Over the weekend, reports emerged in the U.S. press of a significant compromise of computer systems at the International Monetary Fund (IMF) by an unauthorized party. While the details leaked to reporters of the New York Times remain scant, we know that the target is a critical one. For those trolling for data at the IMF, much valuable information could no doubt be found, as the body assumes a pivotal role in managing the still-unraveling financial crises around the globe, particularly those in Europe. In the statecraft of cyberspace, this is a serious event, perhaps the most serious since the cyber attack directed at the Iranian nuclear enrichment facilities last year. Three questions are in need of answers, even if the information available is scant and vague.
What happened? Likely, an outsider gained access to the accounts of multiple users at the IMF. The Times’ reporters believe the vector for compromise to have been an incident of spear phishing, in which IMF employees received targeted emails, possibly from sources they trust, carrying malicious software designed to clandestinely purloin data. In other words, someone poked a straw inside the IMF and began drawing its information. What information was purloined and where it went are now matters for the fund and the FBI to figure out.
How did it happen? A series of emails passed to Bloomberg News paints an interesting picture of an IT organization coping with a spear-phishing crisis. On June 1, IMF employees purportedly received a message stating that, “Staff are strongly requested NOT TO OPEN emails and video links without authenticating the source.” A week later, more bad news, as IMF’s IT shop asked employees to turn in their RSA SecurID tokens, devices designed to provide an additional layer of security to information resources beyond username and password. Earlier this year, RSA disclosed that its network had been breached and, while initially downplaying the event, the company later admitted it would need to replace nearly all of the SecurID tokens, perhaps numbering as many as 40 million. This means that remote access to IMF email and other resources by its employees is effectively suspended.
Who did it? Due to the sophistication of the attack, fingers have generally pointed to nation-states or state-sponsored cyber groups. While likely, this is not the only possibility. Assuming the best hackers are those who don’t get caught, and the IMF or someone aiding the organization did figure out that exfiltration of data was occurring, the absolute top tier of state actors – the U.S., UK, perhaps Israel, France and Germany – can probably be counted out. Next down the rungs are the usual suspects who do get caught – principally Russia and China. But perhaps bigger thinking should be conducted before we connect too many dots. These are times of great intrigue at the IMF, although the compromise likely occurred before Dominique Strauss-Kahn ran afoul of the New York Police Department on charges of sexual assault. This summer may be the beginning of the end of the euro, and added certainty regarding the degree to which the economies of Greece and Portugal (or Ireland and Spain) are considered “too big to fail” by the IMF would be worth a pretty penny, no doubt. Finally, we should not discount the international workforce of the IMF. We shouldn’t rush to completely count out the complicity of an insider.
What does this mean in the larger context of the cyber discussion? Once again, news has gotten out of another information compromise. While “I was hacked” may be a contemporary reconceptualization of “the dog ate it” (and yes, Rep. Anthony Weiner did attempt that defense), there may not only be more incidents occurring, but also an increased willingness for disclosure or a greater capacity to observe them. In the big picture, this is yet another attack on institutional confidentiality, although as the information has not shown up on WikiLeaks or in the communiqués of Anonymous, the theory of a narrow interest with a clear stake to gain is reinforced.
Certainly, from what we know, the IMF appears hapless. “Exercise caution to protect yourself from cyber sharks!” was allegedly one of the messages conveyed by the IMF’s chief information officer in a memo last week. We can assume that whoever covertly installed the software designed to purloin data from the IMF was looking for a degree of additional certainty in a time marked by great financial risk. Cyberspace isn’t the only place where the sharks circle.
Christopher Bronk is the Baker Institute fellow in information technology policy. He previously served as a career diplomat with the United States Department of State on assignments both overseas and in Washington, D.C.