Financial Industry Faces Up to Cybersecurity Challenges

On the morning of July 18, 2013, the market infrastructure of the US came under sustained attack through cyberspace. Over 50 organizations, including investment banks, exchanges, regulators and the Department of Homeland Security scrambled to protect routes into the system that were open to the internet, while internal incident response plans kicked in. Such an event was unprecedented in the history of the world’s financial system—except it wasn’t real.

Held by the Securities Industry and Financial Markets Association (Sifma), Quantum Dawn II was a one-day simulation designed to test responses and system strengths against a hypothetical cyberattack. The fact that this was staged at all shows that cybersecurity is being taken seriously by the capital markets. Many say, however, that there is still a knowledge gap at all levels when it comes to cybercrime and avenues of intrusion.

“I’ll give you a quick education and break cybercrime down into four categories,” says Ernest J Hilbert, managing director at Kroll Advisory Solutions, and a former cyber special agent with the Federal Bureau of Investigation (FBI). “You have regular cybercrime, which is profit-motivated, and you have cyber espionage, which is the long-term collection of information. It’s not about stealing in one fell swoop—it’s not targeted to one particular thing, but everything. Then you have cyber warfare, which is to destroy, and finally, you have cyber activism, which is about embarrassing companies, and ultimately hurting their bottom lines. If you take those, you have four different vectors to consider.”

CHEW
The four categories that Hilbert explains fit neatly into the acronym CHEW—crime, hacktivism, espionage, and war. For financial market participants, the last three activities are the ones that cause the most concern.

“From the market infrastructure side, it’s much harder for criminals to monetize attacks directly,” says Mark Clancy, managing director and chief information security officer (CISO), technology risk management, at the Depository Trust & Clearing Corp. (DTCC). “There’s market manipulation that can happen on the brokerage side, but retail banking is really where you see the crime, because you can monetize the proceeds. In terms of market infrastructure, we tend to see risk-related activities more on the hacktivism, espionage and warfare threat vectors.”

The idea that cybercrime is committed by lone individuals no longer applies. Instead, it is the motivation behind an attack that shapes the defense against it. Low-level criminality, for instance, focuses on skimming money directly for personal benefit, and usually comes in the form of isolated attacks on industry targets. Distributed denial of service (DDoS) attacks, such as those popularized in recent years by the hacktivist collective Anonymous, are likewise more reputational boosters for the group itself than attempts to cause specific or long-term damage, unless they are coupled with a malware infection. The criminal element affects institutional markets when it is organized and professional.

“People focus on the common criminal with the botnet, distributed denial of service (DDoS) attacks and the like, and think that’s the real problem,” says Hugh Cumberland, solution manager, financial services, at global telecoms provider, Colt. “Terrorism and state actors are something that you need to worry about, but for wholesale, professional services, where the retail-side risk is not as great, it’s important not to overlook the risk from professional, organized crime, and the resources that they have at their disposal in terms of being able to invest in some of the best external hacking and penetration techniques. There are multiple threats, and there’s a tendency to overlook the fact that organized crime has and will move into this area.”

Cyber Risk
The degree to which cybersecurity is given an individual focus within an institution varies greatly. One person at a major European bank, who asked not to be named, says that their institution sees it as a distinct risk in and of itself, and it is managed accordingly by an internal structure, given their experience with the bank’s retail operation. Another source at a European exchange says that cybersecurity isn’t a risk discipline itself in the same way that risk is traditionally perceived, but one that spans all areas of a firm’s technology and business ecosystem. The common thread, however, is that while the issue has gained an enormous amount of traction among senior management, more work needs to be done.

“These kinds of issues fall under classic risk management,” says Joram Borenstein, vice president of marketing at Nice Actimize. “It’s different in that we’re not talking about credit or liquidity risk per se, but we are talking about data risk, information risk and security risk. A lot of market participants aren’t focused on those issues—they certainly have people who own those domains, and those bailiwicks, but for the most part, they’re not in a central focus. To date, there haven’t been any significant incidents against depositories or broker-dealers that we know of, or that have been publicized, and some of these folks aren’t as aware as their counterparts on the retail side.”

The Human Factor
Recent events have highlighted another aspect of cybersecurity to which financial institutions, in particular, are vulnerable, one that has nothing to do with DDoS attacks, viruses, worms or Trojan horses, but with people instead.

“My experience is that the one threat vector that keeps coming up is the insider,” says Brian Contos, vice president and CISO at IT security provider Blue Coat. “That’s not to say that activism, espionage, warfare and others aren’t critical, but the human element is always there, whether it’s careless or malicious.”

Carelessness can take the form of using unauthorized cloud storage services for confidential data, plugging compromised USB drives into workstations, or connecting insecure communications devices that can serve as back doors into a firm’s network, none of which is driven by malice. The more sinister angle is that of a human operator who has no need to hack into the internal file structure of an organization like a bank or a clearinghouse, because he or she already holds the credentials and the authorization necessary to do so. Several interviewees for this article draw parallels with the Edward Snowden case, in which the contractor was able to lift sensitive files from National Security Agency (NSA) systems before passing that information on to journalists.

Ultimately, fully preventing an internal breach can prove impossible. An insider determined to steal information or cause damage will likely succeed. The technology strategy, therefore, turns to risk mitigation rather than 100 percent prevention.

“I’ll use an example that a Secret Service agent once told me: If somebody wants to shoot the US president, they will,” says Kroll’s Hilbert. “The difference is that they’re going to get shot, too, but you can’t stop a fanatic. You can take mitigating factors, and there are three basic ones. Number one is understanding the data that you have; number two is controlling access to the data that you have; and number three is monitoring how that data is utilized. It may not stop people from getting it, but it may stop it from appearing on the web, for example, or you may know that they’ve planted a logic bomb to blow up your system.”

Dependency Reduction
In many ways, risk mitigation techniques learned from other infrastructural disciplines, and the principles behind them, can be applied to cybersecurity strategies, particularly when it comes to assessing chinks in an organization’s armor. These may not necessarily be at an investment firm’s own systems, for instance, but in ancillary providers and utilities that a business depends on, such as power grids, datacenters or third-party vendors.

“Over the years, we’ve done an excellent job of building resilience to physical events, like a fiber cable being cut by a construction operator, and what we’ve been working on is how to make market infrastructure resilient to cyber threats,” says the DTCC’s Clancy. “The different infrastructures—IT, telco, and energy—are at different levels of maturity in their cyber preparedness compared to financial services. Very few of them face the pervasive criminal threats seen in financial services. But now, they’re starting to do the calculus on the hacktivist, espionage and warfare fronts, which are becoming more of a concern, and they’re focusing on the need for their institutions to combat and strengthen their resiliency to these threats. So, we’ve been working with those industries at the financial sector level. There’s still some work to do, but we’ve put mitigation measures in place to reduce our exposure to any single provider.”

There is no one industry sector that provides a golden example of how to go about implementing a secure cyber defense strategy, though. Some say that the capital markets side of banks can learn lessons from their counterparts on the retail side, but even stretching outside of financial services, other industries prove strong in one area while being weak in another.

“There’s no point going to the military, looking at what they do and then basing your solution on that,” says Chris McIntosh, CEO at ViaSat UK, who also served as a lieutenant colonel in the Royal Corps of Signals, the British Army’s specialist communications regiment. “They’re very good at, for example, data-at-rest, like protecting against a helicopter falling out of the sky and ensuring that nobody gets that information. Finance is very good at data-in-transit protection, in terms of how they encrypt and encode data moving through the air. If you look at the oil industry, and how they secure and encrypt their slow data-rate systems that send out internationally from different rigs, then they’re the leading edge. In order to improve, you need to have feelers out to all of the best-of-breed, so you can tailor a solution to fit the needs of your organization.”

A Thousand Cuts
Despite grandiloquent talk about a single cyber event that could topple the industry, the evidence so far suggests that the big attack, when it comes, will not look like that. Take Stuxnet—the malware that infected Iranian computers, discovered in June 2010 and believed to be a joint US–Israeli development—which works slowly and methodically before its cyber-warfare components become apparent. It has been monstrously destructive, yet subtle in the way it sits within systems and learns their subroutines, mimicking them before taking over and fulfilling its cyberwarfare function. It is the worm, rather than the nuclear bomb, that financial institutions should be concerned about.

“In the US, particularly, there’s been talk of a cyber-Armageddon, a lot of fearmongering about the possibility of a huge attack happening, but the truth is that it won’t happen like that,” says Kroll’s Hilbert. “It’ll be slow, it’ll be methodical, and it’ll use a threat vector that nobody has thought of before.”

The internet may be a communications tool first and foremost, but the way in which it interconnects the world’s nations also makes it one of the most powerful forces in history, not least of all for business related to the financial markets.

Trades can zip from Tokyo to London at speeds measured in nanoseconds, while the soil between New York and Chicago is stitched together with high-speed, fiber-optic cable. Even the airwaves ring with data, a constant, pulsing flow of information that represents one of the crowning accomplishments of modern civilization. Ironically, the very apparatus by which globalization is most stridently achieved also serves as the delivery mechanism by which the markets may face their greatest threat in years to come—that stemming from cyberspace.

Salient Points

  • While the retail side of banking has long been the target of cyber attacks, the institutional markets are beginning to experience them too. The World Federation of Exchanges and the International Organization of Securities Commissions recently released a joint report stating that more than half of the world's stock markets had suffered a cyber attack in the past year.
  • Banks, in particular, are attractive targets to organized criminals who know how to monetize the vast amounts of information they hold, while threats from corporate and state espionage, activism, and cyberwarfare are very real.
  • Education and awareness are some of the key defenses for any cybersecurity strategy, particularly at senior levels, but also among the rank-and-file workforce.
  • 100-percent prevention of attacks may not be possible, so mitigation of an attack's effects is just as important.
