We look back at what is considered to be the first online bank robbery, a defining moment in cybersecurity history three decades ago, just as the CISSP certification came into being. How did this incident change the cybersecurity landscape and the need for greater education and awareness?

In 1963, then British Prime Minister Harold Wilson gave one of the most famous political speeches in history, talking about the ‘white heat of technology’ and how a technology and science revolution was key to pulling Western economies out of the doldrums. His timing was off, but the point was proven.

Some 30 years on from that speech, computers were indeed dominating the business world. The second wave of digitalization was in full force, building on the so-called technology ‘big bang’ of the 1980s, led by client/server computing and early forms of connectivity to produce a modern, interconnected, computerized new way of working. Nowhere was this more apparent than in banking, a sector that until that point was still decidedly offline, paper-based and slow in its operations, despite also investing in mainframes and ATMs in the 1970s and 80s.

Banks across the world now embraced computers in both the front and back offices as a way of speeding up operations, cutting costs and tapping into competitive advantages. The U.S. was among the leading banking markets that embraced computing, but in doing so it left itself exposed to the earliest forms of computer hacking, with many banks embracing the technology faster than training, education and security measures could match.

The Digital Heist That Changed Things

Citibank was one of the largest banking providers in the U.S., and arguably the world, in the mid-90s. Its size and prestige made it a target, while its extensive use of connected IT created a risk factor, one that an opportunistic criminal took full advantage of in 1994.

From a computer terminal in his apartment in St. Petersburg, Russia, Russian software engineer Vladimir Levin broke into a Citibank computer system in New York and, with support from several accomplices, stole $10.7 million by transferring the funds to accounts around the world. The incident came to underscore the vulnerability of banks and financial institutions at the time, as they increasingly relied on electronic transactions but lacked knowledge and countermeasures to protect these new systems.

It was precisely incidents like this that had brought both ISC2 and the CISSP certification into existence. The timing of the Citibank incident, along with the fact that the story was made public due to attempts to extradite the accused, could not have been more appropriate. It underlined the need for highly educated and skilled cybersecurity leaders who could grasp and solve these challenges for banks and other major institutions, as well as government itself and its agencies.

Not the Only Banking Target

The Citibank incident was not the only one of the moment. At the time, Eugene Schultz, a computer security expert at SRI International, estimated that three dozen cases of computer intruders stealing sums of more than $1 million had occurred each year in the early 90s in the U.K., mainland Europe and the U.S. The difference was that these incidents never made the news and were kept as quiet as possible by risk-averse and publicity-shy banking leaderships, who had contingency funds set aside to cover incidents of fraud and bad debts.

Banks were working hard to convince customers to transfer money, pay bills and perform other transactions electronically. They simply didn’t want to frighten the public away from low-cost electronic activities because of a perceived fraud risk. Computing was allowing banks across the world to cut the cost of running branches and machine rooms, savings they were in no hurry to reverse.

What Happened to Levin?

In March 1995, Levin was arrested in London as he disembarked a flight from Moscow. Following two years of ultimately fruitless attempts to fight extradition, he was handed over to U.S. law enforcement in September 1997. As part of a plea bargain, he admitted to only one count of conspiracy to defraud, and to stealing $3.7 million, far lower than the total amount Citibank initially lost. In February 1998 he was convicted and sentenced to three years in prison, as well as being ordered to pay back $240,015.

Citibank claimed that all but $400,000 of the stolen $10.7 million had been recovered.

By virtue of becoming public knowledge, this incident reshaped attitudes towards information and network security. Investment in cybersecurity measures and dedicated cybersecurity teams grew from this point, and not just in banking, as the Citibank story served as a stark case study for what could happen to other organizations.

CISSP – Understanding the Future of Cybersecurity

It was a decade before the Citibank incident when early cybersecurity pioneers planted the seeds for what would become the CISSP certification. The ‘big bang’ of the early 80s, which had seen rampant investment in technology by major stock markets, banks, schools, government agencies and the military, along with the home computer revolution, ultimately defined a need for a standardized, vendor-neutral certification program that provided structure and demonstrated competence amongst those who would become our first cybersecurity professionals.

In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several like-minded organizations to pursue the certification goal. ISC2 was formed in mid-1989 as a non-profit organization and by 1990, the first working committee to establish a Common Body of Knowledge (CBK) had also been formed. The first version of the CBK was finalized by 1992, and the CISSP credential that CBK supported was launched in 1994, just in time to support the changing perception and heightened importance of cybersecurity following the publicization of the Citibank incident.

How critical are cybersecurity certifications for banking organizations and their professionals? The most recent FBI Internet Crime Report illustrates how the risk to banking has grown in subsequent years alongside other cybersecurity threats. The FBI report details more than 800,000 cybercrime-related complaints filed in 2022. Meanwhile, total losses were over $10 billion, up from $6.9 billion a year earlier. Reported cybercrime today, just in the U.S., overshadows the $10.7 million taken in 1994. With greater focus on cybersecurity processes, countermeasures, education and culture led by CISSP-certified professionals, organizations are better equipped to deal with modern attacks such as phishing, ransomware, social engineering and deepfakes, as well as more traditional intrusion techniques like those used 30 years ago.