At a press breakfast in Washington, Homeland Security Secretary Janet Napolitano warned reporters that assaults on the United States’ electronic infrastructure could have effects comparable to the hurricane that struck the East Coast just days ago. The threat of a Cyber Sandy aside, Napolitano also confirmed that hackers have stolen money or information from American banks, revealing breaches that go beyond recent episodes where hackers merely shut down financial institutions’ websites.
The cabinet secretary reportedly told Washington Post editor Mary Jordan that, “Right now, financial institutions are actively under attack. We know that. I’m not giving you any classified information.” Jordan asked if money or information is being stolen from banks. “Yes,” Napolitano said, before telling reporters, “I really don’t want to go into that per se… all I want to say is that there are active matters going on with financial institutions.”
Most recently, US officials blamed Iranian “hacktivists” for denial-of-service attacks—which overwhelm web servers with requests for access, shutting them down—that targeted major American banks including PNC, Bank of America and Chase. Similar tactics were used by American hackers to shut-down the New York Stock Exchange’s website, though not the operation of the exchange itself.
The allusion to on-going issues of outright theft, rather than knocking websites out of commission, is intriguing. While hackers have stolen money from bank accounts in the past, it’s usually as a result of social engineering—that is, someone figured out the password, persuaded the account owner to give it up, or had inside access. If there are recent attempts to exploit weak cyber-infrastructure to steal from banks on the same magnitude as the denial-of-service attacks, it would be quite a story. (Bank of America two weeks ago suffered a $400,000 theft from an account belonging to a city government, though how the money was stolen remains unclear.) But Napolitano is staying mum for now.
She didn’t hesitate to describe the consequences of future cyber attacks, however, warning that hackers could infiltrate control systems for utilities, water plants, public transit and, yes, finance. “If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities,” Napolitano said.
In the meantime, no major cybersecurity laws have been enacted in the US since 2002, which means that America’s cyber police are running on the legal and regulatory equivalent of a ten-year-old computer operating system. Senate Republicans blocked an internet security bill supported by the Obama administration, but the administration is planning to implement many of the key provisions unilaterally—if the president is re-elected.