THESE HAVE NOT been easy days for cybersecurity experts at some of the nation’s leading banks. A barrage of attacks on bank networks has intensified since September, clogging Web sites with traffic, slowing or crashing them. The banks have not lost data, but their online services have been interrupted.
The onslaughts are known as distributed-denial-of-service attacks, and the attackers have apparently reached a new level of skill and destructive power. Radware, a network security firm, reports that they are now harnessing powerful servers into destructive “botnets,” or chains of computers that have been infected by malware and ordered to swarm a target. The botnet technique has been around for a while, but the use of servers to generate the stream of pings gives the attackers unprecedented power.
According to a report by Ellen Nakashima in The Post, the banks have now turned to the National Security Agency (NSA) for help in protecting their systems. The super-secret electronic surveillance agency has been at the forefront of defending U.S. government networks from intrusion; its director, Gen. Keith Alexander, also serves as chief of U.S. Cyber Command. What’s happening now is something that Gen. Alexander and other cyberexperts have warned about for a long time: attacks aimed at the soft underbelly of American society, our wired but vulnerable private sector. Several news reports have identified the assault on U.S. banks as the work of Iran, perhaps in retaliation for Stuxnet, the computer worm designed to wreak havoc on Iran’s nuclear equipment that was apparently developed by the United States as part of a covert intelligence operation.
Out of concern for attacks on U.S. companies, Congress last year wrestled with legislation that would have allowed the NSA to share its sophisticated cybersecurity tools with the corporate sector. Sens. Joseph I. Lieberman (I-Conn.) and Susan Collins (R-Maine) championed a bill that would have eased the way for the government to enter company networks. But the legislation was opposed by the U.S. Chamber of Commerce, which warned of heavy-handed government regulation and bureaucracy, and it died.
Now, just months later, who’s knocking on the government’s door, demanding help? According to news reports, the attacks have stricken Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC and SunTrust. Perhaps they should tell the Chamber of Commerce a little about the experience. The business lobby’s approach to cybersecurity legislation was myopic last year. The chamber should face the reality that corporate America is seriously vulnerable to attack.
Congress would be well advised to focus early on this topic. The private sector remains unprepared for the kind of massive botnet assaults being aimed at the banks. The U.S. government can offer an important line of defense. Congress ought to lay down a foundation for this cooperation in new legislation, and without delay.