This may seem far-fetched, but it is
just one of several possible scenarios that concern regulators as the
threat of cyber-crime and terrorism intensifies. “This is not science
fiction,” said Larry Ponemon, founder of information security think tank
the Ponemon Institute. “A cyber-war is happening today.”
The rise of hostile cyber-activity
has led to a series of high-profile incidents in recent years. During
the past six weeks, for example, several US banks have suffered
sustained attacks from hacktivist group Izz ad-Din al-Qassam Cyber
Fighters that have taken their websites offline, according to reports.
And last month a stand-off between the anti-spam blocklist provider Spamhaus
and a group it had blacklisted escalated into a distributed denial of service
attack that reportedly slowed internet traffic across Europe.
And this might be only a glimpse of
what could come. The European Commission cites research by the World
Economic Forum, which says there is a 10% chance that a cyber-related
incident could result in a critical national infrastructure breakdown in
the coming decade, costing an estimated $250bn.
Governments and regulators are
rattled. In February, the European Commission, alarmed by the increasing
“frequency, magnitude and complexity” of the cyber-threat, unveiled a
new cyber-strategy and a proposed directive for national information
security.
Currently, only Europe’s
telecommunications industry is subject to direct regulation of
information security controls, but the directive proposes to extend this
regime to other economically critical institutions, including banks,
stock exchanges and market infrastructure firms. The rules will require
these institutions to report big online attacks to national authorities,
disclose security breaches and implement basic standards.
Financial News has also learnt that
the International Organization of Securities Commissions, the global
body that represents the world’s major securities regulators, is also
working in conjunction with the World Federation of Exchanges on
research into cyber-attacks. This may form the basis of a Iosco report
and potential cyber-security standards for market infrastructure firms.
The move to directly supervise
cyber-security controls reflects a growing realisation among regulators
that cyber-attacks present a form of systemic risk, according to one
member of a research team at a regulatory institution.
He said: “This is a sensitive topic
that has been in the back of regulators’ minds but it has largely been
seen as an IT issue out of their control. It is clear, however, that the
impact of a successful attack on a stock exchange or a service provider
could be significant for the financial markets.”
Evolving threat
IT experts agree that the threat to securities markets is growing. Historically, hostile cyber-activity in the financial services sector has involved criminal gangs targeting retail bank platforms in a bid to steal customer funds. The growth of so-called hacktivism, state-sponsored cyber-espionage and cyber-terrorism, however, has resulted in more attacks on market infrastructure firms.
In 2011 the Hong Kong Exchanges and
Clearing group was forced to suspend trading in certain stocks as a
result of an attack on its website, and in February 2012 Bursa Malaysia,
the Kuala Lumpur-based stock exchange, experienced a similar assault.
These attacks have typically
targeted firms' web-facing services and applications, which are exposed
to direct hacks and to distributed denial of service (DDoS) attacks,
floods of traffic from many sources at once that are designed to
overwhelm a website and take it offline.
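As an added illustration, not part of the original article: the distinction between a flood from one source and a distributed one matters to defenders, because a per-client rate limit catches the first and is blind to the second. The Python below parses constructed web-server access log lines (sample data made up for this example, not traffic from any exchange or bank) and flags each second in which the aggregate request count reaches a threshold, recording how many distinct sources contributed and which sources, if any, are individually noisy. The log regex, the IP addresses and the thresholds are assumptions chosen for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format (Apache/nginx without referer and user agent). The regex is an
# assumption about the log layout; adjust it for your own server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return {ip, second, request, status} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "second": ts.replace(microsecond=0),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def rate_profile(lines):
    """Map each second -> Counter of requests per source IP, skipping unparseable lines."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[rec["second"]][rec["ip"]] += 1
    return per_second


def flag_floods(per_second, total_threshold, per_ip_threshold):
    """Flag seconds whose aggregate request count reaches total_threshold.

    For each flagged second, record how many distinct sources contributed and which
    sources individually reached per_ip_threshold. A distributed flood shows a high
    total, many sources and no per-IP offenders, which is exactly what a per-client
    rate limit cannot see.
    """
    findings = []
    for second in sorted(per_second):
        ips = per_second[second]
        total = sum(ips.values())
        if total < total_threshold:
            continue
        findings.append({
            "second": second.isoformat(),
            "total": total,
            "distinct_sources": len(ips),
            "per_ip_offenders": {ip: n for ip, n in ips.items() if n >= per_ip_threshold},
        })
    return findings


def analyse(lines, total_threshold=30, per_ip_threshold=20):
    """Convenience wrapper; the default thresholds are assumed values for this example."""
    return flag_floods(rate_profile(lines), total_threshold, per_ip_threshold)


def make_line(ip, ts, path="/index.html", status=200):
    """Build one constructed log line (sample data, not traffic from any real site)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


def sample_log():
    """Constructed access log: a quiet second, a single-source flood, a distributed flood."""
    stamp = "01/Apr/2013:09:00:0{s} +0000"
    lines = []
    # 09:00:00 normal traffic: three clients, two requests each
    for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
        lines += [make_line(ip, stamp.format(s=0)) for _ in range(2)]
    # 09:00:01 single-source flood: one client, 50 requests
    lines += [make_line("198.51.100.9", stamp.format(s=1)) for _ in range(50)]
    # 09:00:02 distributed flood: 40 sources, 2 requests each, 80 in total
    for i in range(40):
        lines += [make_line(f"192.0.2.{i + 1}", stamp.format(s=2)) for _ in range(2)]
    lines.append("this line is not in common log format and is skipped")
    return lines


if __name__ == "__main__":
    for finding in analyse(sample_log()):
        print(finding)
```

Run stand-alone, the script reports two flagged seconds. The first names a single offending address that a per-IP limit would have throttled; the second has 40 contributing sources and an empty offender list, so only the aggregate threshold catches it, which is why volumetric detection has to be done on the total rate at the edge rather than per client.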
Michael Cooper, chief technology
officer at BT Radianz Services, a provider of trading infrastructure,
said: “All sorts of market participants are susceptible. In particular,
the increase in the number of instances of distributed denial of service
attacks is self-evidently a concern.”
He added: “All trading infrastructures are being probed all day long.”
Although attacks on exchanges’
web-facing services have proved disruptive for the firms concerned, IT
experts have long believed that they could not result in widespread
disruption to the markets because trading networks are private,
resilient and isolated from the internet.
But the growing sophistication of
socially engineered attacks, which are designed to target specific
individuals within a firm, has led security experts to question this
assumption.
Ponemon said: “Closed
telecommunications systems are in fact vulnerable. More recently we have
seen attacks become more stealthy, and getting into the transactional
layer.”
Mark Clancy, managing director of
technology risk management at the Depository Trust & Clearing
Corporation, the US post-trade giant, said people are the biggest
challenge. “Someone surfing the internet could serve as a bridgeable
channel between the outside world and a closed network. As a result,
companies are having to create greater isolation between those two
areas.”
One individual at a regulatory body
said it was “a matter of if, not when” a socially engineered attack
resulted in a significant trading disruption.
Information sharing
According to the European Commission, Europe’s thus-far fragmented approach to cyber-security has hindered co-operation between all but a handful of member states. It hopes that the proposed rules, which have yet to enter negotiations, will promote information sharing on the nature of the threat, allowing firms to better defend against it.
DTCC’s Clancy said: “Europe has a
particular challenge with respect to cyber-security due to its
composition of several member states. It is drafting a strategy similar
to that of the US, but there is a need for greater co-ordination in the
EU. The region has a big challenge around privacy and civil liberty
concerns with respect to sharing information regarding cyber-attacks. It
needs to come up with a way to share information that doesn’t raise
concerns on a privacy front.”
Udo Helmbrecht, executive director
of the European Network and Information Security Agency, Europe’s
cyber-security body, which is expected to play a greater role under the
new regulatory regime, said another challenge for legislators as they
come to negotiate the final text would be in setting the reporting
threshold.
He said: “One of the questions is to
whom should companies report breaches, how often and to what extent.
This has to be defined and quickly.”
Mark Waghorne, senior manager in
KPMG risk consulting, warned against creating a new compliance burden
for the financial sector, which has traditionally proved extremely
skilled in dealing with cyber-threats.
He said: “Banks and other financial
services organisations are extremely good at working co-operatively on
cyber-security issues. I think the Commission proposal is well
intentioned but it may produce a compliance burden, which could actually
deflect resources away from existing defences. Firms might be
compliant, but not, in fact, secure.”
Empowering Enisa
The European Network and Information
Security Agency was first established in 2004 as Europe’s
cyber-security agency, acting as a centre for cyber-security expertise
and information-sharing. The Crete-based agency has long suffered from a
lack of financial and political support among member states, and
possesses no enforcement powers. But its fortunes are changing.
Amid the rising tide of
cyber-attacks, UK Conservative MEP Giles Chichester, who sits on the
Industry, Research and Energy Committee in the European Parliament, has
led a campaign to beef up the agency.
Last week, the European Parliament
voted to extend Enisa’s mandate by a further seven years and expand its
responsibilities, in what European Commission vice-president Neelie
Kroes described in a statement as a “new start” for the agency.
Enisa is also set to play a key role
in establishing network and information security standards under the
European Union’s recently proposed EU cyber-security strategy and
network information security directive.
Udo Helmbrecht, executive director
of Enisa, said: “During the past five years, we’ve seen increasing
political awareness regarding cyber-security. When we came into force in
2004, some member states were reluctant. We’re now in good shape. We’ve
received great support from Giles, but we’re not dependent on party
politics.”
Source: http://www.efinancialnews.com