
Cyber attacks are increasingly thought of as a threat to modern society. Fears that attackers will use computers to disable critical infrastructure, like the power grid or transportation networks, crippling everyday functions, are touted as the next frontier in threats to security.

However, such threats go beyond physical infrastructure. Attacks on the financial markets are a current and present risk. The Depository Trust Clearing Corporation (DTCC), the company that ensures the settlement of the vast majority of equity trades in the US, recently released a white paper discussing the systemic risks facing the financial markets. The white paper covers some familiar systemic threats: high frequency trading, counterparty risk, and the central exposures consolidated in clearing corporations. More interestingly, DTCC builds on a report by IOSCO (the International Organization of Securities Commissions, an organization of securities regulators) on cybercrime and the securities market, and identifies cyber threats as a systemic risk to the financial markets.

The threat of an attack is taken seriously by the industry as a whole. The Securities Industry and Financial Markets Association (SIFMA), a key industry group whose membership includes hundreds of participants, from Goldman Sachs, Citibank and Bank of America to smaller participants like privately held proprietary trading firms, recently released key findings from its Quantum Dawn 2 exercise, which simulated a systemic cyber attack across some fifty participants, including banks, exchanges, regulators, the FBI, and representatives from the Department of Homeland Security. The exercise went well, according to SIFMA’s after-action summary: “Quantum Dawn 2 demonstrated the industry’s resiliency when faced with serious cyber attacks that aimed to steal money, crash systems and disrupt equity market trading.” (The full after-action report is available only to exercise participants.)

SIFMA is on the right track in exercising such scenarios. IOSCO reports that 53% of exchanges globally have experienced a “cyber attack” in the last year. Fortunately, at least for the time being, the majority of these attacks were directed at non-transactional services (like exchanges’ web pages) and did not threaten the critical trading infrastructure of the financial markets. That small comfort aside, the increasing complexity and connectivity of our global financial market infrastructure increases its vulnerability to cyber threats. Further, the financial system is vulnerable to indirect as well as direct attacks. April’s @AP Twitter hacking incident and the subsequent drop in the US securities market is an example of a cyber attack with direct economic consequences for the financial markets and for investors.

Though cyber attacks against media and information vendors have affected the broader marketplace, there are specific categories of attacks that could directly impact the core infrastructure of the global exchanges (including broader concerns like clearing and settlement infrastructure). These reports, and SIFMA’s exercise, address the evolving nature of such attacks. Indeed, through an analysis of known cyber attacks, including those on non-financial infrastructure, it is possible to develop a view as to where the financial industry is most vulnerable, and thus a view as to how to defend those vulnerabilities.

In sum, the most threatening attacks could come in one of two forms:

Targeted attacks that are programmed to lie dormant until they can attack a specific computer. Like the Stuxnet worm that damaged centrifuges at a particular Iranian nuclear enrichment facility, a computer virus targeting financial infrastructure could lie dormant until it encountered a computer with a specific signature, for example one running software that communicates via the industry-standard FIX protocol or exchange-specific proprietary protocols. Even if computers running key infrastructure are isolated from the public internet, such a virus could hide itself on a USB memory stick and wait until a systems administrator unknowingly plugged the memory stick into an exchange’s hardware and delivered the Trojan worm. (It is in this manner that Stuxnet jumped the air gap and infected the computers controlling the centrifuges.)

Insider threats, highlighted by Mr. Snowden’s removal of data from the National Security Agency, represent a source of vulnerability at the opposite end of the spectrum. If a sophisticated agency like the NSA (with an extensive awareness of cybersecurity) is unable to secure its critical infrastructure from the actions of a rogue employee, financial institutions should be concerned that their information and infrastructure are vulnerable.

Defending against such threats involves combining a long-term commitment to security with an approach that addresses both technical and organizational vulnerabilities. A successful approach will emphasize skepticism, acknowledge that defenses are imperfect, and incorporate training on how to craft a real-time response to a successful attack, which is precisely what Quantum Dawn 2 exercised. However, such exercises are only effective when they are realistic enough to capture the stress and uncertainty of real-time decision making.

One of the outcomes of the Quantum Dawn 2 exercise was the “successful execution by the Market Response Committee to close the markets.” Recent history shows several instances where firms and exchanges have faced difficulty stopping trading, highlighted during both the Knight Capital incident and NASDAQ’s decision to continue the Facebook IPO despite technical glitches. As such, while practice makes perfect, it seems premature to translate the success of this response to the real world, where business imperatives and regulatory pressures to continue trading are immense.

These real-world pressures highlight the importance of realistic simulations in forming cohesive responses to crises. Rather than discouraging such an exercise, SIFMA should be praised for its work to create a more stable market. Indeed, perhaps the next exercise could tackle a topic less “sexy” than cyber security, as the industry has shown itself vulnerable to disruption even when the “attacker” is the market’s own technology systems, rather than a third party or an insider with aims of destruction or theft.

So where does this leave us? Perfect security will never be achieved, but a successful approach to protecting critical financial infrastructure from systemic threats will be grounded in a skeptical mindset that acknowledges the inherent systemic vulnerabilities and that practices responses to real-time incidents in a way that doesn’t depend on idealized, best-case responses.

Chris Clearfield is a principal at System Logic, an independent consulting firm that helps organizations manage issues of risk and complexity. Follow him on Twitter, and check out his other writings.

Image by Alexandre Dulaunoy

As originally published in Forbes.