This may seem far-fetched, but it is just one of several possible scenarios that concern regulators as the threat of cyber-crime and terrorism intensifies. “This is not science fiction,” said Larry Ponemon, founder of information security think tank the Ponemon Institute. “A cyber-war is happening today.”
The rise of hostile cyber-activity has led to a series of high-profile incidents in recent years. During the past six weeks, for example, several US banks have suffered sustained attacks from hacktivist group Izz ad-Din al-Qassam Cyber Fighters that have taken their websites offline, according to reports. And last month a stand-off between a spam-filtering company – Spamhaus – and a group blacklisted by the firm reportedly slowed the entire European internet.
And this might be only a glimpse of what could come. The European Commission cites research by the World Economic Forum, which says there is a 10% chance that a cyber-related incident could result in a critical national infrastructure breakdown in the coming decade, costing an estimated $250bn.
Governments and regulators are rattled. In February, the European Commission, alarmed by the increasing “frequency, magnitude and complexity” of the cyber-threat, unveiled a new cyber-strategy and a proposed directive for national information security.
Currently, only Europe’s telecommunications industry is subject to direct regulation of information security controls, but the directive proposes to extend this regime to other economically critical institutions, including banks, stock exchanges and market infrastructure firms. The rules will require these institutions to report big online attacks to national authorities, disclose security breaches and implement basic standards.
Financial News has also learnt that the International Organization of Securities Commissions, the global body that represents the world’s major securities regulators, is also working in conjunction with the World Federation of Exchanges on research into cyber-attacks. This may form the basis of a Iosco report and potential cyber-security standards for market infrastructure firms.
The move to directly supervise cyber-security controls reflects a growing realisation among regulators that cyber-attacks present a form of systemic risk, according to one member of a research team at a regulatory institution.
He said: “This is a sensitive topic that has been in the back of regulators’ minds but it has largely been seen as an IT issue out of their control. It is clear, however, that the impact of a successful attack on a stock exchange or a service provider could be significant for the financial markets.”
IT experts agree that the threat to securities markets is growing. Historically, hostile cyber-activity in the financial services sector has involved criminal gangs targeting retail bank platforms in a bid to steal customer funds. The growth of so-called hacktivism, state-sponsored cyber-espionage and cyber-terrorism, however, has resulted in more attacks on market infrastructure firms.
In 2011 the Hong Kong Exchanges and Clearing group was forced to suspend trading in certain stocks as a result of an attack on its website, and in February 2012 Bursa Malaysia, the Kuala Lumpur-based stock exchange, experienced a similar assault.
These attacks have typically targeted firms’ web-facing services and applications that are vulnerable to external assaults through direct hacks or so-called distributed denial of service (Ddos) onslaughts designed to overwhelm a website with extreme levels of web traffic.
Michael Cooper, chief technology officer at BT Radianz Services, a provider of trading infrastructure, said: “All sorts of market participants are susceptible. In particular, the increase in the number of instances of distributed denial of service attacks is self-evidently a concern.”
He added: “All trading infrastructures are being probed all day long.”
Although attacks on exchanges’ web-facing services have proved disruptive for the firms concerned, IT experts have long believed that they could not result in widespread disruption to the markets because trading networks are private, resilient and isolated from the internet.
But the growing sophistication of socially engineered attacks, which are designed to target specific individuals within a firm, has led security experts to question this assumption.
Ponemon said: “Closed telecommunications systems are in fact vulnerable. More recently we have seen attacks become more stealthy, and getting into the transactional layer.”
Mark Clancy, managing director of technology risk management at the Depository Trust & Clearing Corporation, the US post-trade giant, said people are the biggest challenge. “Someone surfing the internet could serve as a bridgeable channel between the outside world and a closed network. As a result, companies are having to create greater isolation between those two areas.”
One individual at a regulatory body said it was “a matter of if, not when” a socially engineered attack resulted in a significant trading disruption.
According to the European Commission, Europe’s thus-far fragmented approach to cyber-security has hindered co-operation between all but a handful of member states. It hopes that the proposed rules, which have yet to enter negotiations, will promote information sharing on the nature of the threat, allowing firms to better defend against it.
The DTTC’s Clancy said: “Europe has a particular challenge with respect to cyber-security due to its composition of several member states. It is drafting a strategy similar to that of the US, but there is a need for greater co-ordination in the EU. The region has a big challenge around privacy and civil liberty concerns with respect to sharing information regarding cyber-attacks. It needs to come up with a way to share information that doesn’t raise concerns on a privacy front.”
Udo Helmbrecht, executive director of the European Network and Information Security Agency, Europe’s cyber-security body, which is expected to play a greater role under the new regulatory regime, said another challenge for legislators as they come to negotiate the final text would be in setting the reporting threshold.
He said: “One of the questions is to whom should companies report breaches, how often and to what extent. This has to be defined and quickly.”
Mark Waghorne, senior manager in KPMG risk consulting, warned against creating a new compliance burden for the financial sector, which has traditionally proved extremely skilled in dealing with cyber-threats.
He said: “Banks and other financial services organisations are extremely good at working co-operatively on cyber-security issues. I think the Commission proposal is well intentioned but it may produce a compliance burden, which could actually deflect resources away from existing defences. Firms might be compliant, but not, in fact, secure.”
The European Network and Information Security Agency was first established in 2004 as Europe’s cyber-security agency, acting as a centre for cyber-security expertise and information-sharing. The Crete-based agency has long-suffered from a lack of financial and political support among member states, and possesses no enforcement powers. But its fortunes are changing.
Amid the rising tide of cyber-attacks, UK Conservative MEP Giles Chichester, who sits on the Industry, Research and Energy Committee in the European Parliament, has led a campaign to beef up the agency.
Last week, the European Parliament voted to extend Enisa’s mandate by a further seven years and expand its responsibilities, in what European Commission vice-president Neelie Kroes described in a statement last week as a “new start” for the agency.
Enisa is also set to play a key role in establishing network and information security standards under the European Union’s recently proposed EU cyber-security strategy and network information security directive.
Udo Helmbrecht, executive director of Enisa, said: “During the past five years, we’ve seen increasing political awareness regarding cyber-security. When we came into force in 2004, some member states were reluctant. We’re now in good shape. We’ve received great support from Giles, but we’re not dependent on party politics.”