Our Final Invention: Artificial Intelligence and the End of the Human Era Hardcover (29 page)

Many species of malware exist, but whether they’re worms, viruses, spyware, rootkits, or Trojan Horses, they have one design goal in common: they were built to exploit computers without the owner’s consent. They will steal something stored on it—credit card or social security numbers, or intellectual property, or install a trapdoor for later exploitation. If the infected computer resides on a network, they can raid connected computers. And they can enslave the computer itself as part of a “botnet,” or robot network.

A botnet (controlled by a “bot herder,” naturally) is often comprised of millions of computers. Each computer has been infected by malware that got access when its user received tainted e-mail, visited a contaminated Web site, or connected to a compromised network or storage device. (At least one ingenious hacker scattered infected flash drives in a defense contractor’s parking lot. An hour later their Trojan Horse was installed on the company’s servers.) Criminals wield the botnet’s aggregate processing power as a virtual supercomputer to commit extortion and theft. Botnets break into corporate mainframes to steal credit card numbers and issue denial of service attacks.

The consortium of hackers who call themselves “Anonymous” have used botnets to enforce their brand of justice. In addition to paralyzing Web sites at the U.S. Department of Justice, the FBI, and Bank of America for perceived offenses, Anonymous has attacked the Vatican for the dated crime of burning books and the newer one of protecting pedophiles.

Botnets force compromised computers to send spam, log keystrokes, and steal pay-per-click ad dollars. You can be enslaved and not even know it, especially if you’re running an already sluggish and buggy operating system. In 2011, botnet victims increased 654 percent. Using botnets or simple malware to steal from computers grew from a multimillion-dollar racket in 2007 to a one trillion-dollar industry by 2010. Cybercrime has become a more lucrative business than the illegal drug trade.

Ponder that next time you wonder if anyone will be crazy or greedy enough to create malicious AI, or hire malicious AI when it’s available. Lunacy and greed, however, didn’t cause the cybercrime boost by themselves. Cybercrime is an information technology, powered by LOAR. And like any information technology, market forces and innovation fuel it.

One important innovation for cybercrime is cloud computing—selling computing as a service, not a product. As we’ve discussed, cloud services like those offered by Amazon, Rackspace, and Google allow users to rent processors, operating systems, and storage by the hour, over the Internet. Users can pile on as many processors as their project needs, within reason, without attracting attention. Clouds give anyone with a credit card access to a virtual supercomputer. Cloud computing has been a runaway success, and by 2015 is expected to generate $55 billion in revenue worldwide. But, it’s created new tools for crooks.

In 2009 a criminal network used Amazon’s Elastic Cloud Computing Service (EC2) as a command center for Zeus, one of the largest botnets ever. Zeus stole some $70 million from customers of corporations, including Amazon, Bank of America, and anti-malware giants Symantec and McAfee.

Who’s safe from hackers? Nobody. And even in the off chance you don’t use a computer or smart phone, you’re not necessarily safe either.

That’s what I was told by William Lynn, the former United States Deputy Secretary of Defense. As the number two official in the Pentagon, he designed the Department of Defense’s current cybersecurity policy. Lynn held the Deputy Secretary position until the week I met with him at his home in Virginia not far from the Pentagon. He planned to return to the private sector, and while we spoke he said goodbye to a few things from his old job. First, a military-looking crew came for the giant metal safe the DOD had installed in his basement to keep his homework secure. After a lot of banging and grunting, they returned to take out the firewall-protected computer network in his attic. Later Lynn planned to bid adieu to the security detail who’d occupied the house across the street for the last four years. Lynn is a tall, affable man in his mid-fifties. His slightly folksy voice carries tones of honey and iron, qualities handy during his past jobs as head lobbyist for arms manufacturer Raytheon and the Pentagon’s chief comptroller. He said his government bodyguards and chauffeur were like family, but he was looking forward to returning to the normalcy of civilian life.

“My kids tell their friends Daddy doesn’t know how to drive,” he said.

I’d read Lynn’s papers and speeches on national cyberdefense and knew that he’d driven the DOD to get organized to combat cyberattacks. I’d come to him because I was interested in national security and the cyberarms race. My hypothesis is nothing revolutionary: as AI develops it will be used for cybercrime. Or put another way, the cybercrime tool kit will look a lot like narrow AI. In some cases it already does. So, on the road to AGI, we’ll experience accidents. What kind? When smart tools are in the hands of hackers, what’s the worst that could happen?

“Well, I think the worst case is the infrastructure of the nation,” said Lynn. “The worst case is that either some nation or some group decides to go after the critical infrastructure of the nation through the cybervector, so that means the power grid, the transportation network, the financial sector. You could certainly cause loss of life, and you can do enormous damage to the economy. You can ultimately threaten the workings of our society.”

You can’t live in an urban area without learning something about the nation’s brittle infrastructure, particularly the power grid. But how did it become the stage for this wildly asymmetrical threat, where the actions of a few crooks with computers can kill innocent people and cause “enormous damage” to the economy? Lynn answered with something I’d heard before from Oracle cybersleuth, and former navy spook, Joe Mazzafro. Cyberattacks are overwhelming and destabilizing because, “The Internet wasn’t developed with security in mind.”

That truism has complex implications. When the Internet went from government to public hands in the 1980s, no one anticipated that a theft industry would arise upon its back, and billions would be spent to fight it. And because of those guileless assumptions, Lynn said, “The attacker has a huge advantage. Structurally it works out that the attacker only has to succeed once in a thousand attacks. The defender has to succeed every time. It’s a mismatch.”

The key is in the code. Lynn pointed out that while Symantec’s deluxe antivirus software suite is somewhere between five hundred and a thousand megabytes in size, which equals millions of lines of programming code, the average piece of malware runs only a hundred and fifty lines. So playing only defense won’t win the game.

Instead Lynn proposed to begin leveling the playing field by raising the cost of cyberattack. One way is attribution. The DOD determined that the big incursions and thefts were being performed by nation-states, not individuals or small groups. And they figured out exactly who was doing what. Lynn wouldn’t name names but I already knew that Russia and China command state-run cybercrime rings made up of government personnel and enough outside gangs to permit a whiff of deniability. In a massive 2009 attack dubbed Aurora, hackers broke into some twenty U.S. companies, including Google and defense giants Northrop Grumman and Lockheed Martin, and gained access to entire libraries of proprietary data and intellectual property. Google tracked the hacks to China’s People’s Liberation Army.

Symantec claims China is responsible for 30 percent of all targeted malware attacks, and most of it, 21.3 percent overall, comes from Shaoxing, making that city the malicious software capital of the world. Scott Borg, director of the U.S. Cyber-Consequences Unit, a Washington, D.C.-based cyber think tank, has researched and documented Chinese attacks on U.S. corporations and government going back a decade. Look up, for example, the exotically named cybercrime campaigns called “Titan Rain” and “Byzantine Hades.” Borg claims China “is relying increasingly on large-scale information theft. This means that cyberattacks are now a basic part of China’s national development and defense strategies.” In other words, cybertheft helps support China’s economy while giving it new strategic weapons. Why spend $300 billion on the Joint Strike Fighter program for a next gen fighter jet, as the Pentagon did in their most expensive contract ever, when you can steal the plans? Theft of defense technology is nothing new among the United States’ military rivals. As we noted in chapter Fourteen, the former Soviet Union didn’t develop the atomic bomb, it stole U.S. plans.

On the intelligence front, why risk flesh-and-blood spies and diplomatic embarrassment when well-written malware can accomplish more? From 2007 to 2009 an average of 47,000 cyberattacks a year were leveled against the Departments of Defense, State, Homeland Security, and Commerce. China was the chief culprit, but it certainly wasn’t alone.

“Right now, more than a hundred foreign intelligence organizations are trying to hack into the digital networks that undergird U.S. military operations,” Lynn said. “If you’re a nation-state, you do not want to bet the farm on the fact that we might not figure out who’s doing it. That wouldn’t be a very wise calculus, and people are pretty smart about their own existence.”

That not-so-veiled threat suggests another measure Lynn has pushed—treating the Internet as a new domain of warfare, along with the land, sea, and sky. That means if a cyber campaign is sufficiently harmful to American people, infrastructure, or economic vitality, the DOD will respond with conventional weapons and tactics. In Foreign Affairs magazine Lynn wrote: “The United States reserves the right, under the law of armed conflict, to respond to serious cyber attacks with an appropriate, proportional, and justified military response.”

As I spoke with Lynn, I was struck by the similarities between malware and AI. In cybercrimes it’s very easy to see how computers are an asymmetrical threat multiplier. Lynn said it with an alliterative flourish: “Bits and bytes can be as threatening as bullets and bombs.” Similarly, the hard thing to grasp about the danger of AI is that a small group of people with computers can create something with the power of military weapons, and then some. Most of us intuitively disbelieve that a creation from the cyberworld can enter our world and do us real, lasting harm. Things will work out, we tell ourselves, and experts concur with ominous silence or weak nods at defenses. With AGI, the equal danger of bytes and bombs is a fact we’ll have to contend with in the near future. With malware, we have to accept the equivalence now. We should almost thank malware developers for the full dress rehearsal of disaster that they’re leveling at the world. Though it’s certainly not their intention, they are teaching us to prepare for advanced AI.

Overall, the state of cyberspace ain’t pretty. It is teeming with malware that attacks at the speed of light, with the tenacity of piranhas. Is this our nature, amplified by technology? Because of their manifest vulnerabilities, older versions of the Windows operating system get attacked by swarms of viruses as they’re being installed. It’s like pieces of meat dropped on the rain forest floor, but ten thousand times faster. This snapshot of the cyber present is a vision of the AI future.

Kurzweil’s cyberutopian tomorrow is populated by human-machine hybrids that are infinitely wise and unspoiled by treasure. You hope your digital self will be a machine of loving grace, to paraphrase the writer Richard Brautigan. A fairer prediction is that the digital you will be bait.

*   *   *

But back to the connection between AI and malware. What chastening accident might smart malware dish out?

The nation’s energy grid is a particularly interesting target. There has recently been a loud, ongoing debate about whether or not it is fragile, whether it’s vulnerable to hackers, and who’d want to break it anyway? On the one hand, the energy grid isn’t one grid, but many private, regional, energy production, storage, and transportation networks. Some three thousand organizations, including about five hundred private companies, own and operate six million miles of transmission lines and related equipment. Not all power stations and transmission lines are connected to one another, and they’re not all connected to the Internet. That’s good—decentralization makes power systems more robust. On the other hand, a lot of them are connected to the Internet, so they can be remotely operated. The ongoing implementation of the “smart grid” means that soon all the regional grids and all our homes’ energy systems will be connected to the Internet.

In brief, the smart grid is a fully automated electricity system that’s supposed to improve the efficiency of electric power. It brings together old power sources like coal- and fuel-burning electrical plants with newer solar and wind farms. Regional control centers will monitor and distribute energy to your home. Some 50 million home systems across the country are already “smart.” The trouble is, the new smart grid will be more vulnerable to catastrophic blackouts than the not-so-dumb old grid. That’s the gist of a recent study from MIT, entitled “The Future of the Electric Grid”:

The highly interconnected grid communications networks of the future will have vulnerabilities that may not be present in today’s grid. Millions of new communicating electronic devices, from automated meters to synchrophasors, will introduce attack vectors—paths that attackers can use to gain access to computer systems or other communicating equipment—that increase the risk of intentional and accidental communications disruptions. As the North American Electric Reliability Corporation (NERC) notes, these disruptions can result in a range of failures, including loss of control over grid devices, loss of communications between grid entities or control centers, or blackouts.

The feature of the power grid that makes it the queen of national infrastructure is that none of the other parts of the infrastructure work without it. Its relationship with other infrastructure is the very definition of “tight coupling,” the term Charles Perrow uses to describe a system whose parts have immediate and severe impact on each other. With the exception of a relatively few homes powered by wind and solar, what doesn’t get power from the electrical grid? As we’ve noted, our financial system isn’t just electronic, but computerized and automated. Fueling stations, refineries, and solar and wind farms use electricity, so in case of a blackout forget about transportation as a whole. Blackouts threaten food security because trucks use fuel to bring food to supermarkets. At stores and at home, food that requires refrigeration lasts just a couple of days without it.
