By Mark Sparkman, Special to CNN
Editor’s note: Mark Sparkman, a former senior officer with the CIA’s National Clandestine Service, is a senior international affairs analyst with the nonprofit, nonpartisan RAND Corporation. The views expressed are his own.
The announcement by prosecutors that charges had been filed against suspected cyber thieves believed responsible for stealing $45 million in a matter of hours from ATM’s in two dozen countries should send a stark message to governments around the world – banks could be the most vulnerable front in cyber space.
Plenty of people have been warning us these days to worry about cyber attacks, but generally we have been worrying about the wrong things. Most “cyber Armageddon” scenarios focus on gaps in our physical infrastructure and even far-fetched scenarios such as infant incubators in hospitals being turned off. But major swathes of the United States have routinely gone without electricity and water for days following natural disasters. Soon enough, life gradually gets back to normal. Want real chaos? Destroy confidence in the banking system (or even a part of it), and just stand back and watch.
Since last fall, a series of Distributed Denial of Service (DDoS) attacks on financial institutions have temporarily denied customers access to their bank accounts, and U.S. officials have pointed an accusatory finger at Iran. Although the attacks were not devastating, U.S. officials are rightly weighing their response options. The fact is that the United States needs to gear up for the coming era of cyber threats – and start by ensuring its financial flank is not catastrophically compromised.
The banking system is built on trust. It’s slow to establish and fragile to keep. That trust must be fiercely protected. Consider some of the ways cyber attacks could quickly undermine our faith in the system. If you suspected that someone was going to steal $1,000 a month from your bank account, wouldn’t you shut it down, regardless of government guarantees on your deposits? If a regional bank discovered that 10 percent of its capital assets were being moved (or removed) every month through cyber manipulation, what would it do? If a national government knew that a hostile actor was manipulating bond prices, how might it respond – and what could that response do to the global bond market?
International commerce depends on billions of electronic transactions each week, ranging from simple bank transfers to complicated debt swaps. The system works only because of the faith people put into it. It is rooted in the trust built up over decades of successful transactions governed by national and international legal and accounting norms. But what if people start to see the banking system as vulnerable to manipulation by terrorist groups, crime syndicates, or countries waging semi-clandestine campaigns to undermine a rival’s economy?
For a decade or more, governments with advanced cyber capabilities and a decent knowledge of financial systems have presumably been able to alter, adjust, and amend financial data to suit their own ends. And many governments have had tempting incentives to do so, from recovering stolen funds to hindering terrorist groups or drug cartels. But so far, the incentives not to change banking data have overwhelmingly carried the day within governments whenever this issue is broached. After all, no responsible, law-abiding government wants to set the precedent that “stealing” money – or even moving it around – is acceptable, no matter how pure their motives. The stability of international financial institutions and banks, and even of states themselves, is grounded in the belief that financial holdings and transactions are sacrosanct – not to be tampered with by any government for any reason. So governments have only frozen or confiscated funds within the confines of international sanctions, often U.N. mandates, or when a company, organization or individual has broken the law.
Government responses to assaults on banks have been restrained thus far because the cyber attacks haven’t been that severe. True, financial institutions have had to weather some DDoS attacks, in which their sites are flooded with huge volumes of data until they collapse. Such attacks can be disruptive and annoying, but most individuals, companies, and governments wake up the next morning with just as much money in their accounts as they did before the attack.
All bets are off, however, in a true offensive cyber attack. Protected data would be changed, manipulated, or destroyed, and depositors might never recover their assets. With the possibility of such an attack looming, governments should be making serious decisions about deterrence, defense, retaliation, and escalation.
That day could be closer than we think. Given the unsettling recent advances in DDoS attacks and the ever-growing scale and speed of international financial transactions, even these heretofore nuisance attacks may be crossing the threshold into outright assault on a nation’s financial infrastructure or economy. Blocking banks, businesses, and individuals from conducting transactions for even a few days could have a major economic impact.
In April, for example, Wells Fargo Bank was slammed by a sustained DDoS attack. To keep up their customers’ trust, Wells Fargo assured them publicly that their personal “information is safe.” But that may not always hold true. Companies, credit card issuers, and medical firms have regularly reported breaches of personal information – and while these have often been disconcerting and sometimes even unnerving, these information breaches or data spills have usually not significantly undermined the trust that individuals and companies place in institutions that failed to adequately protect their data. Why? Simply put, while customers may have fretted about having had their credit card data out in the open for a few days, they ultimately suffered no real losses.
An offensive cyber operation would be something else entirely. Such attacks aim to destroy or alter enough data to harm a target institution or national economy. The most worrisome attacks would involve adversaries deploying cyber weapons to prevent normal financial transactions from taking place. That would undermine companies’ abilities to conduct business and dilute the trust that underpins any stable economy.
A major cyber attack would require a response from the nation at the receiving end – and establish a new field of warfare. States will want to retaliate in ways that deter future would-be cyber attackers. Any nation or group that moves beyond financial espionage, messaging, or annoyance to actually electronically manipulate assets or markets must understand that it will be subject to retaliation that inflicts pain proportionate to the damage done. And if the attackers persist, target nations must be ready to escalate by returning fire at a rate and magnitude that will deter further attacks.
Adversaries cannot be allowed to destroy in a second the trust in our financial systems that has taken centuries to build.