The attack begins with confusion. Traders, accustomed to shouting themselves hoarse about prices and interest rates, begin barking instead that transactions are taking forever to complete. Emails asking for help go unanswered, partly because the system’s down, partly because Bob in IT is more concerned about the wiper malware that seems to be rampaging through the institution’s databases than the integrity of the grain derivatives market. Within hours, swathes of data on loan agreements, hedging models, current account balances and other, more arcane parcels of financial information are lost – and the boardroom is left hoping, praying that even just a fragment of these records exists somewhere, anywhere, on paper.
This is the waking nightmare of IT security professionals in the financial sector: the idea that a major bank can be brought to the brink of collapse by a well-planned cyberattack. Fleshing out the consequences of such a disaster has mainly been the province of film and television writers – see series two through four of Mr Robot – but central banks have lately got in on the act. Last autumn, the Bank of England (BoE) underscored the importance of its occasional cyber security wargames by pronouncing that cyberattacks constituted the greatest threat to the integrity of the UK’s financial sector. Similar exercises have been conducted everywhere from Australia to Bahrain.
Such wargames are not uncommon, with central banks regularly chiding their retail brethren for neglecting this or that aspect of their cyber security position. But the threat environment has changed rapidly in recent years. Russia’s invasion of Ukraine shone a spotlight on its attempts to hack not only Kyiv but all of its allies, while other rogue nations like North Korea and Iran are also perfectly capable of mounting sophisticated cyberattacks to advance their national goals. These nations are usually in league with what are often described as cybercrime cartels – the Lazarus Gangs, Darksides, REvils and Trickbots of the world, all on the lookout for juicy targets.
Banks are increasingly tempting in this respect. For years, financial institutions have defined good practice as making sure their own systems are well-protected. Meanwhile, banks have overlooked the fact that so many of the systems they outsource to third parties are increasingly vulnerable to subversion. “I suspect that central banks globally are under pressure from their governments to say, actually, our financial infrastructure is now critical infrastructure and that we need to approach it as we would gas and electric,” says Buck Rogers, professor of cyber security at the University of Gloucestershire and the former CISO for the BoE. “I think that the concern would be, at what point does this stuff crystallise so that it has an impact on US Plc, UK Plc, or Europe?”
Not every central bank shares these concerns. A recent study by the IMF found that more than half of the 51 financial jurisdictions it surveyed ‘do not have a national cyber strategy for the financial sector,’ while 64% do not mandate cyber security testing or even guidance on what banks should do if they’re hacked. What’s more, those countries that do organise wargames are often concentrating on the wrong type of threat, says Tom Kellermann, senior vice-president of cyber strategy at Contrast Security. “They’re really focused on denial of service attacks,” says Kellermann. “I don’t think that’s the worst-case scenario.”
Cyber security 101
Classifying the financial services sector as vulnerable to cyberattack seems, at first, counterintuitive. Most banking, after all, now takes place online: ensuring the lines of communication between the firm and its customers remain secure, therefore, has become the sine qua non of doing business. That attitude has helped keep the sector at the forefront of cyber security practice, says Rogers, primarily “because they’re happy to throw money at the problem – rightly so – to make it better”.
A recent survey by the BoE found that 74% of banking executives believed cyberattacks constituted the greatest threat to their businesses. What worries Rogers, though, is that many of these same executives don’t fully understand the advice they’re being given on how best to prevent them. “Do they understand the risk management around that, and have mitigations and processes in place to manage that risk?”
The consequences of not understanding will likely result in a warping of the decision-making process about cyber within the institution. “If you’re not careful, security decisions are going to be made by non-security people,” says Rogers. A CFO, for example, may decide to outsource a portion of the HR department’s operations to a third-party software provider. “Unless you are a well-versed and senior CSO, this decision may pass you by. And so, suddenly, you’ve got a supply chain risk.”
This, adds Rogers, is the hidden threat that not enough people inside and outside the industry truly appreciate. While banks have invested countless millions in shoring up their cyber security and, by extension, the confidence of retail customers in their operations, a great deal of this has involved outsourcing key services to third parties. “They’re embracing fintechs, APIs, modern applications, multi-cloud [strategies],” says Kellermann. “As a result, their attack surface has gotten greater.”
A judiciously planned attack on a managed service provider (MSP) à la SolarWinds, for example, could paralyse operations at multiple financial institutions overnight. One such breach at Ion Cleared Derivatives, which supplies the software used to process millions of futures trades every day, resulted in swathes of that market being paralysed for several days. The same could be achieved by hacking the APIs that form the connective tissue between multiple banking systems, affording attackers multidirectional access. “No one’s paying attention to API security!” Kellermann laments, despite the fact that such hacks rose by 257% year-on-year in 2022.
There are also more insidious ways for hackers to work their will on banks, he continues. “Most of the cybercrime conspiracies today don’t just involve wire transfer, fraud or ransomware,” says Kellermann. “They really focus on targeting non-public market information, and hijacking the digital transformation of the institution to use it to attack their constituency.” These so-called watering hole attacks, where perfectly legitimate online infrastructure is poisoned with malware by cybercriminals, haunt Kellermann, especially now that so many banks are deeply enmeshed in decades-long digital upgrades.
These kinds of cyberattacks are undoubtedly complex – but not beyond the capabilities of rogue nations that see the Western financial sector as an especially vulnerable target. “They could leverage attacks with their cybercrime communities that could turn the financial sector on itself,” says Kellermann. Russian groups have already attempted over a dozen destructive cyberattacks against major Western financial institutions, he adds, thwarted only because UK and US intelligence services shared critical intelligence at the right time.
“That’s the only reason we haven’t seen [it] occur,” says Kellermann. “But they tried 14 times.”
In short, banking executives need to ditch the mental image they have of would-be hackers in hoodies chugging energy drinks all night long. The threat they face is much more sophisticated than that. “We’re against professionals with an HR department, with objectives, with money they’ve got to earn, a family to support,” says Rogers. “And we need to match that.”
Stress-testing the best
What happens when these groups target another MSP – or worse, use that as a springboard into more lucrative parts of the bank, perhaps with the goal of holding an entire institution or three to ransom, or leaking sensitive information into the wider market? As far as the consequences go, explains Rogers, the worst-case scenario would be a general sapping of public confidence in the financial sector itself. While the initial consequences might be patched up easily enough with the deployment of IT security teams and the odd bailout, the political contagion could be massive and long-lasting.
Indeed, this prospect was demonstrated recently with the collapse of Silicon Valley Bank, explains Rogers: “You’ve got a tech bank in the US [collapsing], and suddenly it gets the UK prime minister stepping in and looking at how HSBC, in this case, would buy it.”
Any stress-testing of a bank’s cyber security resilience needs to take into account that the attack surface has fundamentally changed – and that reliance on third-party software providers “is not going to go away,” says Rogers. “I’m sure the big ones will have thousands and thousands of critical third parties.” Future stress tests, he continues, should involve the central bank quantifying and raising awareness about that risk and whether “they have a plan B, and a plan C”.
That should involve reaching further down into the supply chain than ever before. Most big banks, says Rogers, “are really good on their top, critical suppliers, wherever they may be. My concern would be the ones below the threshold”. Financial institutions should be honest about how bad the impact could be if even these smaller services were subverted by hackers. “If something happened to them,” says Rogers, in the voice of a former central banker, “will it make you wobble?”
Some legislative action has already been taken on this front: the European Parliament, for example, recently passed the Digital Operational Resilience Act, which makes banks responsible for the cyber security of their third-party security vendors. Joining up all the different stress-testing standards for cyber security might also help, argues Rogers, echoing a similar call from the G20’s Financial Stability Board. For the multinational banks, at least, international agreement on commonalities between these rules could make an enormous difference in how they position themselves when a breach occurs in one country but impacts their operations on a completely different side of the world.
Banks also need to fundamentally rethink how they devise their basic cyber security strategies, Kellermann stresses. It’s no longer the case that institutions should only be thinking about defending their own premises, or that they can always succeed in preventing hackers from snooping inside their systems. “They really need to invert the security paradigm to defend from within, and to really focus on intrusion suppression,” says Kellermann.
That necessarily involves increased investment in runtime protection for applications, the micro-segmentation of networks and infrastructure, extended detection and response services, and above all people. If banks can’t get good personnel – there is, you might have heard, a global IT security skills shortage – then the next best thing they can do is hire a managed detection and response firm specialising in financial cyber security, argues Kellermann. And they shouldn’t be afraid to look for attackers in places traditionally considered off-limits to most security teams, like the computers used daily by senior leadership.
Rogers also thinks that information exchange needs to improve. Forums do exist where banks can converse all the live-long day about threat actors and attack vectors, but these need to be harnessed by the industry in a more systematic way. Banks, says Rogers, “just need to use them properly”.
Overall, though, the former central banker is hopeful that the Western financial institutions can and will get their acts together. Rogers is especially encouraged by the attitude of UK regulators, who he argues have been “laser-focused” when it comes to the City’s cyber security. And if the industry gets this right, he explains, it can only serve as a positive example for other corporate managers of critical infrastructure to begin re-evaluating their threat landscape. In the meantime, though, banks need to get talking to one another about where the threats lie.
“My call would be, let’s talk more and exchange information,” says Rogers. “Because if we want to be taken as a profession, then we need to act like one.”