James Rundle: Dark Alleys

“Imagine you’re in a bad neighborhood, walking through a dark alleyway at three in the morning,” says one representative from a major US financial utility, speaking to me during a recent visit to London. “You’ll be a lot more aware of your surroundings than you would be in a city center during your lunch hour,” he says. “When it comes to cyberspace, most people involved in security tend to assume that it’s all dark alleys.”

Cybercrime has been at the top of the news agenda for several years now, in particular the mass-organized distributed denial of service (DDoS) attacks orchestrated by so-called “hacktivist” groups or movements like Anonymous. Outside of a political protest, though, DDoS and similar attacks have a serious undertone, and attacks against banks are worth millions of dollars to criminals every year.

Former White House cyber security advisor Richard Clarke, in formulating a manageable yet apt description conveying the threats that companies and governments face from the cyber arena, came up with the acronym CHEW—crime, hacktivists, espionage and war.

Extant Threats
For capital markets-focused institutions, it’s the last three letters of the acronym that really matter. Retail operations are susceptible to the crime element, but securities dealers, clearing houses, depositories and investment banks, given the complexity of the organizations, are likely to face a more sophisticated form of opponent. The designation of several well-known US bodies by the government as Systemically Important Financial Institutions (SIFIs) adds further weight to the level of preparation that needs to be undertaken by sell-side firms, giving a national security impetus rather than simple preservation of integrity.

From the technology perspective, it’s a tough challenge. Segregated systems, redundancy, back-ups, off-site datacenters and other tools have been used for years, but the introduction of new points of egress continue to introduce risks. Take mobile devices, for instance. While remote wiping is an effective way of controlling device proliferation, a determined intruder with a plan in mind potentially gains access through the back door to systems through a stolen device. Likewise, the internal threat from disgruntled employees, or—in the case of espionage and war—planted agents, becomes particularly difficult to defend against.

Cyber risk is rapidly becoming one of the key challenges in the modern era. And executives appear to be listening.

Taking Threats Seriously
The industry is taking this seriously, however, with a high degree of information-sharing between institutions, and the build-out of various systems to analyze, detect and act on threats. All of this is in the process of being fine-tuned, particularly as government regulations develop alongside the evolution of technology. One problem, as those familiar with compliance systems will empathize with, is the generation of alerts for possible intrusion or attack, and coping without drowning in false positives and erroneous determinations. The person I spoke to this month says his institution typically has hundreds of alerts in alarmingly short time frames, although he declines to say exactly how many.

Outside Focus
It is perhaps a sign of the times we live in that the stuff of cyberpunk and science fiction is a reality—or at least, is rapidly becoming one. While market risk, credit risk, operational risk, the greeks, and everything else related to trading and risk management, are intrinsic to the effective running of an investment operation, cyber risk is rapidly becoming one of the key challenges in the modern era. And executives appear to be listening. The person I spoke to likens explaining cyber security to business leaders, as a car’s seat belts—you never fully appreciate them until you’ve been in a car crash. Now, he says, the educational aspect is accomplished, and it’s the solution process that’s in full swing.