Should the U.S. Government Fight Back When Businesses Are Cyberattacked?
Some business leaders think so, but experts warn it’s a bad idea
By Robert K. Knake and Richard A. Clarke
The attacks started out small. The first wave, at the end of 2011, was just probing and planning, stress-testing the capabilities of the world’s largest financial institutions. Over the next nine months, the attacks would occur only sporadically, a day here and there, but in September 2012 the frequency and severity of the distributed denial-of-service (DDoS) attacks went up. The websites of U.S. banks such as JPMorgan and Bank of America were flooded with traffic on an unprecedented scale, and, oddly, at predictable intervals, Tuesday through Thursday from 10:00 a.m. to 2:00 p.m., Eastern Standard Time, as if someone was trying to send a message.
Media outlets, with the help of unnamed officials in the Obama administration, quickly pointed to Iran as the culprit, believing the attacks were a response to the Stuxnet malware that had disrupted Iran’s nuclear enrichment program several years earlier. Phones began to ring throughout the White House West Wing. At every level from CEO down to chief information security officers, the banks wanted the government to do something to stop the attacks.