The past few weeks have seen a series of cyber attacks against the U.S. government (including penetrating the CIA and US Senate websites); Gmail accounts for U.S. officials, Chinese activists and journalists; multiple defense contractors including Lockheed Martin; NASDAQ, the G-20, the IMF and Citibank. Attacks on U.S. networks have increased forty percent in the past year. British Defense Secretary Liam Fox said that these attacks were regular, in large number and had become a “matter of urgency.” Department of Commerce General Counsel Cameron Kerry said the “recent wave of cybersecurity attacks and breaches sounds an urgent wake-up call.” said Kerry.
U.S. Defense Secretary Robert Gates indicated that the U.S. was prepared to use force against cyber attacks that could be considered acts of war. While Gates indicated that it was not one country involved, focus has turned on China as a result.
The attacks are impacting US businesses. Google was one of approximately twenty U.S. companies believed to be targeted by a very sophisticated attack originated by China. The FBI also has identified $20 Million in attempted wire fraud in the last year alone in which banking credentials of small-to-medium sized U.S. businesses were compromised and used to initiate wire transfers to Chinese economic and trade companies. Google has gone public with the attack because it believes it was motivated by a desire to get gmail account information on human rights activists. Google’s move has been applauded, since as one expert put it “those who have been targeted by China have dealt with a certain level of persistence and seen these attacks take place over long periods of time, where all signs point back to China and it really feels like they’re not even trying to hide that it’s them anymore.”
This is by no means a problem limited to China, however, as Russian hackers have reversed-engineered Skype and posted the results on the Internet. In addition, the U.S. is not above playing cyber-offense, as there are reports that the Stuxnet worm that derailed Iran’s nuclear program was a covert U.S. initiative.
The Obama administration has responded to the growing threat with proposed cybersecurity legislation that would impose harsher penalties for cybercriminals and establish a national standard for data beach disclosures, while requiring the Department of Homeland Security to work with the private sector, to identify and address vulnerabilities for critical infrastructure.
After Citibank drew fire for its delay in reporting (and its under-reporting) its data breach, the Securities and Exchange Commission determined that public companies must disclose material attacks. In addition, data breach legislation has been introduced in both houses in response to the current wave of attacks.