Considered to be the first online bank robbery, we look back at this defining moment in cybersecurity history three decades ago, just as the CISSP certification came into being. How did this incident change the cybersecurity landscape and the need for greater education and awareness?
In 1963, then British Prime Minister Harold Wilson gave one of the most famous political speeches in history, talking about the ‘white heat of technology’ and how a technology and science revolution was key to pulling Western economies out of the doldrums. His timing was off, but the point was proven.
Some 30 years on from that speech, computers were indeed dominating the business world. The second wave of digitalization was in full force, building on the so-called technology ‘big bang’ of the 1980s, led by client/server computing and early forms of connectivity to produce a modern, interconnected, computerized new way of working. Nowhere was this more apparent than in banking, a sector that until that point was still decidedly offline, paper-based and slow in its operations, despite also investing in mainframes and ATMs in the 1970s and 80s.
Banks across the world now embraced computers in both the front and back offices as a way of speeding up operations, cutting costs and tapping into competitive advantages. The U.S. was among the leading banking markets that embraced computing, but with it left itself exposed to the earliest forms of computer hacking, with many banks embracing the technology faster than training, education and security measures could match.

The Digital Heist That Changed Things

Citibank was one of the largest banking providers in the U.S., and arguably the world, in the mid-90s. Its size and prestige made it a target, while its extensive use of connected IT created a risk factor, one that an opportunistic criminal took full advantage of in 1994.
From a computer terminal in his apartment in St. Petersburg, Russia, Russian software engineer Vladimir Levin broke into a Citibank computer system in New York and, with support from several accomplices, stole $10.7 million by transferring the funds to accounts around the world. The incident came to underscore the vulnerability of banks and financial institutions at the time, as they increasingly relied on electronic transactions but lacked knowledge and countermeasures to protect these new systems.
It was precisely incidents like this that had brought both ISC2 and the CISSP certification into existence. The timing of the Citibank incident, along with the fact the story was made public due to attempts to extradite the accused, could not have been more appropriate. It underlined the need for highly educated and skilled cybersecurity leaders that could grasp and solve these challenges for banks and other major institutions, as well as government itself and its agencies.

Not the Only Banking Target

The Citibank incident was not the only one of the moment. Back at the time, Eugene Schultz, a computer security expert at SRI International, estimated that three dozen cases of computer intruders stealing sums of more than $1 million had occurred each year in the early 90s in the U.K., mainland Europe and the U.S. The difference was that these incidents never made the news and were kept as quiet as possible by risk-averse and publicity-shy banking leaderships, who had contingency funds set aside to cover incidents of fraud and bad debts.
Banks were working hard to convince customers to transfer money, pay bills and perform other transactions electronically. They simply didn’t want to frighten the public away from low-cost electronic activities because of a perceived fraud risk. Computing was allowing banks across the world to cut the cost of running branches and machine rooms, savings they were in no hurry to reverse.

What Happened to Levin?

In March 1995, Levin was arrested in London as he disembarked a flight from Moscow. Following two years of ultimately fruitless attempts to fight extradition, he was handed over to U.S. law enforcement in September 1997. As part of a plea bargain, he admitted to only one count of conspiracy to defraud, and to stealing $3.7 million, far lower than the total amount Citibank initially lost. In February 1998 he was convicted and sentenced to three years in prison, as well as being ordered to pay back $240,015.
Citibank claimed that all but $400,000 of the stolen $10.7 million had been recovered.
By virtue of becoming public knowledge, this incident reshaped attitudes towards information and network security. Not just in banking, investment in cybersecurity measures and dedicated cybersecurity teams grew from this point, as the Citibank story served as a stark case study for what could happen to other organizations.

CISSP – Understanding the Future of Cybersecurity

It was a decade before the Citibank incident when early cybersecurity pioneers planted the seeds for what would become the CISSP certification. The ‘big bang’ of the early 80s that had seen rampant investment in technology by major stock markets, banks, schools, government agencies, the military and the home computer revolution ultimately defined a need for a standardized, vendor-neutral certification program that provided structure and demonstrated competence amongst those who would become our first cybersecurity professionals.
In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several like-minded organizations to pursue the certification goal. ISC2 was formed in mid-1989 as a non-profit organization and by 1990, the first working committee to establish a Common Body of Knowledge (CBK) had also been formed. The first version of the CBK was finalized by 1992, and the CISSP credential that CBK supported was launched in 1994, just in time to support the changing perception and heightened importance of cybersecurity following the publicization of the Citibank incident.
How critical are cybersecurity certifications for banking organizations and their professionals? The most recent FBI Internet Crime Report illustrates how the risk to banking has grown in subsequent years alongside other cybersecurity threats. The FBI report details more than 800,000 cybercrime-related complaints filed in 2022. Meanwhile, total losses were over $10 billion, up from $6.9 billion a year earlier. Reported cybercrime today, just in the U.S., overshadows the $10.7 million taken in 1994. With greater focus on cybersecurity processes, countermeasures, education and culture led by CISSP-certified professionals, organizations are better equipped to deal with modern attacks such as phishing, ransomware, social engineering and deepfakes, as well as more traditional intrusion techniques like those used 30 years ago.

- Find out more about the CISSP certification here
- Download the CISSP Ultimate Guide to learn more about the CISSP along with the career and qualification pathways it supports
- The CISSP exam changes on April 15, 2024, read about the changes and our Peace of Mind Protection that includes a second exam sitting, if needed