In September, a number of websites belonging to U.S. financial institutions — including Wells Fargo, Bank of America, U.S. Bancorp and JPMorgan Chase — were disrupted, and customers were blocked from using their services. The Middle Eastern group claiming to be behind the attacks posted online that it was vengeance for a YouTube video that negatively portrayed the Prophet Muhammad.
But last week, U.S. Defense Secretary Leon Panetta hinted that Iran was the real culprit behind the attacks. He further warned of a potentially devastating blow to the country, dealt entirely from the virtual world. "A cyber attack perpetrated by nation states… could be as destructive as the terrorist attack of 9/11," he said in remarks about the online threats facing the U.S.
Caution is needed to understand and deal with the threat correctly, notes Wharton’s Andrea M. Matwyshyn, assistant professor of legal studies and ethics. “I see the policy conversation around ‘cyber attacks’ or, more correctly, information security vulnerabilities, now taking on unduly charged and political rhetoric, being conflated with other issues such as intellectual property issues, as well as taking a troubling turn toward unwarranted militarism,” she says.
Panetta’s comments are not overstating the problem, she adds. “However the correct reaction to these issues is not overzealous militarism. These issues are, first and foremost, technological information security problems and national defense questions only secondarily and incidentally.”
In the past two months, cyberattacks in the Middle East have broadened in scope and complexity. Among the newest victims were two major companies in the regional oil industry — Saudi Aramco, the world’s largest oil producer, and Qatar-based RasGas. In mid-August, malicious code was planted in roughly 30,000 workstations belonging to Aramco, along with disruptions to the company’s website and e-mail. A few days after, RasGas suffered a similar attack.
Internet security experts chalked up the attacks to new malicious software called Shamoon, which spreads through shared hard drives and seeks to permanently erase information. Different regional ‘hacktivists’ took responsibility for the attacks, claiming they were motivated by Syria’s ongoing civil war, though the hydrocarbon companies did not confirm what the virus was, nor where it came from.
The incidents follow an exchange of attacks between Saudi Arabian and Israeli hackers at the beginning of the year that first targeted credit card information, before escalating to attacks and counterattacks on larger commercial interests in Israel and in the Gulf. Additionally, it was confirmed that the U.S. created and released viruses to specifically disrupt Iran’s nuclear program, which have now spread into the wider Internet.
There are a number of measures and strategies to consider for companies that may find themselves caught in the middle of such a conflict; while complete protection from electronic attack in today’s world of flash drives and shared networks is impossible, leading security experts and academics note that though companies now place resources into being prepared for an attack, the real issue becomes their ability to deal with one when it happens.
"The best offense is a strong defense," Matwyshyn says. "Many companies are still under-informed with respect to basic information security protection measures. Basic errors abound in both the private and public sector. Regular audit of systems and fast, thoughtful responses to information security incidents is essential. Hiding the occurrence of security breaches — a strategy regularly employed by companies in the past — is neither sustainable, nor desirable."
Most experts point to a U.S. and Israeli cyberattack on Iranian nuclear facilities with a computer worm called Stuxnet — which covertly operates in and disrupts industrial systems — as a turning point for cyber warfare. Stuxnet "marked a significant and dangerous turning point in the gradual militarization of the Internet," wrote author and visiting Columbia professor Misha Glenny in a recent op-ed in The New York Times. "Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory."
There have always been the cyber equivalent of vandals, who engage in hacking as a prank, but are little cause for concern, says Gurpreet Dhillon, professor of information security at Virginia Commonwealth University. "We’re more worried about intentional attacks, which are targeted at infrastructure, the economy, citizens and the country," he says. "Are companies prepared? For the most part, yes. Most utility companies in the U.S. do have some kind of backup system that is going to identify such attacks. SCADA systems [supervisory control and data acquisition, an automated industrial monitoring system] are increasingly becoming popular around the world. But question is not if you are prepared, but rather, can you deal with this kind of attack? The answer is probably no, and there is not much you can do, other than evaluating the risks of failure if something happens."
Matwyshyn notes that there is reason Middle East hacker groups increasingly see Western corporations as targets. "The space between private and public sector in the United States is increasingly blurred, because much of the sophisticated technology employed in U.S. military equipment is constructed in the private sector and many other national defense and critical infrastructure data management services are outsourced to the private sector; attacking those private entities threatens national security."
Ponemon Institute, in its 2011 cost of cyber crime study, noted the median cost of cyber crime to U.S. companies it examined was US$5.9 million a year. Though exact figures are disputed, the costs of cyber crime to U.S. consumers are estimated to be gigantic — over US$20 billion in the past year alone, according to security software firm Symantec. In remarks to the U.S. Senate in June, Nevada Sen. Harry Reid stated that cyber attacks are a true threat. "We’ve already seen cyberattacks on our nuclear infrastructure, our Defense Department’s most advanced weapons, the NASDAQ stock exchange and most major corporations. Cyber attacks don’t threaten only our national security — they also threaten our economic security."
But politically motivated attacks are everywhere, VCU’s Dhillon notes. "It’s not just the Middle East. Can you really forecast if there is going to be a politically motivated attack? No, the only way you can predict is if you the probability of an occurrence. It’s very hard — you don’t know where, or who, or which system is going to be affected by the attack. And that’s something these cyber criminals take advantage of. So clearly, companies have to be aware of what’s happening in their environment — we call it environment scanning. You need to know what’s going out there in the world."
Companies that believe they are currently being targeted by an Internet-based attack in the United States can seek assistance from the FBI to assist in ascertaining the origin of the attack and stopping attacks in progress, Matwyshyn says. For public companies in the U.S., she adds, disclosure obligations under securities law and guidance from the Securities and Exchange Commission also exist.
But Dhillon says a company would have little recourse if it sustained losses in a cyberattack from a foreign entity, either hacktivist group or state actor. "If something goes wrong, it’s your company’s insurance that’s going to kick in, not the nation state that’s going to kick in. The nation state will be sympathetic, and will go out of their way to help your company. But they certainly are not going to compensate your company. If there’s an oil spill, citizens can’t make claims that they’ve lost their livelihood. Similarly, if there’s been a cyber terrorism attack, you can’t claim it from Company X, that because of your relations with Country Y, I’ve lost my business. That’s not going to happen."
The onus then falls on companies. Particularly in industries such as banking where the level of technology sophistication is not as high as inside technology-focused companies, rigorous internal assessment of information security deficiencies is essential, Wharton’s Matwyshyn says. "The greatest information security failure is being unwilling to admit what you don’t know — that you lack technology expertise and that you should listen to those individuals who possess that technological expertise. Information security is not the province of the IT department; it must become an officer and director level priority. Companies without deep internal technological expertise are more likely to make this critical error."
Institutions that are at risk from cyberattack — particularly those dealing with money or sensitive information — need to organize themselves, Dhillon says. Companies have to work with local groups and trade organizations to encourage further security development and create standards. "Communication and coordination becomes a very important aspect to help deal with attacks, especially communication with authorities," he says.
Staying silent about an attack, Matwyshyn adds, is not a viable strategy to deal with it. "This approach, called ‘security through obscurity’ has been widely discredited in information security literature. It presumes that the company can control external information about its security problems — something that is factually inaccurate. Individuals external to the company will always eventually deduce that a breach has happened. In particular, hackers frequently brag about their exploits. Further, delaying notifying business partners — other companies that rely on the same systems or information — could result in broader harms that may give rise to basis for lawsuits. The more promising approach is an approach driven by a goal of information security through process — regular analysis, assessment and incremental improvement of information security deficiencies."
Keeping open lines of communication is important during an attack, Dhillon says, but adds that sometimes it doesn’t make sense to go public with the information that a cyberattack has occurred because an investigation is ongoing. "But once that has occurred, it makes sense to share that information with the public, so they are aware also. Not to scare them, but to create awareness that such attacks occur."
There are physical solutions to consider. "You need to contain these attacks," Dhillon says. "The more interconnected these systems are, the greater the chance of failure. If you are able to contain the attacks in a smaller area, then it becomes easier to deal with. But unfortunately, in our quest to connect everything, it increases complexity. It’s a butterfly effect; one thing goes wrong, it all goes wrong. So how do we prevent that? We don’t necessarily need everything to be connected. You need to compartmentalize. You need to have systems with built-in recovery if something goes wrong."
Monitoring is another key aspect, he adds. "Most of the time, these attacks are identified by sheer luck, because some activity is seen in a network and it is reported, and then it turns out what was being witnessed was an attack. Clearly, some investment needs to be made in that area. Awareness training is also needed. If employees know that an attack is going to occur, they are more likely going to report things."
There is a need to understand both sides of a politically motivate attack, Dhillon says: the attacker’s motive, and the company’s context. "Perpetrators always stick to the easiest way to attack an infrastructure. Whatever is vulnerable to them, that’s what they are going to attack. They’re not going to spend hours on something that’s not going to have any impact. They’re going to attack an organization where they think they can get in. It just makes sense. The idea is to show they are powerful, that they can do things, and create commotion in a given society. They’ve achieved their purpose by hacking into an organization with weak protection in place.
"In a Middle Eastern context, there are going to be certain kinds of attacks. So you’re going to have to profile those kinds of attacks. In a North American context, there’s going to be certain kinds of attacks. So it’s important for institutions around the world to recognize which attack threats are more relevant than others. You can keep on protecting your infrastructure, but you’re never going to have a 100% secure environment. So how do you prioritize your vulnerabilities, how do you prioritize your actions, within the context of your environment?"
The Middle East region and the larger global environment would do well to formulate better laws to deal with cyber crime and cyber terrorism, Dhillon says, along with increasing communication and coordination between organizations.
But confronting such a nebulous threat can be overwhelming even for the biggest companies, though, and the specter of increased attacks — either from politically motivated hactivist groups, or more shadowy state-sponsored groups — raises the question of whether additional measures by governments can be made to halt the use of cyber weapons.
"There is no need for an arms race in this space," Matwyshyn says. "Everyone will lose. Every country is vulnerable to attack on its own soil through vulnerabilities in computer code; there is no such thing as error-free code. The first step for all countries — the U.S. in particular — is to work on tightening the quality and security of the code they run inside their countries. Having brilliant offensive code-based weapons is pointless if you are vulnerable to reprisals. No country has a monopoly on hacker talent."