Assume breach: The cyber threat to traders
This is a story about cyber security and its effect on traders.
It’s about vulnerabilities in a financial system that over-relies on technology to make trading faster and more efficient.
For traders and investors, the desire for ease of use and functionality that expedites buying and selling has been served by application developers who typically underestimate security risks.
For brokerages, investment firms and exchanges, cyber security has become one of the most important concerns of the 21st century. The July software glitch at the New York Stock Exchange (NYSE) immediately reminded traders of the 2010 event in which Russian hackers placed a “cyber bomb” on the Nasdaq.
It never detonated, but it’s curious that it took four years for government officials to conclude their investigation and release information to the media. Cyber attacks are a sensitive topic.
No company wants to admit that it has been hacked. No exchange wants to divulge the reality that hackers are constantly looking for vulnerabilities in their systems. And no one wants to explain to traders how they should react after a breach in the markets.
It’s time to have an honest conversation about cyber security.
What are the risks in the future, and, more importantly, what can traders and investors do to ensure they are taking the right steps to protect themselves?
For that answer, Modern Trader took an unconventional approach to understanding the future of cyber security and the threats knocking on the door.
Recently, four hacking experts sat down in a bar proximate to the Chicago Board of Trade to discuss the current threats to our financial system, the simplicity of a possible attack on networks and how they might attack any public company in America, and more importantly, “Why?”
The four representatives are part of a group of “ethical hackers” with global reach aiming to educate financial companies and share their thoughts and concerns about the international cyber security industry.
What follows is a conversation about the markets, cyber security and the coming challenges that investors and traders face in the 21st century economy.
The first round
Four “ethical hackers” sit in a South Loop bar in Chicago, ordering cheeseburgers and beer.
The meal will provide fuel to speak candidly about current threats to the global financial system, trading firms, brokerages and, most importantly, individual traders and investors.
The questions are simple to start: “What were your first thoughts about the July software glitch at the New York Stock Exchange?”
No hesitation precedes an answer. Each expert knows the details. On July 8, trading on the NYSE was suspended for three hours and 38 minutes after the technology underpinning the exchange was compromised by a software malfunction. On the same day, the website of The Wall Street Journal was also offline due to a technical glitch and United Airlines grounded flights for two hours thanks to a similar malfunction.
Terry Bradley, chief technology officer and director of cyber security solutions at PLEX Solutions based in the Washington, DC area, speaks first. “I didn’t want to say it. But it was an enormous coincidence,” he says as he scans the beer menu. “But not everyone wants to cry wolf when something like this happens.” Bradley, a 1990 graduate of the Air Force Academy, started his career in the Department of Defense.
To his left sits Mr. Orange, an elite security specialist who builds systems that allow critical data to be shared across different security environments. Mr. Orange is building his consulting practice and wishes to speak under a pseudonym because he is engaged in several projects that require anonymity. He keeps his thoughts tight and to the point, “I thought, ‘Who screwed up with a fat finger?’”
Next is Erdal Ozkaya, the chief information security officer and vice president of emt Distribution, based in Dubai. He is a prolific speaker and security specialist, and it’s clear why his presentations are popular in the cyber community. His language and personality are supercharged when discussing security. Each answer comes as if it’s been shot out of an electric socket.
“The first thing that comes to mind when these events happen is that it’s a cyber attack from China,” says Ozkaya.
Finally, there’s Mr. Green, a global security consultant spearheading a number of financial certification programs and forums on global cyber security in the banking and defense sectors. He has asked to use a pseudonym because of his current client work as well as his blunt analysis.
He shakes his head and smiles coyly at the thought of the NYSE, The Wall Street Journal and United Airlines all having software glitches on the same day. “Three companies all at once,” he says, leaning in. “I thought, ‘Wow, they’re [screwed]. And they don’t know how much right now.’”
The glitch has been called “coincidental” by government officials. An investigation is ongoing, but it’s clear at this table and across multiple digital media outlets that the full story hasn’t been told.
Regardless of whether the NYSE glitch was nefarious or not, the financial markets now exist in a world where cyber threats are the new normal. In 2010, Debora Plunkett, who then headed the U.S. National Security Agency’s Information Assurance Directorate, said bluntly, “There’s no such thing as ‘secure’ anymore.”
The NSA, and ultimately brokerages, exchanges and other financial companies, have adopted a philosophy that assumes information networks and security systems have already been compromised.
“Debora Plunkett came up with this idea of ‘Assumed Compromise,’” says Bradley.
Unfortunately for Plunkett, that philosophy — grounded in rationality and honest about the current threat environment — didn’t help her maintain her position at the NSA. A new position was created for her in 2014, but this table doesn’t think it was because the NSA needed a new Senior Advisor for Equality.
“They got rid of her for being too negative,” says Mr. Green. “She was just trying to speak sense to the industry. She knew the reality of the world we live in.”
The idea of an assumed breach is just the beginning of a broader conversation about the digital reality facing traders, investors and anyone connected to a digital network. But first, an important lesson must be understood about the cognitive nature of hacking.
Ask a cyber expert in Washington or a chief information security officer (CISO) at a company why hackers break into financial companies or exchanges. Or ask why this idea of assumed breach is now the norm for society. The near-universal answers will point to the desire for data, the desire for money or a nefarious actor engaged in nation-state terrorism. But there’s a simpler answer as to why hacking occurs and why the markets face an increase of potential threats, according to Ozkaya.
“These [financial] systems are made by humans,” he says.
Why do hackers do what they do?
Because they can — thanks to the weakest link of any organization: the human element.