Yves here. I want to amplify Clive’s point below about “the War on Terror has been around for a while, so why all the noise-making about bank ‘cybersecurity’ now?” A contact was a consultant to the Treasury Department on “terrorist finance” in the Bush Administration. This was seen as such a big issue that he could get the head of the ECB, Claude Trichet, on the phone.
By Clive, an investment technology professional and Japanophile
Part 1 of 2 – What’s Taking You so Long?
With all the predictability of night following day, governments are – in the way that only our governments can – combining both aggressive, ambitious talk with a curious helplessness in warning banks (that’s the aggressive bit) they really should be Doing Something about (that’s the helpless bit) the risks posed by terrorists, rogue states and badly behaved dogs (okay, I made that last one up) to the stability and availability of the finance system.
Here, for example, is the Financial Times taking to the fainting couch “Cyber attacks set to jump in 2016 after Iran deal, Israel warns” (you may need to search on the title) after having an Israeli-induced attack of the vapours over the possibility that the financial system may be targeted by countries and groups which the US has annoyed.
That august body the IMF got in on the act too in their most recent Financial Sector Assessment Program note which wagged its finger thusly (pg. 20):
Operational risks: Cybersecurity threats, infrastructure vulnerabilities, and other operational risks remain a top priority for the [Financial Stability Oversight Council (FSOC)], and regulators should continue to take steps to improve financial institutions’ ability to prevent operational failures and improve resiliency.
If reports like that one in general, and paragraphs like that one in particular, have the same effect on you as they do on me, you may well have glossed over the details of this quote but please do summon your strength and study the language used carefully despite its attempts to make heavy the eyelids. This item was “number 3” in the IMF’s threat hit parade so we (and the FSOC) are presumably meant to take it seriously. But it is very light on prescriptive action. Even allowing for official-ese it contains the sort of sentences which would have earned me a red wriggly line from my 3rd grade English teacher Mrs. Crawford. You cannot work out who is supposed to be getting whom to do what, and how. There’s a reason for that which we’ll elaborate on in our concluding section of this article.
It is simply too tedious for me to check the exact date on which George W. Bush first declared the “War on Terror” but it was well over a decade ago to my certain knowledge. In the context of upgrading IT systems (which are the backbone of our financial system today) that is at least one, probably two hardware upgrade cycles and nearly half a dozen major software releases. That’s plenty of time – and opportunity – to redesign and make substantial improvements in the robustness of the sub-systems and so reduce the risk of potential threats doing some actual damage to the system as a whole.
I can practically hear at this point a small army of hardware vendors, software suppliers and their salesforces, consultants and even government officials whose interests are, well, let’s just say “aligned” to this we’re-trying-we’re-really-really-trying-but-it-will-always-be-a-work-in-progress mantra chiming in with explanations such as: the sophistication of the threats is always increasing, or the added complexity that comes from people wanting more features creates new attack surfaces, or similar. To which I can only reply, it’s been ten years or more already.
If you’re not within sight of completing a programme in that kind of timeframe and your schedule still doesn’t have an end date, you are never going to achieve your objectives. Chances are, you’re trying to fit a square peg in a round hole or looking for your keys under the streetlight. If you cannot remove a risk; if your efforts to reduce that risk are not delivering an improvement in its impact but are instead constantly being overwhelmed (or so you claim); and if, finally, you’ve decided you can’t live with the risk, then it’s time to mitigate it with an alternate approach. By which I mean, if I have to transport a herd of hippopotamuses from London to New York, but the hippos won’t fit in an aeroplane, then I can either begin a huge undertaking to modify a plane so that it could, one day, eventually, carry my hippos across the Atlantic. Or I can put them on a boat. It will be slower; it may cost more (but that depends on the lengths I am going to in order to try to get the aeroplane-based solution to work) but it will unquestionably achieve what I’ve said I want.
Leaving my hippopotamus analogy behind and returning to the financial system, this means that if governments and the operators of the financial system (primarily the big banks and the central banks or treasury departments of governments) want better resistance to cyberattacks, they can, if that is indeed what they really want, come up with a new system which inherits none or significantly fewer of the vulnerabilities of the existing system. Pick any threat, pick any system, pick any time in history prior to about 1990 and that is exactly what happened.
Different subscribers did though have differing needs and differing budgets. It was fine, for instance, if when you tried to call your mom in Florida from your home in New York on her birthday you got a “no trunks” message. You could try again later. That probably wouldn’t be acceptable if you were the President and were trying to reach a general in Cheyenne Mountain in a crisis. But the government could not just demand that AT&T install new capacity and harden the system. AT&T was a private company. Mindful of its profitability, it usually did “just enough” to enhance its network for residential subscribers.
If commercial users wanted more capacity, enhanced features or better than standard service availability, then AT&T would happily calculate the cost and charge them accordingly. But with no incentive to provide strategic, national-scale planning, the system was enhanced sporadically, piecemeal and based only on what the market would pay for. Actually, AT&T was, by comparison with business today, very far-sighted and tried to have a long-term approach to growing its business. It could not, however, take blatantly uncommercial risks, especially in the provision of long-distance services. It certainly would not go throwing its stockholders’ money around on expensive hardened infrastructure. If the Bell system got toasted in a nuclear strike, AT&T and its equity investors wouldn’t be around to care.
We have governments, though, to do just that – care about things which “the market” won’t bother worrying about.
So the DoD did a perfectly rational thing. It figured out what it wanted (a survivable – the requirement was to withstand a 20 megaton hydrogen bomb airburst 5 to 10 miles away from major switching nodes – resilient and robust telecommunications system). It then told AT&T to go and build it. And it paid AT&T to do so. AT&T built it. Then AT&T operated it on behalf of the DoD but also, again, very sensibly, utilised the same system for civilian customers to both improve the service to non-military subscribers and to reduce the unit cost to the defence users.
We are not talking about trivial complexities or budgets here. The system (this enthusiast site coldwarcomms.org/l5 gives a feel for it, there’s plenty of other material online if you search) cost billions to build and billions to run.
One could argue that the financial system is just as important today as the phone system was in the Cold War. So why the reticence of governments – not just in the US but in other countries which have a similar dependency on a robust financial system which is resistant to interruptions (either man-made or even natural) – to specify what they want then just jolly well go out and buy it?
I believe it is because governments are so trapped in their own neoliberal ideologies that they have rendered themselves incapable of taking effective action to make the financial system more resilient. The banks who own and operate the financial system are in exactly the same position as AT&T and the phone system were. They will only do what their profitability analysis tells them they should do. While governments can whinge on about the risks to the system – and there’s no shortage of professional panickers at places like the Department of Homeland Security – all they can do with the policy tools they have restricted themselves to is besiege the banks to magically fix it for them.
Of course, banks are subject to regulation and the provision of banking licences is conditional on banks complying with certain mandates imposed by the regulators (and so, by proxy, governments). But there are severe limits to this approach. AT&T was a regulated utility too and it was able to argue – successfully and somewhat justifiably – that residential or business subscribers couldn’t be made to cross-subsidise what they didn’t want or weren’t able to pay for. Governments – and their regulatory sock puppets – cannot arbitrarily seize private property. While they can require certain minimum standards to be met they will face legal challenges – which, again, in our increasingly neoliberal-leaning courts are likely to get a sympathetic hearing – if they start to demand major overhauls that impose significant costs to a business. If it (fees to cover government-dictated enhancements to the financial services infrastructure) looks like a tax, walks like a tax and quacks like a tax, then it’s probably going to be judged to be a tax.
So expect banks to continue what they have been doing up until now in respect of improving the ability of the financial system to survive cyberwarfare. Make all the right noises but do as little as they can get away with. It’s a case of Banks to Government: “you want it, honey, you pay for it”.
Returning to the IMF report from earlier (the one which managed to achieve an unusual feat of being both scolding yet strangely ineffectual at the same time) and having now read the above analysis, I’m sure readers can understand why the IMF awoke suddenly to find itself stuck up a gum tree, but then realised it was its own policies which got it there and hence the ambiguous phrasing in their report. If the US Financial Stability Oversight Council was a developing country in difficulties, the IMF would be telling it to decide what it wanted, work out what it all costs and then decide what its priorities were. If it wants it, it has to put up the money to pay for it. No one, the IMF would say administering its unpleasant medicine, not wanting to spare the rod and spoil the child, owes anyone a free ride. Well if that’s true for a developing country, it’s true for the Financial Stability Oversight Council and the financial system too. So why is it expecting the banks to act like charities?
But if you’ve got a herd of hippopotamuses to move and you’re only talking to Boeing or Airbus, they’ll keep tinkering about with their airframe and engine designs yet still be unable to come up with an effective solution for you. And if you’re not willing to put any money on the table and keep hoping for market-based approaches to pay off, then even that will make painfully slow progress. They’re highly unlikely to give you the phone number of a transatlantic shipping company.
In this, Part 1, we’ve explained how governments have, because of their deeply embedded small-government non-interventionist ideologies, shirked their own responsibility to safeguard the financial system which, for better or worse, is nevertheless something we are forced to rely on. To be fair, governments do at least appreciate the risks of a rickety financial system.
In Part 2, I’ll cover how the banks themselves are far from innocent in allowing the continued vulnerabilities of the financial system to persist, why they are quite happy to not do anything other than the bare minimum about it and what they could quickly and easily implement to reduce our exposure to their risks. I won’t give the plot away here, but you might not be stunned to learn that if it is a choice between owning the costs and risks themselves – or shifting them onto someone else – the banks are just ever so slightly leaning towards the latter.