Although the hacker claims to have sensitive data on over a million Israelis, the banks involved say it is only thousands. Nonetheless the Israeli government is cyber-rattling. The Deputy Foreign Minister Danny Ayalon called the incident:
…a breach of sovereignty comparable to a terrorist operation, and must be treated as such. …Israel has active capabilities for striking at those who are trying to harm it, and no agency or hacker will be immune from retaliatory action.This incident raises a number of questions. I have long speculated about strategic identity theft. Not the strategies of identity theft, but rather using identity theft to interfere with a target’s functioning. In one way, this is very much beginning to occur. As I’ve written before, efforts to infiltrate critical networks to gather intelligence rely on the same combination of technological and social engineering that cyber-criminals use. But there are important differences. Cyber-criminals use low-cost techniques that target the easiest (and often most gullible) targets. Right now the Internet environment supports that approach. The systems by which credit cards are processed leaks. An enormous percentage of the world’s credit cards are already compromised. With easy access to thousands of credit cards, even if most false charges are rejected a tiny number of successful charges will bring a comfortable return. Spam works the same way, if one in ten thousand spam emails are successful, then the answer is to send out a billion spam – which doesn’t really cost much more than sending out a million or a thousand.
Of course cyber-criminals (if they think this through) don’t want to overwhelm Internet commerce, because that is how they make their money. They need to keep the level of crime low enough that financial institutions can absorb the loss. A few thousand lost credit cards here and there can be replaced. It is a cost of doing business.
But what happens if the attacker is not a criminal but instead an adversary that seeks to undermine the target’s ability to function? Credit card theft is among the least sophisticated and complex forms of identity theft. But occasionally, there are stories about people who discover that they are leading second financial lives, owning homes and taking on debt because their identity has been pirated. Could enough financial fraud occur to actually undermine an economy (we have recently seen how sensitive and fragile advanced economies can be)? The scale of this operation, even against a relatively small country, would have to be enormous – but that doesn’t make it impossible. What if, instead, an adversary targeted several hundred key bureaucrats so that critical agencies had difficulty functioning, as their top officials were suddenly all wrestling with personal bankruptcy? Even if these scenarios were not completely effective, they could certainly create a sense of panic.
This panic might be a sufficient end in its own right. One of the most valuable resources a state has is the attention of its leaders. The ability to generate a cyber-crisis might be an excellent way to distract an already busy leadership.
xOmar 0 may have sought to do this, but achieving it was beyond his abilities. But that is no reason to be sanguine. That fact that an individual with limited skills and resources can do this indicates how much more is possible. This incident is a possible harbinger of things to come. In one very specific way, these issues do resemble terrorism in that the targeted states often did not have effective policy options (this was a particular problem for the U.S in the 1980s.) Ayalon’s bluster aside, twenty-first century leaders facing cyber-crises may have the same problem – limited policy options – which means that the crisis becomes a greater and greater distraction. The fact that it has not happened yet is no reason to believe that it cannot.