As I predicted in previous postings, the cyber-attacks have gotten worse. Earlier this week, “hacktivists” slammed the websites of Nasdaq OMX, Bats Trading, the Chicago Board Options Exchange and Bursa Malaysia, causing outages although trading systems were spared. These latest attacks make clear that financial centers can no longer ignore these threats and that they are unprepared for them.
According to media reports, some of these recent attacks may have been the work of a group calling itself “the 99 per cent,” but there has been no official identification of those behind the attacks.
It’s disturbing that this week’s attacks quickly follow the cyber mayhem of last month when the Tel Aviv Stock Exchange, the Saudi Stock Exchange and the Abu Dhabi Securities Exchange (ADX) were caught in the crossfire of Israeli and Arab hackers. In Brazil, there were cyber-shutdowns of the websites of two Brazilian banks—Itaú Unibanco and Banco Bradesco—and further threats from hackers that the country’s top five banks would be next.
What can we make of these ongoing disruptions? First, hacktivists are prioritizing websites for venues that are major concentrations of transaction activity and which have inspired their wrath. There is also the implied threat among the hackers that they could do more damage than shut down a website. It’s also time to consider that the websites of top banks and other financial firms are next.
The major mainstream media outlets have given this week’s outages perfunctory coverage and have yet to connect the dots to provide a clearer view of what’s underway. One man who is connecting the dots and proposing a solution is Richard Clarke, who served three US presidents in senior White House national security roles. In an opinion piece for today’s Wall Street Journal, Clarke focuses on how cyber-attacks could lead to real war. (Clarke also wrote a book on the subject “Cyber War: The Next National Security Threat and What to Do About It.”)
To prevent real war, Clarke is urging the creation of an international organization to defuse “tensions among nations” when the cyber-attacks reach a fever pitch. “But there is still no operations center that a nation can call to get another nation to stop its citizens (or servers in its country) from causing problems. Nations, if they talk at all about these cyber attacks, do so at 19th Century speed with embassies requesting assistance either in person or through a letter.”
A “Cyber Risk Reduction Center,” modeled after the Nuclear Risk Reduction Center (NRRC), is needed, Clarke says. The NRRC was created in 1987 to link the operation centers of Washington and Moscow. “Now Washington and Moscow are beginning to explore using their NRRC channels to discuss cyber concerns, but neither side yet has the authority or capability quickly to stop malicious cyber activity originating in their own nation,” Clarke says in his WSJ piece.
A global cyber-risk reduction system would allow the country under attack to seek assistance, particularly from the country where the attacks are originating. “Implicit in such a system would be an ‘obligation to assist’ other members of the international system and to identify and prosecute the culprits,” Clarke says. “Failure to assist should have consequences such as financial damages or even outside filtering of message traffic to search for attack programs.”
More ominous than the lack of cyber-risk reduction system is Clarke’s conclusion that the US and Israel “are not ready for a sophisticated cyber attack from the likes of Iran and China.” In fact, he argues that if a conventional war breaks out, cyber attacks would be just another weapon. “Bombing Iran, for example, could unleash an Iranian government cyber attack. Israelis say they could handle that, despite the recent evidence to the contrary. Unfortunately, much of the critical infrastructure in the US is still not ready for a sophisticated nation-state cyber attack either.”
While Clarke says the cyber hostility has not risen to the level of terrorism because “no one has died and, so far, nothing has blown up,” the cyber-attacks over the past month-and-a-half are a wake-up call. We should not wait for cyber-attacks that are equivalent to 9/11 before we take action.
Need a Reprint?
Leave a Reply