'Snowden Effect' Should Thaw—Not Chill—New Ideas on Systems Intrusion, Detection
In an episode of Seinfeld's very first season—in 1989, when hacking was still a bad cough—Jerry returns to his apartment from a trip to find his electronics stolen. Kramer, it turns out, briefly left the door ajar while Elaine—who is apartment-sitting—went out shopping as she waited for Jerry's shower water to (finally) get hot. Kramer explains what happened, and asks,
"You have insurance, right buddy?"
"No," Jerry says, despairingly. "I spent all my money on the Clapgo D-29! It's the most impenetrable lock on the market today. It has only one design flaw. The door ... must be closed!"
That scene popped to mind last week, as new reporting detailed the ease and creativity with which Snowden was able to hack the NSA's files. Most unbelievable among those details, though, was this: The agency had no effective way of detecting what he was up to because unlike most of its other locations, Snowden's site in Hawaii wasn't outfitted with the sophisticated software to do so.
Someone, in other words, left the door open.
At first glance, one might think chief technologists—whether in finance, telecommunications, or elsewhere—will look at that revelation, and breathe a sigh of relief. After all, if the US government arm responsible for “watching” the rest of us can't even capably watch one of its—albeit more shrewd and determined—employees, what chance does anyone else have at prevention?
New Expectations
Of course, the unfair answer is: It doesn't matter. Any seasoned CTO or CIO will tell you that isn't how expectations work.
While a “Snowden Effect” is bandied about, meaning different things—from data-sensitive firms supposedly abandoning the cloud, to libertarians getting on a soapbox over alleged violations of constitutional rights—above all, the whole affair has clearly tickled the public consciousness, including that of shareholders and CEOs.
For financial firms big and small, expectations about actually knowing—and proving you know—what's happening on the systems inside the shop will rise. If the government can make enemies of its own personnel, even its programmers, so too can an investment bank or asset manager. (Just ask Goldman Sachs.) This is interesting, because the past few years have focused more on cybercriminals, their headline-drawing distributed denial-of-service (DDoS) attacks, and advanced persistent threats (APTs), all of which originate externally.
It's not exactly a turnabout. Monitoring what one's employees are doing is far from a new IT problem. Snowden, rather, would seem to bring that priority full circle, with perhaps an added wrinkle—knowing how well (or poorly) your own developers and systems monitoring tools can police the IT estate in real time, rather than post-facto.
Bright Side
As one senior staffer at D.E. Shaw nicely put it at Waters USA a few weeks ago, IT's "hard shell" often contains a soft, gooey center. And despite whatever permissioning and education, or policies and containers one can try to wrap around it, goo is still notoriously difficult to control.
There is a bright side to all this. This summer, as I reported for a few weeks in Central Europe for Waters, a couple of CIOs I spoke with—from very different kinds of firms—both seemed to exalt, with a palpable enthusiasm, the priority of systems oversight and resilience. In fact, Ralf Schneider, who oversees strategy for a global behemoth, Allianz, and Michal Sanak, the CIO for Czech prop shop RSJ Trading, voluntarily returned to the topic repeatedly. They both appeared to see an opening—rather than a risk—in the new responsibilities that both sides of the Snowden affair imply.
Perhaps they have little choice. As I found elsewhere in his country, Schneider cited Germans' particularly strong disaffection for any kind of data privacy intrusion, given the modern history of surveillance there—especially during its Cold War partition. Sanak, meanwhile, pointed out that in RSJ's role as electronic market-maker, gatekeeping and safety mechanisms are even more natural to the firm's IT DNA than latency reduction or proprietary hardware one might rather expect.
Dr. Schneider leaned on the word "trust" to explain the issue and justify the spend. For Sanak, it was "integrity." (More on that in the Waters January 2014 issue.) Going by these two examples, there is little convincing to do on a cultural level.
Maps and AI
The question, then, and as often, is how. For my part, a few promising answers have already been engineered—if for other more industrial applications. Verdande Technology, for example, has brought case-based reasoning (CBR) logic to finance from the offshore drilling industry, BAE Detica similarly leverages its namesake's defense and aerospace expertise, and Nice Actimize this year began using advanced voice recognition borrowed from its original telecom business.
What do the three providers have in common? For one thing—and coincidentally—none of them is American. But more importantly, they all introduce novel ways of looking at an IT ecosystem, mapping out the interactions taking place within it, and then using different modes of artificial intelligence to decide what is askew, and why.
It could simply be an overburdened server, or a bit of code that slipped through the change management process into production, funneling thousands of bad orders to market at high speeds. It could be a hacker who takes joy in seeing the world struggle for a few hours. Or a disillusioned staff member with his own agenda. The point is identifying which—accurately and quickly—and determining how that augurs a proper response.
Resolving just which technologies are needed is the rub. When Société Générale Americas CTO Bob Schmeider explained to me why firms have focused on infrastructure security in the time since the Jerome Kerviel rogue-trading scheme upended the French bank, he put it simply: "You never point a finger in this industry, so much as empathize, and look after your own house. You know you could be next."
Not So Funny
In the end, as geopolitical—almost implausible—as the Snowden leak has become, and as promising as new monitoring tools are, an effective combination of technology and leadership probably comes back to fundamentally avoiding that scene in Seinfeld, with multiple actors playing roles they aren't used to, experiencing a sequence of unanticipated events that ultimately leads to an adverse outcome for the protagonist, left without redress.
In the episode, Jerry eventually forgives them—after all, unlike Snowden, Kramer hasn't conspired with Newman to lift Jerry's stuff—but not without one more comedic conceit that, 25 years later in 2014, will feel especially close to those charged with protecting the substance and flow of information:
"[They even stole] my answering machine!" he exclaims. "Boy, I hate the idea of somebody out there returning my calls."