September was a bad month for some of the nation’s biggest banks, as their web servers were hit with a large-scale assault by well-armed cyber attackers. Bank of America, Citigroup, JPMorgan, PNC Financial Services Group, US Bancorp, and Wells Fargo – financial institutions with highly advanced cyber security – were all victims.
The perpetrators apparently were not interested in gaining access to accounts; rather, they wanted to disrupt service to customers by simply crashing the banks’ web sites. It is still unclear who exactly is responsible. According to the Los Angeles Times, an Islamist group called Izz al-Din al-Qassam Cyber Fighters has taken credit for the attacks. But Sen. Joseph Lieberman (I-Conn.) has accused the Iranian government of instigating the cyber strike, arguing that a single group was likely unable to pull off this type of attack alone.
In addition to the psychological blow of having some of our top financial institutions successfully attacked, there has also been real inconvenience for customers. The Business Courier of Cincinnati reports that 400 employees of Comair, a regional airline that banks with PNC, failed to receive their paychecks at the end of September because of the attacks.
The tactic used against the banks was a relatively common one, called a distributed denial of service (DDoS) attack. It works like this: The perpetrators link together numerous computers and then have this network send a large number of requests to a web site all at once, which overwhelms the site’s server and essentially shuts it down.
What was striking about these particular assaults, explains Network World, is that they were highly sophisticated, and the attackers knew how to get around the banks’ software meant to protect against DDoS attacks.
This is just the latest in a long line of high-visibility attacks unleashed on US firms, and no doubt it is fueling debate in Washington over how the nation can best protect itself in the ongoing cyber war. The Obama Administration and Congress have been wrangling for months over competing proposals that would spell out details of how the private sector and the federal government could share information about cyber attacks.
It is unlikely that the politicians will reach an agreement soon. But there is consensus among the nation’s leaders that our infrastructure – including power plants, water treatment facilities, and transportation systems – is vulnerable.
As for this specific string of attacks, there are at least two lessons to be learned: First, no amount of cyber security will completely shield a company. These banks have some of the most high-powered software and most expert personnel employed to protect their digital assets, and they still lost this cyber battle. So while those charged with protecting their firms from cyber attacks should be vigilant and stay updated on the latest developments, they should avoid feeling a false confidence that their security systems are impenetrable.
Second, because it is impossible to completely safeguard against attacks, companies need to have cyber liability insurance. Such coverage can compensate victims for losses stemming from a variety of causes. The banks avoided a nightmare scenario in which customers’ assets or personal information were stolen. But they did have an interruption in their business, which could potentially result in lost income. Cyber insurance can cover both of these situations, as well as many others.
(Many business owners and managers understand the need for cyber insurance, but do not fully understand it. An introduction to some of the issues surrounding such coverage can be found in an article titled “What is Cyber Insurance?”)
So, it makes sense to do everything reasonable to digitally protect your firm’s network, but you then need to acquire cyber insurance to kick in when your digital defense system fails.