We look back at what is considered to be the first online bank robbery, a defining moment in cybersecurity history three decades ago, just as the CISSP certification came into being. How did this incident change the cybersecurity landscape and the need for greater education and awareness?
In 1963, then British Prime Minister Harold Wilson gave one of the most famous political speeches in history, talking about the ‘white heat of technology’ and how a technology and science revolution was key to pulling Western economies out of the doldrums. His timing was off, but the point was proven.
Some 30 years on from that speech, computers were indeed dominating the business world. The second wave of digitalization was in full force, building on the so-called technology ‘big bang’ of the 1980s, led by client/server computing and early forms of connectivity to produce a modern, interconnected, computerized new way of working. Nowhere was this more apparent than in banking, a sector that until that point was still decidedly offline, paper-based and slow in its operations, despite also investing in mainframes and ATMs in the 1970s and 80s.
Banks across the world now embraced computers in both the front and back offices as a way of speeding up operations, cutting costs and tapping into competitive advantages. The U.S. was among the leading banking markets that embraced computing, but in doing so left itself exposed to the earliest forms of computer hacking, with many banks embracing the technology faster than training, education and security measures could match.
The Digital Heist That Changed Things
Citibank was one of the largest banking providers in the U.S., and arguably the world, in the mid 90s. Its size and prestige made it a target, while its extensive use of connected IT created a risk factor, one that an opportunistic criminal took full advantage of in 1994.
From a computer terminal in his apartment in St. Petersburg, Russia, Russian software engineer Vladimir Levin broke into a Citibank computer system in New York and, with support from several accomplices, stole $10.7 million by transferring the funds to accounts around the world. The incident came to underscore the vulnerability of banks and financial institutions at the time, as they increasingly relied on electronic transactions but lacked knowledge and countermeasures to protect these new systems.
It was precisely incidents like this that had brought both ISC2 and the CISSP certification into existence. The timing of the Citibank incident, along with the fact the story was made public due to attempts to extradite the accused, could not have been more appropriate. It underlined the need for highly educated and skilled cybersecurity leaders who could grasp and solve these challenges for banks and other major institutions, as well as government itself and its agencies.
Not the Only Banking Target
The Citibank incident was not the only one of the moment. Back at the time, Eugene Schultz, a computer security expert at SRI International, estimated that three dozen cases of computer intruders stealing sums of more than $1 million had occurred each year in the early 90s in the U.K., mainland Europe and the U.S. The difference was that these incidents never made the news and were kept as quiet as possible by risk-averse and publicity-shy banking leaderships, who had contingency funds set aside to cover incidents of fraud and bad debts.
Banks were working hard to convince customers to transfer money, pay bills and perform other transactions electronically. They simply didn’t want to frighten the public away from low-cost electronic activities because of a perceived fraud risk. Computing was allowing banks across the world to cut the cost of running branches and machine rooms, savings they were in no hurry to reverse.
What Happened to Levin?
In March 1995, Levin was arrested in London as he disembarked a flight from Moscow. Following two years of ultimately fruitless attempts to fight extradition, he was handed over to U.S. law enforcement in September 1997. As part of a plea bargain, he admitted to only one count of conspiracy to defraud, and to stealing $3.7 million, far lower than the total amount Citibank initially lost. In February 1998 he was convicted and sentenced to three years in prison, as well as being ordered to pay back $240,015.
Citibank claimed that all but $400,000 of the stolen $10.7 million had been recovered.
By virtue of becoming public knowledge, this incident reshaped attitudes towards information and network security. Investment in cybersecurity measures and dedicated cybersecurity teams grew from this point, and not just in banking, as the Citibank story served as a stark case study for what could happen to other organizations.
CISSP – Understanding the Future of Cybersecurity
It was a decade before the Citibank incident when early cybersecurity pioneers planted the seeds for what would become the CISSP certification. The ‘big bang’ of the early 80s that had seen rampant investment in technology by major stock markets, banks, schools, government agencies, the military and the home computer revolution ultimately defined a need for a standardized, vendor-neutral certification program that provided structure and demonstrated competence amongst those who would become our first cybersecurity professionals.
In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several like-minded organizations to pursue the certification goal. ISC2 was formed in mid-1989 as a non-profit organization and by 1990, the first working committee to establish a Common Body of Knowledge (CBK) had also been formed. The first version of the CBK was finalized by 1992, and the CISSP credential that CBK supported was launched in 1994, just in time to support the changing perception and heightened importance of cybersecurity following the publicization of the Citibank incident.
How critical are cybersecurity certifications for banking organizations and their professionals? The most recent FBI Internet Crime Report illustrates how the risk to banking has grown in subsequent years alongside other cybersecurity threats. The FBI report details more than 800,000 cybercrime-related complaints filed in 2022. Meanwhile, total losses were over $10 billion, up from $6.9 billion a year earlier. Reported cybercrime today, just in the U.S., overshadows the $10.7 million taken in 1994. With greater focus on cybersecurity processes, countermeasures, education and culture led by CISSP certified professionals, organizations are better equipped to deal with modern attacks such as phishing, ransomware, social engineering, deepfakes as well as more traditional intrusion techniques like those used 30 years ago.
- The CISSP exam changes on April 15, 2024; read about the changes and our Peace of Mind Protection that includes a second exam sitting, if needed