“More or less,” I say. “The connection of devices to the Internet.”
“Yes, essentially. And not just laptop computers and smartphones. Anything with a power switch. Washing machines, coffeemakers, DVRs, digital cameras, thermostats, machine components, jet engines—the list of things, large and small, is almost endless. Two years ago, there were fifteen billion devices connected to the Internet. Two years from now? I have read estimates that the number will be fifty billion. I have heard one hundred billion. The layperson can hardly turn on a television anymore without seeing a commercial about the latest smart device and how it will do something you never would have thought possible twenty years ago. It will order flowers for you. It will let you see someone standing outside the front door of your home while you are at work. It will tell you if there is road construction up ahead and a faster route to your destination.”
“And all that connectivity makes us more vulnerable to malware and spyware,” I say. “We understand that. But I’m not so concerned, right at the moment, about whether Siri will tell me the weather in Buenos Aires or whether some foreign nation is spying on me through my toaster.”
Augie moves about the room, as if lecturing on a large stage to an audience of thousands. “No, no—but I have digressed. More to the point, nearly every sophisticated form of automation, nearly every transaction in the modern world, relies on the Internet. Let me say it like this: we depend on the power grid for electricity, do we not?”
“Of course.”
“And without electricity? It would be chaos. Why?” He looks at each of us, awaiting an answer.
“Because there’s no substitute for electricity,” I say. “Not really.”
He points at me. “Correct. Because we are so reliant on something that has no substitute.”
“And the same is now true of the Internet,” says Noya, as much to herself as to anyone else.
Augie bows slightly. “Most assuredly, Madam Prime Minister. A whole host of functions that were once performed without the Internet now can only be performed with the Internet. There is no fallback. Not anymore. And you are correct—the world will not collapse if we cannot ask our smartphones what the capital of Indonesia is. The world will not collapse if our microwave ovens stop heating up our breakfast burritos or if our DVRs stop working.”
Augie paces a bit, looking down, hands in his pockets, every bit the professor in midlecture.
“But what if everything stopped working?” he says.
The room goes silent. Chancellor Richter, raising a cup of coffee to his lips, freezes midstream. Noya looks like she’s holding her breath.
Dark Ages, I think to myself.
“But the Internet is not as vulnerable as you are saying,” says Dieter Kohl, who may not be Augie’s equal on these matters but is far more knowledgeable than any of the elected officials in the room. “A server may become compromised, slowing or even blocking traffic, but then another one is used. The traffic routes are dynamic.”
“But what if every route were compromised?” Augie asks.
Kohl works that over, his mouth pursed as if about to speak, suspended in that position. He closes his eyes and shakes his head. “How would…that be possible?”
“It would be possible with time, patience, and skill,” says Augie. “If the virus was not detected when it infiltrated the server. And if it stayed dormant after infiltration.”
“How did you infiltrate the servers? Phishing attacks?”
Augie makes a face, as if insulted. “On occasion. But primarily, no. Primarily we used misdirection. DDoS attacks, corruption of the BGP tables.”
“Augie,” I say.
“Oh, yes, I apologize. Speak English, you said. Very well. A DDoS attack is a distributed denial-of-service attack. A flood attack, essentially, on the network of servers that convert the URL addresses we type into our browsers into IP numbers that Internet routers use.”
“Augie,” I say again.
He smiles in apology. “Here: you type in www.cnn.com, but the network converts it to a routing number to direct traffic. A flood attack sends bogus traffic to the network and overwhelms it, so the network stalls or crashes. In October of 2016, a DDoS attack shut down many servers, and thus many prominent websites in America, for nearly an entire day. Twitter, PlayStation, CNN, Spotify, Verizon, Comcast, not to mention thousands of online retail operations, were all disrupted.
“And then the corruption of the BGP tables—the border gateway protocol tables. The service providers, such as, for example, AT&T—they will essentially advertise on those tables who their clients are. If Company ABC uses AT&T for Internet service, then AT&T will advertise on those tables, ‘If you want to access Company ABC’s website, go through us.’ Let’s say you’re in China, for example, using VelaTel, and you want to access Company ABC’s website. You will have to hop from VelaTel to NTT in Japan, and then hop to AT&T in America. The BGP tables tell you the path. We, of course, just type in a website or click on a link, but often what is happening almost instantaneously is a series of hops across Internet service providers, using the BGP tables as a map.
“The problem is that these BGP tables are set up on trust. You may recall that several years ago, VelaTel, called ChinaTel at the time, claimed one day that it was the final hop for traffic to the Pentagon, and thus for some period of time, a good portion of Internet traffic intended for the Pentagon was routed through China.”
I know about it now, but I wasn’t aware of it then. I was just the governor of North Carolina back then. Simpler times. The understatement of the century.
“A sophisticated hacker,” says Augie, “could invade the BGP tables at the top twenty Internet service providers around the world, scramble the tables, and thus misdirect traffic. It would be the same effect as a DDoS attack. It would temporarily shut down Internet service to anyone served by that provider.”
“But how does that relate to the installation of the virus?” asks Noya. “The object of a DDoS attack, as I understand it, is to shut down Internet service to a provider.”
“Yes.”
“And it sounds as if this—this scrambling of the BGP tables has the same effect.”
“Yes. And as you can imagine, it is very serious. A service provider cannot afford to lose service to its customers. That is its whole reason for existence. It must act immediately to fix the problem or it will lose its customers and go out of business.”
“Of course,” says Noya.
“As I said before, misdirection.” Augie waves a hand. “We used the BGP tables and the DDoS attacks as platforms to invade the servers.”
Noya raises her chin, getting it now. Augie had to explain all this to me more than once. “So while they were focusing on that emergency, you snuck in and planted the virus.”
“An accurate enough summary, yes.” Augie cannot help but beam with pride. “And because the virus was dormant—because it was hidden and performed no malicious function—they never noticed.”
“Dormant for how long?” asks Dieter Kohl.
“Years. I believe we started…” He looks upward, squints. “Three years ago?”
“The virus has been lying dormant for three years?”
“In some cases, yes.”
“And you’ve infected how many servers?”
Augie takes a breath, a child prepared to deliver bad news to his parents. “The virus is programmed to infect every node—every device that receives Internet service from the provider.”
“And…” Kohl pauses, as if afraid to probe further, afraid to open the door to the dark closet to find out what’s hidden inside. “Approximately how many Internet service providers did you infect?”
“Approximately?” Augie shrugs his shoulders. “All of them,” he says.