The World is at War (Online)

A few weeks ago, I wrote about the increasing information security threats that are faced by financial institutions, using the acronym CHEW to explain the main antagonists in the cyber arena. Broadly, this refers to Criminals, Hackers, Espionage and War, and although retail banks are rightly concerned with the first letter, capital markets institutions tend to focus on the last three.

Given the complexity of modern markets, it's something of a wonder that anybody outside of advanced operators would be able to do anything of substantial severity to something like, say, a clearing house. But stock exchanges are reporting an increasing number of attacks on their infrastructures, according to the International Organization of Securities Commissions (Iosco), in a report released last week. More than half, in fact, have suffered attacks over the past year.

Nasdaq, of course, has been publicly targeted, most recently with its bulletin board system being compromised. Websites are frequently the subject of distributed denial of service (DDoS) strikes, a favored method of assault from so-called ‘Hacktivist' groups or movements, like Anonymous, where botnets and zombie computers are slaved to launch access overload strategies, crashing servers in the process.

Impending Troubles
There's a growing acceptance of cybersecurity concerns in the industry. But the perpetrators are becoming more advanced, not only in terms of their attacks, but also in their knowledge of targets. Traditionally, the public has been keen to criticize the investment banking industry without necessarily understanding its ins and outs, but with the financial crisis that is starting to change. The Occupy movement, for instance, produced several documents of technical note, particularly through its American arm, and it's not a huge stretch to imagine that other activists (not necessarily related to Occupy) with a bone to pick, technology nous and the time to study market structure, could inflict damage.

This is the real danger, when intrusion and disruption are not necessarily motivated by financial concerns. After all, skimming a retail operation could yield cash, but crashing a depository (and, I've been told, first hand, they frequently get attacks or intrusion attempts that are very deliberate) won't buffer the bank balance. That's where the other letters come in ─ from political activists, or state actors looking to destabilize national infrastructures.

There's a growing acceptance of cybersecurity concerns in the industry. But the perpetrators are becoming more advanced, not only in terms of their attacks, but also in their knowledge of targets.

Prevention
All of this, reinforced by the latest Iosco report, means that new risks are constantly being presented in an organic environment such as modern techno-culture, and must be dealt with. The internet is often labeled as humanity's greatest achievement, the great democratizer and enabler of society, but it also carries its own dangers with it, which are ignored at the peril of those who choose to do so.