2013 has distinguished itself as the most active year for cyber attacks ever. Throughout the world, nearly daily news reports have been filed detailing the results of incredibly effective cyber attacks ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape.
Among the numerous lessons drawn from this carnage is that cyber attacks have become an existential threat to many countries as the attacks – from financial services to power generation – threaten the fidelity and integrity of numerous industrial segments. As a result, regulators throughout the world are stepping in to try and drive meaningful action where they believe it is required. Normally these early efforts are the harbingers of future legislation and give birth to standard approaches and forums to debate the efficacy in approaches. Four noteworthy current efforts are as follows:
Effort #1: National Institute of Standards and Technology's Cyber security Framework (U.S.)
Effort #2: Office of the Superintendent of Financial Institutions (OSFI) Memorandum (Canada)
Effort #3: Office of the Comptroller of the Currency (OCC) Guidance (U.S.)
Effort #4: National Credit Union Administration (NCUA) Risk Alert (U.S.)
Each of these efforts has taken different approaches, however, they seem to have similar ethos. Let’s explore each in a little more depth:
National Institute of Standards and Technology’s (NIST) Cybersecurity Framework
In response to a Presidential directive, on October 22nd, the U.S. National Institute of Standards and Technology (NIST) released the latest version of its cyber security framework which aims to better secure U.S. companies and government agencies. The new draft goes into significantly greater detail than the previous version released August 28, which laid out higher level principles of the framework, including items referred to as “pillars.” The NIST outlined three central pillars to the new framework, which are designed to provide industry and government alike with common cyber security taxonomy, establish goals and intended targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders. The final framework will be announced in February 2014 and should be the driving force behind the way in which all U.S. Government-operated and U.S. Government-procured systems will be secured from cyber attacks going forward. Overall, this framework is seen as the seed that will spawn numerous industrial requirements throughout the U.S.
Office of the Superintendent of Financial Institutions (OFSI) DDoS Memorandum
Earlier this year, large Canadian-based banks were hit by cyber attacks whereby one or more hackers used a brute force "denial of service" attack to disable several bank websites and mobile applications. Attacks such as these were reminiscent of Operation Ababil, which began in September 2012 and focused on attacking the websites of large U.S.-based banks. Those attacks were similar to the Canadian attacks in that they slowed down website operations and caused many bank sites to be inoperative for a significant portion of their customers. Mindful of this very real threat and the need to manage risk, on October 28, 2013, the Office of the Superintendent of Financial Institutions (OSFI) released a memorandum to federally regulated Canadian financial institutions (FRFIs) discussing the measures that FRFIs should be taking to prevent, manage and remediate cyber attacks. The memorandum states that cyber security is growing in importance because: (i) FRFIs increasingly rely on technology; (ii) the financial sector is interconnected; and (iii) FRFIs play a critical role in the Canadian economy. As part of this memorandum, OSFI required all FRFIs to conduct a self-assessment of the risks and take actions against those risks. OSFI also will be reviewing the fidelity of the assessment and the corresponding risk mitigation steps.
Office of the Comptroller of the Currency Guidance
In December 2012, the Office of the Comptroller of the Currency (OCC) notified its member financial institutions that DDoS attacks are on the rise and that they expect their members to take steps to identify the risks associated with the attacks and to provide notification to the OCC and others if they are under attack. The guidance reads as follows:
“Recently, various sophisticated groups launched distributed denial of service (DDoS) attacks directed at national banks and federal savings associations (collectively, banks). Each of the groups had different objectives for conducting these attacks ranging from garnering public attention to diverting bank resources while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information. This alert provides a general description of the attacks, along with risk mitigation information and sources of related risk management guidance. The alert also reiterates the Office of the Comptroller of the Currency’s (OCC) expectations that banks should have risk management programs to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security, and other controls as appropriate in response to changing levels of risk.
The OCC expects banks that are victims of or adversely affected by a DDoS attack to report this information to law enforcement authorities and to notify their supervisory office. Additionally, banks should voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects critical information of the institution including customer account information, or damages, disables or otherwise affects critical systems of the bank.”
National Credit Union Administration Risk Alert
In February 2013, the National Credit Union Administration (NCUA) issued a Risk Alert to member credit union institutions on “Mitigating Distributed Denial-of-Service Attacks.” The alert included the following verbiage:
“The increasing frequency of cyber-terror attacks on depository institutions heightens the need for credit unions to maintain strong information security protocols. Recent incidents have included distributed denial-of-service (DDoS) attacks, which cause Internet-based service outages by overloading network bandwidth or system resources. DDoS attacks do not directly attempt to steal funds or sensitive personal information, but they may be coupled with such attempts to distract attention and/or disable alerting systems.”
Clearly the sense of urgency and ferocity of the attacks came through in the alerts and provided for an understanding that the issues were broader than the availability of financial systems.
No one can say for certain how all of this will play out; however, given the increased frequency, directed attacks, and effectiveness of the techniques, we can safely assume that regulators and government legislators will take heed from public calls-to-action and will continue to drive prescriptive steps for all relevant organizations to follow.