Last Thursday, Reuters ran a story that the US defense firm Lockheed Martin was experiencing a major disruption to its computer systems because of a cyber attack.
The Reuters story said that the attack began the weekend before and indicated that it involved the company's SecurID tokens which allow Lockheed's 126,000 employees "... to access Lockheed's internal network from outside its firewall."
As a result of the attack, Lockheed reset all of its employees' passwords.
You may recall that this past March, RSA (the security division of the EMC Corporation), maker of the widely used SecurID two-factor authentication product, was itself the target of a sophisticated cyber attack. RSA acknowledged that information relating to SecurID had been extracted, leaving the product partially compromised. SecurID is used by 40 million people and 30,000 organizations worldwide.
In the wake of the attack on RSA, Lockheed took steps to increase its IT security defenses and lower its reliance on SecurID, as did many other defense and commercial companies. Steve Winterfeld, cyber technical lead at defense contractor TASC, which is deeply involved in IT security, was quoted in the Reuters article as saying:
"You have no idea how many people are freaked out right now [about the SecurID breach] ... TASC is no longer treating the RSA device as if it were as secure as it was beforehand."
The Reuters article started a media feeding frenzy of speculation about what was going on at Lockheed and whether US defense secrets were at risk. The $45.8 billion company makes the F-22 and F-35 stealth fighters, among many, many other classified defense systems.
Helping chum the story was that Reuters used an unnamed defense official as a major source of its information, as well as two other sources who also declined to be identified. Lockheed wasn't immediately forthcoming about what was going on, nor was RSA. And a US defense official deciding to go public with the information seemed to indicate that the US Department of Defense wasn't happy about what was going on at Lockheed.
The Reuters story - and further speculation that US defense secrets may have been taken not only at Lockheed Martin, but other defense contractors like Boeing, Northrop Grumman and Raytheon among others - spread like wildfire, which then caused Lockheed to issue a press release late Friday that stated:
"On Saturday, May 21, Lockheed Martin detected a significant and tenacious attack on its information systems network. The company’s information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised."
"Throughout the ongoing investigation, Lockheed Martin has continued to keep the appropriate U.S. government agencies informed of our actions. The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security."
So, was the cyber attack routine (Lockheed, like most government and commercial defense organizations around the world, gets attacked on a daily basis) or was it something more? The jury is still out, but there does seem to be a sense that the SecurID breach may be more significant than first thought. RSA is still not talking about the Lockheed issue, at least not yet.
The Financial Times of London today had a nice explanation of why the IT security community is uneasy about what happened at Lockheed:
"The National Security Agency ...[declared that] ... not long after the RSA attack that the tokens should no longer be deemed sufficient to grant access to 'critical infrastructure'. Defence contractors including Lockheed began requiring employees to put in extra personal passwords."
"Although Lockheed said its programs and customer data had not been compromised in the attack, the breach suggests that the extra passwords were not sufficient to repel hackers, an ominous sign for remote-access systems in defence and other industries."
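To make the FT's point concrete: a token code is a function of a per-token secret seed and the clock, so whoever holds a copy of the seed records can compute exactly the code the legitimate token is displaying, and the authentication server has no way to tell the two apart. The example below is added here to illustrate that and is not code from RSA, Lockheed or the original post. RSA's SecurID generator is proprietary, so the open RFC 4226/6238 HOTP/TOTP construction is used as a stand-in (the assumption is only that the structure, code = f(seed, time), is the same); the seed value is the RFC 4226 test-vector key, constructed for the example and not a real token seed, and the 60-second step and six digits are assumed parameters.

```python
"""
Why a stolen token seed collapses two-factor to one factor.

Stand-in for a SecurID-style token using RFC 4226 HOTP / RFC 6238 TOTP
(assumption: SecurID's proprietary generator has the same structure,
code = f(secret seed, time)). TOKEN_SEED is the RFC 4226 test key,
constructed for this example, not a real token seed.
"""
import hashlib
import hmac
import struct
import time

# Per-token seed as it would sit in the vendor's seed records,
# the kind of data reported taken in the RSA breach (constructed value).
TOKEN_SEED = b"12345678901234567890"
STEP_SECONDS = 60   # assumed code lifetime; hardware tokens use 30-60 s
DIGITS = 6          # assumed code length


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step)


def server_accepts(seed: bytes, submitted: str, unix_time: int,
                   skew_steps: int = 1) -> bool:
    """Server-side check, tolerating +/- skew_steps of clock drift."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(seed, counter), submitted):
            return True
    return False


def attacker_with_stolen_seed(seed: bytes, unix_time: int) -> str:
    """The attacker holds the same seed, so the computation is identical."""
    return totp(seed, unix_time)


def demo(unix_time: int) -> dict:
    """Compare the real token, a cloned seed, and a wrong seed at one instant."""
    legit = totp(TOKEN_SEED, unix_time)
    cloned = attacker_with_stolen_seed(TOKEN_SEED, unix_time)
    wrong = totp(b"some-other-token-seed", unix_time)
    return {
        "codes_identical": legit == cloned,
        "legit_accepted": server_accepts(TOKEN_SEED, legit, unix_time),
        "clone_accepted": server_accepts(TOKEN_SEED, cloned, unix_time),
        # The seed, not the plastic device, is the factor: a different
        # seed is rejected (barring a 1-in-10^6-per-window collision).
        "wrong_seed_accepted": server_accepts(TOKEN_SEED, wrong, unix_time),
    }


if __name__ == "__main__":
    print(demo(int(time.time())))
```

Once the seed is known, the only secret the attacker still lacks is the user's PIN or the "extra personal password" the FT describes, which is static and can be phished, keylogged or guessed in a way a rolling code cannot. That is the sense in which layering another password on a token whose seeds may be compromised does not restore a second factor.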
The Lockheed cyber attack also suggests that the SecurID breach was not the work of some lone hacker but more likely of a well-resourced, state-sponsored group. Lockheed has some of the most sophisticated IT security defenses around, and it is unlikely that a single hacker could have caused as much disruption to Lockheed's network as has been reported. Disruption alone is a weak basis for attribution, though; only the forensic evidence from the investigation can settle who was behind it.
In March, EMC played down the financial impact of the cyber attack on RSA. That may now be changing.
Raising the story's profile a bit more, there is also a story in today's Wall Street Journal reporting that the US government has decided that certain types of cyber attacks originating from another country can constitute an act of war, and therefore trigger a "traditional" military response from the US.
As one military official in the WSJ article stated it:
"If you shut down our power grid, maybe we will put a missile down one of your smokestacks."
Of course, attributing such an attack to a specific country's sponsorship is not especially easy, as this other Reuters story from yesterday points out. And if Lockheed's IT systems had been significantly compromised, say by another country, would that warrant US military retaliation?
A story in The Australian says that Australian mining companies are experiencing an onslaught of cyber attacks by persons unknown who are seemingly interested in gaining insights into their corporate decision making and strategic plans. Do cyber attacks that target a country's economic interests constitute an act of war?
What if a major US bank's IT systems were taken out, say in similar fashion to what happened to South Korea's Nonghyup bank, allegedly at the hands of North Korea?
And how long does a power grid have to be turned off by a cyber attack to start a war? An hour, a day or a week or more?
The WSJ says that the decision to treat certain types of cyber attacks as potential acts of war is part of a DoD cyber strategy policy document which is expected to be made public in the coming weeks. I will be interested to see whether it has answers to these types of questions or not.
Contributing Editor Robert N. Charette is an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Along with being editor for IEEE Spectrum’s Risk Factor blog, Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.