Major U.S. banks have turned to the National Security Agency for help protecting their computer systems after a barrage of assaults that have disrupted their websites, according to industry officials.
The attacks on the sites, which started about a year ago but intensified this past September, have grown increasingly sophisticated, officials said. The NSA has been asked to provide technical assistance to help banks further assess their systems and to better understand the attackers’ tactics.
The cooperation between the NSA and banks, industry officials say, underscores the government’s fears about the unprecedented assault against the financial sector, and is part of a broader effort by the government to work with U.S. firms on cybersecurity. Nonetheless, the assistance is likely to dismay privacy advocates, who say that the world’s largest electronic spying agency has no business peering inside private companies’ systems, even if for the strict purpose of improving computer security.
U.S. intelligence officials said last year they believe the attacks against the banks and other companies have been carried out by Iran, although some experts have cautioned that it is difficult to accurately determine who is behind them.
“If you look at their actions, they’re taking this very seriously. The government is stepping up to the plate,” said one bank official, who like most interviewed for this article declined to be named because he was not authorized to speak for the record.
NSA declined to comment for this article beyond a statement saying that the agency provides assistance “in full compliance with all applicable laws and regulations.”
The cyber assaults against the banks are known as distributed denial-of-service, or DDoS, attacks, in which Web servers are overwhelmed with traffic, thus slowing their responsiveness or crashing them altogether. The disruptions – which typically last up to an hour or two at most – do not involve the theft of data, but have interrupted online banking services and diverted security teams at a large number of financial institutions.
The banks whose websites have been disrupted include Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC and Sun Trust. In recent weeks, attackers have targeted up to seven banks a day, but only on Tuesdays, Wednesdays and Thursdays.
For security experts at banks – already considered to be among the best at cybersecurity in the private sector – the attacks have been far more challenging than most DDoS incidents because the assailants have commandeered vastly more traffic to carry out the attacks.
The government’s willingness to engage “is emblematic of how these cyber-related risks are evolving,” the bank official said. “Agencies like the NSA have tremendous expertise for very sophisticated types of information-security programs.”
Although the NSA is known mostly for its collection of intelligence, its mission includes “information assurance” to secure both the military’s computer networks and other “national security systems.” The NSA has for more than 20 years helped companies that provide software to the Defense Department improve their security.
In general, it can provide assistance to private sector companies when their systems are seen as being critical to national security, said Richard George, a former computer security official at NSA. The request must come from a government agency, such as Treasury or the Department of Homeland Security, that has authority to work with the company.
“We can certainly help them analyze the situation,” said George, who is now at Johns Hopkins University’s Applied Physics Laboratory. “One thing we can do is ‘red team’ their solution. If their tech guys say, ‘This is what we plan to do,’ we can look at that and say, ‘Is it effective?’”
Google obtained NSA help in 2010 after the tech giant found its computer networks compromised by hackers believed to be based in China. The request, made through DHS, was justified on the grounds that Google’s search engine is widely used on Defense Department computers, a former defense official said.