A problem shared…
The ability of organised gangs of cyber criminals to inflict significant damage on the global financial system was a spectre raised at Sibos. Such gangs are not only organised, they are also increasingly collaborating with each other to create much more sophisticated distributed denial of service (DDoS) and other attacks.
While delegates at Sibos identified nation states as their chief concern, chief executive officer of Russian cybersecurity organisation BI.Zone, Dmitry Samartsev, said organised gangs posed the more immediate threat. Recent arrests back this claim. In March 2018, Spanish police arrested the suspected leader of a gang of cyber criminals who stole up to €1 billion from banks by altering account balances and instructing automated teller machines to issue cash. In August the same year, the US Department of Justice (DOJ) announced the arrest of three Ukrainian citizens suspected of being part of a ‘prolific hacking group’.
The men were accused of using malware to attack more than 120 US companies, along with companies in the UK, France and Australia. The group had skimmed more than 15 million payment card details from more than 6500 payment check-out points in the US alone. The information was then sold via the dark web.
In September, the US DOJ charged a North Korean man with the 2017 WannaCry ransomware attack and the 2014 cyber-attack on Sony Corp. (The Sony attack was originally attributed to ‘North Korea’ and the administration of President Barack Obama imposed a series of sanctions on three North Korean organisations and ten individuals.)
Samartsev estimated cybercrime cost the global economy around $1 trillion in 2017. "The worst-case scenario is when cyber criminals make several attacks at once, say, starting with a DDoS and then following that up with attacks on social networks," Samartsev told Sibos delegates. "It would enable the domino effect of citizens then all simultaneously going to their accounts to take their money out and put it under the mattress. That then starts trouble with liquidity and central banks, and then you have the problem of cooperating across borders to fight against it."
He said the advantage enjoyed by cyber criminals on the dark web is their ability and willingness to collaborate. Financial institutions need to do the same and make up for the lost time that criminals have used to their advantage. He expressed concern that police and security agencies such as Interpol were not collaborating enough to fight cyber threats. Geopolitical tensions were exacerbating this lack of action.
At Interpol’s 87th general assembly in Dubai in November 2018, then senior vice-president of the organisation, Kim Jong Yang, said in the age of "unprecedented information exchange", police the world over are increasingly facing new challenges. Interpol must continue to strengthen its "global early warning system" by means of policing capabilities, to detect and prevent the flows of transnational crime. "It is a swiftly transforming environment, not least in terms of scope and technologies. This is the era of artificial intelligence, cyberspace unknowns and intensive digital activity." Interpol provides a neutral, well-connected platform to gather best practices into an international model, he said.
During the Sibos cyber 9/11 session, the head of cybersecurity for major Australian telco Telstra, Jacqueline McNamara, agreed with Samartsev’s call for greater collaboration. "I think the issue we have is there is a lot of financial incentive for cyber criminals to collaborate and get on with it," she said. "But for us, when we are told that we need to collaborate to fight against it, we can see it as a distraction and taking us away from our day-to-day jobs. We need to be more preventative."
Speaking to Club@Sibos, Brett Lancaster, global head of customer security at Swift, said the global and transactional nature of the finance sector links institutions together to a degree that isn’t matched in many other industries. "When it comes to cyber threats, this brings a significant element of shared risk. Sharing threat and attack information is vital to promoting collective security. It helps institutions to take preventative action before an attack takes place and improves the chances that incidents that do occur can be contained."
Lancaster said there had been important progress in recent years with financial institutions sharing threat information. Swift highlights its customers’ contractual obligation to share attack and breach information immediately. A dedicated Customer Security Intelligence team at Swift shares anonymised information on attacks. In addition, Swift’s Information Sharing and Analysis Centre (ISAC) is a global information sharing platform that enables Swift members to take mitigating action to defend against further attacks. "Swift ISAC disseminates its information as a browser portal and as a feed in industry standard STIX/TAXII format," said Lancaster.
Like the speakers at Sibos, Lancaster recognises that cyber criminals work together to share tools, targets and intelligence. "The only option for us to stay ahead is to remain vigilant and work more closely together. In many cases, the mechanisms for information sharing are already there, so we need to ensure that financial institutions understand the value of transparency and are making full use of the channels and intelligence available to them."
Another plank in Swift’s cyber security platform is the Customer Security Programme (CSP), which was designed to address cyber security systematically across a community with members differing in size, complexity and location. Lancaster says the level of response to the CSP demonstrates the financial industry’s commitment to combatting the persistent threat of cyber-attacks. "By the end of 2017, 89% of all Swift customers had attested their level of compliance with the security controls framework — accounting for over 99% of all FIN messages sent over the Swift network. The number of attestations continues to rise as we draw towards the 31 December 2018 deadline for re-attestation," he said.
These CSP controls establish a minimum baseline for cyber security hygiene, and Swift customers must ensure compliance with the mandatory controls by the December deadline. "As we can never lose sight of the rapidly changing cyber threat, there will be more work to do to drive security improvements in 2019 and increase transparency across the financial community," he said.
In the past, financial institutions have been reluctant to share information about cyber-attacks and instances of fraud. Lancaster said this was due to a "natural reluctance" of companies to share sensitive information, "particularly where it has the potential to highlight their vulnerabilities to peers or customers". However, as the cyber threat has increased and diversified in recent years, financial institutions have recognised their shared risks and the benefits of collaboration and sharing, he added. "For victims, a comprehensive response plan with rapid sharing of information maximises the chances of recalling fraudulent payments, freezing beneficiary accounts, and the recovery of funds."
Elsewhere during Sibos, Sebastian Kuntz, head of business development at Dutch cyber security company Belleron, explained how difficult it was for banks to deal with financial crime in such a "fast moving and innovative world" as banking. Building systems that are fully secure is impossible, he observed, and banks should assume they are compromised and focus on managing the risk.
For example, he said attacks usually happen when financial institutions are most vulnerable — Friday nights when everyone in the bank is "at the pub" or during the Christmas break. He cited the attack on the UK’s Tesco Bank in November 2016, during which £2.26 million was stolen from 9000 customers. The UK regulator, the Financial Conduct Authority, fined the bank £16.4 million for failings it said allowed the attack to happen.
Kuntz noted the attack on Tesco Bank began at 9:30pm on a Friday; 52 hours passed before the retail chain shut down all its payment systems for a full three days. It would have been better to manage the attack with minimal impact to the other functions of the company, he said.
"You should close down only the part of your banks that is under attack. We would have only stopped payments from Spanish and Brazilian florists," he said. "You manage the risk and stop the attack before it gets massive." The vast majority of transactions in the attack on Tesco Bank came from Brazil and used a payment method known as PoS 91, which is widely used outside of Europe and does not limit the value or number of transactions. The perpetrators of the attack remain unknown.
While payments have been a focal point of cyber-security concerns following successful attacks in recent years, securities firms were urged to adopt frameworks and standards amid a growing threat.
"We have currently seen no attacks within our customer base in the securities market, but it’s always a comma, yet," said Swift’s Lancaster. Around 30% of all the payments on the Swift network are related to securities.
Panellists at Sibos agreed that the level of sophistication and the impact of cyberattacks are rising and that there are multiple functions of the securities markets that are vulnerable.
These range from disruption or ransom attacks on central securities depositories, clearing houses and custodian banks, which have a high level of systemic reach, to aspects such as standing settlement instructions, corporate actions and data, which could be open to manipulation. While less likely to occur, attacks on major infrastructures are a particular concern for the industry due to the potential impact. A disruption of these services can significantly impact the functioning of financial markets by, among other things, impeding credit and liquidity flows.
"These central infrastructures we rely on so much have to be incredibly resilient because of the motivation for disruption. If you were looking to disrupt, you might go for the central utilities," said William Hodash, managing director, enterprise data management, DTCC.
Mark Gem, head of compliance at Clearstream, said the cyber threat to the securities industry was no different from that in the payments industry but was "sometimes overlooked". "When people think about cyber defences and what to do if another bank they are connected to is compromised and sends fraudulent messages, our fear is that they see that as purely payments. But they must remember that they also have a securities business and the cyber defences need to cover that as well," he said.