A problem shared…
From large-scale threats to the entire industry to the response tactics of smaller firms, greater coordination can reduce cybersecurity risks
Financial institutions and market infrastructures are more vulnerable to a 9/11-style, black swan cybersecurity event than other critical infrastructures on which society relies, such as telcos or even power grids. Sibos 2018’s Big Issue Debate on cybersecurity grappled with how global market operators and participants should collaborate, innovate and work to improve resilience against cybersecurity threats.
Jacqueline McNamara, head of cybersecurity at Australian telecommunications giant Telstra, explained how her firm runs scenario testing in order to plan and test responses to attacks on network resilience or network outages. She said the company’s Network 2020 plan focuses on resilience, pointing out that the imminent arrival of fifth generation mobile phone networks would reduce vulnerability of systems hitherto dependent on a single cable or physical installation. Noting the efforts made by Australia to implement collaborative frameworks between business and government to protect critical infrastructure against security threats, McNamara said that a cyber-attack impacting financial service infrastructures could be as big a challenge to a country as an attack on its telecommunications network.
“When you have significant impact to financial systems, or people can’t get to their money, they can cause just as much duress to the system as a major network outage for example,” she said.
The biggest threat of a black swan cybersecurity event in the financial service industry comes not from state-sponsored cyberwarfare, terrorists or hackers, but rather from organised criminals, via the dark web, said Dmitry Samartsev, chief executive officer of BI.ZONE, a Russian cybersecurity firm. Organised cybercrime is increasing every year, he asserted, and is absorbing more resources to develop tools that leverage artificial intelligence for use in more sophisticated attacks. Samartsev also noted that cybercriminals will collaborate in ways that institutions and governments do not.
“The worst case scenario is when cybercriminals attempt several attacks simultaneously,” he said. “For example they’re making DDoS attacks and then at the same time they’re making huge informational attacks on social networks – spreading fake news claiming that the biggest banks are going down. Can you imagine the domino effect it will have? This will lead to troubles with liquidity, troubles with central banks or troubles with the government. Cybercrime has no borders and there must be cooperation between countries and companies.”
By treating cybersecurity threats as a business risk, rather than an IT consideration, organisations are better able to manage the potential repercussions throughout the organisation, Sibos delegates were told in the SWIFT Institute session titled ‘Cyber – How you can mitigate the business risk?’ Dr Maria Milosavljevic, government chief information security officer for the Australian state of New South Wales, suggested that while the understandable initial organisational response to cyber risk is to focus on putting controls on technology access, a more holistic view would seek to put in place mitigation strategies as well.
“What else increases your likelihood of something going wrong?” she asked. “Poor contact management arrangements, not being able to hold people to account when things go wrong, buying from the wrong suppliers, not knowing where your critical assets are.”
A persistent message across all the cybersecurity sessions at Sibos 2018 was that organised cybercrime is already collaborating and sharing information, and thus has a potential significant knowledge advantage over financial institutions if the sector does not step up its efforts to collaborate. However, speakers acknowledged that there are real barriers to sharing information across institutions, such as privacy regulations and the protection of customer data.
“Significant barriers are associated with sharing material, from the point of view of customer relationship management and ensuring there is appropriate focus on privacy,” said David Pegley, managing director, Australian Financial Crimes Exchange, a non-profit, cross-industry organisation. “The challenges within each institution lie in their legal and compliance requirements – the interpretation of the law between different jurisdictions is important in considering sharing of material. We do our best to deal with this within constituencies, primarily through standardising exactly what we share, how we share and, more importantly, the behaviours recipients of that information will adopt.”
Experts emphasised the need for greater collaboration on a number of fronts: at a pre-competitive level between financial institutions themselves; between institutions and government and regulators; and across supply chains. This can take up significant resource for global organisations, but there are also complex issues facing smaller and medium sized institutions, which can be less prepared and thus more vulnerable to attacks that can spread throughout the supply chain.
Kathryn Taylor, a researcher with the Cyber Policy Initiative at the Carnegie Endowment for International Peace, presented research commissioned by the SWIFT Institute in a session entitled ‘Protecting the ‘long-tail’ of smaller organisations from cyber attacks’, in which she noted that governments are attempting to build resources and processes for smaller firms. In one example, Taylor cited the UK’s National Cyber Security Centre, which has issued a guide for smaller businesses outlining governance and operational approaches to managing cyber risks.
Managing how staff respond to risks, in addition to managing technology controls, is an area that organisations, large or small, can address, said Andrew Pade, chief information security officer (CISO) at the Reserve Bank of Australia, noting that the majority of cybersecurity breaches occur due to staff action, such as clicking on a link in a phishing attack.
“The technologists love to buy technology, because it solves problems,” Pade said. “[But] if you’re in a small organisation, you can educate your staff on how to identify the typical phishing campaigns. Not only are you securing your organisation, but you’re also securing your home life.”
Incident response training is also a key part of any organisation’s cybersecurity strategy, because how the aftermath of an attack is managed shapes both its impact and the speed of recovery, said Chris Hockings, CTO for IBM Security in Australia and New Zealand, in the same panel discussion. To help clients improve incident response, IBM has built a truck, the interior of which serves as a simulation room in which executive teams and CISOs test their response plans to a cyberattack, Hockings explained.
“When we started, we thought people would be doing exercises on computers, but in reality they needed to realise how would they coordinate during an incident,” Hockings said. “Panic can set in. You [must] work out who your leaders are when you immerse them into an unfamiliar circumstance: ‘Your response plan is not there. Your systems are offline. What are you going to do?’ You don’t know until you test it. Compliance is necessary, practice is essential.”
This level of immersive training may not be available to smaller organisations, acknowledged Hockings, but the principle of running simulations and testing plans is still possible.
In the time of Sigmund Freud, solving an identity crisis necessitated a therapist and a couch. But in the 21st century, an identity crisis has different implications – and demands a different response – compared with an existential loss of self. Identity theft is a growing aim of cybersecurity attacks, requiring banks to invest and plan accordingly.
In a session entitled ‘How do we solve the identity crisis in a digital world?’, representatives from banking, payments, market supervision and the legal world considered the risks and possible solutions to identity theft.
The stakes are high and the probability is rising. Michael Bui, head of identity and access management at Commonwealth Bank of Australia, noted that a person has a one in 15 chance of having their identity stolen or being a victim of a data breach each year.
“We are in a world where the opportunity of identity theft is quite high,” admitted Marc Bayle de Jessé, director general for market infrastructure and payments at the European Central Bank, noting also the cross-sectoral nature of the threat as more of our daily lives become digitised.
In terms of the legal and regulatory framework, Bayle de Jessé noted the efforts of EU member state governments to coordinate on the introduction of electronic identities, adding that legislation such as Europe’s recent Payment Services Directive (PSD2) is already playing a role in protecting customers and payment service providers.
“PSD2 helps to increase interaction between actors in a digital payments world,” Bayle de Jessé said. “This also creates the necessity to strengthen standards to make sure people are well identified when they initiate payments or circulate information about their accounts. There are already a range of authentication techniques available; FinTech can bring more and we are open to that. As a central bank, we support innovation and believe that is good for the development of our economy.”
In terms of innovative solutions, Nick Abrahams, global head of technology and innovation at Norton Rose Fulbright, called facial recognition technology a “game changer” to protect identity.
“I think we’ll become much more comfortable with biometrics,” Abrahams said. “We’ve seen a lot of start-ups trying to solve the identity issue with blockchain. But it’s going to be very difficult for one organisation to own the solution. It needs to be a consortium. The government obviously has a significant role to play, and the banks.”
As with broader cybersecurity threats, panellists suggested that coordination between organisations can increase the ability of institutions and individuals to respond in the event of identity theft. A recent Australian industry-wide review, cited by Victoria Richardson, chief strategy officer at the Australian Payments Network, highlighted the need for real-time sharing of actionable information, consistent incident response management and awareness generation.
“The good guys have to exert caution around who they share information with, and the bad guys don’t,” Richardson said. “They share the information with everyone.” To address this issue, the Australian federal government is leading an initiative to support cross-industry collaboration and secure information sharing through the establishment of a network of Joint Cyber Security Centres (JCSC).
“The JCSC initiative is looking at this from an economy-wide perspective. I think it’s really important that governments facilitate that kind of conversation. The concept of safe harbour is very important here too,” she added.