Fallout coming from JPMorgan hack attack

The large-scale hacking attack against Wall Street this summer was more significant than the public realizes, analysts say.

But beyond that, it’s not clear whether the large-scale breach of cybersecurity at JPMorgan Chase and other financial institutions in August exposed a weakness in the country’s national defense and whether it was an attempted theft or an act of something else. The company’s quarterly earnings report being released Tuesday may shed more light on the attack.

Following JPMorgan’s disclosure in August that the contact information for 76 million households and about seven million small businesses had been compromised, the Obama administration began receiving updates about the hacking event with its other national security briefings.

Yet national security officials still are not able to say definitively whether the attacks were launched by the Russian government in retaliation for economic sanctions over Ukraine or were part of a normal attempt at financial theft.

The uncertainty shrouding a breach at the biggest U.S. bank, with some of the best security available, has raised worries among lawmakers and analysts.

“This hack has some national security officials worried because it raises questions about what other systems might be vulnerable and because of concerns that it might be part of a broader strategy by Russia,” said Matthew Waxman, a professor at Columbia Law School and a cybersecurity expert for the Council on Foreign Relations.

At an event in Washington on Friday, JPMorgan CEO Jamie Dimon said the company would probably double its cybersecurity spending from its current $250 million annually.

“We need help and [need to continue] working together with the government… The government knows more than we do,” he said, according to the Wall Street Journal.

A spokesman for the bank said Dimon was referring not to any particular policy or item of legislation, but to the government’s ability to identify threats across companies and industries. But lawmakers such as Sen. Angus King, I-Maine, have used the event to call for passage of the Cybersecurity Information Sharing Act, passed by the Senate Intelligence Committee in July.

Jasper Graham, a former National Security Agency official and now the senior vice president of cyber technologies and analytics at cybersecurity firm Darktrace, said the public might have underestimated the danger involved in the breaches.

“I don’t think people should dismiss the attacks” just because no Social Security or credit card information was lost, Graham said. “We really truly don’t understand what the adversary was after,” Graham added, noting that the hackers’ goal might not even be bank-related.

“We don’t know the full intent of the hackers. We don’t know if this was [just] stage one of five,” he said, explaining that they could have been hoping to gain access to customers’ social media or emails.

The attack calls for not only the Senate Intelligence Committee’s legislation, said Tom Kellermann, chief cybersecurity officer at security software company Trend Micro, but also mandatory breach reporting, updated forfeiture laws for hackers, and better funding for the Secret Service, which investigates financial crimes.

“The average American doesn’t appreciate the problem because it’s invisible,” Kellermann said. “We’ve been living in this utopian mindset that the Internet is a pacific place outside of child pornographers,” he added, claiming that it is instead governed “not by the rule of law but by guilds of thieves.”

Kellermann suggested that JPMorgan’s hackers could have been aiming to get ahead of the bank’s trades, or they could have been Eastern European-based hackers acting on the implicit orders of the Russian government.

But Mark Jaycox, a legislative analyst with the Electronic Frontier Foundation, a privacy advocacy group, said, “We hear this need that we need cybersecurity bills, that we need computer security bills, that the sky is falling, that there’s going to be another cyber-Pearl Harbor or cyber-9/11 … but what we’re already seeing is that companies can share this information” even without legislation clearing them from possible legal repercussions of disclosing customers’ data.

Jaycox noted that banks, as well as other industries, already have systems to share information with the Department of Homeland Security. He suggested that businesses needed to learn to share data earlier with the public, noting that the information regarding JPMorgan’s breach came to light during a regulatory filing.

The government already does well responding to requests for technical services when cybersecurity is attacked, said Doug Johnson, vice president of risk management policy at the American Bankers Association. He also noted the banks’ ability to share information with the Department of Homeland Security through its National Cybersecurity and Communications Integration Center.

“We recognize that nation-states are one of the threat actors that now attack our financial institutions, I think that’s a reality,” Johnson said.

The latest breach of banks, in addition to recent hackings at Target, Home Depot and other major businesses, calls “for a continuing discussion between the public and private sector about what our respective roles are. I don’t think that conversation ever ends,” said Johnson, adding that the discussion about how to prevent threats “will always evolve just like cybersecurity and the cyberthreats are evolving as well.”
