Last week, Bloomberg BusinessWeek released an exposé on a 2010 security intrusion at The Nasdaq Stock Market, now thought to have been perpetrated by Russian state-sponsored hackers looking to gain trade secrets that would help transform the Russian stock exchanges into a global financial hub. At the time, Nasdaq reported that the attack was limited to its Directors Desk portal, a web application used by corporate directors to share confidential company information, and that they had “no information that anything was taken.” According to BusinessWeek, this statement would be true only because Nasdaq lacked the logs and monitoring systems to even know what had been taken. “Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent… There were indications that a large cache of data was stolen, though proof was scarce, and it was hard to see what was spirited out.”
This article highlights several truths about the state of cyber security: (1) a significant majority of network security intrusions are not detected by the target, but by a third party (in this case, the FBI); (2) hackers can remain undetected inside a company’s networks for months, siphoning off information and/or planning a subsequent attack or theft; and (3) even companies and industries that we would expect to have a sophisticated approach to cyber security can be victims. “The team was surprised at how vulnerable a sophisticated operation such as Nasdaq could be. ‘Our assumption was that, generally speaking, the financial sector had its act together much more,’ says Christopher Finan, a former cybersecurity expert in the Obama White House.”
As I blogged about recently, the U.S. government has identified cyber terrorism as a major risk to U.S. interests, and in particular to critical infrastructure such as our banking and financial systems. This story highlights the challenges in coordinating among the multiple government agencies with expertise in cyber security, and the reluctance of private sector companies to cooperate and share information on their own cyber vulnerabilities.