Could the U.S. Face 'Cyber Pearl Harbor'? Protecting Banks from Hacker Attacks
As U.S. financial institutions continue to be attacked, Defense Secretary Leon Panetta warns of a "cyber Pearl Harbor." Michael Leiter, former director of the National Counterterrorism Center, and Neustar, Inc.'s Rodney Joffe talk with Margaret Warner about why banks are vulnerable to disruptions, theft and destructive threats.
MARGARET WARNER: We turn to a new cyber campaign against American banking giants and growing worries about what they might foreshadow. It began late last month and continues to this day.
Two more U.S. banks are the latest targets in the spate of cyber-hits on American financial institutions. This week, Capital One and BB&T suffered disruptions on their websites, leaving customers without access to their accounts.
A group calling itself the Qassam Cyber Fighters claimed responsibility and said the attacks are retaliation for an anti-Muslim video. But some U.S. officials, like Connecticut Senator Joe Lieberman, blame the recent uptick of attacks on Iran and its elite security force.
He spoke last month on C-SPAN.
SEN. JOSEPH LIEBERMAN, I-Conn.: I think that this was done by Iran and the Quds Force, which has its own developing cyber-attack capacity, and I believe it was a response to the increasingly strong economic sanctions.
MARGARET WARNER: Also blamed on Iran, recent hits on Saudi Arabia's state oil company, Aramco and Qatar's natural gas producer, RasGas, that disabled 30,000 computers entirely.
And Defense Secretary Leon Panetta warned last week that the threat to America's vital infrastructure throughout is rising.
DEFENSE SECRETARY LEON PANETTA: The collective result of these kinds of attacks could be a cyber Pearl Harbor, an attack that would cause physical destruction and the loss of life.
MARGARET WARNER: Iran denied any role. But Panetta said the U.S. military stands ready to respond or even preempt destructive attacks.
In fact, it's been widely reported that the U.S. and Israel disrupted Iran's nuclear program with a computer virus called Stuxnet in 2010.
Meanwhile, big banks who've been hit are anxious about what may lie ahead. This was J.P. Morgan Chase's CEO, Jamie Dimon, last week, at the Council on Foreign Relations in Washington.
JAMIE DIMON, J.P. Morgan Chase: Computers in 10 years are going to be a 100,000 times faster. And so they will be able to do calculations quicker and get through quicker. And we're going to have to meet that in every way, shape or form.
MARGARET WARNER: For now, though, a cybersecurity bill sits stalled in the Senate, with little prospect of action this year.
For more, I'm joined by Michael Leiter, director of the NationalCounterterrorismCenter from 2008 to 2011.
And Rodney Joffe, senior vice president at Neustar, an information services company that provides cybersecurity for private and government clients. In 2009, he designed a scenario for a government exercise in how to defend against cyber attacks.
Welcome to you both to this important topic.
Michael Leiter, begin by describing what these hackers did that could temporarily disrupt these Web sites.
MICHAEL LEITER, former director of NationalCounterterrorismCenter: In this case, what they did was a disrupted denial of service attack.
And in layman's terms, all that means is taking computers away from those banks and then flooding effectively the Web sites of those banks, so normal customers in the bank can't actually communicate, transfer funds and the like.
MARGARET WARNER: And is there something that makes banks particularly vulnerable to cyber-hacking?
MICHAEL LEITER: Banks actually tend to be one of those industries that is prepared for cyber-hacking probably better than any other industry in the United States, but we see here that they are still susceptible.
And I think it's really two things. One, they represent American power, in the same way that the terrorist attack, the WorldTradeCenter on 9/11, they represented American economic power.
The second is again they are so reliant, increasingly so every day, on their websites for core aspects of the business.
You and I both check our accounts, transfer funds. And cyber-activists or cyber-hackers know that this is the case.
MARGARET WARNER: So what is the danger?
Well, first of all, Mr. Joffe, the banks have tried to defend themselves, yet they were really outgunned in this case. What does that tell you about the growing level of sophistication of these hackers?
RODNEY JOFFE, Neustar, Inc.: As Michael has said, the banks really are the best prepared. That's where the money is.
And so they have been working for many years. And as a sector, they're very well prepared. What is different about is that the people behind the attack, whoever that may be, were very, very knowledgeable about how the Internet works.
And so what they have able to do is on an almost day-by-day basis overcome the defenses and sort of take an extra step forward. And so even though there was warning -- in fact, almost all of the banks have had days or weeks of warning...
MARGARET WARNER: They announced, it, right?
RODNEY JOFFE: They announced it in a public post. Even though that was in place, it was very difficult for the banks to defend themselves.
MARGARET WARNER: So, what do you think is the danger of a more sophisticated, more broadly-based attack on the financial system that really could disrupt or disable significant portions of our financial network?
RODNEY JOFFE: So, there is a significant threat, not just against the financial sector.
But one of the problems is that there's a great teaching moment going on, so that not only people who are trying to attack the financial infrastructure, but trying to attack other parts of U.S. and, in fact, global critical infrastructure, are now learning about a mechanism that actually overcomes some of the barriers that have been in place from the beginning.
There's a fundamental issue with the protocols that actually makes this happen.
MARGARET WARNER: Is that the case as you see it, that with every attack they get better at it, whoever is doing this?
MICHAEL LEITER: They do get better. We get better at defending, but they're moving faster than we are in most cases.
We really see three types of threats. We see the disruption threat, and that's what we saw with these banks. We see all the time the theft threat, organizations and companies that have been penetrated and their proprietary information is stolen. And, finally, we see the most dangerous, the destructive threat.
And that's what we saw in the case of Aramco, the Saudi oil company.
MARGARET WARNER: Meaning they went in and actually were able to permanently destroy data.
MICHAEL LEITER: That's exactly right, and going in, penetrating those networks and erasing files, and in this case ending up with a burning U.S. flag in the place of the files that actually make the computers function.
MARGARET WARNER: Isn't there also a danger here, a threat of just having the American public lose confidence in the security of their money in a bank, let's say, and in doing business with banks online, I mean, that could be in and of itself destructive?
RODNEY JOFFE: So, in reality, that's probably the biggest challenge.
In the current attacks, there is some financial impact to the banks, but we don't have any evidence that we have seen so far of money being stolen.
But what will happen over time is that the public will begin to lose confidence. If you think about it as an individual, you have banking to do towards the end of the month. If you're unable to get into your bank account over a period of a day or two, you start to worry about the stability of the entire banking infrastructure, which is obviously a trust issue globally.
MARGARET WARNER: Right. Your mortgage payment is due, and you are not going to be able to have it paid.
RODNEY JOFFE: That's all you care about.
MARGARET WARNER: So, which of America's adversaries out there, Michael Leiter, have the technological know-how or on the verge of it of being able to mount a systemic attack? Is it countries like Russia, China, Iran? Is it criminal elements? Is it jihadis? Who?
MICHAEL LEITER: I will start with ones who are actually not that great, and that's terrorist groups.
Although they have some capability, they're not the strongest in this regard. The next is organized crime. And organized crime largely out of Russia has really incredible sophistication. And that then links to the state threats. And by far, the most able in that regard are China, which has been identified that has a serious national security policy of using cyberterrorism or cybertheft, and Russia.
The other issue we face is that those hackers are also being rented out by states and by others. So we have an alignment of interests here among some states and some organized criminals, which makes this threat that much more difficult to defeat.
MARGARET WARNER: And you didn't mention Iran.
MICHAEL LEITER: I didn't mention Iran, and I should have. So thank you.
The CEO of PNC Bank, one of those banks that was attacked over the past couple of weeks, blamed hackers in Iran for this most recent attack. And it's been widely, widely reported that the attacks did emanate from Iran. Whether the government was involved, it's hard to know.
MARGARET WARNER: And before we go, what more should be being done either by companies or by the government that isn't being done now to guard against this?
RODNEY JOFFE: So I think that one of the biggest problems is attribution, the struggle we're having now in terms of who's behind it.
It's important to know where it's coming from, because then you either provide diplomatic pressure to try and alleviate the attacks. What Michael said about the most dangerous groups, which is criminals and their nation state, the line is very blurred.
One of the biggest problems is we can't tell whether we're dealing with a nation state issue or a criminal issue, and most times they work together.
MICHAEL LEITER: None of this is going to be stopped by building firewalls.
We are going to have to produce a system that works between the government and the private sector and within industries which is agile, so people can identify these threats very, very rapidly, respond operationally, and reduce the threat. And we absolutely are going to have to protect proprietary information, which is being stolen in massive and historic amounts.
MARGARET WARNER: But that means that companies have to be willing to share the information.
RODNEY JOFFE: Really important, the sharing of information between companies and in the private sector and in the public sector critical.
MARGARET WARNER: And that's of course one of the big contentious issues on the Hill.
Well, Rodney Joffe and Michael Leiter, thank you.
RODNEY JOFFE: Thank you.
MICHAEL LEITER: Thank you.