CIA website disruption may have been work of a prankster

As agency continues probe, specialists theorize on denial of service similar to recent attack by defenders of WikiLeaks.

Federal officials as of Monday afternoon were still investigating the cause of a Thursday cyber incident that knocked offline the public website of the CIA and its unclassified e-mail system.

Some cyber experts say the disruption may have been caused by a denial of service attack perpetrated by pranksters to show off their skills, rather than a terrorist act committed by a foreign government.

Contrary to previous news reports, the interference was isolated to CIA networks. The U.S. Computer Emergency Response Team, known as US-CERT, received no reports from agencies other than the CIA experiencing technical problems with their unclassified websites or e-mail systems, Homeland Security Department officials said Monday night.

The CIA site, which the spy agency recently retooled to attract more visitors, was back online by 11 a.m. on Friday, and employee e-mail is also now working, CIA officials said Monday. "We continue to analyze the causes of the outage," CIA spokeswoman Marie Harf said.

DoS attacks, in which culprits jam site servers with useless traffic to cripple them, entered the spotlight when activists for the anti-secrets WikiLeaks operation allegedly used the tactic against opponents. In particular, hacktivists targeted sites maintained by financial and web hosting companies that had stopped servicing WikiLeaks.

Many federal agencies have built up strong defenses against such attacks, but there are some exceptions. In 2009, for example, DoS strikes aimed at a slew of agencies shuttered the Federal Trade Commission site. The White House and Defense Department sites were unaffected.

Last week's episode probably represents aggravation for information security managers rather than a national security threat, some specialists say.

A computer security consultant, who requested anonymity due to the national security implications of the matter, said a nation state would not disrupt a government site because that would reveal its capabilities -- in essence showing its cards. This specialist suspects it was an individual or small group that executed the assault to put another notch in its belt.

CIA personnel could have allowed the attack to continue until Friday, under containment, to gain information about the people involved, the consultant added.

"It's concerning to the people who have to deal with it, but it's not out of the ordinary," said George Smith, a senior fellow at the Washington area think tank GlobalSecurity.org. Had the systems been down for days, the situation would be more worrisome, he added.

Some cyber scholars say it is important to understand that the strike, regardless of whether it was a DoS attack, does not appear to have affected the agency's work.

Most CIA employees do not use the unclassified e-mail system, said James A. Lewis, a former Foreign Service senior official whose assignments involved information security. "It sounds to me like it could have been an attack, but it didn't hit them where they live," said Lewis, now a senior fellow at the Center for Strategic and International Studies.

He compared the CIA situation to the incident in which supporters of WikiLeaks' Australian co-founder Julian Assange allegedly froze MasterCard's site temporarily when the firm cut off payments to WikiLeaks.

"When the mighty WikiLeaks went against the credit card companies for being mean to that Australian, the public websites were affected, but the actual operations of the company weren't," Lewis said.

Clarification: This story was modified to clarify that the people who attacked the MasterCard website are unknown, but are alleged to be supporters of WikiLeaks.