Are We Ready for a Financial Cyber Attack?
Source: Wall Street Journal
An assault on Estonia in 2007 disrupted banking and other services for over a week.
Last week, the European Union revealed that its headquarters had come under a major cyber attack, likely state-sponsored, on the eve of the EU summit. Earlier this month, the French announced that they had been hit with a cyber assault at the end of 2010, probably launched by Chinese hackers, aimed at pilfering sensitive G-20 documents from finance ministry computers in Paris. Last fall, the Nasdaq suffered what looks like an organized-crime attack on a service it provides to corporate executives for exchanging confidential files.
But what if e-espionage aimed at the financial sector suddenly escalated into e-war? What if, for example, China, North Korea or Iran initiated a crippling assault against the West’s electronic financial network, where trillions of dollars worth of transactions occur every day?
Such an event would mean a massive and potentially long-lasting disruption to the flow of dollars and euros among banks, businesses and consumers. At a minimum, it would mean the loss or corruption of financial data at major stock and commodity exchanges.
Experienced Washington hands, such as former Homeland Security Secretary Michael Chertoff, rightly worry about insidious Stuxnet-type worms that might be insinuated into financial networks. Such worms can wreak havoc slowly and methodically by corrupting financial data without creating immediate alarm.
“At some point people would no longer have confidence in the ability to trust the transactional records,” Mr. Chertoff cautions. “We’ve seen what happens when you have a meltdown in public confidence in the financial sector in 2008. And I think that would be small potatoes compared to what we would see if we had this kind of attack.”
As things currently stand, the Department of Defense protects military assets against the global cyber threat, while the Department of Homeland Security protects critical government institutions and facilities. Other than some enhanced information-sharing between Homeland Security and leading private financial institutions, there’s not much, if any, cyber-war defense planning going on in the financial world. So, who’s protecting the banks and the stock exchanges against a direct cyber attack? No one.
Most attacks to date have been launched by either criminal or hacker elements “phishing” for information about bank clients and investment positions. While the financial industry, working with government, has done a decent job identifying those threats, much more needs to be done when it comes to global financial network resilience—the ability to absorb an attack by a nation-state.
In the banking district of London, war-gaming exercises involving the banks and government are taking place this month, though under the radar. Here in the U.S., similar simulations have been discussed but have not been put into action.
The U.S., working with EU and NATO countries, must do all it can to provide and receive real-time intelligence about the financial sector in periods of heightened geopolitical tensions, privacy issues notwithstanding. Should such an attack occur, friendly governments will need to provide cross-border authority to identify, investigate and pursue the attacker servers in the source country.
Even with agreement to work collectively, what could governments do to contain the attack? Could they isolate a single large bank or financial institution that may have come under cyber assault or become infected with a disabling worm? “We’re still not appropriately positioned to take any individual major financial intermediary out of the picture—be it for cyber or financial instability reasons,” acknowledges Jane Carlin, global head of operational risk management at Morgan Stanley in New York.
Perhaps the toughest question, and one that will reside squarely within the Oval Office, is when to strike back, and against whom, if a state-sponsored cyber weapon is launched against our financial backbone. How do we prove who did it, and do we have to prove attribution before we respond? “Are we helpless in the face of those who would hijack servers in third countries to mount attacks?” asks Mr. Chertoff.
Such a strike can be swift, silent and damaging. Estonia—and its two major banks—experienced what many believe was a cyber attack originating in Russia in 2007. It heavily disrupted online banking and other financial services for more than a week.
No single approach can address all the nuances and layers of cyber war, particularly when it comes to the global financial system. But it’s crucial for practitioners to come up with a plan, perhaps as members of a White House Cyber Council, that will enable the financial network to survive what surely one day will materialize as the silent shot heard ’round the world.
Mr. Getler, a former correspondent for the International Herald Tribune and The Wall Street Journal, is an international risk-management adviser in Washington, D.C
New Cyber Security Bill Kills the ‘Kill Switch’
By Michael Hickins
Senators Joe Lieberman (I, Conn.), Susan Collins (R, Maine) and Tom Calpers (D, Del.) introduced the “Cybersecurity and Internet Freedom Act of 2011″ on Thursday. The bill is intended to “establish the essential point of coordination across the Executive branch” in the event of a crippling or catastrophic cyber attack against United States critical infrastructure, Ms. Collins said in a statement made on the floor of the Congress.
The bill seeks to protect vital U.S. interests from “catastrophic” cyber attacks by establishing an office within the executive branch of government that would coordinate strategy and defense from cyber attacks. The Office of Cyberspace Policy would be checked by both legislative and judicial oversight, according to language contained in the bill.
Ms. Collins said that the United States needs to change its “disjointed and uncoordinated” approach to cyber security.
Mr. Lieberman addressed critics of an earlier version of the bill in a separate statement, saying that “there is no so-called ‘kill switch’ in our legislation… The ‘internet kill switch’ debate has eclipsed discussion of actual, substantive provisions in this bill, [which establishes] a new national center to prevent and respond to cyber attacks.”
- Louie Palu/Zuma Press Senators Joe Lieberman and Susan Collins, seen Feb. 3, 2011.
The new bill seems to have won over at least one skeptic.
Michael Chertoff, director of the Department of Homeland Security until 2009, told Digits a few days ago that giving a president the authority to shut down the Internet would be “troubling, at least for me personally.”
Reached Thursday evening, Mr. Chertoff said via email that, while he hadn’t had a chance to review the new bill in detail, he found it “valuable from a number of standpoints.” He also noted that the bill, as he understands it, “dispels any notion of a kill switch where government steps in and shuts down the Internet.”
He added that defining what can be done in an emergency and creating appropriate liability protections are important steps.
Recent events, including the discovery that a foreign government has gained online access to parts of the U.S. electric grid, have raised awareness of the threat of cyber attacks on U.S. infrastructure. Ms. Collins noted in her statement that “in March 2010 the Senate’s Sergeant at Arms reported that the computer systems of Congress and the Executive Branch agencies are now under cyber attack an average of 1.8 billion times per month… Devastating cyber attacks could disrupt, damage, or even destroy some of our nation’s critical infrastructure, such as the electric power grid, oil and gas pipelines, dams, or communications networks.”
The WSJ reported today that hackers targeted Canadian government institutions last month from computer servers traced to China. Earlier this month, the WSJ also reported that U.S. oil firm computers were attacked by hackers who appear to be based in China.