Steptoe Cyberblog

Iran Targets US Banks, While Privacy Groups Target NSA

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

The wave of service disruptions to several major US financial institutions is widely attributed to Iran. These distributed denial of service attacks have grown so serious that US banks have asked the National Security Agency for help.

However, privacy advocates tell us who we should really be worried about: “‘The dual mission of the NSA, to promote security and to pursue surveillance, creates an intractable privacy problem,’ said Marc Rotenberg, executive director of the Electronic Privacy Information Center.”

I’m more focused on the actual attacker. Assuming it is Iran, as I do, what do these attacks mean? One thing is certain: they’re the opposite of the cyber Pearl Harbor everyone’s talked about. Unless Adm. Yamamoto called up the Navy on December 7, 1941, and said, “We’ll be attacking Pearl Harbor for an hour and then the Philippines for an hour, but only on Tuesdays, Wednesdays, and Thursdays.” Because that’s how the bank attacks are going – short-duration, scheduled disruptions.

That raises a few questions.  First, why would a country launch such a limited attack?  It could be a demonstration designed to show capability without actually provoking a response – sort of like sending an aircraft carrier to a trouble spot but staying in international waters.  Indeed, some of the details of these DDoS attacks do show surprising sophistication, and there’s no doubt the actual impact of the attacks could be greatly ramped up if the attacker wanted to. Second, if that’s the case, the best response would be to demonstrate that our defense can counter the attacker’s offense – sort of like surfacing an undetected submarine alongside the carrier.

Unfortunately, we are not doing so well at showing our defensive strength.  The attacks persist, and we can’t figure out a simple way to quash them.  That’s pretty troubling from a security point of view, particularly if you believe as I do that denial of service attacks are the least dangerous form of cyberattack.  If we can’t defend against scheduled, short-duration, denial of service attacks, our vulnerability to other attacks is even more worrisome.

Which brings me to my third point: If these are Iranian attacks, Iran is probably doing us a favor.  They are teaching us some important lessons, exposing the weakness of our defenses in dramatic form without actually destroying any infrastructure or causing serious harm.  It’s also revealing the weird priorities of the privacy groups, which seem to hate parts of our government more than Iran’s, even when they’re faced with an actual Iranian attack. And it’s giving us a kind of live-fire exercise in which to practice our cyberdefenses until we find something that works.  With enough time, maybe we’ll find a way to get our planes in the air, our ships out to sea, and our anti-aircraft guns unlimbered before a second wave of planes appears in the sky.