From financially motivated cyber crime to politically influenced cyber warfare, the virtual threats to financial institutions are multiplying. Companies must respond by arming themselves against such attacks or else they risk losing their footing on the new digital battleground.

Criminals have long targeted banks for the simple reason that this is where the money is, but now financial institutions have another threat to contend with: state-sponsored cyber attacks. No longer simply a topic of conspiracy theories, state-sponsored cyber threats are a reality and are pushing financial institutions to rethink how they share information, among themselves, as well as with other industries and government entities.

Cyber security in the finance industry has been mostly focused on attacks conducted by groups or individuals with criminal motivations. But, says Mark Clancy, chief information officer at US financial services firm Depository Trust and Clearing Corporation (DTCC), “in the past two years we have started to see some activities that cannot be explained by criminal motivations”.

Worming its way in

Distributed denial of service (DDOS) attacks – where websites are overloaded with requests so that they cannot function – hit many of the major US banks back in late 2012. It may first have appeared to be the work of hacker activists, or ‘hacktivists’, looking to make a point, but the sophistication of the attacks indicates that it was not the work of amateurs. Izz ad-Din al-Qassam Cyber Fighters, an Islamist group that many believe to be state-sponsored, claimed responsibility for the attacks.

A few months later, in March 2013, the 'Dark Seoul' attacks on South Korean banks and other institutions, in which data was deleted from hard drives, were believed to be part of an espionage campaign – possibly state-sponsored – against South Korea.

Even those financial institutions that have not had such dramatic wake-up calls are now taking the threat of state-sponsored attacks seriously. It is not that there has been a dramatic increase in the number of attacks since these major incidents, but rather that there is now a heightened awareness among financial institutions. “The difference right now is that people know about it and people are talking about it,” says Stefan Tanase, senior security researcher at internet security specialist Kaspersky Lab.

This comes at a time when cyber tools are increasingly being used in feuds between countries; as well as foot soldiers, many countries now also have cyber troops.

When the Stuxnet worm attacked a nuclear facility in Iran, it was a watershed moment: it was the first time that a cyber weapon had caused physical damage – it destroyed centrifuges within the nuclear plant. US and Israeli intelligence agencies are alleged to be behind the attack, but theories abound regarding the ultimate goal of such a weapon. One possibility is that it was a testing exercise for capabilities that could be even more destructive and far-reaching.

In this context, banks, stock exchanges, clearing houses, payment processors – and other parts of the financial system – need to reconsider how they are interconnected and how they can best respond to the cyber threat.

An exponential crisis

In May 2014, a report on cyber security in the banking sector by the New York State Department of Financial Services (DFS) noted that all types of cyber attacks were becoming more frequent, more sophisticated and more widespread. Fredrik Hult, a cyber resilience expert who advises multinational corporations and governments, says: "Cyber should be viewed as an ongoing battle between the competing innovation curves of attackers and defenders. The bad guys are innovating very quickly, so banks need to innovate quickly as well to match the capabilities of those looking to harm them.”

But this comes at a time when banks are under innovation pressures – with little budget to invest in their systems – and are struggling to keep up with the regulatory demands that are being placed on them.

A switch has occurred in cyber space, says Mr Tanase. In the past, governments watched cyber criminals using malware and learnt from them. Now it is the other way around. “Governments have learnt from these criminals and are applying the same techniques and taking it to a whole different level,” he says.

Banks are targets because of the information they hold: on their customers, intellectual property and on mergers and acquisitions, for example, all of which can be of interest to foreign intelligence agencies. “We are living in the age of information warfare,” says Mr Tanase. “You have to fight this threat in a different way."

Information can be useful for intelligence agencies spying on other countries, or economic espionage could be part of a state-sponsored programme. Such economic espionage, notes Eric Guerrino, executive vice-president at the Financial Services Information Sharing and Analysis Centre (FS-ISAC), is nothing new. It is just that “the tools have changed”.

Economic espionage

A 2013 report by US cyber security firm Mandiant outlines how large the scale of state-sponsored economic espionage can be. The report described APT1 (Advanced Persistent Threat) as “one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen” and stated that the group had stolen data from at least 141 organisations in 20 major industries, estimating that it was an organisation with at least dozens, potentially hundreds, of human operators.

In its report, Mandiant claimed that APT1 is Unit 61398 of the Chinese People’s Liberation Army, though China’s Ministry of Defence has previously stated that it is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.

Such economic espionage was cited as the motivation behind an attack on stock exchange operator Nasdaq in a recent article in Bloomberg's Businessweek magazine. In July 2014, 'The Nasdaq Hack' was splashed across the cover of the magazine, along with the words 'How Russian hackers stole the Nasdaq'. However, it was not actually the stock exchange that was attacked back in 2010, but rather Nasdaq’s directors' desk solution – a portal that helps company directors organise board meetings. A Nasdaq spokesperson says that there was no evidence that any information was exfiltrated. 

Mr Clancy at the DTCC divides the cyber threat landscape into four categories: criminals, hacktivists, espionage and war. State-sponsored threats are emerging in the espionage and war categories. And, in terms of cyber war capabilities, the tools are being ramped up. Mr Hult cites a 2013 report by the Stockholm International Peace Research Institute (Sipri) that shows that spending on physical arms is decreasing while cyber capabilities are increasing. “There is a dramatic militarisation of cyber – with [some countries having] massive capabilities – it looks like an arms race,” he says.

Sipri estimates that global public and private spending on cyber security totalled approximately $60bn in 2011, roughly 3.5% of world military expenditure. The report cites estimates that the cyber security market should double in size by 2017 to approximately $120bn.

“As in any arms race, there are some countries that are better than others. The biggest issue with [trying to determine] how sophisticated your adversary is [is that it is] based on what you observe. A truism is that your opponent usually only reveals as much capability as they need in order to achieve their objectives. You may think that your opponent is a pitch-fork mob, but they may be keeping their special forces team in reserve... if [their defensive line] is good,” says Mr Hult.

Unlike cyber crime, where certain countries and regions account for the majority of activity, all countries are playing in the cyber war games, says Mr Tanase. Countries have a choice of investing in defensive or offensive programmes. With the offence programmes, he says: “Every country that can afford it is already doing it. The countries that are not doing it, for sure, are working out how to take part."

Preparing for war

No one is expecting an imminent cataclysmic cyber attack on the finance industry, but the prospect of cyber warfare raises questions about how the private sector should communicate with government agencies, and the role each of them should play in a crisis situation.

Information sharing has to occur between the industry and government entities. Doug Johnson, senior vice-president of risk management policy at the American Bankers Association (ABA), says that there was widespread agreement after the DDOS attack that the role that the public sector should take in terms of protecting organisations from attacks needed to be clarified. “That is an ongoing conversation,” he says.

The relationship between governments and the industry has to be one of partnership, says Mr Johnson. There can be discomfort in the banks when it comes to discussing their vulnerabilities with the regulators, and a fear of fines in other parts of the industry. But Mr Johnson says: “This is not a compliance exercise – it is a risk management exercise.”

The financial system is critical to a country’s economy. But, as Ilias Chantzos, senior director, government affairs for Europe, the Middle East and Africa, global critical infrastructure and privacy advisor at US tech company Symantec, points out, in a cyber war situation it is industries such as energy and telecommunications that are more likely to be targeted. Without electricity, for example, a country is less able to fight back. Banks are more likely to be targeted as part of an escalation of tensions or a signal that the attacker is capable of causing more damage.

Under the radar

In building their cyber defences, financial institutions need to adjust their thinking in order to deal with these new emerging capabilities. Mr Hult points out that the measures banks have in place for physical world hazards – such as flooding and hurricanes – are dramatically different to those needed in the cyber world. “All the previous assumptions may be dead,” he says of defending against cyber hazards. He adds that it is important to study bedrock assumptions, and how they could be undermined, in order to remain resilient.

Mr Clancy explains that, in the past, an institution’s resiliency was about availability, for example, keeping systems running in the event of a blackout or an incident such as the 9/11 terrorist attacks. With cyber, the risk is “a loss of integrity of our environment”. For DTCC, as the ultimate source of information on ownership of securities in the US and a provider of critical clearing and settlement services, integrity of the data is paramount.

Mark Graff, chief information security officer at Nasdaq OMX, says that institutions need to assess their operations and assets in much the same way as they would to prepare for physical world threats. One thing that is different with cyber, he says, is the distance. “In the physical world, we do not think about being attacked from thousands of miles away,” he says.

Added to this is the communication that is now possible on the internet. People with similar beliefs and goals – who previously would not have had the chance to meet – can connect online. And, unlike the physical world, where it is possible to track advancing armies' movements, it is difficult to anticipate who might be working with whom and what they might be doing, says Mr Graff.

In the dark

Another issue with the cyber world is attribution. Stephen Doherty, a senior threat intelligence analyst in Symantec’s security response team, explains that it is hard to determine whether attacks are perpetrated by a country or cyber criminals, and it is always possible for the attackers to hide their actions behind many layers of machines.

When asked if it is important to know who the attacker is, Mr Clancy says: “As a defender, in some ways, it does not matter. Knowing what kind of group it is helps understand how persistent they are likely to be.” Criminals will try as hard as they need to steal money, but if it is too hard they will find another victim. “If it is a country they will keep trying and will increase their capabilities.” And, as Mr Tanase at Kaspersky says: “They have all the money in the world and all the patience in the world.”

The attribution problem may make it impossible for financial institutions to always know where attacks are coming from; however, each institution needs to have a situational awareness of its own particular threats. “Firms have to have a clear understanding themselves of who is attacking them,” says Mr Hult, adding that the threat profile depends on so many factors, such as where they operate or what kind of clients they have.

Banks need to think about the sponsor of the attacks, says Mr Hult, and understand why someone would be incentivised to harm them.

On guard

Banks that do not think they are under attack might have more serious problems than they realise. One interviewee commented that if an institution believes it has not been targeted by a state-sponsored entity, it is likely that it has been attacked but does not realise it. Mr Hult says of cyber resilience: “Underperformance in cyber is silent. The worse you are at identifying threats and detecting attacks, the safer you feel.”

The DFS report on cyber security states that “the amount of money spent on a cyber programme is by no means the best reflection of its strength” and later adds “much more relevant is an institution’s ability to identify its top cyber risks and design a programme around those risks”.

When an attack does strike, institutions need to respond quickly and communicate with others. ABA's Mr Johnson says that information sharing is a big issue for the industry at the moment. Currently, there are discussions about how to bring clarity to the information-sharing environment and the industry is working towards having a common understanding of the rules of sharing information, he says. Also, there is a need to share information among financial companies internationally and across sectors.

Mr Graff also highlights information sharing as a key issue for the industry. “I want to encourage the facilitation of information sharing between government entities and the private sector,” he says. This desire for collaboration with other security experts is the reason Mr Graff founded and chairs the cyber security working group at the World Federation of Exchanges, an international association of exchanges with 62 members.

Another information sharing network is the US-based FS-ISAC. The group's executive vice-president, Mr Guerrino, says that, in recent years, information sharing among US banks has improved and started to increase significantly after the DDOS attacks in 2012. Since then, there has been a push by the US authorities to focus on cyber resilience and more institutions are joining FS-ISAC. The organisation is now looking to expand internationally – with increased interest from UK and European institutions – and is planning its first European summit in London this November.

“Co-operation and sharing is the best approach to defending assets. All financial institutions are interconnected,” says Mr Guerrino. When asked how information sharing would change in a cyber warfare situation, Mr Guerrino says: “If there were a serious attack [by a country] it would be even more important to share information quickly." 

Political hot potato

In a cyber war situation, there could be an issue for global banks operating in foreign jurisdictions if the ideology of the host country is in conflict with that of the bank’s home government. On this point, Mr Hult says: “Larger banks have to please different countries that may have conflicting geo-political objectives [to their home country].”

A foreign bank may find itself in a situation where it is being pulled between the interests of the local government and its home country. “It is like a child in a divorce where both the parents want exclusive loyalty,” says Mr Hult.

The industry agrees that information sharing is a good idea but, because of the sensitive nature of state-sponsored attacks, it is not a good idea to share information with everyone. William Nelson, president and CEO of FS-ISAC, explains that the group's board decided that financial institutions cannot join the network if they are headquartered in countries that appear on sanctions lists. “The practical reason is that it would not be a good policy to share information with organisations from countries that may be attacking your country’s infrastructures. Otherwise, those attacking countries might know ‘what you know’ about their campaigns, tactics and procedures and can quickly take countermeasures against your defences,” he says.

Another situation that could arise, given the global nature of the finance industry, is that a foreign institution could become critical to its host country’s infrastructure. If that institution is a state-owned bank from a country that engages in state-sponsored espionage, for example, the host country’s intelligence services may be reluctant to share information about threats.

When asked whether the sharing of information could provoke conflicts of interest for institutions that are domiciled in different countries, Mr Graff says: “We share information [on cyber threats] with corporations in the US and around the world that are our competitors – to do that, actually, is to our advantage. Cyber security is everywhere and all exchanges agree that we can collaborate. So far, there have not been any issues with international boundaries. International co-operation is to be expected and is effective.” 

Mr Clancy at the DTCC is of a similar opinion. “Attackers are global, institutions are global, defence has to be global," he says.

