Unseen, all-out cyber war on the U.S. has begun

Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet

1 2 3 Page 2
Page 2 of 3

The private sector owns and operates the infrastructure and systems that form the backbone of the Internet, and attacks on that system could break down trust in the Internet, with major economic and operational impact, Papadopolous says.

"In the past six months, we've seen foreign attacks on oil and gas companies in the Middle East and on U.S. banks, including Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC, and SunTrust. How will we react if the next attack is against the electric grid, or our food and water supply?" he asks.

In recent months, cyber attacks have become much more sophisticated, says the Cyber Security Council's Martinez. In some cases, overseas attackers have taken over servers in the United States that they then used to launch secondary attacks, making it appear as if one U.S. company was attacking another.

"The good news is [security] teams in most Fortune 500 companies are able to detect this and reverse it, but this type of threat is going to be a very big problem for us over the next 12 months," Martinez says.

Another battleground in the cyber war is the software industry. Much as we saw with the APT attack against Adobe Systems' software last year and with the attacks using weaknesses in Oracle's client-side Java over the last several years, we can expect to see more attacks against trusted software providers such as antivirus vendors, says Pat Clawson, CEO of security products vendor Lumension. "The attackers want to get to the unparalleled access they have to their customers," he says. "Once the antivirus vendors' payloads are compromised, the devastation could be staggering." Such fears explain why the feds recently advised all Americans to disable the compromised Java in their browsers.

Such cyber attacks on U.S. companies and their overseas partners, as well as on the Internet infrastructure, could be as devastating as the 9/11 attacks on the World Trade Center and the Pentagon, warned Leon Panetta, the U.S. Secretary of Defense. And Janet Napolitano, the Secretary of Homeland Security, warned just last week that a cyber 9/11 attack could happen at any time.

Cyber attacks and counterattacks are escalating
With the digital homeland now a cyber battlefield, "the paradigm in the U.S. must shift from defense to offense -- within internationally appropriate rules of engagement, of course. But offense will be necessary because a pure defensive strategy is not sustainable," says the Cyber Security Council's Martinez.

The U.S./Israeli cyber attacks on Iran are an example of such an offensive. But they likely unleashed attacks on the digital homeland in response. "It is nearly impossible for us to really know cause and effect here, but there has definitely been an escalating pattern of attacks," Papadopoulos says.

The escalation of attacks against private-sector targets is extremely troubling, he says. "If the attacks keep escalating and happening with more frequency and against more private-sector companies, we are putting at risk the stability and security of cyber space."

Nations have been testing each other's armor for long time, more quietly than not, Lumension's Clawson. Knowing your opponents' weaknesses is an important part of any defensive strategy, he says. That drives some of the offensive actions. Stuxnet, for example, "is a heavy engineering exercise that crossed never-seen-before-boundaries ... malware that could do new things."

But such offensive tests can also help the governments attacked respond more effectively, Clawson says. "That massive engineering effort is now being reengineered against us." Martinez concurs: "In the case of Stuxnet, an offensive maneuver engendered an offensive cyber response." As another example, Clawson notes that the apparently Iranian attack on Saudi Aramco had elements of the allegedly Israeli/U.S. Flame in its architecture.

1 2 3 Page 2
Page 2 of 3
How to choose a low-code development platform