While most Americans were watching fireworks on July 4, hackers launched what would turn into a multi-day denial-of-service attack against U.S. websites. The Associated Press reported that the cyber attack knocked out the websites of several government agencies, including the U.S. Treasury, Secret Service, Transportation Department and the Federal Trade Commission. In addition, the attackers targeted the websites of the White House and the Pentagon, but neither was severely disrupted.
The attack later expanded to a number of other websites, including the New York Stock Exchange, NASDAQ and the Washington Post. South Korean websites were also added to the list, with many of the targets experiencing outages during the same time period. South Korean intelligence officials believe that North Korea initiated the attacks, and today U.S. officials confirmed that the IP addresses used in many of the attacks originated from North Korea. Officials have cautioned, however, that there is no evidence that the Pyongyang government was involved.
Recent troubles with the forthcoming system designed to protect the U.S. government’s networks, Einstein 3, indicate that relief is probably not on the way. As the Wall Street Journal reports, the next version of the Einstein system has some technical limitations and privacy concerns, according to current and former national-security officials. The current version of Einstein is just a massive intrusion detection system—it does not have any ability to actually prevent attacks. The next version will be more than just a passive warning system but as the WSJ noted, the next upgrade is at least 18 months away.
The length of the outage has concerned a number of experts. Ben Rushlo, director of Internet technologies at Keynote Systems, which publishes data about outages, said, “The fact that it lasted for so long and that it was so significant in its ability to bring the site down says something about the site’s ability to fend off (an attack) or about the severity of the attack.”
The current attack highlights many of the vulnerabilities that information security experts have been discussing for years, the need for more government attention to address online threats, and the increasing use of the Internet as a space for belligerence by foreign governments, terrorists, social activists and non-state actors. But we should refrain from the hysterical fear-mongering that too often follows this type of cyber security incident. Denial-of-service attacks are notoriously difficult to defend against and easy to launch. But this attack on public websites was not a threat to national security—no private information was lost, no critical infrastructure was rendered unavailable, and no national secrets were revealed. This is not to say that government action is not needed—it is. But as Congress works on crafting new legislation on cyber security, it should resist the impulse to move online security entirely into the realm of national security.
As noted earlier, even this attack, which by the timing suggests it is politically motivated, has targeted not just government systems but also private systems. And the attacks were not limited to just the United States. Both of these facts suggest that as Congress develops cyber security legislation it will be critical to emphasize strong partnerships with the private sector and effective international coordination to respond to online attacks.