Tied to legacy infrastructure, bombarded by regulation and uncertainty over their business model, banks must also face up to the cyber security threat, writes author Stephen Norman.

Stephen Norman

On Saturday, February 25, 2003, I was roused by the head of disaster recovery at Merrill Lynch, who told me that our networks were down. We – and the entire internet – had been attacked by a vicious worm called SQL Slammer, which fitted inside a single network packet and infected Microsoft databases. Each infection would broadcast, looking for other nodes to infect, in such volumes that the network froze. Not just data traffic – we had recently installed an internet protocol-based phone system, so even the phones didn’t work.

Most malware back then was created by young techies, pitting their ingenuity against Microsoft and the establishment. Slammer’s creators made no money from it; they were technically brilliant delinquents having fun. There were other attack types too, such as denial of service, which took down banks’ websites, and phishing, which lured customers into giving away their credentials. The impact was more on retail than commercial banking.

Over the next decade, the banks’ defences became calloused by these constant attacks and a steady state emerged – a kind of weary trench warfare.

A moving target

On February 4, 2016, an unknown group hacked into the computer network of the Bangladesh central bank and sent Swift instructions to make 35 payments from its account at the Federal Reserve Bank of New York. Had the criminals been a little more knowledgeable about Swift messaging conventions, they could have netted almost $1bn instead of the $81m they got away with.

The Bangladesh heist illustrates the dramatic evolution of cyber crime over the past few years. The actors are no longer talented individuals, but a toxic mixture of well-organised gangs and secretive agencies funded by nation states. The gangs want money, rather than glory, and their focus has shifted from retail to commercial banking. Their assaults are carefully planned and the financial rewards are huge.

In one respect, the Bangladesh heist was conventional – it was a robbery. But today’s cyber criminals have found other ways of making money. They can demand ransoms – such as the WannaCry virus that devastated the UK’s National Health Service – or they steal personal data, which can be used later for identity theft.

In November, I received a letter from Equifax to tell me that my personal details had been in the hands of criminal hackers since May 2017. Equifax has presumably sent similar letters to the almost 150 million people in the US and UK whose personal data was stolen. The perpetrators are unlikely to use this data themselves but will have sold it, either directly or via a wholesaler, to those who specialise in identity theft.

One of the reasons why today’s cyber criminals pose a greater threat is that they have created a co-operative black market, in which specialist skills, tools and information are freely traded (see, for example, the National Cyber Security Centre’s white paper, ‘Cyber crime: understanding the on-line business model’, April 2017).

Criminal behaviour

I have mentioned that the actors have changed. One of the most sinister and troubling aspects of today’s cyberworld is the involvement of nation states on all sides. Most governments understand that the internet infrastructure is as vital to national security as bridges and railroads.

The vulnerability exploited by the WannaCry worm was first discovered by the US National Security Agency (NSA), which did not disclose it, but instead ‘weaponised’ it, presumably for use against the US's enemies. But then someone stole the secret from the NSA.

The seething co-operative of the cyber criminal world extends to sharing weapons, and not only among criminals: the same tools pass between the criminals and the ‘police’. The open source tool BloodHound was created by penetration testers. Deployed silently across a network, it will sniff out the quickest route to the main administration centre – that is, the room where the keys to the castle are stored. Anyone can learn how to use BloodHound through YouTube videos.

Similarly, password ‘crackers’ are freely available. Their creators studied the common patterns of human psychology. Most of us generate passwords in the same ways – birthdays, children’s names, inserting 1 for l and so on – and in doing so we make the cracker’s job infinitely easier.

Today’s cyber criminals do not have it all their own way. The successful ones – as with any successful business – make money. But storing and spending illegal takings has been getting harder, especially in US dollars, due to the efforts of the Office of Foreign Assets Control and far-reaching legislation, such as the Foreign Account Tax Compliance Act.

It is significant that WannaCry demanded ransom not in dollars but Bitcoin. The appearance of cryptocurrencies is a godsend to the new generation of cyber criminals. A ransom paid in cryptocurrency is doubly beneficial: WannaCry not only collected money in Bitcoin but it publicised and drove up the value of that currency.

And here again the interests of the criminal fraternity and the leaders of some countries are aligned. Both would like to free themselves from the strictures of know-your-customer requirements and the US regulators. For example, Russia has shown a great interest in cryptocurrencies and blockchain technology. A well-publicised meeting in June 2017 between Russian president Vladimir Putin and the founder of Ethereum, Vitalik Buterin, led to the creation of Ethereum Russia, a joint venture with Russian state-owned development bank VEB.

Building up defences

Today’s cyber criminals are technically talented, well organised and co-operative. So how do those in charge of cyber security at financial institutions feel today? I would say ‘extremely nervous’. Perhaps driven together by fear, co-operation and consensus are now emerging among the financial market players. The key influences for good here are a common approach, the focus of the regulators, the simplification of infrastructure and perhaps ‘red teams’, which act as fictitious attackers to help banks improve their cyber security.

As for a common approach, the National Institute of Standards and Technology (NIST) framework for cyber security, first published in 2014, has become the bible for cyber security professionals across all industries. It provides a common vocabulary and method of assessing risks. Using NIST standards, the information security function can articulate where the organisation should best spend its limited resources.

Financial regulators have shifted focus from capital and financial risk to data security and cyber risk. The first key initiative is the EU’s General Data Protection Regulation, which requires all organisations to understand and protect the personal data of their customers. The second is the New York Department of Financial Services’ regulation 23 NYCRR Part 500, a wide-ranging catalogue of best practices in cyber security with which all banks in the jurisdiction are required to comply by March 2019.

Many banks have been trying to flex their fixed IT costs by moving onto the cloud. I believe – perhaps counterintuitively – that this will improve the banks’ defences against cyber attacks. Even three years ago, external cloud infrastructure was regarded as unsafe; but there is now widespread recognition that these platforms can be more secure than banks’ vast and disparate legacy infrastructures.

Cyber hygiene

WannaCry and the Bangladesh Bank attack taught us the importance of a well-managed, consistent and modern infrastructure. As one chief information security officer said to me recently: “Our biggest risk is not ‘day zero’ vulnerabilities, but resides in all the kit we hardly know is there, effectively unpatched and unmonitored.”

Financial players have increasingly turned to the poachers to improve their stock control. Penetration testing, or attempting to invade a network from outside, has been common practice for more than 20 years. Today, the new trend is red teams, or ‘white hat’ hackers. Red teams use their ingenuity to aggressively find vulnerabilities, both outside and inside the corporate infrastructure.

That’s the state of play today. But all of us in information security remain extremely nervous, not least because the internet is rapidly evolving. The age of the Internet of Things is upon us, bringing with it new categories of risk such as digital attacks that destroy physical infrastructure. For example, in my novel Trading Down, a bank is threatened because a hacker/terrorist shuts down the data centre’s cooling system.

As the maligned chief technology officer in Trading Down says: “Because those things have actually happened, now we take them seriously. But before they happened, they were impossible. Every year the world shuts the stable door on another impossible event.”

We need to adopt the red team mindset. We should be imagining the next impossible thing, before it happens.

Stephen Norman is ex-chief information officer at RBS Global Markets. His cyber crime novel, Trading Down, is published by Endeavour Press and available on Amazon.
