Almost all reported that they were targeted in last year’s highly publicized “distributed denial of service attacks” (DDOS) — efforts to disrupt access to Web sites by barraging servers with computer traffic. The assaults, which are ongoing, made headlines in the fall when U.S. officials said they believed they were launched by the Iranian government in retaliation for sanctions imposed because of Tehran’s nuclear program.
The disclosures are significant in that for years, companies, including banks, have been loath even to acknowledge that they have been victims of such incidents.
But it appears that SEC guidance issued in October 2011 making clear that companies need to report significant computerized theft or disruption, combined with greater public attention to the issue, is forcing more disclosure. Also, the fact that the banks hit by the DDOS attacks have been named in media accounts has made ignoring them more difficult.
Fifth Third Bank in Cincinnati, for instance, disclosed it had endured a DDOS attack early last year. “We did it as a way to be transparent,” said Debra DeCourcy, a bank spokeswoman. “If there is something else positive that can be gained from that, it’s all the better.”
DDOS incidents do not involve penetrating networks, but the assaults that washed over the banking industry in the fall were of such force and duration that banks have spent millions of dollars shoring up their security, industry officials said. Some analysts estimate that the collective cost comes to hundreds of millions of dollars.
The disruptions also got the attention of the White House and the national security community, which have been trying to help the private sector better handle such incidents. President Obama recently signed an executive order aimed at helping companies in critical sectors shore up their network security. Improved sharing of threat data between the government and companies is considered crucial to that effort.
Such corporations as eBay, LinkedIn, Level 3 Communications, Chesapeake Energy and AT&T have admitted they suffered intrusions or disruptions last year. “It’s almost naive for most large companies in the critical infrastructure sector to say that they aren’t subject to attack,” said Paul Smocer, president of BITS, a financial services trade organization.
The stepped-up disclosure, he said, “brings greater awareness, greater diagnosis and a desire to find a stronger cure” for system vulnerabilities.
Even with the new openness, security experts say the real scale of companies affected by cybersecurity incidents is much larger.