These have not been easy days for cybersecurity experts at some of the nation's leading banks. A barrage of attacks on bank networks has intensified since September, clogging websites with traffic, slowing or crashing them. The banks have not lost data, but their online services have been interrupted.
The onslaughts are known as distributed-denial-of-service attacks, and the attackers have apparently reached a new level of skill and destructive power. Radware, a network security firm, reports that they are now harnessing powerful servers into destructive "botnets," or chains of computers that have been infected by malware and ordered to swarm a target. The botnet technique has been around for a while, but the use of servers to generate the stream of pings gives the attackers unprecedented power.
The banks have now turned to the National Security Agency (NSA) for help in protecting their systems. The supersecret electronic surveillance agency has been at the forefront of defending U.S. government networks from intrusion; its director, Gen. Keith Alexander, also serves as chief of U.S. Cyber Command.
What's happening now is something that Alexander and other cyberexperts have warned about for a long time: attacks aimed at the soft underbelly of American society, our wired but vulnerable private sector. Several news reports have identified the assault on U.S. banks as the work of Iran, perhaps in retaliation for Stuxnet, the computer worm designed to wreak havoc on Iran's nuclear equipment that was apparently developed by the United States as part of a covert intelligence operation.
Out of concern for attacks on U.S. companies, Congress last year wrestled with legislation that would have allowed the NSA to share its sophisticated cybersecurity tools with the corporate sector. Sens. Joseph Lieberman, I-Conn., and Susan Collins, R-Maine, championed a bill that would have eased the way for the government to enter company networks. But the legislation was opposed by the U.S. Chamber of Commerce, which warned of heavy-handed government regulation and bureaucracy, and it died.
The business lobby's approach to cybersecurity legislation was myopic last year. The chamber should face the reality that corporate America is seriously vulnerable to attack.
Congress would be well-advised to focus early on this topic.