Over the past month, computer hackers penetrated computer systems at the OMX.Nasdaq stock market and the European Union's system of registries that keep track of carbon offsets. Headlines around the world warned that the "market breaches" represented a "severe blow" to "investor confidence" in stocks and carbon offsets.
Those headlines, however, have proven to be horribly off-base.
The breaches were, on close inspection, completely avoidable and didn't impact the trade-matching function of either market. They were carried out not because sophisticated hackers managed to penetrate the financial world's most sophisticated defenses, but because the financial world failed to implement its most sophisticated defenses on certain parts of its terrain.
In the case of Nasdaq, hackers didn't get into order-routing or funds-transfer territory; they got into information territory.
Specifically, they hacked the exchange's Directors Desk service, which is a tool that boards of directors use to arrange and execute board meetings. That includes sharing confidential documents, which could have given hackers access to insider information. The hackers gained access because the heads of Directors Desk didn't see information as being worthy of the same level of security as stocks and bonds. Changing that perception will change the level of security.
In the case of the carbon credit breach, hackers gained access to the EU's carbon registries by going after the weakest links in a system that was in the midst of an upgrade.
And, as in the Nasdaq breach, the hackers didn't get into the order-routing system – they got into the registry system. Registries don't match trades, and they haven't, until recently, seen themselves as being custodians of anything that anyone would want to steal. What they do is keep track of where credits originate, and who owns them in succession. The goal is to make sure that every credit represents a bona fide emission reduction, and to prevent companies from double-dipping by selling the same offset more than once. They were set up to guarantee environmental integrity – and early designers didn't see any reason someone would want to steal that. Furthermore, because every carbon credit has a serial number and a history, it can't be sold on an open market. It can only be transferred within the registry system, and has no value outside it.