The real cyber threat
May 21st, 2013
09:05 AM ET

The real cyber threat

By Mark Sparkman, Special to CNN

Editor’s note: Mark Sparkman, a former senior officer with the CIA’s National Clandestine Service, is a senior international affairs analyst with the nonprofit, nonpartisan RAND Corporation.  The views expressed are his own.

The announcement by prosecutors that charges had been filed against suspected cyber thieves believed responsible for stealing $45 million in a matter of hours from ATM’s in two dozen countries should send a stark message to governments around the world – banks could be the most vulnerable front in cyber space.

Plenty of people have been warning us these days to worry about cyber attacks, but generally we have been worrying about the wrong things. Most “cyber Armageddon” scenarios focus on gaps in our physical infrastructure and even far-fetched scenarios such as infant incubators in hospitals being turned off. But major swathes of the United States have routinely gone without electricity and water for days following natural disasters. Soon enough, life gradually gets back to normal. Want real chaos? Destroy confidence in the banking system (or even a part of it), and just stand back and watch.

Since last fall, a series of Distributed Denial of Service (DDoS) attacks on financial institutions have temporarily denied customers access to their bank accounts, and U.S. officials have pointed an accusatory finger at Iran. Although the attacks were not devastating, U.S. officials are rightly weighing their response options. The fact is that the United States needs to gear up for the coming era of cyber threats – and start by ensuring its financial flank is not catastrophically compromised.

The banking system is built on trust. It’s slow to establish and fragile to keep. That trust must be fiercely protected. Consider some of the ways cyber attacks could quickly undermine our faith in the system. If you suspected that someone was going to steal $1,000 a month from your bank account, wouldn’t you shut it down, regardless of government guarantees on your deposits? If a regional bank discovered that 10 percent of its capital assets were being moved (or removed) every month through cyber manipulation, what would it do? If a national government knew that a hostile actor was manipulating bond prices, how might it respond – and what could that response do to the global bond market?

More from CNN: Why cyber attacks threaten our freedom

International commerce depends on billions of electronic transactions each week, ranging from simple bank transfers to complicated debt swaps. The system works only because of the faith people put into it. It is rooted in the trust built up over decades of successful transactions governed by national and international legal and accounting norms. But what if people start to see the banking system as vulnerable to manipulation by terrorist groups, crime syndicates, or countries waging semi-clandestine campaigns to undermine a rival’s economy?

For a decade or more, governments with advanced cyber capabilities and a decent knowledge of financial systems have presumably been able to alter, adjust, and amend financial data to suit their own ends. And many governments have had tempting incentives to do so, from recovering stolen funds to hindering terrorist groups or drug cartels. But so far, the incentives not to change banking data have overwhelmingly carried the day within  governments whenever this issue is broached. After all, no responsible, law-abiding government wants to set the precedent that “stealing” money – or even moving it around – is acceptable, no matter how pure their motives. The stability of international financial institutions and banks, and even of states themselves, is grounded in the belief that financial holdings and transactions are sacrosanct – not to be tampered with by any government for any reason. So governments have only frozen or confiscated funds within the confines of international sanctions, often U.N. mandates, or when a company, organization or individual has broken the law.

Government responses to assaults on banks have been restrained thus far because the cyber attacks haven’t been that severe. True, financial institutions have had to weather some DDoS attacks, in which their sites are flooded with huge volumes of data until they collapse. Such attacks can be disruptive and annoying, but most individuals, companies, and governments wake up the next morning with just as much money in their accounts as they did before the attack.

All bets are off, however, in a true offensive cyber attack. Protected data would be changed, manipulated, or destroyed, and depositors might never recover their assets. With the possibility of such an attack looming, governments should be making serious decisions about deterrence, defense, retaliation, and escalation.

That day could be closer than we think. Given the unsettling recent advances in DDoS attacks and the ever-growing scale and speed of international financial transactions, even these heretofore nuisance attacks may be crossing the threshold into outright assault on a nation’s financial infrastructure or economy. Blocking banks, businesses, and individuals from conducting transactions for even a few days could have a major economic impact.

In April, for example, Wells Fargo Bank was slammed by a sustained DDoS attack. To keep up their customers’ trust, Wells Fargo assured them publicly that their personal “information is safe.” But that may not always hold true. Companies, credit card issuers, and medical firms have regularly reported breaches of personal information – and while these have often been disconcerting and sometimes even unnerving, these information breaches or data spills have usually not significantly undermined the trust that individuals and companies place in institutions that failed to adequately protect their data. Why? Simply put, while customers may have fretted about having had their credit card data out in the open for a few days, they ultimately suffered no real losses.

An offensive cyber operation would be something else entirely. Such attacks aim to destroy or alter enough data to harm a target institution or national economy. The most worrisome attacks would involve adversaries deploying cyber weapons to prevent normal financial transactions from taking place. That would undermine companies’ abilities to conduct business and dilute the trust that underpins any stable economy.

A major cyber attack would require a response from the nation at the receiving end – and establish a new field of warfare. States will want to retaliate in ways that deter future would-be cyber attackers. Any nation or group that moves beyond financial espionage, messaging, or annoyance to actually electronically manipulate assets or markets must understand that it will be subject to retaliation that inflicts pain proportionate to the damage done. And if the attackers persist, target nations must be ready to escalate by returning fire at a rate and magnitude that will deter further attacks.

Adversaries cannot be allowed to destroy in a second the trust in our financial systems that has taken centuries to build.

Post by:
Topics: Cyber • Economy

Next entry »
soundoff (54 Responses)
  1. matslats

    The RAND corporation is pretty desperate to appear nonpartisan. But if there's no significant difference between left and right, nonpartisan just means they support the rich over the poor.
    What did the RAND corporation ever do for the poor?

    May 21, 2013 at 10:44 am | Reply
    • Zoglet

      periodically start wars in which the poor die and the rich profit?

      May 21, 2013 at 4:38 pm | Reply
    • Bitrat

      I had the same thought, but who knows what RAND is up to these days? It's a name right out of the cold war dark ages.....
      Perhaps they're right that protecting the banking system is most important, but where was the protection in 2008? Why haven't any of the SEC people that deleted prosecution records been indicted? Where was the protection for all those people who thought they were buying a house and ended up homeless? All that happened with "normal" banking procedures.......

      May 22, 2013 at 9:40 am | Reply
  2. matslats

    Can you imagine a more sinister career path than to move from the CIA to the RAND corporation? How can this piece be anything other than propaganda to scare the plebs into obedience? Now the pentagon has declared cyber attacks to be a form of 'real' warfare, the real Cyber threat is from false flag attacks.
    Ah yes, "War is the health of the state," the radical writer Randolph Bourne said.

    May 21, 2013 at 10:48 am | Reply
    • Orlando

      "False Flag Attacks"'re so stupid.

      May 22, 2013 at 2:26 am | Reply
      • Mike Mongo

        Actually, Matslats used the term correctly to indicate that it is our own government utilizing DDOS under the guise of Iran, etc. to scare the sheep, like you, into obedience...which I wholeheartedly agree is more of a real threat than Iran, given the latest in Benghazi, IRS, and DOJ effups. So go back under your rock. Peace.

        May 22, 2013 at 8:43 am |
      • Yakobi

        Before you complain about the M.I.C. on the internet, first patch that hole in your tinfoil hat.

        May 22, 2013 at 1:10 pm |
  3. Bnode

    Great. Now they can steal all our money, blame it on some resource rich "developing country and invade them for their stuff.
    Come on patriots. You need to go to war to defend cleptocracy, I mean democracy.

    May 21, 2013 at 1:54 pm | Reply
    • Bitrat

      Ha ha ha ha! Probably true.....maybe I should go back to keeping paper records of EVERY bank transaction? (sigh The wireless statement system was so convenient, and it saved paper....) Well, more recipts to pile in a box in the garage I guess ;*p

      May 22, 2013 at 9:42 am | Reply
    • Yakobi

      Gotta love the idiots who blame EVERYTHING on the people who try to keep real enemies at bay.

      May 22, 2013 at 1:13 pm | Reply
  4. Jerry

    We need to worry more about this new breed of criminal instead of all these Middle Eastern Muslim countries and these "terrorist" organizations over there. This is what those idiots in Washington need to be concerned with, not Russia or China! I guess that those stupid politicians in Washington are only concerned about getting more votes!

    May 21, 2013 at 3:30 pm | Reply
  5. Nerd

    The problem is that the people that know how to fix this stuff aren't being consulted.

    May 21, 2013 at 5:36 pm | Reply
    • Doodlebug2222

      That is generally because they think they are educated enough to know how to handle thing, and because they think IT is some how out to cheat them and are too expensive.

      I think another threat is to utility companies – their records, their operations, etc., the postal service and other services we take for granted and never give second thoughts too. Same with grocery stores and the companies that deliver to them.

      May 22, 2013 at 5:05 am | Reply
    • Mike Mongo

      That's because to fix it would mean moving from MS Windows to some other OS as our fundamental platforms, which no one has the guts to try and do...

      May 22, 2013 at 8:46 am | Reply
      • Bitrat

        Perhaps it's a little more complicated than that – the whole password – https – certificate system is getting a little long in the's not just an OS issue....look at how easy it's getting to hack passwords. Eventually the whole internet backbone has to be improved security wise IMHO.....

        May 22, 2013 at 9:45 am |
      • Bnode

        Mission critical systems do not run on Windows.
        We have Unix for that.

        May 22, 2013 at 4:42 pm |
    • Newton

      No single countermeasure or mitigation service is 100 % efficacious. It requires the entire international community to ACT – Achieve Cybersecurity Together. As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace. (Source: Counterterrorism and Cybersecurity: Total Information Awareness, Springer Science+Business Media, April 15, 2013)

      May 22, 2013 at 1:11 pm | Reply
  6. Samuel

    Banking is built on TRUST...? I trust that they will be held to an entirely different status than us. They will be too big to fail. They will not be punished for breaking the law and trust of American citizens. The will FULLY hold me accountable for mistakes, error or any rule or law breaking.

    It is not the banks that should be worried about cyber attacks. They have endless resources (provided by us) to take care of them selves. It is thier cyber-bullying of us...we should be worried about!

    May 21, 2013 at 6:07 pm | Reply
  7. Hasai

    "Protected data would be changed, manipulated, or destroyed, and depositors might never recover their assets."

    ....I do believe that the author might wish to research the concept of "backup tapes."

    May 21, 2013 at 6:43 pm | Reply
  8. Mm

    Bwaahahahaaaaa. Trust? Banks? Yeah sure. As soon as JP Morgan fires Dimon.

    May 21, 2013 at 7:45 pm | Reply
  9. Tom

    This is kind of ironic considering that banks and wall street practically destroyed the world economy all by themselves and no one has yet been prosecuted for that.

    May 21, 2013 at 8:49 pm | Reply
    • 100 % ETHIO

      No Law to prosecuted them. Some old Law is outdated and can not be compared with the new High-Tech systems. They knew it beforehand anyway.

      May 21, 2013 at 10:05 pm | Reply
  10. 100 % ETHIO

    Cyber bully is good for voiceless.
    Voiceless people are being bullied by mainstream media, all the time.
    Now, it is the voiceless turn. Buckle-up!

    May 21, 2013 at 10:00 pm | Reply
  11. Pale Horseman

    The real cyber threat is ignorance. The more unintelligent people become; the easier it is to use social engineering on them to hack them.

    Education will help ward off cyber attacks!

    May 21, 2013 at 10:01 pm | Reply
  12. Serge Storm

    Many companies offer DDoS protection, like 10Gbps packages. But its a shared pool of protection. Only a few offer real protection, companies like prolexic and gigenet.

    May 22, 2013 at 6:29 am | Reply
  13. thinkifyoucan

    This is one of those face to palm, no-kidding, predictable weaknesses. It was only recently when banks started enhancing their ATMs, at it wasn't driven by security – but it was to add features such as check scanning/envelope free deposits. The truth of the matter is the vast majority of ATM networks still use, or at least need to be low tech for several reasons. The computers inside the ATM are not running the latest quad-core i9 CPUs with 8 GBs of RAM. No, they are more likely using 13 year old 1.2 GHz dual core Celerons, or worse. They can't support the latest OS or malware protections, nor could they handle a strong firewall. All a hacker has to do is spoof being an ATM, send fake deposits, change a pin, then get the real money from the machines. Not that hard for someone who knows what they are doing. Our ATM networks still support dial-up because, even a gas-station outside NY City lacks the broad-band connection the PCI clearinghouse. Yet we are supposed to be surprised that banks are cyber-weaklings?

    May 22, 2013 at 6:32 am | Reply
    • Yakobi

      Or simply rip the ATM off of its foundation with a stolen pickup truck. That seems to be the thieves' preferred M.O. lately.

      May 22, 2013 at 2:47 pm | Reply
  14. William F. Slater III

    Destroy confidence in the banking system (or even a part of it), and just stand back and watch.

    After what happened in 2008 – 2011, I'd actually like to see confidence restored in the banking system.

    I don't think the author understands cyberwarfare very well.

    There are some useful articles, presentations and other resources at this link:

    May 22, 2013 at 6:34 am | Reply
  15. John

    Instead of DDoS attacks I would be a tad more worried about the data mining of all IP traffic yhat's being done around the world. The corporations and governments continue to collect more and more info that most are unaware is even being transmitted.
    Trouble with Sparkman and his ilk is that they just surf and regurgitated whatever they read. Speak to a network nerd and lean what is really in all those 1's and 0's being transmitted. You'd be surprised.

    May 22, 2013 at 7:10 am | Reply
  16. j. von hettlingen

    The cyber world is nowadays a stretch of shark infested waters. There's more risk that we be robbed by thieves online than attacked by terrorists.

    May 22, 2013 at 7:33 am | Reply
    • Yakobi

      I don't know about you, but given the choice, I'd rather have a little money stolen than be blown up.

      May 22, 2013 at 2:38 pm | Reply
  17. EVN

    Cyberattacks aren't needed to "destroy confidence" in the banking system. The "too big to fail" boys are doing that all by themselves.

    May 22, 2013 at 7:54 am | Reply
  18. rightospeak

    Rand Corp. is just one of many 'foundations" that the Big Money Trust owns and uses it to push their propaganda. The banks because of toxic assets and gambling are in trouble and strangely enough no crook has gone to jail for ripping people all over the globe. Now they will look for excuses to get your money. It is already happening. A sudden bill of $20 or $50 ( some friends told me ) shows up on your monthly statement for " maintenance fees" -if you do not run to the bank and tell them ; what ; they will keep on taking your money.
    This fear mongering is for a purpose just like 9/11 hoax.

    May 22, 2013 at 9:09 am | Reply
    • Yakobi

      You appeared almost sane until the statement about 9/11.
      There must have been a run on tinfoil hats recently.

      May 22, 2013 at 2:36 pm | Reply
  19. ricdesan

    "Want real chaos? Destroy confidence in the banking system (or even a part of it), and just stand back and watch."

    I find this statement hilarious. Anyone that isnt mind frakked by popular media has very little confidence and this clue already educates them to have NO CONFIDENCE in the banking system. When Cyprus decided to steal from depositors is when any faith remaining in the banking system was killed.

    Real estate, PM's and durable goods are the only valuable savings worth having. If you Havent minimized your banking profile I suggest you do so, because one thing is sure, when a bank holiday comes ... and it will. If you are not wise about your holdings you are going to learn about chaos real quick!!!!

    May 22, 2013 at 1:24 pm | Reply
  20. SamT

    That's why I keep an Excel spreadsheet of every transaction with a running balance. Sure, I could be making up all the numbers, but with an eight year track record, that's real data. In the event the shtf, I'll hopefully get my money...if it's worth anything by then.

    May 22, 2013 at 1:31 pm | Reply
  21. Ex muslim

    I wish I cud slit the throat of allah, muhemmed and every muslim in the world including zakaria. Cancerous religion and cerous followers. Islam is against humanity and must b killled

    May 22, 2013 at 3:49 pm | Reply
  22. sianclaire29

    This is truly scary stuff. The problem is that cyber criminals are always ten steps ahead of the government and industry. The government has only just cottoned on to the real scale of the threat, and they have a LOT of catching up to do. The cost of recovery from a cyber attack can be as much as $6000 per hour, and the annual cost of cyber crime is more than that caused by international terrorism (around $100 billion).

    May 23, 2013 at 10:20 am | Reply
  23. Cheap Alexander Mcqueen

    because you reel in all reference it's an outdoor little bit of logo or message, however, if you for some reason didn't detect who's this situation wouldn't be the best-considering with regards to videos. Cheap Alexander Mcqueen

    June 2, 2013 at 3:08 am | Reply
1 2

Post a comment


CNN welcomes a lively and courteous discussion as long as you follow the Rules of Conduct set forth in our Terms of Service. Comments are not pre-screened before they post. You agree that anything you post may be used, along with your name and profile picture, in accordance with our Privacy Policy and the license you have granted pursuant to our Terms of Service.

Next entry »