There are over 4 Billion internet users now, accounting for 56% of the globe’s total population. This has doubled in the past 6 years and the stats show this will continue this pace. Social media has experienced a similar growth. We are now in the interconnected industrial age – the Internet. The convergence of physical, digital and biological domains including the developments in AI, mobile internet and cloud computing.
Digital services has been a core constituent to this revolution; financial services – online and digital banking, digital financial technological (Fintech) start-ups and Cryptocurrency (Block chain, Bit Coin). This is a double edged sword however, the benefits of digital connectivity has the downside of the exposure to the risks that is may bring for our own personal and corporate information.
For most institutions and sectors, the risk from the internet, data breach, hacking or theft ‘intrusion’ is not a key risk to organisations and persons. Data is now key, currency is now just ones & zeros in digital storage, be it your local shop or the central bank of your country. The Bank of England’s 2018 H2 Systemic Risk Survey referenced cyber-attack as the second most cited source of risk to the UK financial system.
What is Cyber Risk?
As cyber risk is a global, cross-cutting and topical subject, they are agnostic of boundaries, countries, companies or people. We all are potential sources of information that can be traded. We are cattle to be bought and sold to hackers; our personal information is a form of currency.
- Cyber risk relates to any device that has an electronic component driven by the ability of a user (human or artificial) to interact with it. It may be connected to other computers or standalone but in the most part it is the connected technology that we use to keep abreast of information in this digital age. How we live our lives now, the risk that the loss or breach of this device, information or connection can cause to the two way engagement that if affords.
- Systems are also automated and dependent on hyper-connected data sources and feeds. Hence attacks can propagate without human awareness or intervention.
- Cyber risk involves the presence of a malicious entity: somebody seeking to corrupt or upset normal operating equilibria. Importantly, this means that an attacker may be able to choreograph the attack so as to maximise systemic impact. For example, by timing an attack on a key institution to coincide with a period of heightened uncertainty.
cyber incident -specific Meanings
- A ‘threat agent’ is a malicious actor whose intentions are to attack a socio-technical asset (e.g. system, network, and person).
- ‘Vulnerability’ is a flaw in a socio-technical information asset that may be exploited (either via a person, a process or technology).
- A ‘cyber attack’ is the act of a malicious agent exploiting vulnerability to compromise the socio-technical information asset.
- A ‘control’ is a countermeasure to identify, protect, detect, respond and recover from a cyber-attack.
- An ‘impact’ is a result of the attack. This is typically seen as a breach of confidentiality, integrity, availability, utility, possession or authenticity of the information asset.
Those that observe the aftermath of a cyber-attack tend to cite the activities of criminals, hacktivist, insiders with a grudge and hostile states as evidence of the ability to attack a system and cause a cyber shock. Conversely, Danielsson, Fouché and Macrae (2016) contend that ‘the only actors with sufficient resources to cause a systemic crisis are the largest sovereign states’ and that they must ‘be very lucky’. They suggest it ‘might be just as easy to…[make] credible threats to world trade’
Cyber Gangs at work
Just yesterday 16th May 2019, an international crime gang which used malware to steal $100m (£77m) from more than 40,000 victims has been dismantled. They were spread across multiple countries; USA, Germany, Georgia and Ukraine with different skill sets, all connected by their activities in cyber-attacks.
A cyber-attack frequently combines different groups of attackers; their activities stimulated by a black-market economy where the exchange of tools and knowledge cuts through traditionally defined boundaries. As an example, the WannaCry global ransomware attack which impacted legacy technology within the NHS was reportedly rooted in a compromise of US government intelligence tools, was monetised by Russian-linked criminals and weaponised by the North Korean state (DPRK)
Cyber Attack is the new cold war weapon of choice. We hear about the numerous times that foreign state sponsored organisations have breached western state organisations, but little on how western state organisations have breached others. The NSA (USA) or GSHQ (UK) do not develop intrusion based software programs just for the good of it. Its not all one way.
Could a cyber attack cause a systemic impact in the financial sector?
Many organisations have IT systems and process based on 10 year old technology, legacy programs. A previous organisation I worked in, had a 12 year old ERP system running on Unix been held together by the knowledge of the IT manager alone.
Consider the risks in that to that organisation, the what if’s?
In the current unrest in the Ukraine, traditional weapons – bombs, missiles have been used, but also has cyber-attacks. Breach of the Ukraine power network using a Sandworm malicious platform. Therefore, some nation states have the offensive capability to supplant the need to rely on luck for achieving a systemic impact. Trade wars can have a generalise effect on a country, but cyber can target an individual organisation. Cyber attacks have a low cost compares to the price of a missile or an airplane. The internet offers the ability to hide and mask your identify where a plane can be tracked and the damage its payload does, leaves evidence.
Keeping Systems Up to Date
What about patches, keeping a system current, locked down and safe from intrusions? Jan 2020 Windows 7 goes end of life support from Microsoft, I won’t consider how many computers out there running key functions of legacy operations are still operational with Win7. Older systems are more vulnerable to an attack, weaknesses are known and new issues may not have any upgrades available, this is the risk that IT can pose to an organisation.
Similarly, there is an emerging skills gap in the cyber security sector; gradually reducing the capability among defenders and therefore increasing the chances of success for would-be attackers.
As of Dec 2018, the Information Systems Security Certification, there are 3 million IT professional unfilled roles presently, and this gap is growing.
Could a cyber attack cause a systemic impact in the financial sector?
Data loss is another example of cyber risk which is building up in organisations. Loss or breach of a data base with the theft or exposure of personal, sensitive or critical information, e.g. financial services records for credit provision.
It is our trust in an organisation, we use their services on the basis that information provided will be kept confidential. The breach of Equifax of May 2017, compromised 15.2 million personal records and according to the National Cyber Security Centre (NCSC), ‘the majority of these … [contained]…the name and date of birth of certain UK consumers’
immune to cyber Attacks?
On the flip side, are we not getting immune to the cyber breach in this organisation or another, it is so common these days that unless it is a big story does it spark our attention. And from my own experiences, do the general public, understand, care and more importantly know how to react if their personal information has been compromised, you bet most don’t. Probably will still use the same log in details, passwords as before, we are creatures of habit.
What if our banks were hit, or more the central clearing houses (interconnection between bank payments & transfers). If their key assets were attacked and could not be easily replaced, the disruption to the payments systems – your wages, mortgages, the banks clearing and settlement systems, what would that do to a country.
I remember a few years ago, an upgrade to the systems of AIB, one of the main pillar banks in Ireland. https://www.thejournal.ie/aib-mobile-and-internet-banking-down-2887990-Jul2016/ caused headaches for all. Money was locked in their accounts when the mobile ability for customers to interact was broken.
Question, when was the last time you stepped inside your own bank? It’s been months for me.
Cyber Crime Financial Impact
In April 2018, a UK Finance and KPMG report claimed that cybercrime had a ‘global impact exceeding $450 billion a year as crime, extortion, blackmail and fraud move online’. UK Finance (2018a). Yet, at present, cybercrime has not currently led to an obvious failure in the provision of service. Therefore, while it is a vitally important system-wide issue, we hope it won’t yet bring down the systems of organisations that we depend on.
Lastly, human factors.
We are all human; we make mistakes, errors in judgement, sharing of information. It may not be the critical issue with a cyber incident, but it has its fair share of news headlines.
We trust that the person we are engaged with is professional and trustworthy, same as ourselves to fulfill their work function. We are probably only just beginning to understand the relationship between the authenticity of information and its role within organisations. The early signs suggest a relationship which could be easily undermined by a savvy attacker; leading to typical behavioural responses seen in financial risk, such as capital flight. How safe is your Facebook or social media accounts, can they be attacked,
Local county council CEO was away on holidays, criminals found out and 4 million euro was scammed from the finance department of the council.
No two factor authentication for transfer of funds…..
We are seeing a further growing gap between the technology environment we operate and our ability to understand and secure it. As we build automated processes and artificial intelligence into its services, this will, by definition, compound the problem; making the mitigation of attacks significantly more challenging.
Information Technology is getting more complicated, more linked and have less people understand how it works, technology is a key benefit but also a risk to us all.