Banks seeking help from the U.S. government in battling a campaign of cyberattacks that defense officials say is being led by the Iranian government are unlikely to get much relief without a diplomatic solution, security experts say.
Several affected banks, including PNC Financial Services Group, SunTrust Banks and BB&T, want the government to stop or at least lessen the severity of the denial-of-service attacks that started about a year ago, The Wall Street Journal reported on Wednesday. The Iranian government has denied any involvement.
Because financial institutions typically have sophisticated defenses around online banking sites, the fact they are seeking help is an indication of the sophistication and intensity of the threat. Banks have already spent millions of dollars in battling the attackers.
While no customer or account data has been stolen, the cyberattacks have taken their toll on the bank's profits, as well as customer confidence, the report said. U.S. officials say they are looking at options, which could include retaliation.
Outside of reaching a diplomatic solution, options available to the government would unlikely stop the attacks quickly, experts say. Blocking the attacks or taking down the botnet behind them would be difficult because of the complexity of the infrastructure.
"Because botnets are infected hosts living all around the globe, there is no easy way to just block them," said David Hobbs, director of security solutions at Radware. "Computers and servers are compromised daily and often belong to legitimate companies worldwide."
Another option suggested by the banks included having the government work with Internet service providers to block malicious traffic coming from computers in Iran. However, Scott Hammack, chief executive of Prolexic Technologies, said that would be difficult, given that traffic in the bank attacks are coming from compromised systems in Europe, the U.S. and Asia. Some of the banks affected by the campaign are customers of Prolexic, which specializes in denial-of-service attacks.
"[Law enforcement] have been trying to do that to a certain extent ... but those infrastructures are so complicated it's difficult to pin down what's doing what," Hammack said.
Something the government could do that the banks can't is to launch a retaliatory strike. But such a move would make the situation much worse, Hammack said.
"You could try to attack Iran with some sort of offensive [cyber] weapons and take down some of their infrastructure, but then you're going to create something that's going to escalate and inflame quite a few other Arab neighbors," he said.
In general, the banks are likely to be "on their own for awhile," Hammack said. "I don't think the government is going to get involved in building something out to create a defensive measure that the banks can lean on."
Sign up for Computerworld eNewsletters.