The numbers are staggering, yet only the tip of the iceberg. More than 145 million American citizens are affected by the Equifax data breach disclosed last month; that’s more than half of the American adult population. At the same time, this is only the latest in a series of cyber incidents targeting financial institutions carried out by criminal as well as state-sponsored hackers.
Victims include private institutions like Equifax as well as government agencies, illustrated by the recent hack of the Securities and Exchange Commission. The incidents range from data breaches to more disruptive and destructive activities that have become a national and international security concern. In fact, James Clapper, former Director of National Intelligence, recently revealed that the U.S. government even considered retaliatory cyber attacks against the Iranian hackers accused of being responsible for the distributed denial of service (DDoS) attacks targeting financial institutions in the U.S. in 2012, but did not do so for fear of a counterattack.
Overall, the threat against financial institutions has become so alarming that the G20’s finance ministers and central bank governors warned in March that malicious cyber activity could “undermine security and confidence and endanger financial stability.” The attempted theft of $1 billion from the Bangladeshi central bank that hit the news in February 2016 had certainly left an impression, and hackers continue to target the SWIFT system. So far, it has been data breaches like the Equifax hack, the theft of money, or DDoS attacks making systems unavailable that have been making headlines.
An example for this disconcerting trend is the Carbanak group, a group of hackers that stole millions of dollars from more than 100 banks in over 30 countries. According to a New York Times article at the time, “the largest sums were stolen by hacking into a bank’s accounting systems and briefly manipulating account balances… for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened.”
The concern is that criminals could become even more daring, or that politically-driven actors could pursue more destructive campaigns with greater destabilizing effects. DARPA, the Pentagon’s Defense Advanced Research Projects Agency, for example, has created a project specifically dedicated to cybersecurity and the financial system.
“We started thinking a couple years ago what it would be like if a malicious actor wanted to cause havoc on our financial markets,” said DARPA program manager Wade Shen.
With North Korea reportedly behind the recent cyber incident in Taiwan targeting SWIFT, this effort certainly seems more probable than only a few years ago.
The potential corruption of the integrity of data, in particular, is what keeps people up at night. A March 2017 study by the Massachusetts Institute for Technology, for example, identifies manipulations of data integrity as the most severe risk to the financial sector based on a workshop with industry experts. According to the study, “Our economy is based on a system of accounts recording who owes what to whom at any moment. Those accounts are digitized, and so are back-up systems… Participants agreed that a slowly rolling attack on an institution might create more havoc than an attack that brought the institution to an immediate halt, for which the larger institutions prepare.”
The good news is that the number of malicious actors with the intent of carrying out such an attack remain relatively small.
In response to the growing threat and growing threat recognition, the G20’s finance ministers and central bank governors tasked the Financial Stability Board, the international body established in 2009 in response to the global financial crisis, in March, to carry out a stock-taking of existing regulations and supervisory practices relating to cybersecurity and financial stability. This builds on actions taken during the past few years to increase the resilience of the sector, especially in countries where cybersecurity is less mature.
In addition, the Carnegie Endowment for International Peace, the Washington think tank where I work, has proposed that the international community could go further by explicitly condemning malicious cyber activity that could undermine financial stability or manipulates the integrity of data, and that states could build stronger cooperative mechanisms to tackle criminal threats.
In short, while cybercrime targeting financial institutions dates back decades, the recent uptick in malicious state-sponsored activity targeting financial institutions has been the source of growing concern among policymakers in government and industry experts alike. Last week, the G20’s finance ministers and central bank governors met again, this time in Washington, DC, and received the stock-take report from the Financial Stability Board and discussed what steps to take next. So stay tuned for new developments when it comes to cybersecurity and the financial system.