by John DiMaria, BSI

I was disappointed that there was only a passing mention to cybersecurity at the recent State of the Union Address. As a matter of fact if you took a bite of your popcorn at the wrong time you missed it.

I realize the president's address was focused mainly on the economy, but the biggest threat to our economy today is the lack of preparedness to identify, mitigate, detect and ward off a major cybersecurity attack.

The President clearly states in Section I of the Executive order; Improving Critical Infrastructure Cybersecurity, released last February that “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats”

The right attack could cripple this nation and its infrastructure. We are reminded daily of the disasters that just affected the retail industry, what if that attack was targeted directly at the banking industry or even the stock exchange? Suppose you woke up one morning and found out that the NYSE or the reporting outlet’s computers had been hacked and false information had been reported over the last week or even just 24 hours? Not possible? Think again.

Just a couple of days ago (January 28, 2014) a story written by BankInfo Security noted a hacktivist group known as the European Cyber Army that it had waged targeted distributed-denial-of-service attacks against Bank of America and JPMorgan Chase. The author Tracy Kitten reported that “The European Cyber Army claims to have targeted the United States' two leading banking institutions without warning, according to a string of tweets the group posted Jan. 28. But the attackers suggest a target list may soon be released”. (Tracy Kitten, 2014)

In August of 2013 an outage of the Nasdaq stock exchange. Investigation showed that it had the incident had all the earmarks of the three waves of denial-of-service attacks that bedeviled U.S. financial institutions, including stock brokerages, since last September 2012. USA today reported that an Iranian hacking collective — Cyber Fighters of Izz ad-Din al-Qassam — claimed credit for orchestrating sophisticated attacks that have overwhelmed the expensive security systems U.S. banks have put into place to keep their online banking services up and secure. The story noted that Reuters reported the giant brokerage house “reported a system programming error that set incorrect price limits and selling algorithms affecting contracts for companies such as JPMorgan Chase & Co., Johnson & Johnson and Kellogg Co.,”. Prior that week there was a computer error that caused Goldman Sachs to sell options for a dollar (Byron Acohido, 2013)

Just April prior Syrian hackers claimed and AP hack that tilted the stock market by $136 billion. According to the Washington Post story, the official Twitter account of the Associated Press sent a tweet to its nearly 2 million followers that warned, "Breaking: Two Explosions in the White House and Barack Obama is injured," some of the people who received this tweet were apparently on or near the trading floor of the New York Stock Exchange.

The Dow began to nosedive and dropped about 150 points, from 14697.15 to 14548.58, before stabilizing, when news that the tweet had been erroneous began to spread. During those three minutes, the "fake tweet erased $136 billion in equity market value," according to Bloomberg News' Nikolaj Gammeltoft. ( MAX FISHER, 2013)

Cyberattacks are evolving at an incredible rate. James Lyne, Director of Technology Strategy at Sophos who focuses on upcoming technology and threat trends, in a recent interview with BankInfoSecurity noted that “cybercriminals are approaching their activities with a business-like mindset, streamlining the process of obtaining the malicious code they need and targeting who they want to hit with their exploits” he reported that that five or six years ago you'd see numbers like 6,000 pieces of malware a day and today, on average, they see 250,000 individual, new PC malicious codes every day. ( Jeffrey Roman, 2013)

I like hundreds of other professionals attended all five of the NIST Cybersecurity Workshops. We were there because we cared, because we believed in the message sent by the executive order, we applauded the effort and wanted to get involved to make a difference.

Not even a mention of cybersecurity reminding everyone that it still stands as one of the biggest threats and that the “The national and economic security of the United States still depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats”, was disappointing and concerning that this is just another “flavor of the month” that will die or get lost once the midterm elections are over this November.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own.

Bibliography

Jeffrey Roman. (2013, July 3). How Cyber-Attacks Are Evolving. p. 1.

MAX FISHER. (2013, April 23). Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism? p. 1.

Byron Acohido. (2013, August 22). Nasdaq outage resembles hacker attacks. p. 1.

Tracy Kitten. (2014, January 29). DDoS: New Attacks Against Banks. p. 1.