Capitalist societies run on money – no surprise there. But our modern economy is based more on the movement of money and the financial sector that supports commerce. A large-scale cyberattack against that infrastructure would have immediate, dire effects on the U.S. and world economies.
"Think about an economy like ours in the United States and our interconnectedness with the rest of the world," said Gary McAlum, chief security officer at USAA Bank. "Think about the ability – whether a consumer, whether a state agency, whether a private sector enterprise – not being able to transfer money and do e-commerce, that would be a significant issue. You could deal with that for a short amount of time. You can't deal with that for an extended period of time."
Special Multimedia Report
As worldwide markets came to a standstill, the average citizen would be among the first to feel the effects of such an attack, if the past is any indication.
"Go back in history," McAlum said. "Look at some of the cyberattacks that have happened in other places besides North America. I think of Estonia back in the 2006/2007 timeframe. That's a small country in Eastern Europe that was attacked by Russian cyberattackers. During the course of that activity, many normal citizens of that country could not access their financial information, they couldn't withdraw money, there's a lot of things they could do because they are a very digital society over there. So literally, the inability to pay bills, access money and to conduct business on a day-to-day basis was in jeopardy and that cost a loss of confidence in the government."
And confidence is key when it comes to the financial sector, which forces cybersecurity professionals to worry about more than just destructive attacks. Where money and trade are involved, cyberattacks can also be used to erode trust.
A recent spate of breaches of the international Society for Worldwide Interbank Financial Telecommunication (SWIFT) shows just how vulnerable an interconnected financial structure can be. The growing awareness of these weaknesses can corrode the trust that is essential to financial stability.
"SWIFT has relied on the trust within its network – if you receive a SWIFT message, you can be sure it is legitimate and move the money as instructed immediately – to cement its effective dominance of the international payments system over the past four decades," Bloomberg reporters Michael Riley and Alan Katz wrote in a May 26 post.
Former Bloomberg CISO Simon Gibson, who is now a fellow security architect at Gigamon, agreed.
"It's a very complex environment, financial – it's huge, it's fast and it's complicated," he said during an interview with Federal Times in February, before news broke of the SWIFT hacks.
Gibson divided the kinds of attacks targeting the financial sector into three buckets:
"Is it available, can I trust it and can I get to a confidentiality … Can I get my data back in a way that can't be overheard?" he said. "Sometimes you attack a cypher and listen in on a secret conversation; sometimes you attack the data and steal it; sometimes you attack the data and change it; and sometimes you make it unavailable."
Defenders have to prevent all of those outcomes from becoming reality and that means being ever-vigilant.
"The big challenge every day – what I call the 'big bang problem' – is preventing the big data breach, the big compromise of information. We deal with that every day," McAlum said. "On the consumer side of the house, that's the other part of the challenge: Protecting the individual consumers that interact with a financial services organization and the challenge for them is fundamentally an identity and access management problem."
While encryption, firewalls and other traditional defensive techniques are being used to prevent the big bang problem, financial institutions are also hard at work improving user access with things like strong, multi-factor authentication.
"We're definitely going to a world where we're getting away from the legacy security model of user ID and password – we can't get there fast enough," McAlum said.
The world of authentication is moving beyond the password to methods like rotating personal identification number (PIN) codes and biometrics. However, none of that matters if the consumers don't use them.
"Today, security can be very, very effective but people won't want to use it if it's so cumbersome that they can't use it readily," McAlum explained. "One of things we try to do – particularly on our mobile application – is to assure that the use of biometrics, for example, is very easy to do, very easy to use on a day-to-day basis. We've seen good adoption rates on that and we want to get that same level of experience and comfort across our other channels, as well."
While the financial industry is one of the more mature sectors when it comes to cybersecurity, there is still progress to be made and government can help.
"Most businesses are expected to protect their goods. If you have a shop where you're selling something, you probably need a fence and maybe you have a dog in there and an alarm system," Gibson said. "But if a B-52 flies over and is going to drop a 2,000-pound bomb on you, you expect some help from the government."
Information sharing coordinated by the government has provided the most assistance to the sector, he said.
"We're expected to obviously guard the money if you're a bank and guard the access to the data and the trading information," Gibson said. "Then, when larger attacks are happening, the financial sector and the government work really well together to start sharing information and giving a little bit of a heads up on something – like when a B-52 is flying over."
And that information needs to be shared quickly, McAlum said.
"No. 1, the private sector needs timely and accurate threat information," he agreed. "We don't need information that has top secret classifications marked all over; what we need is actual threat indicators and we need them in a time and a format that we can use and ingest very quickly."
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.