Thursday, August 25, 2011

Just in: Market Share Stolen by Hackers!

A Wall Street Journal article today carries the following quote:
Chinese state television has broadcast footage of what two experts on the Chinese military say appears to be a military institute demonstrating software designed to attack websites in the U.S.
DailyTech blog captured screenshots including the image below.

We've felt, feared, or suspected as much for years now, but evidence is becoming undeniable that we are engaged in a new Cold War which is being fought in cyberspace. This new Cyber Cold War is the most unconventional and asymmetric war the world has ever seen. Control is extremely decentralized. Weapons are easily acquired. The risk of retaliation is low. Battles are waged remotely. The prosecutors and victims of the war can be anyone or any group of people. Governments, individuals, and businesses are all players, like it or not.

The WSJ article shows, however, that more conventional power structures are now on the battlefield. Whereas many in the LulzSec group may have simply been bored, over-caffeinated students who wanted some celebrity, my clients and I are increasingly seeing evidence to support the WSJ's case: governments, particularly those of Russia, China, and the US, are quietly backing attacks.

Many people would laugh at the notion that a foreign military might wage an online attack on a US financial institution. Consider, however, two factors which might give them motivation:
  1. Sovereign Wealth Funds (SWFs) increasingly own debt and equity of governments AND businesses. This gives them a financial interest in the success (or failure) of certain companies as well as economies. Hack a bank, leak a headline, and watch the share price drop until a buying opportunity has emerged.
  2. Many emerging market countries have discovered that they don't have to create an economy as big as the US in order to have companies which compete on a global scale. These companies can be jump-started with some quiet government support. As a result, it has become common policy to support "national champions" which successfully compete against the largest and most mature global (though still mostly US-based) companies. Government-sponsored hackers might help these champions by hacking the competition and stealing trade information or by creating bad headlines.

Like it or not, we have to acknowledge that certain governments have the means, the motive, and the opportunity to commit cyber attacks against financial institutions. In all likelihood, this has been going on for at least several years. Consider a March 2009 Telegraph.co.uk article:

"A vast Chinese cyber-espionage network, codenamed GhostNet, has penetrated 103 countries and infects at least a dozen new computers every week, according to researchers ... [GhostNet] is the latest sign of China's determination to win a future 'information war'... In 2003, the Chinese army announced the creation of 'information warfare units'."

Fox News added to the story:

"The Chinese government on Monday denied it was behind GhostNet"

Banking has the notion of security at its core. Think of a bank branch and you'll instantly visualize vaults, armed guards and video surveillance. Behind the scenes, banks all have hardened ATMs, teller stick-up procedures, passwords and permissions. In other words, security is tightly integrated with their physical channels.

It is also tightly integrated into their physical products through watermarks, microdot printing on checks, serial numbers on other financial instruments, signature specimens, etc.

Ironically, banks have been dangerously slow to understand how this relates to the online world. Today's banks are dot-coms. Online banking is now a core product. Moreover, it is the "face of the bank" for many customers. It is the gateway or channel through which all other products and services are offered.

Dot-com execs have an advantage in the realm of security and fraud inasmuch as their core product is a piece of technology which intrinsically has a set of permissions and security controls built in. The tools their engineers use also have permissions and security controls at their core. Bank execs need to think like dot-commers. Online security and fraud prevention are just as intrinsic to their core products as signature cards, credit scores, personal relationships, and armed guards once were.

The logical conclusion is that banks need to be organized, staffed, and run more like dot-com businesses to survive in the current Cyber Cold War. Security must be "baked in" to everything they do, just as credit scores and ratings have been baked into lending and trading decisions for decades. Executives should make no mistake: on the current battlefield, market share is not stolen by a bank down the street that might lure customers away with better rates and free toasters. Market share is "stolen" by hackers who ruin the bank's reputation or steal clients' identities and thus cause customers to flee.

It is no longer a sci-fi fantasy that these hackers may be shadow agents of a competitor or even a government intent on manipulating markets, economies, or even specific businesses.