Last week's blog posting "Offshore and Cyber Security" rang true as cyber security and financial security were rudely awakened by word of what was being dubbed the largest security breach in history. This incident began over a year ago, but federal authorities and bank officials were able to keep this under wraps until Thursday, October 9th. The data breach at the World Bank (WB) was discovered in mid-2007. After receiving a tip from the FBI, the World Bank moved quickly to investigate. This investigation continues today and, like the vast majority of cyber events I have been involved with, it is highly dynamic and there is a great deal of contradictory information.
Here is what we know at this point. There were cyber security events at World Bank. I discussed the event with Carl Hanlon of World Bank and he stated that many of the news stories are fraught with errors and called some of the reporting outright irresponsible. Our discussion went on and he said, "Like other public and private institutions, the World Bank has repeatedly experienced cyber attacks." He emphatically stated that "At no point have we uncovered evidence the cyber attackers accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."
World Bank issued the following statement:
"The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context."
My conversation with Mr. Hanlon repeated one I had just this past week at a U.S. StratCom meeting:
"We do not have the context framework necessary to intelligently discuss cyber attacks. We do not have a standard definition of what actually constitutes a breach, a cyber attack or an act of cyber war."
I have called for such a cyber attack framework and cyber warfare doctrine for some time now and this is clearly evidence that we need it now.
I also contacted Satyam (a company alleged to be involved with the attack) and this is what they sent me via email:
"There have been reports in a section of the press allegedly linking Satyam to possible security breaches at the World Bank (WB). These accounts are based on a single speculative story that appeared on Friday evening IST, in the US. Satyam is unaware of any facts that substantiate this allegation. ... Satyam takes this matter very seriously. We hold ourselves to the highest standards in the industry, and we take extraordinary care to develop secure networks and IT infrastructure for all our clients."
I posed the following question to Satyam: Was anyone associated with Satyam fired, asked to resign or put on leave pending an investigation of the security events that did occur at World Bank? Here is what I got as a reply: "As a matter of policy, Satyam does not comment on individual client contracts."
As with every other security breach, it takes a long time to determine what the implications are and what the true impact is for a cyber event like this. In a piece by Fox News, they have a quote stating "They had the keys to every room at the bank. And we can't say whether they still do or don't until we fully and openly address what's happening here."
While the email seems to support that statement, it is still not known how much information was compromised or stolen.
Satyam is a global business and information technology company that provides consulting, systems integration, and outsourcing solutions to clients in over 20 industries. Satyam Computer is publicly traded under the symbol SAY on the ADR and NYSE, their site says. As such, they need to formally address the allegations of information espionage because it could have a material impact on the company's performance and stock price. While they have stated that "the story has no validity," they seem to be just quoting/referring over and over to the World Bank's statement.
Were any of their employees/contractors involved or not, and if so, to what extent? Oddly enough, a five-year contract with the World Bank and Satyam lapsed in September. Failure to get in front of these allegations with a full disclosure could expose the company to shareholder litigation and possible investigation by other authorities including the Securities and Exchange Commission. Note: After being up by 1.29% at the market close on Friday, after hours saw the stock drop by 6.45% to 11.50.
The only thing for sure is that we will not know the extent of the information espionage, if any, and who was behind it. While I would have loved to point to the articles and say "See, I told you so," it would be totally irresponsible of me. These digital forensics and cyber attack DNA analyses are very complex undertakings and take years, not hours, days or months. Could new evidence be uncovered in the future that causes both of these organizations to change their current statements? Yes.
What bothers me is this. During these investigations, it is critical that all information that is going to be made public be vetted and approved by all the authorities involved, so as not to compromise the investigation. An ill-timed leak can compromise an investigation and derail the efforts to bring the cyber attackers to justice. There are at least two lessons to be learned from all of this. The first is that communication, internally and externally, must be carefully controlled and prudently crafted before release. So, free advice to everyone who may experience a data breach: here is what to say if the media calls you about a breach:
We are aware of the claims of a security breach and take them very seriously. We are actively investigating and the situation is quite fluid. At this point we will neither confirm nor deny anything in regard to this matter. We are working with authorities and, as facts are uncovered and cleared for release to the public so that they do not compromise the ongoing investigation, we will provide that information to you.
The second lesson is that handling a security breach or any event involving information espionage requires a significant amount of coordination and security intelligence. Organizations would be well advised to plan for this coordination and obtain sources for security intelligence.
On a more philosophical note: how despicable this act was -- attacking an organization like the World Bank that does nothing but good. This comes close to rivaling the nasty hacking of web sites that contained information about photosensitive epilepsy and implanting swirling, flashing images in an effort to trigger epileptic seizures. Clearly nothing is beyond the reach of cyber attackers and they will attack whomever and wherever they like. It is past the time for industry to stand up to this threat. Now governments around the world as well as the United Nations (UN) must address the global threat of cyber terrorism, cyber crime and cyber warfare.