Banks warned to stay out of politics as state-sponsored cyber-attacks get personal
Bankers should watch what they say in public, or risk a devastating computer network attack on their business from state-sponsored hackers. This was the stark warning offered by speakers at the FIX Trading Community conference in London yesterday, where talk of cyber-warfare dominated the afternoon sessions.
Over recent years, banks have had to get used to the reality of denial of service attacks on their websites, theft of millions of dollars by criminal online gangs, and politically motivated interventions by radical groups. But a more basic computer network attack (CNA) involves deleting the target’s files, destroying the data and wiping out all backups. Perpetrated across an enterprise, a CNA event could force a company into liquidation overnight.
“Saudi oil and gas company Saudi Aramco was allegedly identified as ready to support heightened demand for oil as a result of American sanctions against Iran,” said Alex Fidgen, director at MWR Infosecurity. “Their entire corporate network was wiped clean. Every piece of hardware with a hard drive was wiped. That whole company went down. Thirty thousand machines were gone overnight. All the backups were gone. The entire corporate network became inoperable.”
Banks and financial institutions are increasingly being targeted by hostile state governments. In January, two Russian citizens, Igor Sporyshev and Evgeny Buryakov, were charged by the FBI in the US for spying in New York. It is alleged that the two were working for the Russian SVR intelligence agency. Communications between the two centred on how exchange-traded funds might be used to undermine Wall Street, causing as much damage to the US financial system as possible. China has also been exposed for its secret cyber strategy. In 1999 the book Unrestricted Warfare by Chinese military officers Qiao Liang and Wang Xiangsui was translated into English and published in the public domain. The book contains sections which advocate cyber warfare against rival states to disrupt their economic and political systems.
“Financial markets could be targeted to bring down a country,” said Fidgen. “For instance, you could potentially use the enormous leveraging of the derivatives market to specifically target a key organisation in such a manner as to put such a specific burden on the central bank of the target country.”
Perhaps the most worrying aspect of this kind of attack is the extent to which it can be directly targeted at a specific individual or company. In February 2014, the Las Vegas Sands casino business was hit by a CNA that shut down PCs and servers and wiped hard drives clean. The motivation for the attack was a speech by Sands Corporation owner Sheldon Adelson four months earlier, in which he made controversial remarks to a Tel Aviv audience about the use of nuclear weapons against Iran. The hackers explicitly referred to Adelson during the attack, and made it clear that their action was a response to his political association with Israel. It is estimated the attack cost the company at least $40 million in hardware alone.
According to Luke Beeson, vice president of UK security at BT, one of the best ways to counter the danger of cyber attacks is by information sharing. Already, initiatives such as the Cyber-security Information Sharing Partnership in the UK are doing this. These systems can help to record and raise awareness of new forms of malware, helping to protect companies before they become infected. There are also more sophisticated forms of software that can check for data entering and leaving the system and look for anomalies.
“Data loss prevention software can be a great help,” he said. “But you should also be careful to audit third-party suppliers, because that’s another big source of risk whenever you interface – it makes the attack surface wider. The internet of things is making us more vulnerable than ever before. Keeping payments safe is critical. Knowledge is part of the defence, so knowing how to conduct rigorous tests can help you. Interconnectedness is a risk, but if handled wisely it can also enable better security through better awareness and knowledge.”
For Fidgen, the key realisation is to be aware of what can and cannot be protected. A bank should recognise that it will not be able to keep hackers out indefinitely, he said. Instead, businesses should focus on which areas of the company are absolutely indispensable and which generate the wealth. These should be defended as a core area, while other areas will have to be sacrificed for the greater good. “You can’t defend everywhere,” he said. “It’s a bad situation. The attackers are way out in front of the defenders at the moment, partly because IT security has always been part of the IT department rather than a business process. To compound that, the attackers are hard to track and understand. You will not be able to defend some areas. Factor that into your defence and try and focus your defensive spend (and efforts) around key business assets and critical information flows. It’s a lot to cover. We’ve got to do that now.”