The list below is an update to our reference of “Cyber Security Wake-Up Calls.” What does it take to be on the list? Generally, each of the events below was so significant that policy makers were loudly proclaiming to all who would listen that it was a wake-up call. This means there are reflections in public policy documents, speeches and the press that cite leaders using the phrase.
The list below does not include all cyber incidents, and it does not capture the full lessons or nuances of each event. But it should make a clear point: there is something about human nature that causes people to forget the cyber threat. We call this situation Cyber Threat Amnesia.
I believe there are cures for Cyber Threat Amnesia, and I think those cures might come with education, training and awareness (helping address Cyber Threat Amnesia is a key reason we wrote The Cyber Threat). Unfortunately, recent events like the deep penetration of U.S. government systems and theft of records on almost every government employee make it clear that more needs to be done in raising awareness in the minds of senior executives.
For now, resolve yourself to this observable fact: Our history indicates cyber security events frequently cause action and remediation and get widespread attention. But soon after the attempt to remediate, organizations collectively forget about the threat.
Here is an updated list of major events. This is not all major events, just those widely reported to be “wake-up calls” for the nation.
Cyber Threat Wake Up Calls
- 1970 and 1971 – The Defense Science Board publishes what will be known as the “Ware Report” highlighting the potential dangers to department information in the coming age of connected computing. This report was widely seen as a “wake-up call” for computer security and caused changes at institutions like the National Security Agency to enhance the department's security posture.
- Nov 1988 – The Morris Worm was released and propagated throughout internetworked systems including those of the federal government. This “wake-up call” resulted in establishment of computer response organizations throughout DoD and also resulted in increased funding for computer security research being provided to academic organizations and institutions. The CERT/CC at Carnegie Mellon University was funded.
- 1995 – The President’s Commission on Critical Infrastructure Protection (PCCIP) was widely regarded as a “wake-up call” for the entire federal government and, since it was extensively coordinated with industry and academia, was also seen as a way forward in cybersecurity for the entire nation.
- 1997 – Deputy Secretary of Defense John Hamre was quoted as saying “Solar Sunrise was a wake-up call for DoD.” This activity resulted in increased funding to cyber defense organizations and the creation of a new joint activity called DoD’s “Joint Task Force Computer Network Defense” or JTF-CND (Bob Gourley was the first Director of Intelligence (J2) there).
- 1998 – Assistant Secretary of Defense Art Money was quoted as saying “Moonlight Maze was a wake-up call for DoD.” This activity resulted in enhanced counterintelligence resources and more information sharing across the DoD law enforcement and counterintelligence.
- 2009 – Director of National Intelligence Admiral Blair testified that “Buckshot Yankee was a wake-up call” for the government. This activity resulted in more awareness and more funding for cyber security throughout the federal government.
- 2010 – Deputy Secretary of Defense Lynn writes that “Google’s Aurora attacks were a wake-up call for us all.” This wake-up call resulted in stronger, deeper coordination across the federal space and underscored the need for a DoD strategy.
- 2011 – Deputy Assistant Secretary of Defense Bob Butler says “Wikileaks was a wake-up call for DoD.” This wake-up call resulted in significant activities and planning across the federal space aimed at enhancing security of information from disclosure.
- 2012 Sep, In one of the most destructive attacks noted against the computers of any company to date, Saudi state-owned oil company ARAMCO had data destroyed on over 3/4 of its company computers. The NY Times reports this as a “wake-up call” and attributes that assessment to intelligence officials (including General Alexander).
- 2012 Oct, South Carolina Gov Nikki Haley announced a massive hack into state websites. The Gov offered the excuse that these attacks are increasingly common. Reporters suggested this be her “wake-up call”.
- 2012 Oct, Secretary of Defense Panetta issues what he said is a “clarion call” for Americans to “wake up” to the growing cyber threat.
- 2012 Nov, Former Director of National Intelligence McConnell provides “wake-up call” warning of a potential 9/11 type attack via cyber.
- 2012 Sep, Department of Energy issues a report on internal cybersecurity practices. This report by their internal inspector general was reportedly seen as a “wake-up call” for the agency’s cyber security group.
- 2013 Jan, New York Times acknowledges hacks into its papers by Chinese sources. This was widely reported as a “wake-up call” for security experts in media.
- 2013 Jan, Twitter was hit by a major hack in what security experts called a “wake-up call” for the ecommerce and social media community.
- 2013 Jan, Attacks on US banks called a “wake-up call” for the industry by cyber security professionals.
- 2013 Feb, Anonymous attacks against Federal Reserve investigated by FBI. The incident, called a “wake-up call,” compromised data from the Fed’s Emergency Communications System.
- 2013 Feb, Chairman of the House Intelligence Committee expressed confidence that the hackers recently targeting newspapers and other companies would soon “wake-up” Washington on cybersecurity.
- 2013 Feb, Mandiant releases a report exposing one of China’s Cyber Espionage Groups. This report, widely considered one of the best articulations of the threat, resulted in significant positive awareness on the seriousness of the threat and was widely called a wake-up call. We believe this is one of the best pieces of cybersecurity research ever produced by an independent company, and we know it is making positive, virtuous change. We hope this goes a long way to really being the wake-up call we all need.
- 2013 July, Snowden insider attacks declared a “wake-up call” in Bloomberg report.
- 2013 Nov, Australian newspaper cites Melissa Hathaway stating “We haven’t had our big wake-up call yet and I’m hoping that we’ll address the problems before we have a wake-up call.”
- 2014 May, When Target CEO Steinhafel was forced out of his position for the late 2013 attacks, this was called a wake-up call for CEOs.
- 2014 Oct, Attacks against JP Morgan and loss of 76 million records called a wake-up call for the industry.
- 2014 Dec, Sony hacks called a “wake-up call” for industry by Fortune and US leaders.
- 2015 Feb, Anthem attack and loss of 80 million records called a “wake-up call to step up cybersecurity”
- 2015 Feb, National Association of Attorneys General declares attacks against state governments a “wake-up call”
- 2015 May, IRS breach and loss of taxpayer personal info called “the latest cyber wake-up call”
- 2015 May, The VC investment and tech communities should especially take note of the “huge wake-up call” issued by Mary Meeker in her annual Internet Trends report.
- 2015 June, OPM loss of 4 million records of government employees results in the latest wake-up call. In a statement that stretched the truth further than saying this was a “wake-up call,” OPM director Archuleta said that “Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM.”
Of course the reason to publish this list is not to make fun of people for using the term “wake up call.” The reason to publish the list is to get your brain deeper into the game. Maybe there is something you can do to prevent Cyber Threat Amnesia. Maybe you can suggest action to current community or government or business leaders? Or maybe you can find ways to educate policy makers or Congress or the American public? Or maybe you have other ideas for stopping this madness of forgetting about the threat.
We certainly want to do our part. We will keep writing about cyber issues here. And we will continue to publish items for awareness in our daily Threat Brief. And for executives ready for insights into the real nature of cyber security and how threat actors can be expected to behave we have published The Cyber Threat.
Let us know if there is more you think we can do to strategically raise awareness of this threat. We are open to all ideas.
For more see:
- Awake Yet? The list of cyber security “wake up calls” grows as predicted
- The Cybersecurity Wake Up Call and the Snooze Button
- The Cyber Threat Provides New Insights Into Bad Actors: Book updated with latest on threat actors and the tech ecosystem
- Iran’s Hacker Hierarchy Exposed: The Islamic Republic of Iran Makes Maximum Use of Contractors and Universities to Conduct Cyber Operations
- The Maginot Line of Information Systems Security