As the US government adds banks, Wall Street and telecom companies to its planned simulated cyber attack on critical infrastructure, Corvil’s CBDO David Murray hypothesizes the methods and motives that could lead to such an attack.
The National Infrastructure Advisory Council (NIAC) has announced plans to widen the scope of its annual exercise (undertaken with utility companies) to include other types of critical infrastructure and essential services deemed vulnerable to cyber attacks. November’s “GridEx IV Security Exercise” will now test the resilience of big banks, Wall Street and the telecommunications industry as well as the power grid. This move, against a backdrop of sophisticated and exponentially growing cyber attacks, is both prudent and necessary.
Large-scale attacks on national critical infrastructure are not new. In December 2016, nefarious actors demonstrated their capabilities on Ukraine’s power grid when they succeeded in shutting off critical energy systems supplying heat and light to millions of homes. This was widely acknowledged by experts as the first example of hackers shutting off critical energy systems.
The technology that controls national critical infrastructure such as oil and gas, power plants, traffic management, etc. (i.e., Supervisory Control and Data Acquisition (SCADA) networks and Industrial Control Systems (ICS)) is different from the technology used in financial systems. Notwithstanding, for threat actors intent on causing maximum havoc, a successful attack on any of these systems would pay big dividends. But what would happen should the world’s financial institutions become their target?
Most financial institutions have robust information security solutions and protocols in place; however, the implications for the financial system of a major breach are significant, as called out by ESMA, IOSCO, the SEC and other regulators. These organizations all recognize that a cyber attack or breach on one or multiple financial institutions is a real and imminent threat, one that can result in a loss of market confidence and disruption to the global financial system, potentially leading to instability within the global economy.
Financial markets are prime targets for security breaches for a number of reasons – pure theft or criminal activity, espionage, hacktivism and nation-state attacks. If a malicious individual or organization wished to target today’s financial markets, their motives could be to make money, steal valuable information, and/or disrupt or create havoc in an individual organization, economic segment or nation.
Personal data stored by banks can be extremely valuable beyond direct theft, as it is also the raw material for very rich phishing and social engineering methods. This data includes not only personal information (including all the information required to open and maintain accounts), but also credit card details, checking and savings account details, brokerage and retirement account information, loan and debt information, vendor and payments information, as well as integrated financial plan details. Arguably, only the credit reporting agencies hold more Personally Identifiable Information (PII), and we have just witnessed their vulnerability with the breach announced by Equifax.
One significant concern of banks and regulators is compromised brokerage accounts – both for theft and for the potential implications of some entity being able to initiate trade or transfer activity across numerous accounts. While individual investors don’t typically move the market, someone who aggregated activity across a number of hijacked brokerage accounts – especially in less-frequently traded securities – might have an impact. While challenging to accomplish, this example does raise an interesting point: one need not necessarily steal data or money to create disruption or achieve one’s goal. This scenario, however, is minor in contrast to more systemic disruption.
Bad actors may seek to influence markets by controlling the flow of data to which algorithms respond. Stock, bond, commodities and derivatives markets are predominantly electronically operated and traded by an intricate set of computer programs, often reacting autonomously to flows of data. These algorithms buy and sell securities in less than a hundredth of a second across dozens of markets and thousands of participants. Because algorithmic trading occurs in “machine time,” organizations often lack complete transparency into what is transpiring in their networks while it is transpiring. Anomalies can therefore be extremely hard, or near impossible, to spot. The cautionary tale of errant algorithms rendering a company insolvent in the course of a lunch hour is a good example.
Financial institutions have implemented, and are required by some regulations to deploy, a “circuit breaker” or “overseer” algorithm that can halt activity when anomalous conditions beyond a certain acceptable limit are detected. Intended as a safety net, this mechanism can shut down parts of the trading network, with unintentional and unforeseen consequences for the market. Anomalous activity, such as flooding the market, may trigger multiple circuit breakers at once, causing disruption across markets. Using the same mechanism, a bad actor could target a specific company and attempt to mimic a flash crash in that stock, which could then create an avalanche effect before anyone has a chance to react.
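The circuit-breaker mechanism described above, as an added illustration of how an overseer check behaves on a trade feed (this is not Corvil’s or the author’s code, and not any exchange’s actual rule set): a toy per-symbol breaker that halts a symbol when its price moves more than a band from the price at the start of a rolling window, rejects trades while the halt is in force, and a market-wide check that flags when several symbols trip close together, which is the cascading condition the paragraph warns about. The 10% band, 300-second window, halt length, symbol names and the trade feed are all constructed values, not figures from the page or from any regulation.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    ts: float       # event time in seconds (constructed, not a real feed format)
    symbol: str
    price: float


class CircuitBreaker:
    """Per-symbol halt: trip when the price moves more than `band` (a fraction)
    away from the price at the start of a rolling `window` (seconds).
    Thresholds are assumed values for the example, not a real venue's rules."""

    def __init__(self, band=0.10, window=300.0, halt_duration=300.0):
        self.band = band
        self.window = window
        self.halt_duration = halt_duration
        self.history = {}       # symbol -> deque of (ts, price) inside the window
        self.halted_until = {}  # symbol -> time at which the halt lifts
        self.trips = []         # (ts, symbol, reference_price, price)

    def on_trade(self, trade):
        """Return "REJECTED" while a halt is in force, "HALTED" on the trade
        that trips the breaker, otherwise "OK"."""
        lift = self.halted_until.get(trade.symbol)
        if lift is not None:
            if trade.ts < lift:
                return "REJECTED"
            del self.halted_until[trade.symbol]   # halt has expired

        hist = self.history.setdefault(trade.symbol, deque())
        # Drop prints that have aged out of the rolling window.
        while hist and hist[0][0] < trade.ts - self.window:
            hist.popleft()
        hist.append((trade.ts, trade.price))

        reference = hist[0][1]  # oldest print still inside the window
        move = abs(trade.price - reference) / reference
        if move > self.band:
            self.halted_until[trade.symbol] = trade.ts + self.halt_duration
            self.trips.append((trade.ts, trade.symbol, reference, trade.price))
            hist.clear()        # a fresh window starts when trading resumes
            return "HALTED"
        return "OK"

    def cascade(self, now, max_trips, window):
        """Market-wide view: True when at least `max_trips` distinct symbols
        tripped within the last `window` seconds. Several breakers firing
        together is the signal an overseer should escalate rather than
        treat as one bad stock."""
        recent = {sym for ts, sym, _, _ in self.trips if now - window <= ts <= now}
        return len(recent) >= max_trips


# Constructed trade feed: ACME sells off 12% in a few seconds, then BETA follows.
FEED = [
    Trade(0.0, "ACME", 100.0),
    Trade(0.5, "BETA", 50.0),
    Trade(1.0, "ACME", 99.4),
    Trade(2.0, "ACME", 97.0),
    Trade(2.5, "BETA", 49.8),
    Trade(3.0, "ACME", 92.0),
    Trade(3.2, "ACME", 88.0),    # 12% below the window's opening print: trips
    Trade(3.4, "ACME", 85.0),    # arrives during the halt: rejected
    Trade(4.0, "BETA", 44.0),    # 12% drop on a second symbol: trips
    Trade(310.0, "ACME", 90.0),  # halt has lifted; a fresh window starts here
]


def run(feed, breaker=None):
    """Replay a feed through a breaker; return per-trade decisions and the breaker."""
    breaker = breaker or CircuitBreaker()
    decisions = [(t.ts, t.symbol, breaker.on_trade(t)) for t in feed]
    return decisions, breaker


if __name__ == "__main__":
    decisions, br = run(FEED)
    for ts, sym, decision in decisions:
        print(f"{ts:7.1f}s {sym:5s} {decision}")
    print("two symbols tripped within 10s:", br.cascade(4.0, 2, 10.0))
```

Replaying the feed shows the two sides of the paragraph's point: the breaker does its job on ACME and BETA individually, but the `cascade` check is what turns two nearly simultaneous halts into a market-level alert, which is the visibility the "machine time" problem otherwise denies operators.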
How many times have we witnessed “flash crashes” in which tens or hundreds of millions of dollars of value have evaporated due to simple “glitches”? It took years to unwind the cause of the 2010 flash crash, and more than five years passed before anyone was indicted on charges of manipulation. It took five federal agencies nine months to determine that there was no single cause of the late-2014 flash volatility in the Treasuries market. Regulators are challenged in aggregating data to reconstruct the events of a crash. The speed at which it occurred made it impossible to tell what happened first, and therefore difficult to establish cause and effect. Since then, volumes have only increased.
Creating a large-scale attack on a nation’s economy may involve similar disruption or manipulation of markets. While certain protections exist in regulated markets, a cyber attack that manipulates or disrupts market data or market operations and the automated buying and selling of securities, thereby eroding investor confidence, can start a detrimental chain of events. Market activity for one type of security is often influenced by what happens in other markets. For example, take the nearly $20 trillion US Treasuries market that finances the US government. It is not unusual for computer programs to buy and sell Treasuries to manage risk.
A disruption or seizing of markets, starting with the actual selling and devaluation of securities (and erosion of consumer confidence), can lead individuals to make investment decisions driven by emotion (not to mention the automated reactions of algorithms). This also affects the direct buying and hiring tolerances of small and large businesses alike, which in turn affects a company’s creditworthiness, borrowing capacity and ability to expand, which may in turn affect employment levels, and so on. Aspects of such situations can play out in minutes and hours, while others take weeks or months. Regardless, creating enough disruption to shake investor confidence in markets, and to induce fear and distraction among consumers, businesses and governments, may be a fine objective for a nation-state bad actor.
A digital “run on the banks,” as seen in the 1930s, is not inconceivable either. While people are unlikely to withdraw their money to stuff in mattresses, such an event may provoke a reaction with lasting impact on, or disruption to, the global economy.