Can cyber criminals cause a financial crash?

By Robert Pritchard on October 16, 2014

Breaches of financial systems have been in the news a lot recently, with the recent admission by US bank JP Morgan of a massive compromise, and the revelation that the same group of hackers had targeted other financial institutions. Following this breach, in the UK the Treasury Select Committee has been reviewing the security of the financial sector, amid some scary sounding headlines. So how vulnerable is the financial sector? Could cyber criminals bring the system to its knees?

Are banks particularly vulnerable to cyber crooks?

Banks have it tough in many ways. Generally when talking about the critical national infrastructure (the CNI consists of those things considered vital to our way of life – check out the CPNI web site if it’s a new concept for you) we cyber security experts expect the important components under discussion, for instance a water pumping station or electricity transformer, not to be connected to the internet and huff and puff if they are. Banks however have to connect their systems to the internet, as we all love using online banking. It’s not much easier for investment banks – they might not have millions of retail customers wanting to connect to core systems from poorly secured home computers, but they do have traders who need insistent access to huge swathes of information and lots of other demands which mean segregation from the internet is not practical.


Additionally banks are large organizations, often multinational, that grow by acquisition. Ensuring a common high standard of security across tens of thousands of employees, distributed across multiple countries with different cultures and working practices, combined with a range of outsourcing contracts and a variety of legacy systems plus the demand from all sides that this cobbled together collection of infrastructure be connected to the internet and innumerable third party exchanges, is quite a challenge.  To be clear I know nothing about security standards at JP Morgan, and they did actually detect this breach so kudos to them for that, but large organizations are a difficult beast to secure.

Finally we have the fact that banks hold a lot of money. All the money really. So if any organizations are going to attract the attention of cyber crooks, it’s banks.

So in summary, yes, banks are vulnerable to cyber crooks. Cyber criminals mainly appear to focus on the softer underbelly of banking i.e. the consumer, but there is no real reason some particularly ambitious group couldn’t try and pull off some sort of large heist. Citibank suffered a large breach in 2011. In 2013 a branch of Barclays was compromised in a fairly ambitious attack involving remote controlled hardware. In 2005 the then National High Tech Crime Unit disrupted a plot to compromise Sumitomo Bank which was described as like something from Mission Impossible.

Could hackers cause a bank to ‘disappear’? 

Disappear perhaps not, but cause outages, certainly. Similar things have happened in the past. UBS Paine Webber was taken almost entirely offline in 2002 by a disgruntled sysadmin. In 2013 three banks in South Korea suffered outages when computers were wiped in an attack blamed on the north. So clearly the business operations of banks can be disrupted by hackers. However the overall impact is harder to gauge. Neither of these examples had any long term impact on the function of the bank, and no clients lost any money. Indeed, the UBS sysadmin bet the stock price of UBS would fall following the outage, and lost money when that didn’t happen.

Also banks suffer outages all the time. Natwest has suffered a couple of significant outages that impacted consumers in recent years. Again, the long term impact of even relatively significant outages seems minimal.

Is the financial system vulnerable to a devastating cyber attack?

Banks are clearly vulnerable to cyber criminals, and suffer from the joint disadvantage of having to have systems connected to the internet, and being a huge target because of all the money. However, I think a cyber attack which causes some sort of systemic failure is unlikely. Banks are large diverse organizations, which makes them hard to secure properly, but also means that core financial systems run on a variety of software and hardware. The South Korean incident targeted only Windows operating systems, making it hard for employees to do any work, but not apparently impacting core systems.

Equally, the financial system seems quite robust. Banks suffer outages frequently, as do stock exchanges. The NASDAQ suffered an ‘unprecedented’ outage in 2013 blamed on technical failures, and just googling ‘stock exchange outage’ shows numerous reports of failures and outages at a variety of exchanges. None of these led to any sort of systemic failure.

Obviously the success of the financial system hinges rather heavily on confidence. If a significant outage was found to have been caused maliciously it may well lead to a loss in confidence in the organization(s) affected. That impact is harder to gauge. But a cyber attack causing a financial crisis on the scale of the one we’re still struggling to recover from I think is exceedingly unlikely.

So the headlines are overhyped?

Somewhat, though I emphasise I think banks need to take security very seriously (which, of course, they do). It’s still not clear if the compromise of JP Morgan was purely financially motivated, or something more insidious, with fingers being pointed at hacking groups in Russia and possible links to the state. Past examples of financial institution compromises and outages suggest that large scale maliciously induced failures that tip the world into financial meltdown are unlikely.

rpritchard@advisen.com

Robert Pritchard has over 13 years of experience in cyber security working for both the government and large multinational organizations. In 2012, Pritchard played a key role in preparations for the Olympics as deputy head of the UK’s Cyber Security Operations Centre. He is well versed both in proactively defending against cyber threats, and dealing with the aftermath when things have gone wrong, with extensive experience briefing and educating on cyber security.