In the cyber world, fiction is a prelude to reality.
The 2001 film Swordfish told the story of hackers who stole billions from a massive financial slush fund by installing a computer worm. Since 2013, a real hacking ring has stolen $1 billion from 100 banks in 30 countries — one of the largest banking breaches in world history — using techniques similar to those depicted in the film.
For author and cyber security expert Mark Russinovich, parts of his recent novel Rogue Code are coming to life. In August, the SEC announced that 32 people have been indicted in a massive breach that saw hackers and traders cooperating to steal and trade on insider information before it became public.
In December 2014, cyber security firm FireEye issued a report about a team of hackers that called themselves “FIN4.” FireEye said that the hackers had attempted to breach the e-mail accounts of more than 100 firms. The goal? To obtain confidential information about market events such as mergers. FireEye’s list of victims includes biotechnology and healthcare firms, part of a sector that has seen a surge in M&A activity since that period.
The hackers and traders conspired to make more than $100 million.
Russinovich’s book centers on an attack on the New York Stock Exchange, where his main character recognizes that not only have the exchange’s networks been breached, but a conspiracy is in the works. Stealing insider information is central to the plot.
“Front-running access to information was a topic I covered in my third book,” Russinovich says. “This includes the targeting of sensitive e-mails between corporate officers at any major enterprise.”
Recently, Modern Trader sat down with four hackers to ask whether hackers and traders could be working together to exploit insider information. All four participants suspected that it was happening.
Exchanges represent a viable target for hackers. With the markets now operating almost completely on electronic networks that transfer millions of dollars each second, bad actors could seek to breach or disrupt the exchanges and cause a significant amount of damage.
The SEC case has been called the first of its kind, but some suspect this is just part of a larger trend of more sophisticated attacks by both financially and politically motivated cyber criminals.
The SEC case is ongoing, but it is a chilling example of the lengths to which hackers will go and of the emerging threats the broader financial sector will face in the future.
So, will the rest of Russinovich’s novel play out in the future? What threats exist to stock exchanges around the world? What would an attack resemble? How would investors respond?
The new normal
When it comes to assessing the reality of our digital world, are the constant threats on banks, newswires, financial exchanges and various businesses part of a new normal?
“Absolutely,” says Chuck Vice, President and COO of Intercontinental Exchange. “Automated threats beget automated defenses, and the evolution in vulnerabilities and attacks has led to constant testing and refining of defenses. Regulation is shifting to recognize this new truth and we are seeing increased emphasis on evaluating the adaptability and agility of a cyber program via components like threat intelligence analysis and penetration testing.”
The SEC’s recent announcement that cyber hackers have been able to successfully front-run information raises new concerns, not only about the fundamental fairness of trading in the global marketplace, but also about the systems and networks on which they operate.
In July, James Lewis, an author at the Center for Strategic and International Studies, argued in the Washington Post that nearly 20 years of chatter about a cyber Pearl Harbor-style attack has led many to misunderstand why hackers operate in the first place.
“Evil mad-genius hackers who want to wreak mass havoc on society because they are in a bad mood don’t exist in real life,” Lewis writes. “Hackers, especially those who focus on financial crime, are professionals, and they want money, not crashes.”
Lewis argues that state actors aren’t going to attack the very places where they make money. “Russian oligarchs and Chinese officials stash their wealth on Wall Street — they are not going to crash it and put their piggy banks at risk.”
But a counterargument emerges from the data on attacks against financial exchanges. According to a 2013 working report by the International Organization of Securities Commissions Research Department and the World Federation of Exchanges, more than 53% of exchanges reported a cyber attack within 12 months of the survey. The authors conclude that the more popular forms of attack are disruptive in nature rather than aimed at financial gain. Denial of service and malware attacks are highly common, and financial gain was not reported in any of the report’s responses.
That latter point about the lack of financial gain suggests one of two things: either attacks on exchanges are being carried out for the sole purpose of disruption, or financial gain has been sought but respondents did not want to share that information out of personal concern or embarrassment.
The most high-profile public example came in 2010, when Russian hackers placed a “digital bomb” on the Nasdaq and targeted more than a dozen companies, stealing more than 160 million credit card numbers and causing hundreds of millions in losses. Bloomberg described the potential attack as one that could cause “severe damage to the computer systems in the stock market and could bring down the entire structure of the financial system of the United States.”
Russinovich makes two points about such attacks on exchanges. First, any attack will have a global impact; second, there are few incentives to publicize such an attack.
“There are different aspects of what motivates an attack,” Russinovich says. “From a nation state perspective, an attack on a financial sector would be in the part of a conflict. The reality is that it’s going to affect the global economy.”
The government will want to delay the release of information about a potential breach, much like it did with the Nasdaq. It took several years before the information was confirmed and made public.
“They’re disincentivized to let people know what the risks are,” Russinovich says, speaking as an author. “The way the recent NYSE event happened was because of software, but it has similarities to a breach. This is ‘Too big to fail.’ Covering that up is probably the right thing to do for the greater good. But if this were a breach, I would hope that the government is going to use that to leverage greater regulations.”
Communication is key
The July software glitch showed that information sharing is critical for exchanges and companies when identifying problems.
“Communication is very effective in this industry,” says Ben Smith, Chief Information Security Officer at IEX Trading. “We’ve made the relationships to better understand the cyber threats and the technology. That is built on trust. When the NYSE event occurred, we were quickly on the phone asking, ‘Is this a software problem, or something more?’ When we heard software, we knew what to do and how to respond.”
In the event of a serious breach, exchanges have emergency plans to bring networks back online through alternative means.
“First, multiple levels of redundancy exist within the infrastructure of an exchange, as well as the capability to shift operations between data centers,” says Vice. “In addition, the modular nature of our technology enables quicker diagnoses, remediation and limits contagion. As a standard procedure, the financial services sector regularly rehearses availability scenarios with participants from the major exchanges, giving us all the opportunity to foster critical relationships with law enforcement, the cyber intelligence community and our peers. Lessons learned from these hypothetical scenarios are instrumental in refining cybersecurity defenses and our collective approaches to recovering from an attack.”
With the stakes getting higher, attacks will only grow more sophisticated.
“Today’s greatest cyber threats to traders are matters of availability,” says Vice. “Whether it be the PCs traders use to monitor positions and manage orders, automated trading systems or the market infrastructure to which they connect, simple loss of availability can be paralyzing. Availability attacks don’t require a state-sponsored level of sophistication and years of planning. Lobbing in a cyber-hand grenade doesn’t require intimate understanding of trading environments or specific targets. A Sony-style attack that wipes computer hard drives could be devastating for any firm. Further, attacks in the wild such as ‘cryptolocker’ and ‘DDoS for Bitcoin’ show a new wave of non-targeted attacks on availability that are affecting all sectors and firms for profit. The same indiscriminate attack that renders a public library’s workstations inoperable could have a massive financial impact if it lands on a trading desk.”
Smith agrees. As he explains, financial criminals are seeking to gather credentials and obtain information on events and activities. But he states that government resources are working constantly to identify these players. “Nation states at a time of war might aim to hack and affect an economy and its power industries. But there are immense resources in play to identify who that person is,” says Smith.
The other threat, he explains, is an activist group that seeks information on a company and may use it to do something damaging.
How should traders prepare?
In this new reality, investors must prepare several different approaches to ensure they understand what is taking place. That starts with an understanding of hardware protocols.
“Traders should model scenarios in which PCs and other computing equipment are suddenly rendered useless,” says Vice. “If phone and fax are your back-ups, you should be testing those regularly. Given the reliance of many attacks on specific vulnerabilities in specific technology, the days of relying on back-up tapes and restoration may be behind us. In the future we may see more reliance on switching to alternate software, operating systems or even hardware in the event of an outage to avoid the vulnerabilities that lead to an initial impact.”
Russinovich argues that investors are largely at the mercy of the exchanges on which they trade. “They’re effectively powerless,” Russinovich says, adding that investors should do whatever they can on their own to free themselves from these risks.
“The risk is significant,” Russinovich says. “Like the scenarios I sketched in my book, the financial system is built on trust. If there is a breach, you lose that trust. We’re fortunate that we haven’t seen some of the worst threats yet. Hopefully, this will make everyone think about what should be done.”