Yves here. I want to amplify Clive’s point below about “the War on Terror has been around for a while, so why all the noise-making about bank “cybersecurity” now? A contact was a consultant to the Treasury Department on “terrorist finance” in the Bush Administration. This was seen as such a big issue that he could get the head of the ECB, Claude Trichet, on the phone.
By Clive, an investment technology professional and Japanophile
Part 1 of 2 – What’s Taking You so Long?
With all the predictability of night following day, governments are – in the way that only our governments can – combining both aggressive, ambitious talk with a curious helplessness in warning banks (that’s the aggressive bit) they really should be Doing Something about (that’s the helpless bit) the risks posed by terrorists, rogue states and badly behaved dogs (okay, I made that last one up) to the stability and availability of the finance system.
Here, for example, is the Financial Times taking to the fainting couch “Cyber attacks set to jump in 2016 after Iran deal, Israel warns” (you may need to search on the title) after having an Israeli-induced attack of the vapours over the possibility that the financial system may be targeted by countries and groups which the US has annoyed.
That august body the IMF got in on the act too in their most recent Financial Sector Assessment Program note which wagged its finger thusly (pg. 20):
Operational risks: Cybersecurity threats, infrastructure vulnerabilities, and other operational risks remain a top priority for the (Financial Stability Oversight Council (FSOC)), and regulators should continue to take steps to improve financial institutions’ ability to prevent operational failures and improve resiliency.
If reports like that one in general, and paragraphs like that one in particular, have the same effect on you as they do on me, you may well have glossed over the details of this quote but please do summon your strength and study the language used carefully despite its attempts to make heavy the eyelids. This item was “number 3” in the IMF’s threat hit parade so we (and the FSOC) are presumably meant to take it seriously. But it is very light on prescriptive action. Even allowing for official-ese it contains the sort of sentences which would have earned me a red wriggly line from my 3rd grade English teacher Mrs. Crawford. You cannot work out who is supposed to be getting whom to do what, and how. There’s a reason for that which we’ll elaborate on in our concluding section of this article.
It is simply too tedious for me to check the exact date which George W. Bush first declared the “War on Terror” but it was well over a decade ago to my certain knowledge. In the context of upgrading IT systems (which are the backbone of our financial system today) that is at least one, probably two hardware upgrade cycles and near half a dozen major software releases. That’s plenty of time – and opportunity – to redesign and make substantial improvements in the robustness of the sub-systems and so reduce the risks of potential threats from doing some actual damage to the system as a whole.
I can practically hear at this point a small army of hardware vendors, software suppliers and their salesforces, consultants and even government officials whose interests are, well, let’s just say “aligned” to this we’re-trying-we’re-really-really-trying-but-it-will-always-be-a-work-in-progress mantra chiming in with explanations such as the sophistication of the threats are always increasing, the added complexity because people want more features creates new attack surfaces or similar. To which I can only reply, it’s been ten years or more already.
If you’re not within sight of completing a programme in that kind of timeframe and your schedule still doesn’t have an end date, you are never going to achieve your objectives. Chances are, you’re trying to fit a square peg in a round hole or looking for your keys under the streetlight. If you cannot remove a risk, your efforts to reduce a risk are not delivering an improvement in reducing that risk’s impact but rather they are constantly being overwhelmed (or so you claim) and, finally, you’ve decided you can’t live with the risk, then it’s time to mitigate it with an alternate approach. By which I mean, if I have to transport a heard of hippopotamuses from London to New York, but the hippos won’t fit in an aeroplane then I can either begin a huge undertaking to modify a plane so that it could, one day, eventually, carry my hippos across the Atlantic. Or I can put them on a boat. It will be slower; it may cost more (but that depends on the lengths I am going to in order to try to get the aeroplane-based solution to work) but it will unquestionably achieve what I’ve said I want.
Leaving my hippopotamus analogy behind and returning to the financial system, this means that if governments and the operators of the financial system (primarily the big banks and the central banks or treasury departments of governments) want better resistance to cyberattacks, they can, if that is indeed what they really want, come up with a new system which inherits none or significantly fewer of the vulnerabilities of the existing system. Pick any threat, pick any system, pick any time in history prior to about 1990 and that is exactly what happened.
Different subscribers did though have differing needs and differing budgets. It was fine, for instance, if when you tried to call your mom in Florida from your home in New York on her birthday you got a “no trunks” message. You could try again later. That probably wouldn’t be acceptable if you were the President and were trying to reach a general in Cheyenne Mountain in a crisis. But the government could not just demand that AT&T install new capacity and harden the system. AT&T was a private company. Mindful of its profitability, it usually did “just enough” to enhance its network for residential subscribers.
If commercial users wanted more capacity, enhanced features or better than standard service availability, then AT&T would happily calculate the cost and charge them accordingly. But with no incentive to provide strategic, national-scale planning the system was enhanced sporadically, piecemeal and based only on what the market would pay for. Actually, AT&T was, by comparison with business today, very far-sighted and tried to have a long-term approach to growing its business. It could not, however, take blatantly uncommercial risks especially in the provision of long-distance services. It certainly would not go throwing its stockholders money around on expensive hardened infrastructure. If the Bell system got toasted in a nuclear strike, AT&T and its equity investors wouldn’t be around to care.
We have governments, though, to do just that – care about things which “the market” won’t bother worrying about.
So the DoD did a perfectly rational thing. It figured out what it wanted (a survivable – the requirement was to withstand a 20 megaton hydrogen bomb airburst 5 to 10 miles away from major switching nodes – resilient and robust telecommunications system). It then told AT&T to go and build it. And it paid AT&T to do so. AT&T built it. Then AT&T operated it on behalf of the DoD but also, again, very sensibly, utilised the same system for civilian customers to both improve the service to non-military subscribers and to reduce the unit cost to the defence users.
We are not talking about trivial complexities or budgets here. The system (this enthusiast site coldwarcomms.org/l5 gives a feel for it, there’s plenty of other material online if you search) cost billions to build and billions to run.
One could argue that the financial system is just as important today as the phone system was in the Cold War. So why the reticence of governments – not just in the US but in other countries which have a similar dependency on a robust financial system which is resistant to interruptions (either man-made or even natural) – to specify what they want then just jolly well go out and buy it?
I believe it is because governments are so trapped in their own neoliberal ideologies they have rendered themselves incapable of taking effective action to make the financial system more resilient. The banks who own and operate the financial system are exactly the same as AT&T and the phone system was. They will only do what their profitability analysis tells them they should do. While governments can whinge on about the risks to the system – and there’s no shortage of professional panic-ers at places like the Department of Homeland Security – all they can do with the policy tools they have restricted themselves to is besiege the banks to magically fix it for them.
Of course, banks are subject to regulation and the provision of banking licences is conditional on banks complying with certain mandates imposed by the regulators (and so, by proxy, governments). But there are severe limits to this approach. AT&T was a regulated utility too and it was able to argue – successfully and somewhat justifiably – that residential or business subscribers couldn’t be made to cross-subsidise what they didn’t want or weren’t able to pay for. Governments – and their regulatory sock puppets – cannot arbitrarily seize private property. While they can require certain minimum standards to be met they will face legal challenges – which, again, in our increasingly neoliberal-leaning courts are likely to get a sympathetic hearing – if they start to demand major overhauls that impose significant costs to a business. If it (fees to cover government-dictated enhancements to the financial services infrastructure) looks like a tax, walks like a tax and quacks like a tax, then it’s probably going to be judged to be a tax.
So expect banks to continue what they have been doing up until now in respect of improving the ability of the financial system to survive cyberwarfare. Make all the right noises but do as little as they can get away with. It’s a case of Banks to Government: “you want it, honey, you pay for it”.
Returning to the IMF report from earlier (the one which managed to achieve an unusual feat of being both scolding yet strangely ineffectual at the same time) and having now read the above analysis, I’m sure readers can understand why the IMF awoke suddenly to find itself stuck up a gum tree, but then realised it was its own policies which got it there and hence the ambiguous phrasing in their report. If the US Financial Stability Oversight Council was a developing country in difficulties, the IMF would be telling it to decide what it wanted, work out what it all costs and then decide what its priorities were. If it wants it, it has to put up the money to pay for it. No one, the IMF would say administering its unpleasant medicine, not wanting to spare the rod and spoil the child, owes anyone a free ride. Well if that’s true for a developing country, it’s true for the Financial Stability Oversight Council and the financial system too. So why is it expecting the banks to act like charities?
But if you’ve got a heard of hippopotamuses to move and you’re only talking to Boeing or Airbus, they’ll keep tinkering about with their airframes and engines’ designs yet still be unable to come up with an effective solution for you. And if you’re not willing to put any money on the table and keep hoping for market-based approaches to pay off, then even that will have painfully slow progress. They’re highly unlikely to give you the phone number of a transatlantic shipping company.
In this, Part 1, we’ve explained how governments’ have because of their deeply embedded small-government non-interventionist ideologies shirked their own responsibility to safeguard the financial system which, for better or worse, is, nevertheless, something we are forced to rely on. To be fair, governments do at least appreciate the risks of a rickety financial system.
In Part 2, I’ll cover how the banks themselves are far from innocent in allowing the continued vulnerabilities of the financial system to persist, why they are quite happy to not do anything other than the bare minimum about it and what they could quickly and easily implement to reduce our exposure to their risks. I won’t give the plot away here, but you might not be stunned to learn that if it is a choice between owning the costs and risks themselves – or shifting them onto someone else – the banks are just ever so slightly leaning towards the latter.
Well written and informative. The system as described is logical. The people utilizing the system, manipulating it, are logical also. This calls for a debate about ‘rationality.’
I call it rational absurdity. You usually only need to pile 3 or 4 perfectly rational decisions by perfectly rational actors on top of one another to get an outcome that entirely contradicts at least one of the perfectly rational decisions.
Clive refers to one of my favorite examples. We deregulated AT&T because it was alleged not innovating because, as a monopoly, it had no incentive to. Three or four business moves later, I am left with (a new) AT&T as a de facto monopoly that is virtually unregulated and is way worse than the old AT&T was as far as innovation (and price control) goes.
I love the example of AT&T (as an example at least, the reality is as you say tragic). It should be required study for all students of economics. It is a ready-made case-study in everything that went wrong and remains wrong with economic theory (and practice) today.
Believe it or not:
U.S. President George W. Bush first used the term “War on Terror” on 20 September 2001
We are almost 15 years into this madness.
Don’t you mean “They will only do what is personally beneficial for their executives.”? Giving expensive loans to poor people to buy overpriced houses was not good for profitability (at least not long-term) but it didn’t stop them from doing it (and doing it again, now, astoundingly).
A long time ago, in a galaxy far far away, personal gain wasn’t the only consideration in banking’s executive decisions. That was a time before neoliberalism took hold and govt started dismantling regulations and enforcement.
Although I agree with your general theme that this is an area where only governments can invest successfully. I do have to point out that the ICT landscape has grown and deformed dramatically since the days when AT&T was the only carrier in the US and SWIFT didn’t even exist yet (founded 1973).
There were no PC’s, world wide networks, wireless, Internet, cell phones, ECN’s, alternative trading and payment systems and so on, world wide electronic clearing and settlemt. The list goes on and on.
It was positively simplistic when compared to today’s digital world and I’m of the opinion that the Genie is out of the bottle. There will be no cybersecurity/privacy initiative that can span all the networks, software, hardware, regulatory domains, and general ITC innovation.
As you may know the IETF has recognized this and issued a draft to address this at the protocol level
Privacy Requirements for IETF Protocols – draft-cooper-ietf-privacy-requirements-01.txt
One of the outcomes of this situation I have been contemplating is moving to a fully encrypted Internet with hard Identity management. Which we are seeing with software like Signal, BlackPhone, but its a very long way off.
The issues around our financial system are multi-fold. First we have definitional issues around what constitutes critical infrastructure. International payments systems obviously (e.g. SWIFT), then we have Depository/Trust, Clearing and Settlement, Public and Dark trading venues.
On a national level there are many ACH venues, electronic trading systems, the banking sector itself, as well as very insecure startups like VENMO and alternative payment systems. And, there are multiple entry points into these systems, including clever stuff like SMS vulnerabilities via fake cell towers. Here is a link http://www.rosberg.com/#!verji-smc/c1ks0
Anyway, I’m looking forward to Part 2 – but I’m somewhat skeptical.
Yes, the specifics are different now compared to the 1970’s, but the right approach to solving a problem (define what you want, cost it, build it) is the same now as it ever was.
The questions you raise are valid ones. What is essential in terms of the features offered by the financial system ? SWIFT ? Clearings, Card payments ? Exchanges ? HFT ? What can be left to the private sector to manage as it sees best and what is so vital to the collective wellbeing that it is simply too crucial to be left to the whims of “the market” ?
We have governments in order to define just that kind of policy. I argued, in the above article, that government should live up to their responsibility in making those strategic choices and executing programmes to deliver them. And putting up funding — and ensuring it is spent in a value-for-money way — to do that if required (and I would say that it is required).
Instead we have the current laissez-faire (mis) leadership combined with this bizarre combination of simultaneous hectoring and hand waving from government. Either it is a problem which is worth solving so get on and solve it, or else it isn’t in which case quit with the attempts to frighten us. One or the other, Washington, London and Brussels, please.
Very interesting Clive, thanks for this.
I do wonder if the fatal flaw in modern Capitalism is the neoliberal assumption that governments can’t really do anything. Society has been completely brainwashed to the extent that it has become almost literally unthinkable for governments to just step in and solve problems. Here in Ireland, a State company provided electricity to every household in the country at a reasonable cost. Yet now, just like most countries in Europe, electricity policy is a complete mess, because of an insistence that the private sector must be prodded or bribed into doing anything. It has literally become ‘unthinkable’ that the government could just step in and pay for something and do it, because its important that it should be done. Huge problems are being accumulated, and eventually whole infrastructure systems will simply collapse because of incoherent or inadequate investment.
Very enjoyable read. Governments drank the neoliberal kool-aid, ceded their responsibilities to the Market and now sternly lecture the Market for not acting like a govt. Oh, that’ll work.
Thanks for this post. Looking forward to pt. 2.