Is a Cyber Pearl Harbor a Real Threat?
By Samuel Greengard
In recent weeks, U.S. financial institutions such as JP Morgan Chase, Capital One and Wells Fargo have undergone sustained cyber-attacks from sources that security experts say could be a hostile foreign government or terrorist organization. Some experts, including Defense Secretary Leon Panetta, have cautioned that this distributed denial-of-service (DDoS) activity could foreshadow widespread and sustained cyber-attacks. In fact, he warned of the possibility of a "Cyber-Pearl Harbor."
Strong and frightening words. But according to security experts, the risk of a “Cyber-Pearl Harbor” attack is real … and growing. "Unfortunately, U.S. critical infrastructure is vulnerable, and security is weak overall," states Jonathan Gossels, president and CEO of SystemExperts, a Sudbury, Mass., security risk analysis consulting.
The power grid, flight control systems, traffic control systems, water treatment facilities, hospitals, communications systems and other key technology systems are all vulnerable, Gossels says. Although banks have withstood recent attacks reasonably well—most have managed to get through the attacks with few disruptions due to significant investments in security—other organizations and industries are lagging behind.
In fact, it's a tale of two mentalities, according to Gossels. "Financial institutions and certain companies in vulnerable industries have prepared for the risk of cyber-attacks,” he says, “but many other organizations have done the bare minimum and don't believe that they are a real target."
What’s even worse, Gossels warns, is that these incremental gaps in security, when combined, exacerbate the risk for everyone. "When you add everything up, it's apparent that the United States is at great risk from a sustained and coordinated attack on infrastructure," he adds.
Digging out of this hole is no simple task. Despite constant discussion about cyber-attack risks, CIOs and other IT executives aren't putting the essential protections in place. According to Gossels, a multipronged approach is critical.
This approach includes the use of data loss prevention (DLP) software, encryption, anti-malware systems, strong authentication methods and applying software patches as they become available. In addition, it includes training employees on how to spot increasingly sophisticated phishing and spear-phishing methods and other forms of social engineering.
The best approach is to adopt a comprehensive security framework based on ISO 27002 or COBIT. The former, for example, provides guidance on more than 135 controls in a dozen major areas.
Finally, Gossels says that these issues extend to human resources. At one company he consulted with, two high-level IT workers suddenly disappeared. Only afterward did the firm discover that they were Chinese moles who had been collecting data and trade secrets. Both lacked key documentation, but nobody had checked on it.
Many observers say that it's not a question of if a massive cyber-attack will occur; it's a question of when.
"The thing that the public and many business executives overlook is that we are living in the digital age,” Gossels says. “Our books and records reside in cyber-space, and transactions increasingly occur online. … The ability to take out key infrastructure would have a crippling effect on the economy and create lasting damage."