Midday on July 15th, 2020, many high-profile Twitter accounts were compromised and began posting scams to entice users into sending them cryptocurrency (generally BTC, but also some others such as XRP for Ripple’s account). I’m not going to write about this in detail since everyone else already has, but for more information check out an article on the topic: Coindesk, TheVerge, TechCrunch, BBC, infinite others
What if instead of posting low-quality cryptocurrency scams, the attackers did something else?
Sure, they could have tried to use CEO accounts such as Musk and Bezos to make millions (or possibly billions) on the stock market by tweeting about earnings and purchasing large amounts of far-out-of-the-money near-expiration call options on the underlying stocks. But we have a lot of ways to catch people that try that, and many regulations and organizations that would make it more difficult (many more than just the SEC) to get away with (although as a side note, $TLSA’s stock+option trading volume is absurdly high, and it would be very difficult).
But, what if they had tried something else entirely, something not motivated by short-term financial gain?
What if the attackers wanted to cause chaos and violence, perhaps alongside putting certain political movements and goals forward? What if they had pre-written thousands of tweets about a topic, perhaps a fake and outrageous event occurring, paired with fake images and videos, perhaps even some higher-quality deepfakes? How many people could they get killed? Could they start a war?
You might think this sounds absurd at first glance. But remember, most of the world’s most influential people use Twitter, including the leaders of most national governments. Although a private corporation that plays by its own rules, Twitter is still the means with which many elected officials communicate with the public. Entire social movements have started and ended through the power of a single viral tweet, sometimes resulting in significant violence or many deaths. Social media platforms have been used by extremists of every type imaginable in the past, and this isn’t going to stop any time soon.
What if the next exploit affects much more than some Twitter accounts?
But, I want to go much further than talking about Twitter. What if instead of an exploit that allowed attackers to compromise Twitter accounts, it had been something much worse? What if they were able to compromise any web server, or any online Windows machine, or industrial control systems for utilities, power plants and military operations? None of these scenarios are by any means impossible. Enough software and hardware exists at enough layers of abstraction that there’s generally always 0-days lurking in critical systems, sometimes for years or decades, before they’re found. We know that 0days are found often by security researchers, private companies, governments, and others (sometimes rewarding up to $2,500,000), but also that they are less commonly exploited in obnoxious and harmful ways (generally being hoarded by government security agencies or reported in good faith).
We were unprepared for covid despite epidemics throughout all of history
It was said by many that the covid pandemic could have been predicted, in a sense (which is why it was not a true black swan event). Perhaps not the specifics of it such as the date, virus, and origin. But the general idea of “at some point in the future, something bad is going to happen like this, and we need to prepare for it.”
Another one of these “something really bad is going to happen in the future” categories involves cybersecurity, data privacy, and AI. Just one of these topics individually can be involved in a terrible catastrophe, and indeed have been before, but I think we’re coming close to a combination of all three that can lead to events much worse than we’re currently prepared for.
Security: Billions of humans live digital lives, including the most influential, famous, and dangerous. These people all have email accounts, phones, Twitter accounts, and more, all of which can be compromised, controlled, and manipulated by others.
Data Privacy: The amount of data that social media giants (among others) have on most people is massive, and in my opinion vastly underestimated both in quantity and power. The majority of human communication is now owned by private companies that store things forever. A large proportion of all human social connections, conversions, movements, opinions, and thoughts are stored in databases that not only will not forget, but that the user does not have any control or often even knowledge of.
AI: Advances in the area of content generation have been happening very quickly in the last few years. We now have GPT-3, which can write plenty of things better than humans can. We have deepfakes, which can produce believable fake images and videos. We can do the same for voices and much more. Much of this isn’t yet perfect, but it’s clear that we’re improving quickly.
So, take the three above topics of security, data privacy, and AI, and combine them all. Bonus points if you throw in some political tension, which we’re certainly not lacking right now either.
We are not prepared for a true disaster involving technology
As a society, we’re woefully under-prepared for disasters in all of these areas.
We’re not prepared for critical infrastructure, both physical and digital, to be compromised or attacked by highly-funded and competent groups, maybe even state-ran.
Not prepared for the massive campaigns of disinformation, fake news, and propaganda that lie ahead. If you thought things were bad in the last few years, just wait, because we’re on the verge of accelerating it by 10x, and fact-checking is not a solution. China’s government seems to be working very hard both on the offensive and defensive here. Is anyone else truly competing?
Not prepared for how to deal with database leaks that will contain the life history of millions of people, including their ‘private’ conversations and deepest secrets, and items so egregious that they instantly spark violence. Plenty of data breaches have led to murders and suicides already. There are still many countries where you can face imprisonment or death for being gay, being atheist, being of a certain ethnicity, or speaking out against the government (yes, we really don’t have it as bad here, huh!). Do you know what happens when these people have their private information carelessly leaked? It’s not pretty. And this is just for normal database leaks, let alone if a database leak had some information in it falsified (with the majority left intact, thus offering plausibility for the fake parts) to maximize its effect.
Not prepared for how to face that humanity is becoming increasingly controlled by viral algorithms that do not prioritize human values of happiness and love and truth, but rather nothing but outrage and in-group bias as the only bottom line. Most of us already feel powerless against this, but it may only just be beginning.
Not prepared for how anonymity is becoming a luxury only achievable by ultra-competent tech gurus, with most people having been forced to move their communication into more and more centralized ways over time, feeding all of the above issues. Not prepared for how one of the many reasons anonymity is getting much more difficult to obtain is because the easiest way to tell if someone is a bot or a human is to require verification of phone numbers, addresses, and more. And don’t let me forget to mention how many governments are eyeing up ways to ban end-to-end encryption.
I’m supposed to end on an optimistic note
How can we do a better job of addressing these problems?
- Promote education on the importance of cybersecurity, especially at the government and corporate levels
- Promote decentralized solutions instead of centralized social media platforms, allowing users to have control over their discourse, their platform, and their own data
- Promote anonymity, even when it is difficult, and fight to ensure end-to-end encryption is a right for everyone forever
- Promote better regulations around privacy and data security so that hoarding large amounts of personal data is less of an asset and more of a liability
Although a lot of this post might read as alarmist and pessimistic, I’m still (mostly) optimistic about these things in the long-long-term. The best part about terrible events like covid is that they make us stronger and better prepared for the next (similar) storm to hit us. Security used to be a second thought (or not a thought at all) for most companies, but we’ve improved significant in the last decade, and bug bounty programs and significant security spending are now common. I used to get looked at like I was insane for talking about how big of an issue the amount of tracking and data-collecting our society performs was a big problem, but even this is something that a lot of everyday people believe now as well. I just hope the stepping stones along the way to becoming prepared for the future aren’t so terrible that we don’t make it there in one piece.
Feel free to say hi on Twitter for any comments, suggestions, complaints, etc.