
Morning. I mean, I think we've all had enough fun recently, but I'm going to give you more. So, enjoy. Here we go. Firstly, this isn't actually intended to spread fear, uncertainty, and doubt. Just for those of you who don't know what FUD means. Uh it's a term referring to the marketing that's used to sell you very expensive blinky boxes to solve whatever problem they think you need to solve, which mostly do nothing. But, some of them work, some don't. Spreading FUD is a great way to sell cybersecurity. Causes massive damage to the industry cuz people start to dismiss things. People learn helplessness and give up. And then they just spend six figures, seven figures on something with flashy
lights and nice interfaces, wash their hands of it, and move on. So, I'm not going to spread that because everything I say here is at least plausible to a reasonable degree.
Dramatic sting, wonderful.
That was a right. TEOTWAWKI, Wacky, however it's meant to be pronounced, the end of the world as we know it. Term used by preppers and other people to talk about a change in the world that renders it unrecognizable to what it was before. And when selecting the scenarios for this, I had to narrow down the criteria because there were just so many options. So, first of all, everything here is cybersecurity related. It is something which can or has been done by genuine attackers. There is no Hollywood magic, no quantum AI singularity technology involved. So, everything is theoretically possible. I also wanted to make sure that the crisis would be at least national scale. If I went on town scale, it got far too
easy to find scenarios. You know, poisoning a water supply wipes out a town, but doesn't end the world on a national scale. Uh no cyber magic, no nation-state actors. So, these had to be within reach of smaller groups than entire nation-states. Had to be purely cyber. So, no launching missiles alongside it, no running tanks into the middle of the road. Although that is relevant to one of them. And had to be a reasonably short time scale. So, that did sadly exclude Facebook from the list because that's over a longer time scale. But, there's enough of them anyway. First of all, we have utilities. So, water, power, everything that you think of that society now depends on
absolutely to remain in a recognizable state. And this one has happened a few times. There was a dam in New York where it was compromised in 2013. They were extremely lucky because the release controls were disconnected for maintenance at the time. Otherwise, the people who'd managed to break in could have decided to release the water. That would have meant no power and massive flooding over New York. Not really what you want, still on a town scale. More usefully for end of the world stuff, uh you may remember in 2015, Ukraine, the power grid was taken out nationwide. Now, it happened again in 2016. The lovely one with this is that the attackers were actually quite nice.
When they recon- or when they disconnected the power, they just left it disconnected. It was entirely possible with the access they had to reconnect it out of phase, which would have meant rather than a 6-hour outage, they would have destroyed the entire grid in a way that would probably not have been recoverable for days, weeks, maybe months because you've got no power to make these things possible at that point. And that would have been trivial for them to do. The more and more we build central control into critical national infrastructure, the more vulnerable we are to these things on a national scale. Just to add to the Ukraine one, same group of attackers, they were definitely not nation-state.
Uh same group of attackers carried out a denial-of-service attack against the customer phone lines. So, people who'd lost power couldn't even dial in and report it. Now, this one's one of my favorites and is the closest to sci-fi in this, but every single step of it is theoretically possible and has been demonstrated. DNA desktop synthesizers are now available for about 15,000 euros. A few months ago, it was 20,000, so they're coming down in price. So, you can buy one of these, and the cartridges of amino acids that let you construct your own synthetic DNA are cheaper than your inkjet cartridges. Not exactly difficult to get hold of. There is no real way to prevent people
creating harmful strains of DNA with these because it's just so unpredictable what interactions will be. There is an attempt to have a list by some of the people who send synthetic DNA by mail order, but most of them don't bother because it's a lot of work. And in 2017, a couple of researchers published a paper which frankly terrified me, where they resurrected a variant of smallpox, or a relative of smallpox. So, it was an extinct variant called horsepox. Had been completely wiped out, didn't exist anywhere. And they mail-ordered DNA samples, recombined them, integrated them into a bacteria, E. coli I believe it was, in a way that meant it was now infectious again. They supposedly destroyed the samples.
There were some criticisms of the work from people saying this is horrendously unethical. Why on earth would you resurrect extinct viruses that weren't harmful to humans and don't need any new vaccines created? But, you know, researchers. Cost of doing that at the time was about 100,000 dollars. Now, most of that was the researchers' time. So, that's roughly two postgrad students for about a year. The mail-order samples, you're looking at a few kilobytes of data, and you're talking pennies per genome pair. So, very easy to do. But, if you've got your own synthesizer, even better. Another fun fact about those synthesizers, they are sold with network cards. So, they can be plugged into the internet and remote controlled.
I'm sure no one would ever misuse that in the way that they misused fax machines, printers, 3D printers. No one's ever going to abuse that. These are things that are used to print retroviral treatments for people. So, anything that affects that, potentially it could be targeted at one person. That's nasty enough, corrupting someone's retroviral treatment for a condition. But, imagine if you make that something infectious. The genes of these things have been sequenced, the codings are known. I've had it on reasonably good authority that the knowledge to do this, to corrupt one of these so that you are injecting someone with a live viral sequence which will then begin to spread and make them infectious, is within the reach of about
a second-year biology undergrad in the UK. Other places, it may be different. So, we aren't talking seven PhDs, Bruce Banner. This is perfectly plausible to do. Going back to that safe list, there isn't one. You know the whole thing of printers can't print money, supposedly. Well, supposedly there is a list that means you can't order malicious DNA sequences. As I said, most of the people who synthesize it don't use it. You can't encode it into the printers. They just aren't powerful enough to do the analysis you need. There is nothing that can prevent someone from just going in and doing what they want. Hopefully everyone's feeling happy and bright about the future now. And then we have the ecological attacks.
Now, this was another one I rather liked. Some years ago, a guy called Chris Roberts, who some of you may have heard of, some of you may not have done, discovered that I think it was John Deere tractors, automated ones with automated planters, had a slight vulnerability issue. In that you could change values in the firmware updates that would then be pushed out automatically to all of the tractors connected, which was most of them. And with industrialized farming, that's almost all of the food source in the US at least. The update he demonstrated was that you could slightly reduce the distance between planting of seeds, which sounds annoying, but not too bad, until you then connect it to that slight
reduction means the seeds cannot grow. They're no longer viable. Industrialized farming has such tight tolerances that things are planted at optimal distances. Any variation in that, particularly reduction, and you have just destroyed grain harvests. Now, in theory, this would probably be spotted within a few days. But by that point, you've missed the planting season. You've wasted your seeds, and you now have famine on a massive massive scale. You simply cannot import enough food to deal with it, and you have destroyed animal feed and everything else. So again, really positive happy stuff here. Um I believe that vulnerability has been fixed. I also believe that SolarWinds have fired the intern who set a bad password, and so we never need to worry about
these sorts of things again. So all right. Enough doom and gloom, enough of that whole fear uncertainty and doubt. There are genuine problems with our industry which spread out and affect others. And one of the main things is that in those other areas, our industry often doesn't really exist. It wasn't considered at the design and build phase. It wasn't considered when we were constructing power plants in the first place. Wasn't considered when we started plugging everything into networks. Certainly wasn't considered by people making desktop DNA synthesizers, perfectly capable of making a more virulent version of COVID if they so decided. Sorry for saying the C-word. And putting network cards in them. Wasn't considered by the universities
and medical labs who connect them to their network and publish those interfaces to the internet so that people can work on them remotely. So you can do your research from home. Wasn't considered by John Deere when they looked at all of these really tight tolerance systems and didn't consider the data integrity. They made it something that could be adjusted, and they made it something that could be adjusted at scale. So what can we do about it? Well, we can go forwards and try and improve things and look at not just testing at the end, but really look at security by design. Really consider the threats against systems as we're building them. Not just build them and then say, "Oh,
look, I could destroy the entire grain harvest of the US. That might be a problem. It's okay, we'll put a patch on it." You can engineer systems safely. You can build systems so that they are actually secure. I know there's this whole idea of it's not if but when, and that there's no perfect security. It's wrong. You can build things with good enough security that you're not going to get existential threats out of them. So that's part of it. Uh backup option. Locust farming is cheap. Locusts are tasty. Uh they're crunchy, you can season them well. They're highly nutritious. You can do it fully off-grid, and you can be self-sufficient. So just so you're aware, there is a backup
option. But really what we need to be looking at is distributing security. Moving from the model of robust systems where we stick everything in one place and say we'll just protect it really good, and instead saying we will build fault tolerant systems. Ones where compromising one node does not cause the entire thing to collapse. Yes, it's less efficient. It's less profitable. There is wastage when you do a resilient system. But if you break part of it, you route around the damage, you heal, you can recover, you can restore from other areas. We need to be looking at anything critical at distributed decentralized security. That was rather faster than I thought it would be. So, are there any questions from anyone?
I mean, one I often get asked about when I talk about this is nukes, because they come up. I did consider building that in, but the problem with nukes is that they're not actually that national scale unless you're launching a lot of them. And on top of that, the paper that I read, I couldn't find when I was putting this talk together. But there is supposedly a fail-safe system in certain countries' nuclear weapons systems where if they don't have a code entered every 24 hours, they switch to an open radio relay. It's a dead man's switch with the idea being that you can fly a plane over broadcasting the launch code on a particular frequency, and it will then
launch. Problem is, nuclear facilities or nuclear weapon facilities are very boring places to work. Many of the people working there actually played games such as, "How long can we leave it? How close can we get to midnight before we put the code in?" Uh the record was 72 hours after midnight. So there was an open relay for that long. And this is hearsay, I will point out, so don't quote me on it. There was an example where junk data was found in the buffer of a nuclear missile because something had just been broadcast on that frequency, and it had picked it up. Now, yes, it's a long code. The chances of hitting it purely
at random are low for any particular instance, but you could potentially just run around broadcasting on that frequency loads of random strings and get a potential launch. But that's still just one missile. It's not bad enough to qualify for this. Any questions?
Uh it's probably long dead and not in a recoverable format, but you don't really need to bother because the genetic sequence for smallpox is available on the internet. So you can just download it and print it if you want.
Do you think we'll get a whole new set of vulnerable infrastructure with all the global warming and carbon capture and storage, and that maybe there's a potential that people try and compromise that to either release it or to set our forests alight again or something?
Uh geoengineering systems, I think absolutely. People are going to do the same thing. They're going to build bastions and centralized control. And yeah, absolutely. One of the things that came up while we're on environmental issues, when I was asking around and doing the research on this was smart cars. Again, it's just too small. If someone compromised every single smart car system on the planet, you're still looking only at mega deaths,
which is bad, but it's not that end of the world as we know it on a national scale. Now, when you've got that smart navigation doing logistics on a much wider scale, yes, but that's sci-fi. You know, that's at least 5 years away.
Yeah, thanks. The slide on ecological one where you said systems in US, they were recalibrated to plant the seeds too close to each other. You mentioned that it's probably going to give rise to no seed germinating issue. Kind of say that there'll be a survival of the fittest, you know. Yeah. One will perish, other will probably So it probably wouldn't be no seeds germinating at all. It would have devastated the harvest because they cannot grow fully at that closer distance. So root systems get entangled, they're not getting enough nutrients, so you've massively reduced the harvest because it's so precisely calculated. And this is the thing. This is robust versus resilient. Having those really tight tolerances is great for
efficiency. It's great when you've got everything perfectly controlled, but robust systems are fundamentally fragile. When they break, they break in a big way. Resilient systems, if you had a tolerance of an extra inch in that with safety margins that you couldn't reduce the number below that, you'd have been fine.
Yes.
I'm waiting for someone to donate me 15,000 euros. So if anyone wants to, I'm happy to do that. But no, I haven't been able to as yet. I have spoken to a couple of universities to see if they'll let me go and test theirs. Um so far they've not been open. But it might happen at some point when I find somewhere where they've got the right crossover between biology and computer science. I'm sure there are some ones on Shodan. In fact, I know that there are ones which would be available on Shodan from anecdotal evidence where people have said, "Yeah, I just log into it from home."
Um one of the like big issues in history is that a lot of like big historical end of the world as we know it events, not necessarily to do with cyber, usually tend to rely on like the crux of one individual being like, "Oh, I know, let's, you know, do this." And another thing that I'm sort of seeing here is it could just be one bored individual who goes, "Oh, I know, I'll hack into a tractor." Or "I know, I'll buy a synthesizer and program my own virus." So, what is preventing the end Basically, it's a bit of a broad question, but what's preventing the end of the world as we know it from
happening? Surely it's pretty much guaranteed that there's going to be some random bored individual in the future who just goes, "Oh, I know, I want to, you know, cause the apocalypse."
I think there are various things. Partly it's luck. No one's done it. Um partly it's that this sort of thing is not necessarily widely known. We are still a very small industry. And even within the industry, most people don't necessarily cross too much into other domains. And this requires looking at those different domains and building up a holistic picture. So, you've got a small number of people who could do this sort of thing, and most of them are fairly well educated and comfortable and don't necessarily have the
motivation. Because if you're one individual doing it, you would need to have a degree of persistence or a lot of luck. The other part of it is the people who could do it and are malicious are generally much more interested in profit. And frankly, doing one of these sorts of attacks would bring far too much attention on them. They're much happier doing ransomware. It's cheap, it's easy, customer service is great. You know, ransomware provider, one of the fastest growing industries in the world. But saying that no one's done it, um the Ukraine is the example I'd look at. It has happened. It has been used, in that case in coordination with a physical attack.
But again, if they've been slightly more malicious about what they did to the power grid, you probably wouldn't have needed that physical attack. Could have just left the country to fall apart.
So, this is actually kind of building on that question. Because in some ways, isn't there an aspect of mutually assured destruction? Like as you said, whoever attacked Ukraine, maybe one of their big neighbors, decided not to blow up the entire Ukrainian grid, knowing that if they did, it would end in a hot war. So, do you think with aspects like this, when it comes to superpowers, APTs, things like that, they're less likely to do it knowing the consequences, whereas a you know, an individual who have their own issues, who happen to get the ability as costs get lower and more and everything becomes easier to do, that could be more where the real risk
comes from, because for the big powers, they know it just escalates.
Yep, absolutely. I think in the case of Ukraine, a large part of the reason they didn't do that was because they wanted the infrastructure intact, rather than necessarily out of goodwill. Um but yeah, as these attacks become easier, which they will do, you know, these systems are getting both more centralized and more complex, and more complexity means they're more vulnerable, then it will become easier and the bar will be lowered. But yeah, there is a degree of mutually assured destruction. You know, if you destroy America's grain harvest, they're not going to just take it on the chin. There will be consequences for the rest of the world,
and the same with any other nation-state of a reasonable level of power.
Um yeah, I mean on the uh the Ukrainian situation, I guess we all guessed who the corresponding neighbor was. So, they are already in or have been recently in a hot war with Ukraine. So, I think the distinction between hot and cold war is not very sharp. You've got a measured hot response along with a measured um covert response, and they tend to run together. What I did wonder was why there was no mention of um oil and natural gas infrastructure attacks. I mean, we've seen some um kinetic attacks, but some fairly spectacular attempts at very destructive cyber attacks on um oil and natural gas facilities, particularly in the Middle East, that have a wide repercussion and
repercussions elsewhere in the world. And as you know, we're pretty short of natural gas infrastructure in the UK. And significant attacks on a rather small number of sites would have quite a serious effect.
So, the only reason that wasn't mentioned was I was trying to pick the top three. Um partly that was which ones I was most interested in, but the other three that were on there were logistics attacks. Someone taking down Maersk or another large logistics company for a period of time is going to cause global chaos. Uh the oil and natural gas, so the supply attacks there, absolutely. Again, it was purely because I didn't like it as much as the other
three. And economic was the other one, because I'm really curious to see what happens if you destroy the data systems of a national bank.
Deathly silence. Hopefully I haven't depressed you all too much.
So, all the uh last topic that you mentioned that you didn't include, haven't we already found that the world is relatively resilient to Cuz Maersk had a big ransomware attack and they were back to fax machines, but it was all right. Aramco was off It's Saudi Aramco was off for a long time and it was bad, but the world continued. Um a lot of these things, they are fully impactful, but let's say you did the grain in America, maybe you get Nebraska, maybe you get Iowa, and that's pretty bad, but America has three time zones, so the chance you're going to get, you know, the entire grain harvest in two days, it's a large continent.
The systems are more resilient than I think we give them credit for.
I think they're resilient at scale. So, America's probably a bad example, because really it's 50 countries, if we look at it properly. Um so, yeah, you're unlike In the same way, you'd be unlikely to affect everything across the entirety of Europe, but on an individual country, I do think these are a genuine threat.
I don't think there's any more questions, is there? Any more for any more? I promise the rest of the talks are much more optimistic than this.
Well, yes, after James has depressed us all with a nice morning talk, I think we all owe him a nice round of applause.