Is Cyber War <i>Really</i> War?

  • Over the past year, banks have been bombarded with cyberattacks of all kinds: distributed denial of service, phishing, malware, and wire transfer fraud, to name a few. Who’s attacking the banks and why? What defensive tactics are banks getting better at, and what work has yet to be done? This special report looks at how the cyberthreat landscape has changed.

    October 7

DDoS attacks, ACH fraud, and account information theft are problems, but is it hyperbolic to talk about war — cyber war? Certainly any buzz term has some hyperbole baked into it. A close look at the nature of these threats and the responses they trigger is revealing.

Banks, like all businesses, compete for greater market share, you could call this the main strategic goal of most banks and financial institutions. It's a goal that demands more online and mobile presence along with more functionality. And, while no one can call the web "new" anymore, these ventures into cyberspace for banks are far from mature. New frontiers always draw established power centers as well as bandits, unscrupulous profiteers, and adventurers whose motives are not so easily defined.

So it should come as no surprise that along with reliable business partners and friendly governments, banks in cyber space meet not so friendly governments (some in league with ideologues), powerful criminals, petty thieves, politically motivated groups, and those whose sole motivation may be to act, "because they can."

Banks have been forced by their strategic mandate to adopt tactics to deal with the disruption that these actors can cause. So the terminology of war, using tactics to support a long term strategic goal, applies.

And there are weapons. Botnets powered by ever more sophisticated malware are the latest in an evolving arsenal of offensive weapons. Firewalls and anti-virus software are still useful defensive weapons, but banks are finding they need more. "Banks that think firewalls on premise are enough should look again," says Carlos Morales, vice president of global sales engineering and operations at Arbor Networks, Burlington, Mass. "We recommend a layered approach, something the bank can control on premise and additional protection service from an upstream security provider." There are many options here from your own ISPs to CDN vendors like Akamai and CloudFlare.

Bill Stewart, senior vice president at Booz Allen Hamilton and authority on banking cyber security, says banks will have to start thinking more like the military. "When I started in this (cyber security) business twenty five years ago, we built systems that could stand up against nation state attacks. They worked, but much of this technology is still not deployed in the private sector. It is possible to do it, and I think this will drive much of the investment in defensive technology. It is an arms race."

There are also multiple fronts, often determined by the motivation of the attacker. An emerging front may be the mobile space. While we haven't yet seen botnets of Galaxy S-4s and iPhones, president and CEO of FS-ISAC Bill Nelson says, "There are thousands of pieces of malware now available for mobile devices, particularly droids."

To be sure, there are still some like Mike Smith of Akamai who say, "I can't even say 'cyber attack' with a straight face. "You go after banks because that's where the money is," Smith says. Even so, Smith goes on to talk about the arms race in bank cyber security and the mobile front.

Finally, cyber war or technical nuisance, it is at least noteworthy that one of the keynote speakers at the Black Hat cyber security conference this year in Las Vegas was none other that General Keith Alexander, the director of the NSA.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER