The Israeli media has been awash in reports of an alleged Saudi hacker that goes by the online name of OxOmar and has posted the credit card information, national ID numbers and addresses of thousands of Israelis. According to recent reports, that person may turn out to be nineteen-year-old Omar Habib, who resides in Mexico. Some others, though less convincingly, have alleged that the origin of the attack lies in Iran. Ultimately, the origin and motivations of the cyber attack are less interesting than the nature of the vulnerability that it exposes.
Governments in developed countries have been thinking about cyber issues for a long time and have plenty of examples to choose from in terms of cyber attacks against governmental entities. Cyber attacks, purportedly originating in Russia, have previously hobbled government operations in Estonia and Georgia, and the list goes on and on. In the United States, cyber attacks are a part of daily life for the Department of Defense, Department of Homeland Security and other federal government entities. American cybersecurity policymakers have not yet been able to figure out how to safeguard all of the federal government (or who essentially has responsibility for what), let alone help protect state and local governmental entities. As far as the private sector is concerned, there appears to little, beyond the provision of generic advice, that the federal government currently offers to companies to help them protect themselves from cyber attacks.
Large companies, of course, have the wherewithal to employ world-class cybersecurity experts and, presumably, not only do they not need the government’s help, but they can probably teach the government a thing or two about cybersecurity. Unfortunately, this is not the case with respect to medium and small businesses – and these form the backbone of much of American commerce. Those companies will likely need government support if they are to cope with cyber threats.
The cyber attack on Israeli credit card companies should serve as yet another wake-up call for the United States. Our decision makers in Washington may decide that such things are going to occur and that threats to medium and small businesses, utilities, etc. are part of life and will not necessarily lead to catastrophic results for the economy. That may be a reasonable decision, but we need to have an analysis of which private sector entities we need to protect and which we don’t and what the federal government is prepared to do and what it isn’t (and this needs to be a federal government-wide assessment and not just one conducted by individual Departments with respect to areas under their purview). Then we need to develop a coherent strategy with respect to the private sector and provide the resources to execute that policy.