Cyberwar-ready

September 11 brought a low-tech surprise attack. Financial industry security strategists don't want to be caught napping for what might come next: information warfare and cyberterrorism.

    By Steven Brull and John Wagley
    November 2001
    Institutional Investor Magazine

    Exactly one week before the devastation of September 11 brought financial markets to a halt, a different kind of crash afflicted two of the biggest banks in the U.S. Though easily forgotten after the mayhem that followed, the earlier incident provided an eerie foreshadowing of the risks and vulnerabilities that financial institutions would soon have to confront far more urgently and rigorously than ever before.

    What happened on September 4 seemed, at the time, serious, even catastrophic, to the banks and customers affected. It was the day after Labor Day, and that afternoon one of the busiest electronic banking networks (the 2,000 automated teller machines owned by Citibank, as well as its debit card and online banking systems) suffered a complete breakdown. The failure was nationwide, but its effects were most noticeable in New York, where thousands of customers scurried from bank to bank and from supermarket to bodega in a vain search for machines that would accept their cards.

    Citibank was off-line for about five hours and wasn't back to normal for a full 24 hours. By that time, rival J.P. Morgan Chase & Co. had ATM problems of its own: Many of its 1,900 machines would not let customers finish transactions that they had started.

    That Citibank's problem was followed so closely by another, albeit less serious, outage at a close competitor raised some disturbing possibilities: Were the breakdowns coincidental? Were the banks, which issued terse statements blaming their problems on software glitches, hiding a more harrowing truth? Could they have been victims of organized electronic sabotage?

    "That was our initial reaction," recalls William Marlow, chief strategy officer of Predictive Systems, a New York-based consulting firm that specializes in information security. But Marlow gets paid to think that way. His company administers the Financial Services Information Sharing and Analysis Center, a voluntary association of major financial institutions. The center, known as FS/ISAC (there are corresponding ISACs for other "critical infrastructure" industries, such as energy and transportation), serves as a clearinghouse and reference source on computer viruses, hacking incidents and other technology threats and nuisances.

    When Citibank's troubles surfaced, FS/ISAC sprang into action. It didn't take long for Marlow and his team to conclude that there had been no external attack on the ATM network and to spread the word. At Citibank a routine systems upgrade had simply gone haywire. The software defect at J.P. Morgan was unrelated, a true coincidence.

    Computer programmers and operators, the world was reminded, are only human. And sometimes their actions cause unexpected consequences. On September 4 and 5 they provided an education, inadvertently exposing the fragility of an automated 24/7 service that millions of consumers had blithely taken for granted. And in that lesson lurked clues to what could happen if a skilled criminal cabal or hostile power somehow did to the financial infrastructure what the hijackers did to the World Trade Center and the Pentagon.

    Once the towers fell, the nation turned its attention to terror in all its forms, whether by hijackings, bombs and bullets or biological or chemical agents. The technological specter of cyberterrorism may appear less visible than the others, but not in the eyes of policymakers who had long been alarmed about cyberrisks and whose concerns were only reignited on that most terrible of September Tuesdays.

    Within days, the U.S. Federal Bureau of Investigation issued a warning to corporations and government agencies to be on guard against hacking and other electronic assaults on their computer networks; Attorney General John Ashcroft listed "weapons of mass disruption" alongside "weapons of mass destruction" as a major government and military concern; and the congressional General Accounting Office issued a report faulting the government for being too slow to prepare for cyberattacks, including state-sponsored information warfare.

    In early October President George W. Bush responded by appointing veteran Central Intelligence Agency counterterrorism expert Richard Clarke to head a new federal cybersecurity office. Its mandate for bolstering so-called critical infrastructure protection extends to private sectors, such as financial institutions, which, witness FS/ISAC, were already on a heightened state of alert.

    Last month FS/ISAC members convened in Fort Myers, Florida, to assess their cyberdefenses and determine how they will have to change in light of recent developments. The conferees had plenty on their minds. Just seven days after the World Trade Center tragedy, the Nimda virus struck tens of thousands of computer servers around the globe. Computer industry analysts were estimating that the damage it caused could exceed the $2 billion to $3 billion cost of its summertime predecessor, the Code Red worm. That pales next to the $50 billion to $100 billion of insurance claims likely to be related to September 11, but the Nimda virus remains a potent symbol of corporate preparedness. "Firms are still suffering from that virus. It shows that they still don't have their acts all together," says Wolfgang Friedel, chief executive officer of Zurich IC2, a risk management consulting subsidiary of Zurich Financial Services Group.

    Shared knowledge within and among affected industries can serve as a line of defense, and that's where FS/ISAC comes in. "We've done some serious analysis and come up with some gaps that definitely need answers, and a lot of these require 90-day solutions," says Stanley Järocki, chairman of FS/ISAC and vice president of security operations at Morgan Stanley. (Because of Järocki's elected office, Morgan Stanley is one of only a handful of institutions whose participation in the 40-member FS/ISAC is made public. Other members with officers or directors include American Express Co., Bank of America Corp. and Merrill Lynch & Co. Järocki emphasizes that he speaks only in his capacity as leader of the information sharing group.)

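    For security reasons, Järocki won't discuss the details of any recently discovered vulnerabilities or solutions. But he says: "Right now in the world of cyberattacks, it's a horse race. The cyberattackers have been winning. They are always a little ahead. My theory is that we can make it a photo finish. That way we can greatly reduce the risk and cost to our industry."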

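    Some of the financial community's initial responses to terrorism have been highly visible. Physical security, entry barriers, personal searches and the like have all been stepped up. Firms have also been applying to insurance companies for a new type of policy, on the market for only the past year or two, that protects against a range of cyberrisks, including terrorism.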

    Especially in the New York financial district, institutions have begun reexamining and reemphasizing contingency planning, now translated into a buzzword: business continuity. Bank of New York Co., a major clearer and custodian of securities, became an object lesson: Its primary and backup processing sites were both close enough to the World Trade Center to be disrupted for days. The resulting delays in transaction settlements required liquidity infusions from the Federal Reserve Board and forbearance by counterparties, which under ordinary circumstances would have been subject to untold financial risks.

    The obvious answer is to put more distance between operating centers; but some firms faced difficulties more extreme than BoNY's, according to Kenneth Ammon, CEO of Netsec, a network security management firm in Herndon, Virginia. At least two small tenants of one World Trade Center tower had been backing up their data at the other one, says Ammon, though he won't name them.

    "As an industry we are taking it upon ourselves to improve procedures by learning from what we did over those first two to three weeks," says John Panchery, vice president of information technology at the Securities Industry Association. "There are things we can do to plan ahead, for example, by making sure people have clear instructions on where to go if an event like this happens."

    Such responses don't come a minute too soon. Says Jay Ehrenreich, a PricewaterhouseCoopers expert on cybercrime, "We in the United States have got the most to lose, and therefore we have to do more to protect our assets." And, he adds, threats to the financial system are neither idle nor theoretical. "We've already seen cyberwar," he says.

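    Official or quasi-official cyberforces have recently squared off in the conflicts between India and Pakistan and between Israel and the Palestinians, with one or both sides defacing or disabling the other's Web sites. After China downed a U.S. spy plane last April, hackers toyed with U.S. government Web sites for weeks. That led some investigators to suspect that China was the source of the Code Red worm, but, as usual, there was no proof.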

    Citing such incidents, the Institute for Security Technology Studies at Dartmouth College recently warned that the U.S. is all but certain to be subjected to cyberattacks in the current confrontation with Islamic extremists. California Attorney General Bill Lockyer believes they may have already happened. He said in October that he was launching an investigation into more than 100 attacks over a three-month period, many against California companies, that appeared to be coordinated and that stopped abruptly and suspiciously on September 10.

    In a September report the Dartmouth institute's director, Michael Vatis, noted that the banking and financial infrastructure makes an especially inviting target for cyberattackers.

    The good news is that much of the banking world's data and money reside on and move over private networks that tend to be insulated from Internet threats. The downside is that banks, brokerages and mutual fund complexes now pride themselves on the Internet-based e-business infrastructures that they have assembled over the past half decade. These systems are meant to be welcoming and convenient to customers and business partners. They don't have the same hardened perimeter security of mainframe computers and private communications lines.

    Timothy Shimeall, senior analyst with the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh, a leading repository of computer threat data, says, "The biggest risk would be that bank information is corrupted to the point where the bank can't trust the information on its own computers." But he notes that financial institutions in general have maintained a high level of concern, and readiness. "They're pretty well defended and, more important, pretty vigilant about their systems," he says.

    Technological defenses (what PricewaterhouseCoopers's Ehrenreich calls "logical security") are one thing. But cybersecurity has a more physical and human side that a growing chorus of security experts are saying has been dangerously neglected. All the firewalls and encryption systems in the world won't stop a disgruntled employee or an unscrupulous consultant who possesses the right passwords or knows how to penetrate software defenses. "Companies give many people access to a more damaging level of information than you would believe," says Taher Elgamal, chief executive officer of Securify, a Mountain View, California, security management firm.

    Outside contractors, Netsec's Ammon estimates, comprise 50 percent or more of the head count in many companies' technology departments, and they can easily fall through security cracks. "We've seen more than a handful of cases where inside consultants are disgruntled and create 'back doors' to give them access [to computer systems] once they're gone," Ammon says.

    Winn Schwartau, author of Information Warfare: Chaos on the Electronic Superhighway, and president of Seminole, Florida-based consulting firm Interpact, looks below the tech employee radar screen: "Think about the office cleaning staff or the security guards." Schwartau expects to see more digging into the personal backgrounds of people in sensitive jobs, and from now on more jobs will be viewed as sensitive.

    Says Ehrenreich: "As many as 90 percent of IT thefts are done by employees or former employees. So if you do a security assessment, your perimeter defense often isn't as important as internal defense."

    Even as they bolster their physical and personnel defenses, financial institutions are also applying a dose of good old-fashioned risk management: They are buying insurance against the new cyberrisks: hacker intrusions, viruses, theft or loss of intellectual property, denial-of-service attacks, computerized extortion or embezzlement and cyberterrorism.

    It was certainly timely that several major insurance companies had a specialized line of cyberpolicies in place before the terrorist assault. But it took them awhile to get there.

    Serious losses from computer crime have been a concern at least since 1994, when a 24-year-old Russian programmer relieved Citibank of $10 million. As damage claims mounted over the years, major European and American reinsurers became increasingly reluctant to provide coverage under policies then in force. Primary insurers, in turn, added exclusions to their policies. To fill that gap, insurance companies began over the past couple of years to fashion the new coverage, and marketing by the likes of American International Group, Hartford Financial Services Group, St. Paul Cos. and Zurich Financial Services Group had just kicked into high gear this year.

    Ty Sagalow, chief operating officer of AIG eBusiness Risk Solutions, notes that interest in cyberpolicies has risen steadily since AIG introduced them two years ago. "But our natural growth was nothing near what I've seen since September 11," he says. "Demand is at least double what it was just before."

    At Chubb, which provides cyberinsurance mainly to financial institutions, applications in September were up 50 percent from August. "There's the old saying about why people rob banks: because that's where the money is," says Tracey Vispoli, cybersolutions manager at Warren, New Jersey-based Chubb. "We have a lot of interest from the banking community, both large and community banks." She adds that broker-dealers, mutual fund companies and investment advisers have also been inquiring more than ever.

    That's also the case at Zurich North America. "We're fielding a lot more calls and seeing an increase in applications," says David O'Neill, the company's vice president of e-business solutions. "Cyberterrorism and viruses overall have captured people's attention. They are reading their [existing] contracts and realizing there is no remuneration for many cyberevents, which explains why our industry wants to separate this area into stand-alone products."

    Corporations' interest in cyberinsurance reinforces the notion that information technology crimes are epidemic. According to the San Francisco-based Computer Security Institute's most recent survey of large U.S. corporations and government agencies, 85 percent of 538 respondents suffered security breaches in 2000, and 64 percent sustained financial losses. For the 186 entities that disclosed loss details, the total amounted to $378 million. The leading causes of harm: proprietary information theft, financial fraud and computer viruses.

    CERT in Pittsburgh says it received 34,754 reports of security incidents in the first nine months of this year, 12,998 more than in all of 2000.

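    "It's amazing, the kinds of losses I've seen," says Michael Rossi, president of Insurance Law Group in Los Angeles. According to Rossi, a single computer virus can cost a company as much as $15 million. "The biggest cyberextortion loss I've seen was about $20 million," he says, referring to a case in which credit card numbers were stolen from an online merchant's computers and held for ransom. He adds: "The biggest trade-secret theft I've seen was $50 million."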

    According to scuttlebutt among cybercrime watchers like CERT's Shimeall, the biggest of all losses was £400 million ($577 million), suffered at the hands of hackers by a group of unnamed U.S. and U.K. banks in 1996. The incident was reported in the London press, but no banks ever came forward and confirmed the loss.

    Given the ready availability of cyberinsurance, Rossi says, "companies should be actively reviewing their existing policies and thinking of alternative plans before their next insurance renewal."

    Carriers say that many clients are already changing their cyberinsurance priorities. Before September 11 they mainly sought coverage for unauthorized system intrusions and cyber-extortion, says AIG's Sagalow. "Now cyberterrorism is on the minds of more people. They are analyzing all aspects of their business continuity and disaster recovery and looking at ways to back up and protect data," he notes.

    Cyberterrorism even has to concern a small bank in the heartland, says David Hadley, chief technology officer at DeepGreen Bank, a $330 million-in-assets online subsidiary of Third Federal Savings and Loan Association of Cleveland. "The vulnerabilities are part of doing business in the cyberworld. Insurance is really the last line of defense," says Hadley. He notes that DeepGreen bought cybercoverage before it opened a year ago.

    After the World Trade Center attack, FS/ISAC, CERT and other monitors detected nothing besides Nimda that could have passed for cyberwarfare. "If anything, attacks were going the other way: hackers on our side were as upset as anybody, and they went after sites in the Middle East," says Christopher King, head of the security practice at White Plains, New York, consulting firm Greenwich Technology Partners.

    In fact, self-proclaimed "hacktivists" launched a campaign to break into Afghanistan government Web sites, causing noticeable havoc with the one operated by the Afghan mission to the United Nations. One group in Europe claimed to have penetrated a Sudanese bank linked to Osama bin Laden's al Qaeda organization.

    Rogue hacktivism can, of course, go in any direction. And it doesn't require a direct assault to bring down the financial infrastructure. Securify's Elgamal says that it can be done indirectly by cutting off power or telecommunications. "It would only take several hours for a nasty collection of people to bring down the East Coast power grid via the Internet," he warns. In that same vein, Netsec's Ammon says: "You could dig up a couple of fiber-optic cables and create a nightmare. You're only as good as your weakest link."

    To FS/ISAC's Järocki, effective security requires awareness and strengthening of those links: "The real question is, What are the interdependencies and how do I make a stronger information sharing structure?"

    And then there is the issue of money. Executives like Järocki now stand to win long-fought battles for security-budget increases. "Security has gotten an awareness push; it has become very visible," he says. But now he and his counterparts at other companies are fighting a war that they can't afford to lose. "It's a constant vigil," says Järocki. "That's the key."