soldiers in armed combat on land battle fields.
Over the course of the late 19th and early 20th century the Geneva Convention gets updated
three times.
CRISTINA QUINN: Each of those updates was meant to address how non-combatants were treated
during warfare.
The rules changed as technology did.
Like when countries started using aircraft to attack each other.
That warranted new rules, to govern how to limit injury to civilians in a bombing.
In its current incarnation the Geneva Convention protects:
The wounded and sick military personnel on the battlefield and at sea,
Prisoners of war
And civilians during war times.
SCOTT CHARNEY: When you think about the Geneva Convention which followed the Blitz on London
and the firebombing on Dresden, the world got together and said, "if we're going
to kill each other let's do it in a civilized way."
CRISTINA QUINN: This is Scott Charney again…
SCOTT CHARNEY: You know if you look at the history of the planet there's a lot of war
and soldiers often kill soldiers.
People try to avoid it.
But when it does erupt let's try and protect civilian populations.
CRISTINA QUINN: In the olden days you could protect civilians by not waging war in the
places where they lived and worked.
But now, where we live and work is the cloud.
And just like the skies became a new place where fighting and spying could happen, cyberspace
is a new battle ground.
Wars will happen there.
But to protect civilians, we need new rules, we need a new Digital Geneva Convention – and
there's a group of companies – including Microsoft – working to protect Internet users.
Here are some of the parameters they're working with right now:
Number one:
Recognizing that the "battlefield" -- as a discrete place that you can keep
civilians out of -- doesn't really exist on the internet.
Cyberspace is the playground, the school, the marketplace, the town hall and the economy
… and nations need to bear this in mind, when they exchange volleys on the internet.
Here's Scott Charney:
SCOTT CHARNEY: The battlefield is designed,
deployed and maintained by the private sector, and the private sector is often the first
responder when there's an attack.
And so we are the battlefield.
And that's fundamentally different than the way it used to work.
CRISTINA QUINN: Number two!
A Digital Geneva Convention must be a partnership between the nations that wage war and the
private sector.
Because the private sector is made up of the companies that actually manage and protect
the infrastructure where cyber war occurs.
Both governments and private companies have a role to play, by pointing out security flaws
to one another, when they find them, so they can fix them – rather than leaving them
vulnerable to being exploited.
SCOTT CHARNEY: Microsoft has been involved in this debate for several years, and we are
urging more companies to join because we really think it is critical to promoting trust in
information technology.
CRISTINA QUINN: And finally, the third parameter they're working to establish … a Digital
Geneva Convention should be able to flex and change as easily as technology evolves.
To that end, Microsoft is calling for the creation of a group or a forum to help identify
the perpetrators of cyber attacks, as the tactics change and get more sophisticated.
Here's Microsoft President Brad Smith again from his speech at that Global Security Conference:
BRAD SMITH: We need an agency that brings together the best and the brightest in the
private sector, the best and the brightest in academia and the public sector.
We need an agency that has the international credibility not only to observe what's happening,
but to identify the attackers when nation-state attacks happen.
CRISTINA QUINN: The idea behind the forum is similar to the International Atomic Energy Agency.
That's an independent organization that helps investigate whether or not a country
has violated international rules, rather than relying on states to police themselves.
A neutral third party could help navigate the stumbling blocks that this new battlefield presents.
Like figuring out where a cyber attack really originated, here's Cyrus Farivar again.
CYRUS FARIVAR: If you're talking about you know missiles being launched from one place
to another you know we have satellites and we have lots of other ways of saying OK yeah
this was launched from this base, in this country.
It's very easy to understand that when it comes to you know who attacked who online
or who did what, it's a little bit trickier.
CRISTINA QUINN: For example, going back to our Estonia case study.
If one country had bombed another country, that would have been pretty clearly an act
of war.
But instead, the denial of service stunt — was it a hack?
Or an attack?
The answer has real world ramifications.
CYRUS FARIVAR: In Article 5 of the NATO Charter, it famously says, "an attack against one
is an attack against all."
Estonia is a member of NATO, United States is a member of NATO.
There are lots of other NATO countries in Europe.
And so what does that mean, if Estonia or the U.S. is attacked online?
Does that mean the other countries should gang up on Russia and attack Russian websites?
SCORING IN
CRISTINA QUINN: When it comes to cyber warfare,
nations have a choice about HOW they respond.
But ignoring the issue isn't really an option anymore.
For better or worse, we're all in this together….according to Scott Charney.
SCOTT CHARNEY: You think about the Internet, you can think about global warming, which
you just can't solve one country at a time, because we're all connected.
We all share the same planet in the same environment, we all share the same Internet and we're
all dependent in large part on the same set of technologies.
CRISTINA QUINN: One set of rules — in a Digital Geneva Convention — is a place to start.
It's a way of getting countries and private companies around the table to begin
these conversations.
We've never done that before.
Now's the time to try.
But: In case you're sitting there thinking, "Man, this seems like it's totally out
of my hands,"….our historian and media expert from earlier, Heidi Tworek, has some
news for you.
HEIDI TWOREK: You see a lot of people who say ah there's nothing we can do we just
have to take it, and that just seems to me really a fallacious way of going about things.
Can we prevent massive cyber attacks?
I really hope so.
But let's not just pretend that there's nothing we can do about it.
CRISTINA QUINN: Like for starters, follow the instructions!
HEIDI TWOREK: Everybody has done that, where it pops up on your screen and it says "update"
and you always want to click on the button not now because you know how annoying it's
going to be.
But if you're a hospital you can't click on the "not now" button.
CRISTINA QUINN: This is one of the things that went wrong with this spring's "Wanna
Cry" ransomware attack.
Computers at the National Health Service in England were locked by the attack — and
held hostage, for ransom.
The computers were vulnerable because they hadn't been updated in ages.
But even if you're not a hospital, do the upgrade!
HEIDI TWOREK: They're actually about making sure that our computers are not vulnerable
and that our critical infrastructure is up to scratch and not subject to these sorts
of vulnerabilities as far as we can assure that.
CRISTINA QUINN: Heidi says upgrading might very well be more than just a good idea.
We should actually consider whether companies should be legally obligated to do updates
on critical infrastructure, in the same way citizens are legally obligated to take certain
precautions.
For example —
HEIDI TWOREK: It's the responsibility of
every citizen within the United States to get themselves vaccinated against diseases
like Measles, because then that ensures that we don't end up having epidemics.
But if an epidemic does break out we do have the World Health Organization and we have
the CDC to deal with it.
So we have multiple stakeholders in trying to prevent epidemics and to contain health scares.
Individuals who use computers are also responsible.
They're not solely responsible but they play a role just as it is our role as a citizen
to ensure that our children are vaccinated.
CRISTINA QUINN: Everyone has a role to play.
As citizens, it's keeping our defenses up to date.
And as members of the global community — as nations — our role is to engage with each
other, to keep our Cloud safe.
A new Digital Geneva Convention might seem pie in the sky — get it, the Cloud, pie
in the sky — but it's also important.
Because we all play a part in keeping one another safe online.
Because we're all connected….on the Cloud.
CREDITS
Dot-future is a co-production of Microsoft
Story Labs and Gimlet Creative.
We were produced this week by Ana Adlerstein and Katelyn Bogucki, with help from Victoria
Barner, Garrett Crowe, Frances Harlow, Nicole Wong, Abbie Ruzicka, Julia Botero and Jorge Estrada.
Creative direction from Nazanin Rafsanjani.
Production assistance from Thom Cote.
We were edited by Rachel Ward and mixed by Zac Schmidt.
Our theme song was composed by The Album Leaf.
Additional music from Eliot Lipp, Whaltho and Marmoset.
Special thanks to Tom Dannenbaum, Niki Clark, Matthew Dermot Clancy, and Ilves Sandoval
from the International Committee of the Red Cross.
Coming up next week on Dot Future, we're tackling the issue of health …
In the digital era we have access to so much data.
CHRIS DANCY: Because I keep track of a lot of sets of data about myself…what's your
heart rate..what's your respiration…what's your blood sugar?
It's very easy for me to understand where behaviors are coming from and how to adjust them.
How we turn data into meaningful information, to keep ourselves well.
That's coming up next week on dot future.
If you like dot-future, subscribe on Apple Podcasts, or wherever you get your podcasts!
And please, leave us a review to tell us why!
It really helps people find our show.
To learn more about the show, visit dot future dot net
I'm Cristina Quinn.
Thanks so much for listening!