The denial of service attacks now afflicting American banks are widely attributed to Iran. They’ve grown so serious that US banks have asked the National Security Agency for help.
That has provoked the usual response from privacy advocates. Faced with a serious threat to the security of our online banking accounts, they are happy to tell us who we should really be worried about: “’The dual mission of the NSA, to promote security and to pursue surveillance, creates an intractable privacy problem,’ said Marc Rotenberg, executive director of the Electronic Privacy Information Center.”
I’m more interested in the actual, uh, attacker. Assuming it’s Iran, as I do, what do these attacks mean?
One thing is sure, they’re the opposite of the cyber Pearl Harbor everyone’s talked about. Unless Adm. Yamamoto called up the Navy on December 7, 1941, and said, “We’ll be attacking Pearl Harbor for an hour and then the Philippines for an hour, but only on Tuesdays, Wednesdays, and Thursdays.” Because that’s pretty much how the bank attacks are going – short duration, scheduled disruptions.
That raises a couple of questions. First, why would a country launch such a limited attack? It could be a demonstration designed to show capability without actually provoking a response — sort of like sending an aircraft carrier to a trouble spot but staying in international waters. Indeed, some of the details of these DDOS attacks do show surprising sophistication, and there’s no doubt the actual impact of the attacks could be greatly ramped up if the attacker wanted to. Second, if that’s the case, the best response would be to demonstrate that our defense can counter the attacker’s offense – sort of like surfacing an undetected submarine alongside the carrier.
So, how are we doing at showing our defensive strength? Not so good, I’m afraid. The attacks persist, and we don’t seem to have a simple way to nullify them. That’s pretty troubling from a security point of view, particularly if you believe as I do that denial of service attacks are the least dangerous form of cyberattack. If we can’t defend against scheduled, short-duration, denial of service attacks, our vulnerability to other attacks is even more worrisome.
Which brings me to a third point: If these are Iranian attacks, Iran is probably doing us a favor. It’s teaching us some important lessons, exposing the weakness of our defenses in dramatic form without actually destroying any infrastructure or causing serious harm. It’s also revealing the weird priorities of the privacy groups, which seem to hate parts of our government more than Iran’s, even when they’re faced with an actual Iranian attack. And it’s giving us a kind of live-fire exercise in which to practice our cyberdefenses until we find something that works. With enough time, maybe we’ll find a way to get our planes in the air, our ships out to sea, and our anti-aircraft guns unlimbered before a second wave of planes appears in the sky.