Steven J. Ross, CISA, CISSP, MBCP
Serious cyberattacks have been in the news quite a lot recently.[1] Large organizations in the United States, including Lockheed,[2] Google,[3] Citigroup[4] and the International Monetary Fund,[5] have all reported successful attempts perpetrated against them. Particularly discomforting was the attack on EMC Corp.’s RSA division, which was, in effect, a meta-attack in that what the hackers were reported to have stolen was security information related to the SecurID access control tokens used by millions of individuals around the world.[6]
By all indications, these are not examples of hacking, at least not as the term has been used for many years. The reported attacks were not attempted by mischievous teenagers seeking to create random damage just to show that they could do it. These were deliberate attacks with intent to cause some sort of harm. In some cases the motivation seems to have been monetary. In others, groups or individuals that are somehow aggrieved seem to have been seeking to exact revenge. Still others are said to be geopolitical in nature. There have even been incidents in which open military conflict was said to have included cyberwarfare.[7]
Allegations have also been made that cyberattacks were used as instruments of policy by one nation against another. The nation of Estonia was victimized so greatly that it found itself losing “the first war in cyberspace,” described in The New York Times as “close to shutting down the country’s digital infrastructure, clogging the web sites of the president, the prime minister, Parliament and other government agencies, staggering Estonia’s biggest bank and overwhelming the sites of several daily newspapers.”[8] The so-called Stuxnet worm was evidently aimed at Iran’s nuclear program; “computer security specialists who have examined it were almost certain it had been created by a government and is a prime example of clandestine digital warfare.”[9]
In reading about these numerous examples of cyberwarfare in our times, I was struck by something I did not read. In many cases social networking services have been instrumental in what has become known as the Arab Spring, a wave of rebellions and outright revolutions across North Africa and the Middle East. For example, a Google executive in Egypt, Wael Ghonim, “was a quiet force behind the YouTube and Facebook campaigns that galvanized Egyptian protesters in January 2011”; when he was arrested during the uprising, “hundreds of Egyptians took to Twitter and the Internet, calling on him to become one of their new leaders.”[10] It is, therefore, fair to say that many of those involved in the Egyptian events and those in other countries were computer-savvy. But there have been no reports, of which I am aware, of cyberattacks on ruling governments (or rebels, for that matter). This startling omission leads to a train of possible conclusions that I find very disturbing, namely:
I said that the train of conclusions in this article was disturbing. It is particularly disturbing to realize that the last stop on that train is me and many people I know.
Endnotes
[1] This was written in June 2011. I’m certain there will be many more such reports by the time this is read.
[2] Drew, Christopher; “Stolen Data Is Tracked to Hacking at Lockheed,” The New York Times (NYT), 2 June 2011. The New York Times is often referred to as the US paper of record. Accordingly, where there is no primary source, I quote the Times. For this reason, there is a bit of an American perspective to the incidents cited, but it is also clear that this is not solely an American problem.
[3] Markoff, John; David Barboza; “F.B.I. to Investigate Gmail Attacks Said to Come From China,” NYT, 2 June 2011
[4] Citigroup, “Updated Information on Recent Compromise to Citi Account Online for Our Customers,” www.citi.com/citi/press/2011/110610c.htm
[5] Sanger, David E.; John Markoff; “I.M.F. Reports Cyberattack Led to ‘Very Major Breach’,” NYT, 11 June 2011
[6] RSA, “Open Letter to RSA SecurID Customers,” www.rsa.com/node.aspx?id=3891
[7] Markoff, John; “Georgia Takes a Beating in the Cyberwar With Russia,” NYT, 11 August 2008
[8] Landler, Mark; John Markoff; “Digital Fears Emerge After Data Siege in Estonia,” NYT, 9 May 2007
[9] Markoff, John; “A Silent Attack, but Not a Subtle One,” NYT, 26 September 2010
[10] “Wael Ghonim,” Times Topics, NYT, 8 February 2011
[11] And, if you have not read his works, I am certainly not going to give away anything here.
[12] Sanger, David; Elisabeth Bumiller; “Pentagon to Consider Cyberattacks Acts of War,” NYT, 31 May 2011
As ever, I invite readers to send me e-mails at email@example.com with any comments or questions on this column. There is also a comments tab on the Journal article pages of the ISACA web site (www.isaca.org/journal) where readers may enter comments. I promise to check this area regularly and respond to both sources of dialog with Journal readers.
Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at firstname.lastname@example.org.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.