A Freedom of Information Act disclosure has provided total confirmation of our warnings over many years. Our financial system has been under attack. The Federal Reserve was forced to disclose more than 50 serious breaches in the past five years. Some of these may have been nation-state level espionage. Others were likely criminal activity. And this is just the tip of the iceberg because the 51 were “information disclosure” successes against the Washington-based Fed Board of Governors. There were many other breach attempts, numbering in the hundreds. And there have been many, many other attacks on commercial and investment banks, as well as attacks directed against the 12 regional banks of the Fed.
These attacks have not gone unnoticed. In fact, the SEC recently declared that cyber security was the biggest risk facing the financial system, as noted in a Reuters article from May 18th:
Cyber security is the biggest risk facing the financial system, the chair of the U.S. Securities and Exchange Commission (SEC) said on Tuesday, in one of the frankest assessments yet of the threat to Wall Street from digital attacks.
Banks around the world have been rattled by an $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, a member-owned industry cooperative that handles the bulk of cross-border payment instructions between banks.
The SEC, which regulates securities markets, has found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced, SEC Chair Mary Jo White told the Reuters Financial Regulation Summit in Washington D.C.
Despite all of this reality, the Federal Government’s cyber response is viewed as passive and weak by China and Russia, according to an article written today by our friend Bill Gertz. Here are excerpts:
BY: Bill Gertz
June 1, 2016 5:00 am
The Obama administration policy of avoiding assertive action against foreign hackers came under fire from Congress last week, and is raising concerns that the White House is failing to protect the country from large-scale cyber attacks.
Christopher Painter, the State Department’s coordinator for cyber security, defended the administration’s strategy for deterring massive data breaches, like China’s pilfering of sensitive personnel records on 22 million federal workers, known as “deterrence by denial” . . .
Instead, “deterrence by denial” refers to a defensive effort to protect information networks against an onslaught of increasingly sophisticated and innovative cyber intrusions in the hope that foreign data thieves will eventually give up trying—rather than any effort to actually deter such attacks before they occur.
The policy fits the overall Obama administration approach of limiting the use of assertive or offensive action against foes and doing as little as possible against those undermining U.S. interests. Instead, the administration uses only diplomatic and law enforcement means that have had little or no effect in deterring massive hacker attacks, primarily from China, along with those originating in Russia, Iran, and North Korea.
China’s cyber attacks continue unabated, despite an announced agreement last year in which Beijing promised to curb some cyber spying. Vice Adm. James D. Syring, head of the Pentagon’s Missile Defense Agency, revealed to Congress in April that Chinese military hackers are relentless, conducting cyber attacks on his agency’s networks “every day”. . .
China’s impunity remains the most serious result of the current failed policy. The administration in 2014 indicted a small group of Chinese military hackers with little or no prospect of ever prosecuting them. To date, there have been no sanctions imposed for China’s hack on the Office of Personnel Management. Obama was ready to sanction the Chinese government for the OPM attack in September, but backed off after a promise from Chinese leader Xi Jinping to curb government-backed cyber economic espionage—a promise that does not cover the Big Data intelligence gathering that took place in the OPM hack, and which is beginning to affect U.S. intelligence personnel.
Russia too has evaded sanctions for the cyber mapping of U.S. critical infrastructure networks, and for being linked to the first destructive cyber attack against a nation’s major infrastructure, an attack that targeted Ukraine. A sophisticated cyber strike temporarily shut down electrical power for more than 220,000 Ukrainians in December.
Iranian hackers, too, were indicted recently for hacking a waterway control network used to regulate a dam in upstate New York. A few North Korean officials were hit with meaningless sanctions for the Sony Pictures Entertainment hacking, but no real effort was made to punish Pyongyang.
In all these cases no significant cost was imposed, leading many to observe correctly that the current policy is not working.
A recent Pentagon report to Congress on cyber deterrence includes the phrase “deterrence by denial,” defined as efforts “to persuade adversaries that the United States can thwart malicious cyber activity, thereby reducing the incentive to conduct such activities.” It does not explain how thwarting attacks reduces the incentive to conduct further attacks.
In reality foreign government hackers are extremely sophisticated and conduct attacks relentlessly and through multiple channels and methods. Stopping one type of attack often drives innovative hackers to find new vulnerabilities and methods of attack.
The idea of deterring future attacks by denying current ones is like saying “we stopped your attack so don’t try it again.” The Pentagon report also says the United States seeks cyber “deterrence through cost imposition”—another questionable assertion as there has been no cost imposition on China despite at least two decades of large-scale cyber attacks . . .
“Make no mistake, we are not winning the fight in cyberspace,” McCain said. “Our adversaries view our response to malicious cyber activity as timid and ineffectual. Put simply, the problem is a lack of deterrence. The administration has not demonstrated to our adversaries that the consequences of continued cyber attacks against us outweigh the benefit. Until this happens, the attacks will continue, and our national security interests will suffer.”
Concerns about the weak cyber deterrence policy are bipartisan. “I’m concerned that there’s too much ambiguity in our current cyber deterrence policy which leaves our adversaries confused about what behavior in cyberspace the United States is willing to tolerate,” said Sen. Ben Cardin (D., Md.) at last week’s hearing.
BOTTOM LINE: This is a cyber-economic war and our current strategy appears to be failing. We desperately need a course correction.