For several days, Bank of America’s systems had problems. The problems – primarily denial of service disruptions – hit their web site and reportedly their mobile banking services.
For BofA, the nation’s largest bank based on assets, this was not the first issue or attack they experienced in the past year. Nor in fact, was BofA the only U.S. financial institution that has been experiencing what appears to be a series of directed cyber attacks. JPMorgan Chase and Citigroup also are reported to have been struck by similar related aggressive cyber activities, beginning last year.
Early on in the latest event, sources believed the web service interruptions may have been caused by a group protesting the anti-Islam film Innocence of Muslims.
However, on Sept. 21, information began to circulate that the attacks had been traced to Iran. Senator Joseph Lieberman (ID-Conn), the head of the U.S. Senate Homeland Security Committee gave those reports greater credence when he said during a C-Span interview that he thinks the disruptions of the web sites of JPMorgan Chase and BofA were carried out by Iran.
Many cyber analysts believe these cyber attacks are clearly in retaliation for the widely publicized Stuxnet attack on Iran’s nuclear enrichment facilities. Another theory is that the recent attacks are in response to strong economic sanctions.
Are we returning cyber fire? Will we launch or have we launched retaliatory cyber strikes to their retaliatory strike? Two real possibilities and no one really knows for sure.
At the same time the cyber attacks were taking place, on Sept. 18 at the U.S. Cyber Command Inter-Agency Legal Conference, Harold Koh, a legal adviser for the State Department said, “Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.”
That has been interpreted to mean an act of war! He went on to present support for his statement referencing the application of international law and the application of that law could result in a nation take action in self-defense.
It is important to note that we have already experienced entities in the private sector returning cyber fire when they experienced an attack.
Now we have legal guidance about what level of cyber attack constitutes an act of war (result in death, injury, or significant destruction) and at the same time experiencing as strike, counter-strike cyber exchange. Where this will lead is anyone’s guess.
Kevin G. Coleman is a long-time security technology executive and former Chief Strategist at Netscape. He is Senior Fellow with the Technolytics Institute weekly blog for Breaking Gov on the topic of cyber intelligence.