As we hurtle forward into the digital, connected future, ever-more objects are becoming targets for hackers and malicious software.
Where once hacks only affected computers, they now bring down everything from cars to power grids, thermostats to secretive nuclear enrichment programs.
So how long until a hack doesn’t just cause a nuisance or monetary losses but actually kills someone?
One well-respected security expert thinks humanity will see its first death as a result of a hack within 10 years – and it may even have already happened.
“It could have happened already, but we don’t know. Stuxnet could already have killed people,” Mikko Hypponen, chief research officer for F-Secure told Business Insider, referring to the sophisticated computer worm that targeted Iranian nuclear facilities that most people believe was developed by the American and Israeli intelligence services.
“We don’t know if it killed people, it’s possible because it caused centrifuges which are filled with uranium gas to break down in the middle of their spinning cycle, so if there are scientists in the room they could’ve died … I guess the Iranians would have told the world if Americans had killed people with the hack.”
“We as mankind crossed a line.”
Hypponen is a highly regarded security expert who has been working in the field since the nineties. He’s a regular public speaker on the subject, once tracked down the authors of the first ever computer virus, and has been profiled by Vanity Fair.
The security executive doesn’t think whether or not someone has died is what’s important. “The important part is the Americans and the Israelis must have understood what they were doing. It could kill people, and they did it anyway. And I think we crossed some line – we as mankind crossed some line – when they made that decision.”
Stuxnet isn’t the only time we’ve seen a hack with potentially fatal consequences. In December 2015, the Ukrainian power grid was taken offline by a devastating hack. Had it gone on longer, or had conditions been worse, it could have easily resulted in a death. “If the power outage had gone for longer, yeah we would’ve had people starting to die for many different reasons. Hospitals starting to fail, or just people starting to freeze because it’s December.”
Like Stuxnet, nation-state-sponsored hackers are suspected, with investigators pointing pointing fingers at a Russia-based team.
Ordinary hackers aren’t about to start trying kill you…
While the connected world gives ever-more opportunities for harmful or even fatal hacking, Hypponen doesn’t think ordinary hackers are suddenly going to turn into murderers. Because why would they?
“Then we get to the next question: Who would do it and why? People have these notions of evil hackers doing stuff like that, but that’s actually not likely to happen. Hackers don’t want … to kill people. It’s also illegal to kill people.”
Hackers will continue to be motivated by the same things people will always be motivated by – albeit with more tools at their disposal. “Driving people off the roads in their connected cars? It could be done, but I’m not worried about it.”
Hypponen is more worried about people exploiting vulnerabilities to steal cars. “Killing people is a bad idea. It doesn’t make money. Hackers generally want to get a benefit for their hacks.”
…but they’re not the only ones out there.
Don’t breathe easy just yet. Stuxnet and the Ukranian power grid show there are hackers out there with the capability out there today to cause fatalities, even if just as collateral damage. There will certainly be more attacks like them.
And there are some out there with malicious damage and human harm as their primary aim. “Who would be interested in doing hacks where people suffer? Well, extremists – ta da! – Islamic State, or any other group which has the know how and has the will to do evil like this. And this is why I’m really glad to see the US military is taking the risk of extremist hacking so seriously. They’ve now drone-killed two hackers with drone strikes – two UK citizens by the way.”
Whoever the hacker and whatever the reason, deliberately or accidentally, it’s going to happen, Mikko Hypponen says – within a decade.
“Ten years. Within ten years. Could be five.”