Iran has reportedly launched a series of attacks on US banks, raising dire implications not just for geopolitics, but also for cloud security.
Since the fall, a series of major US banks -- including Bank of America, J.P. Morgan Chase, and Citigroup -- have seen their websites stumble and falter as a result of massive DDoS (distributed denial of service) attacks.
Today, the New York Times is reporting that unnamed "government officials" are saying the attacks are the work of Iran, "most likely in retaliation for economic sanctions and online attacks by the United States." A former official, and security expert, James A. Lewis, has said there is "no doubt within the U.S. government that Iran is behind these attacks."
One reason not to suspect activity by an organized and powerful cybercriminal operation is that nothing was stolen, and no credit card information was compromised. The objective of the breach seems to have been to cause disruption.
At this point, you might be tempted to breathe a sigh of relief. At least Iran is hammering high-street banks rather than the power grid or transit systems. But the bad news is that these attacks seem to have exposed the vulnerability of cloud computing for the first time.
Security researchers reported last October that these attacks were originating from hacked datacenters rather than from giant botnets. Using the cloud, the intruders were able to generate quantities of traffic described as "overwhelming." The new information is that the datacenters were hacked, not by savvy thieves, but by a potential enemy.
The implications should be obvious to everyone, although perhaps not to the group of US Senators which has been blocking cybersecurity legislation designed to protect the national infrastructure.
- First, we can foresee botnets being superseded by malicious "cloudnets."
- Second, assuming major banks are not migrating key functions to cowboy cloud suppliers, reputable cloud vendors are indeed vulnerable to breaches.
- Third, if a potential enemy can disrupt the banking system via the cloud, then there are other things they can disrupt too.
What do we take away from this? Politically, it undermines the argument that the private sector can be trusted to maintain cybersecurity -- specifically relating to the national infrastructure -- without oversight. At an enterprise level, it's yet another reminder that cloud security isn't just something to chat about: It's a live issue.
Last month, I wrote a blog called Waiting for Shoes to Drop: The Year in Security. In response to my blog, David Silversmith pointed out that just because we hadn't heard the shoe drop, didn't mean anything. He was right. The shoe just dropped, and it made quite a thud.
— Kim Davis, Community Editor, Internet Evolution