The security breach at the International Monetary Fund underlines the need for legislation on cyber security, says a privacy, data protection and data security lawyer.
It emerged at the weekend that the International Monetary Fund (IMF), which holds sensitive economic data about many countries, was targeted by a sophisticated cyber attack earlier this year.
Cyber security officials said the hack, which took place over several months, was designed to instal software to create a digital insider presence at the IMF, according to the BBC.
IMF staff were notified of the attack in an e-mail last week. The e-mail from IMF management said suspicious file transfers had been detected, and that an investigation had shown that a desktop computer had been compromised and used to access IMF systems.
David Beesley, managing director of consultancy Network Defence, says spear phishing is difficult to defend against because it primarily targets users, not PCs, and the information that attackers can gather from social networking sites makes the phishing e-mails look very convincing.
"Really, firms need to use a mix of user education and layered security solutions to defend themselves. Employees should be aware that even plausible-looking e-mails should be treated with suspicion, and IT teams should look at their AV and anti-spam solutions to try and stop malware propagating. Using Web proxies can stop executables and exploit code from reaching desktops, and intrusion detection systems can help spot unusual data traffic movements," David Beesley said.
The internal IMF memo said there was no reason to believe personal information was sought for fraud purposes. However, the IMF has declined to comment officially on the extent or aims of the attack, saying only that the organisation remains fully functional.
News of the attack on the IMF has raised fresh concerns that similar cyber attacks could be directed at critical national infrastructure (CNI) organisations with potentially life-threatening consequences.
News of the IMF attack is troubling, providing yet further evidence of systematic attacks on critical infrastructures and systems, says Stewart Room, partner at London law firm Field Fisher Waterhouse.
"How long will these attacks be tolerated before politicians react to pass general legislation for cyber security?" Stewart Room asked in a blog post.
According to Room, legislation is desperately needed. The first priority is to protect CNI, he says, but because there is no clear way to determine what is CNI, it would be more appropriate to introduce legislation that contains a general obligation for security.
This would mean that, where a person or organisation is in control of data and/or computer and communications systems, they should be responsible for assuring resilience to prevent harm to national interests, society, the economy or individuals.