Ransomware Attacks Are Only Going to Get Worse - The Atlantic

In pandemic terms, Galactica was an island that no one could travel to.

Our software infrastructure is not built with security in mind. That’s partly because a lot of it depends on older layers, and also because there has been little incentive to prioritize security. More operating systems could have been built from the start with features such as “sandboxing,” in which a program can play only in a defined, walled-off area called a “sandbox” that is unreachable by anything else. If that program is malicious, it can do damage only inside its sandbox. (This is analogous to the idea of “air gapping,” in which crucial parts of a network are physically disconnected from the rest of the network and from the internet.)


Adding security after the fact to a digital system that wasn’t built for it is very hard. And we are also surrounded by “technical debt,” programs that work but were written quickly, sometimes decades ago, and were never meant to scale to the degree that they have. We don’t mess with these rickety layers, because it would be very expensive and difficult, and could cause everything else to crumble. That means there is a lot of duct tape in our code, holding various programs and their constituent parts together, and many parts of it are doing things they weren’t designed for.

Our global network isn’t built for digital security. As I wrote in 2018, the early internet was intended to connect people who already trusted one another, such as academic researchers and military networks. It never had the robust security that today’s global network needs. As the internet went from a few thousand users to more than 3 billion, attempts to strengthen security were stymied because of cost, shortsightedness, and competing interests.

Even putting aside the security of our networks, our ordinary devices are sometimes shipped with passwords that are drawn from a preexisting list that includes the very-hard-to-crack “password,” “1234,” and “default.” In 2019, I explained how vulnerable that leaves us, using the example of interlinked zombie baby-monitors being used to cripple infrastructure (such as by bringing down cell communication infrastructure in Liberia) or to censor journalists:

Most of our gizmos rely on generic hardware, much of it produced in China, used in consumer products worldwide. To do their work, these devices run software and have user profiles that can be logged into to configure them. Unfortunately, a sizable number of manufacturers have chosen to allow simple and already widely known passwords like “password,” “pass,” “1234,” “admin,” “default” or “guest” to access the device. In a simple but devastating attack, someone put together a list of 61 such user name/password combinations and wrote a program that scans the Internet for products that use them. Once in, the software promptly installs itself and, in a devious twist, scans the device for other well-known malware and erases it, so that it can be the sole parasite. The malicious program, dubbed Mirai, then chains millions of these vulnerable devices together into a botnet—a network of infected computers. When giant hordes of zombie baby monitors, printers and cameras simultaneously ping their victim, the targeted site becomes overwhelmed and thus inaccessible unless it employs expensive protections.

Many problems like these aren’t fixed, because of what economists call “negative externalities”: Shipping software or devices like these is free, and fixing any issues that come up is expensive. Taking the latter, more expensive route provides no immediate reward. It’s like telling factories that they can pollute as much as they want, dumping their waste into the air or a nearby river, or they can choose to install costly filtering systems, in a setup where the pollution isn’t quickly visible through smell or appearance. You can guess what happens: The companies don’t worry about it, because they don’t have to.

https://www.theatlantic.com/technology/archive/2021/05/ransomware-attack-network-pipeline-hack/618893/