The cyberattack that temporarily paralyzed the American Express website last week highlighted the escalating frequency and brazenness of strikes aimed at global financial institutions. In the past six months, similar attacks hit JPMorgan Chase, Wells Fargo, and Bank of America, while another disabled computers at banks and television networks in South Korea. As predicted by Arthur W. Coviello at the Techonomy 2012 conference last November, the perpetrators of these attacks appear to be more focused on disruption than on fraud. The New York Times reports that a group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for the attacks on U.S. banks, although many experts agree that the group is a cover for Iran. Meanwhile, North Korea is seen as a likely culprit in the attacks on South Korea, with Kim Jong-un’s government openly declaring its agenda of cyber disruption against its southern neighbor.
While American Express claims to have found no evidence that customer data was compromised, the attack on their network illustrates the urgency of greater collaboration between government agencies and the corporate sector to protect against future, and potentially more harmful, attacks. Until recently, there has been little unanimity in how to respond to cyber threats. While the Obama administration has urged companies to be more transparent about security breaches, corporate advisers often take a contrary approach, tamping down disclosure of potentially embarrassing events. The administration’s aim has been to build consensus in the business community to support legislation that regulates how companies protect the country’s critical infrastructure.
The intensity of the attacks suspected of emanating from Iran may help build resolve for cooperative action. As Mr. Coviello warned in the cyberwar session at Techonomy, “If you’re going to unleash something like a Stuxnet on me, if you’re going to do something to me in cyberspace, I’m going to come after you with at least a proportional attack to disrupt you. And if I get even more sophisticated, I go to the next level, which is to destroy something.” The prospect of a catastrophic attack could galvanize business leaders to set aside their aversion to regulation and work with the government on a comprehensive plan for cyberdefense.