Cyber criminals often have the advantage over banks.
The reason why is due to a serious imbalance between the cost of launching cyber attacks and the cost of defending against them.
A cyber criminal sitting alone in Hong Kong could render the website of a bank or securities exchange useless by flooding it with traffic.
The threat has reached such proportions that is now a regular feature of negotiations between the US and China. "Cyber security will be one of the issues discussed" during president Xi Jinping's state visit to Washington on Thursday, US State Department spokesman John Kirby said at a briefing on Monday.
Speaking at George Washington University the same day, national security adviser Susan Rice said: "In his meetings with President Xi, President Obama has repeatedly made plain that state-sponsored, cyber-enabled economic espionage must stop," said Rice in a transcript of the talk released by the White House press office. "This isn’t a mild irritation. It is an economic and national security concern to the United States."
Whether state-sponsored or carried out by individuals, the cost of hacking into systems is miniscule compared to the cost of defending against cyber-incursions.
In fact, on the black market, the attacker can buy the tools to execute this crime for under $1,000, yet the bank may need to spend upwards of $1 million to successfully thwart it.
There are many motivations for cyber crime against financial institutions. In some cases, criminals have a financial motive and are trying to steal money or information from an institution or its customers.
Others are politically motivated and intent on making a statement, known as ‘hacktivists’.Some conduct cyber espionage to steal secrets for economic or other advantage, and others seek destructive attacks to strike at the heart of a firm’s operations.
Financial institutions, including global banks, face these threats each and every day, ranging from operations launched by unskilled hackers to highly sophisticated criminals who write complex malware to gain an edge.
Research consistently shows a continued increase in the number of cyber attacks across all jurisdictions. In fact, almost half of the respondents to The Depository Trust & Clearing Corporation’s (DTCC) Systemic Risk Barometer Study earlier this year cited cyber security as their top concern, with 80% of respondents rating it as a top five systemic risk overall.
This increase in concern reflects the fact that security incidents are rising across the financial markets and other key industry sectors, with respondents citing the growth in the “frequency and sophistication of cyber attacks”.
Of major concern is the type of attack that we witnessed on the Japanese electronics giant Sony late last year where the perpetrator clearly set out to disrupt and destroy the company’s operations. When you have a cyber invader inside your system, it quickly becomes a significant business continuity and reputational issue.
For financial institutions and market infrastructure providers, attacks similar to the Sony hack have become the apex problem. In parts of Asia and the Middle East, where we have seen these types of attacks on a smaller scale, it is concerning that they may become the ‘new normal.’
Unfortunately, good cyber hygiene and fraud management tools are not necessarily helpful because the criminals are trying to disrupt infrastructure rather than steal confidential information or money.
One approach that has garnered interest and support from both the financial industry and regulators is to employ a community defense against cyber crime – that is, the sharing of information between companies to identify and block attacks being made against multiple organisations.
The concept of information sharing has been around for many years, starting in the United States where many organisations came together to battle cyber crime. These types of communities are not as well developed in Asia, but the good news is that we are starting to see real action in Singapore, Japan, and Hong Kong as well as in Australia.
There is growing recognition that sharing information allows a more efficient response to attacks. In fact, the US-based Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for collaboration on critical security threats facing the global financial services sector, recently formed a threat intelligence group in Singapore to build information sharing capabilities in the region.
Regulators in Asia are taking a pragmatic approach, encouraging actions that promote information sharing and proven methodologies rather than rushing into establishing prescriptive static rules. This is incredibly important in a rapidly evolving industry where static rules can quickly become outdated. Asian regulators clearly understand the need to continue to encourage good cyber hygiene and preventative measures while at the same time allowing flexibility for the industry to respond as cyber threats evolve. Indeed, the Hong Kong Monetary Authority is working with the banking industry on establishing a framework and mechanism for the sharing of information on cyber threats.
One goal of information sharing is ultimately to shift more costs to attackers. Many criminals often write one piece of malware and send it to multiple financial institutions – a single investment that can pay high dividends. However, if as a community we can force hackers to write four unique attacks, their costs go up. And if we can share the information, the defender costs go down.
The benefits grow exponentially if we automate this process so companies have access to real-time information sharing that allows firms to focus on threats that have yet to be identified.
It is unlikely we will ever stop cyber attacks, but through a concerted effort to share information, we can significantly dent cyber criminal operations, raising their costs and making it much harder for hackers to threaten financial market participants and other organisations in Asia and across the globe.
Mark Clancy is the CEO of Soltra, a DTCC joint venture. He will be speaking at Sibos in Singapore on cyber security in October.
NOTE: This article has been updated to reflect recent developments in US-China cybersecurity talks.