By Steve Viuker
A dating website that helps married people cheat has been hit by hackers. Ashley Madison, which uses the advertising slogan, “Life is short. Have an affair,” said it had been attacked and some user data stolen.
Adult FriendFinder matches people for sexual encounters. The site claims to have “helped millions of people find traditional partners, swinger groups, threesomes and a variety of other alternative partners.” That site now has new friends and partners after being hacked.
A trend sure to make folks ill is the hacking of numerous health websites. And “Say It Ain’t So, Joe!!” – the St. Louis Cardinals have been accused of hacking files of the Houston Astros.
The above hacks might seem somewhat harmless, and perhaps even humorous. But although hacking has spread well beyond the breach of Target stores, finance is still at the top of the charts on the hacking hit parade. A report by the New York State Department of Financial Services in May 2014 found that most financial institutions had experienced “intrusions or attempted intrusions into their IT systems” in the previous three years.
PwC reports that there were 42.8 million cyber incidents around the world in 2014, a 48 percent increase over the previous year. The FBI estimates that over 500 million financial records were stolen in 2014, the vast majority by cyber means. Target reported that its 2013 data breach, in which the credit card data of 40 million people was stolen, cost the company almost $250 million. Estimates of the cost to payment card companies from fraud range from $240 million to $2.2 billion, per a report from the Center for Strategic and International Studies, “The Evolution of Cybersecurity Requirements for the U.S. Financial Industry.”
Hacking the Government
However, the April breach of the Office of Personnel Management (OPM) set off alarm bells and sent shockwaves across a broad spectrum of thought leaders. Though the attack on the OPM was originally estimated to have affected 4.2 million people, the final total was compromised personal data for possibly 21.5 million current, former and prospective government employees and contractors. Director of National Intelligence James Clapper suggested the intrusion was likely carried out by Chinese hackers. That charge was dismissed by Chinese officials.
“OPM was a wake-up call for corporate America,” said Paul Ferrillo of Weil, Gotshal & Manges. “OPM had signature-based intrusion detection hardware in place called Einstein 3. But Einstein 3 only works if there was a previous hack attempt that was recorded and thus placed into its alert systems. It appears the Chinese attack escaped Einstein 3 in the first instance. Hackers are too good for normal perimeter defenses. The United States needs to think hard and fast about big data analytical tools to detect network anomalies far earlier in the process so these large scale exfiltrations can be stopped and remediated earlier in the process. The seriousness of this attack cannot be underestimated.”
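The distinction Ferrillo draws, between a signature-based detector that only fires on indicators it has already been taught and an anomaly-based detector that compares activity against a host's own baseline, is easy to see in code. The example below is added here for illustration and is not from the article, from Einstein 3, or from any of the people quoted; the flow records, the "known bad" destination list and the threshold values are all constructed for the example. Both detectors run over the same outbound-connection records: the signature check catches only the destination already on its list, while the baseline check flags the large transfer to a never-before-seen address, which is the kind of bulk exfiltration the quote describes.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of outbound-connection records (not real traffic):
# (timestamp, source host, destination address, bytes sent).
SAMPLE_FLOWS = [
    ("2015-04-01T09:00", "hr-db-01", "203.0.113.10", 1_200),
    ("2015-04-01T09:05", "hr-db-01", "203.0.113.10", 1_050),
    ("2015-04-01T09:10", "hr-db-01", "203.0.113.11", 1_400),
    ("2015-04-01T09:15", "hr-db-01", "203.0.113.10", 1_100),
    ("2015-04-01T09:20", "hr-db-01", "198.51.100.77", 1_300),    # matches a known indicator
    ("2015-04-01T09:25", "hr-db-01", "192.0.2.99", 48_000_000),  # novel destination, bulk transfer
]

# Hypothetical signature list: destinations recorded from earlier incidents.
KNOWN_BAD_DESTINATIONS = {"198.51.100.77"}


def signature_alerts(flows, signatures=KNOWN_BAD_DESTINATIONS):
    """Signature-based detection: alert only when a flow's destination is
    already on the indicator list. Anything not previously recorded is missed."""
    return [flow for flow in flows if flow[2] in signatures]


def anomaly_alerts(flows, window=4, factor=10.0):
    """Baseline-based detection: for each host, compare a flow's byte count with
    the mean of that host's previous `window` flows and alert when it exceeds
    `factor` times that mean. No prior knowledge of the destination is needed."""
    history = defaultdict(list)
    alerts = []
    for ts, host, dst, nbytes in flows:
        past = history[host][-window:]
        # Only judge once a baseline exists; the first `window` flows train it.
        if len(past) >= window and nbytes > factor * mean(past):
            alerts.append((ts, host, dst, nbytes))
        history[host].append(nbytes)
    return alerts


def compare_detectors(flows):
    """Return the destinations each detector flags so the gap between the
    two approaches is visible side by side."""
    return {
        "signature": [f[2] for f in signature_alerts(flows)],
        "anomaly": [f[2] for f in anomaly_alerts(flows)],
    }


if __name__ == "__main__":
    for name, hits in compare_detectors(SAMPLE_FLOWS).items():
        print(f"{name:>9}: {hits}")
```

The volume baseline is deliberately crude (a fixed window and a fixed multiplier); a production system would baseline per host, per destination and per time of day, and would combine volume with other signals such as first-seen destinations. The point of the example is the structural one from the quote: a detector that depends on a recorded prior attempt cannot see a novel one, whereas a detector that models normal behaviour can.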
According to a report in the Wall Street Journal, Donna Seymour, CIO of the U.S. Office of Personnel Management, faces a lawsuit. “We are going to see more CIOs taking the fall and ultimately being named in lawsuits,” Matthew Karlyn, a partner at Foley & Lardner LLP told the WSJ. A group led by the AFGE union sued OPM director Katherine Archuleta and Seymour. The suit accuses them of negligence and privacy violations. Archuleta eventually did resign.
Jim Noble, faculty member for New York Institute of Finance and co-founder of TAC-Int and former CIO for Merrill Lynch and BP, explained that “the problem with threat intelligence-based systems is the ‘zero day’ attack using techniques that have never been seen before. That is really quite rare, and almost always state sponsored. In that event, it is really not at all difficult to encrypt sensitive data, such as the data stored in the OPM system.”
At a breakfast sponsored by the Long Island Business News, Rep. Steve Israel, who serves on the Defense Subcommittee, said that “everyone in Washington knows that the likelihood of a cyberattack on our critical infrastructure is massive. There has been a 680 percent increase regarding attacks on federal systems since 2010. Recently, the House of Representatives passed the Protecting Cyber Networks Act. This will facilitate the sharing of information between private entities and the federal government.”
Said Rep. Lee Zeldin, who serves on the Subcommittee on Terrorism, Nonproliferation and Trade, “There are legitimate liability issues and it is important that we protect the liability concerns of companies that want to share information.” Melinda McLellan, counsel at BakerHostetler’s New York office, agrees with Zeldin. “I think there is reasonable concern that certain cybersecurity proposals could give companies immunity regarding sharing data with the government. There is also a proposal for a breach notification law at the federal level in an attempt to harmonize the various laws in the states. Most companies will share information with the government if required to.”
In March of this year, Davis Polk partner and former FTC Chairman Jon Leibowitz testified at a hearing before the House of Representatives Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade regarding the Data Security and Breach Notification Act of 2015. Leibowitz serves as co-chair of the 21st Century Privacy Coalition, which represents the nation’s leading communications providers to advocate for modernizing U.S. privacy and data security laws. They came out in support of a single federal law.
“We believe that national data security legislation should also preempt state common law,” said Leibowitz. “Once Congress enacts robust national data security requirements, companies’ focus should be on compliance with these requirements. The uniform national framework that is the objective of this legislation would be undermined if class actions can still be brought pursuant to state law. The result would be a continuation of the patchwork of state requirements that provide inconsistent protections for consumers across the United States.” One aspect of the bill says that every company must have adequate data security.
The Biggest International Threats
Babak Pasdar, president and CEO of Bat Blue Networks, told Banking New York that “one of the objectives of ISIS and other terror groups is to embarrass nations. They have cyber armies that leverage social media and realize the importance of being able to wage a cyber war. They don’t have the advanced capabilities at present, but it is only a matter of time before they develop them. The Internet is the great equalizer.”
Also at the LIBN breakfast, Israel said “there are two countries in the world that are capable of inflicting massive damage on the United States via a cyberattack: China and Russia. They are doing industrial espionage, not because they want to destroy the United States, but as a tool and tactic. The bad news is there are two countries that have the will to use a cyberattack to destroy the United States: Iran and North Korea. They have the will, but not the way, but eventually will have both.”
“China poses the greatest threat to the United States,” said Pasdar. “They are the most resourceful and have the most to gain. And they are effective since they have been doing this longer than any other country, including the United States. The Chinese don’t always do damage. They also collect data and intelligence. And the idea that there is a ‘lone wolf’ hacker in a dingy apartment drinking energy drinks isn’t true. It is more on the level of an ‘Ocean’s 12’ scenario.”
Ken Citarella, senior managing director of investigations at Guidepost Solutions LLC, said an organization “must understand two things: what their network is and how it operates. Data exists in layers of importance. Third-party vendors create risk as we share the digital highway with them. When a vendor supplies services they might be the equivalent of a driver who appears to be okay and unexpectedly becomes a risk.”
In the Aftermath
And reputation is vital. After a breach, is your firm or bank still trustworthy? Explained Jason Maloni, senior vice president and chair of the litigation practice at Levick: “Many times it is perception versus reality. The perception is that your competition is an option; the reality is there is a universal risk. No matter how many breaches we read about, it always happens to someone for the first time. A good entity appreciates and shares the sensitivity to that.”
Maloni explained that Target compounded the damage of its breach because it didn’t have a handle on the facts, and the number of customer accounts that were breached kept changing. “The three questions are: ‘What happened; What are you doing for me; Am I still at risk?’ If you’re a retailer, you can’t announce a breach until you can say it was fixed.”
“The high-profile breaches that wipe out data are mostly done by rookies,” Pasdar said. “The more sophisticated organizations want sustained access and data. In addition, there are third-party entities going out on what is known as the darker net and buying vulnerabilities and then selling them for millions of dollars to various governments. Terror groups are bidding for these just as the United States is.”
Said consultant Bob Bigman, a featured speaker at a recent Billington Cybersecurity Summit: “Companies talk about cyber issues and they read more and go to conferences, but I don’t see them changing their network configurations or making their systems attack-proof. The government asking for cooperation doesn’t faze the hackers. That’s just a feel-good solution.”
Politics as Usual
And even cybersecurity gets caught in the web of politics. Despite pressure from the Financial Services Roundtable (FSR), the American Bankers Association (ABA) and the Securities Industry and Financial Markets Association (SIFMA), attempts to pass the Cybersecurity Information Sharing Act (CISA) stalled after lawmakers could not strike a deal on amendments.
Republican Sen. John McCain accused Democrats of intentionally “putting this nation in danger by not allowing the Senate of the United States to act against a very real threat to our very existence.” Retiring Nevada Sen. Harry Reid said that if Republicans were so concerned about the urgency, they shouldn’t have put cybersecurity on the back burner “while they tried to defund Planned Parenthood.”
Dave Oxner, managing director of federal government relations at SIFMA, told Banking New York: “We continue to believe that this bipartisan information sharing legislation is a critical piece of the effort to help the financial services industry better protect its systems and data as well as the privacy of its customers. We are encouraged by the Senate’s recent agreement on a process to complete consideration of CISA in the fall and would urge an expedited conference between the House and Senate to send a bill to the president.”