This past week, the Financial Services Information Sharing and Analysis Center raised the cyber threat level from elevated to high, and warned banks of “recent credible intelligence” of possible cyber attacks intended to bring down their customer sites. The financial sector is constantly under attack, but it is normally from criminals. These events appear to be something more.
While the Department of Homeland Security, the Secret Service, and the FBI have been silent, Senator Joe Lieberman (I–Conn), chairman of the Homeland Security and Government Affairs Committee, had a different story. He claimed the events were the work of the Iranian government. Lieberman is one of the most respected members of Congress on national security issues, and he seldom, if ever, speaks for shock value.
There were Distributed Denial of Service (DDoS) attacks on Bank of America, JP Morgan Chase, and Citigroup that swamped their websites. Even though a hacker group took credit, Lieberman said the attacks appeared to be an Iranian governmental counterattack in retaliation for the ongoing American economic sanctions against Iran.
Most cyber experts rank Russia and China as much more capable cyber adversaries than Iran. The Iranians, while behind, are still very good. Additionally, they are very motivated, and are leveraging their “3rd place standing” as cover. The (unfortunately acknowledged) U.S. cyber efforts against the Iranian nuclear program (Stuxnet, DuQu, Flame) have also given them some justification for the counterattack.
This effort illustrates the wonderfully asymmetrical nature of cyber. As the U.S. and its allies pressure Iran with sanctions, the Iranians are trying to make them feel some reciprocal “pain” in one of the only ways a smaller state can do so. It also shows that non-governmental targets are clearly fair game. The U.S. must continue to develop its defensive capabilities, both passive (firewalls, malware screening, etc.) and active (using advanced analytics to predict attacks and preempt them).
These events also show the weakness of the recently proposed regulatory regimes for cyber security. Today, the financial sector has some of the most advanced cybersecurity of any U.S. critical infrastructure sector, well ahead of the norm. Despite being better than average, they were still hit. A static and government-directed set of “standards,” the very likely result of the sort of regulatory scheme in the Cyber Security Act of 2012 and the President’s proposed cyber executive order, will be circumvented and defeated by hackers, governmental or otherwise.
China and Russia are not likely to attempt truly destructive cyber activities against the U.S. simply because they have a vested interest in our system. They make money or steal intellectual property data, so there is little interest in creating havoc, at least for now. Iran has no such restraints. Given time and opportunity, they may begin to attempt things that dwarf DDoS attacks in destructiveness. The U.S. cyber authorities ignore Iran at their peril.