CommSec ® - Communications SecurityCommSec ® - Communications Security


CommSec ® - Communications Security - serving the world

Send email to CommSec ®
Email

 

 

Information Warfare and Finance: A Strategic Target

A Technical Paper by:

Stephen M. Parker, Consultant

CommSec ® – Communications Security

Internet web site: http://www.commsec.com

Email: security@commsec.com

October 24, 1997

Foreword

The technology behind the modern operations of banks and interbank transaction systems is an arcane and complex subject. The security of these systems is as well. There are few outside of specialized bank operations, information management, and security fields who understand how the global banking structure works. There are fewer still that are willing to discuss the subject in much detail, due to security considerations. To truly master the subject requires years of study and involvement in this particular segment of the banking industry.

This paper attempts to discuss the subject at a level the general reader can understand. The true value of this paper is the national security viewpoint it brings to bank network security, rather than an in-depth examination of bank operations. The banking industry is the foundation of the modern financial system, and by extension both American and foreign capitalist economies. At some point, every important financial transaction is conducted through the banking system. As such it is vital to economic health. With the advent of information warfare, the electronic, interdependent nature of banking--and finance in general--combined with its critical nature, makes the banking system a likely target for a strategic attack against a country. This is a new viewpoint for an industry focused on crime, traditional financial crises, and the more recent phenomenon of low-level hacking. It is critical, however, that we master this viewpoint and adapt our banking industry to it, for the threats information warfare poses are different than traditional bank security threats, and will increase as the age of information warfare develops. I ask you to please consider this.

 

Information Warfare and Finance: A Strategic Target

Information warfare has emerged in recent years as a new, exciting, and potentially troubling development in national security. As its possibilities have been examined, it has become obvious that information warfare is in fact a double-edged sword for the United States. While most study has been of information warfare’s tactical and operational possibilities, it is the author’s belief that information warfare’s strategic deep strike capabilities pose the most far-reaching and dangerous implications for American national security.

Because of this potential for strategic information warfare, information warfare’s strategic possibilities deserve to be studied and considered in greater depth. Until its advent, only the ICBM/SLBM threatened American domestic life in any appreciable way. The emergence of such vulnerability caused great trauma among the American people during the Cold War, and it is likely that the widespread knowledge of information warfare’s capabilities, perhaps magnified by actual instances, will cause similar apprehension in the near future. As one report concludes, "major dislocations in American society could be caused by targeting sensitive but unclassified data, such as power systems, electronic funds transfer systems [emphasis added], the PSN [telephone network] and the national airspace management system." While the actual results of such an attack are still unknown, it is likely that any lesser effects of information warfare, as compared to nuclear war, will be at least partially offset by its cheapness, easy accessibility, and difficulty in monitoring, detection, and tracking.

It is the thesis of this paper that the United States and its current information infrastructure is highly susceptible to an attack focused not on military targets, but rather on critical information infrastructures that American society depends upon, such as finance, telecommunications, or transportation. A strategic attack would likely be focused directly at the American public, and would likely be an attempt to strike directly at the economic/political engine of America’s global power, when it would otherwise be impossible. It might also be an attempt to divert attention so that forces inimical to American interests can act within a certain critical period without hindrance on the world stage.

The United States is more and increasingly vulnerable to this form of attack than any other nation because of its highly automated and computerized society. This source of strength is likely America’s Achilles’ heel as well, and enemies will not hesitate to explore its possibilities. Information warfare has the additional advantages for such enemies of stealth, cheapness, quick acquisition, and global reach. "A ‘Third World’ nation could procure a formidable, modern IW capability virtually off-the-shelf." For the cost of a bomber, submarine, or other conventional weapon system, a large and sophisticated information cell could be set up with supercomputers, multiple high-bandwidth network connections, and a great deal of necessary brainpower from various individual, commercial, and military sources. The United States needs to respond to this threat by developing a more robust, self-monitoring infrastructure capable of withstanding repeated attacks. These attacks will be frequent in the next century, and difficult to defeat.

In order to demonstrate the potential of a strategic information strike on the United States, this research focuses on the international banking sector of the American economy. International finance is a particularly tempting target for an information strike, because of its decentralized character, highly computerized infrastructure, incredible speed, and size. It is vital to the continued functioning of American capital markets. The unique aspects of finance, and the vulnerabilities they cause, are discussed. The full implications this threat poses the United States will help illustrate the potential of strategic information warfare. Some solutions are suggested, as are further ideas for protection. Finally, the implications raised relative to international finance are examined in the more general context of the American economy, and a course of action in this new information age is suggested.

Strategic Information Warfare:

First it is necessary to examine some criticisms of information warfare, to truly illustrate the critical nature of the issues being considered. Many charge that information warfare is nothing revolutionary, but rather a faddish rehash of orthodox military ideas. One author states "information warfare has become so expansive a term that it now threatens to become a tautology by encompassing nearly everything beyond the most primitive forms of combat." He goes on to state that "most of the suggestions on potential measures, enemy reactions, and ultimate consequences are speculative beyond plausibility." Such beliefs strongly contrast with the urgency and near-term danger of the issues that are presented. The possibilities of a strategic attack on the financial system are both very plausible, likely, and dangerous to the national security of the United States.

While the scenarios raised in this paper will implicitly contradict such assertions, there are two root causes of information warfare’s powerful new possibilities as a weapon of strategic attack. Foremost is the pervasiveness of information and information systems in all aspects of modern life. Due to this, the effects of information manipulation are becoming both more widespread and more effective than at any prior time. Second is the combination of these systems around computers to create highly automated command and control systems that, for the first time, present a central target that will cause widespread effect.

A perfect example of this is the Federal Aviation Administration’s "Free Skies" policy using the American military’s Global Positioning System (GPS). Rather than relying on traditional ground control stations (VOR/VORTAC’s), the policy seeks to decentralize control to the transiting planes through the use of automated navigational systems dependent on the highly accurate GPS. This has the potential to remove large inefficiencies in the current system. However, it also provides a central target to incapacitate or control the American (and likely someday global) air transit system. Where before it would have been necessary to target thousands of ground VORTAC navigational beacons, the introduction of GPS creates just one critical target. The United States military’s ability to encrypt, stop specific geographic service, control accuracy, and otherwise deny service indicates the existence of a central "switch." No matter how well protected electronically and physically (and it is well protected), the existence of such a target will tempt attacks, and it is possible that one will someday succeed.

This is the powerful and revolutionary nature of information warfare. While the field does indeed incorporate old and established tenets of military action, as critics charge, its potentials are established in the new pervasiveness and computerization of modern information systems. This is immediately obvious in the modern foundations of American life, like credit cards, ATM’s, computer networks, telephones, and airplanes, and will continue to grow. This is the danger that American life faces in the new information era.

Finance as a Target:

Because of a number of unique characteristics, finance is an almost certain target for a strategic information strike against the United States. The financial industry is information-based, highly computerized, decentralized, interdependent, and manages the intangible product of money, whose value is based entirely on global perception of its economic value. Together, these characteristics create a target by nature vulnerable to information warfare, critical to the health of American society, and so basic to society as to propagate the effects of an attack through every sector of life. An attack would at the least divert American attention to a domestic crisis; at most it might cause a financial crisis of global proportions, and even an economic meltdown.

The financial industry is variously defined by the handling, holding, transferring, accounting for, and general information about money, the lifeblood of America’s capitalist society. Nearly every daily interaction involves money in some way. Money and finance are therefore a critical node of American life. When the telephone fails, it is extremely inconvenient. When the plane does not fly, business and vacations suffer. But when ATM’s, credit cards, checks, and wire transfers do not work, the modern economy stops. Because money is really nothing more than a form of information that keeps "score" in an incentive-based system, it is highly prone to computerization and automation.

Because it is an industry with intangible information as its basic commodity, the financial sector is deeply interdependent. In fact, it forms a single macrosystem in which the whole is greater than the sum of the parts. Because the industry is so large--the American industry itself transfers nearly two trillion dollars a day, larger than the entire money supply of the United States--the global financial system is largely decentralized (even accounting for recent merger trends), which increases interdependence. In addition, as an information-based industry, finance is very susceptible to misinformation and perception of information. Everything in the industry is predicated on perception. Even the value of money relies solely on a general social perception of its worth. This unique combination of interdependence, highly developed information infrastructure, decentralization, intangibility, perception, and importance to the continued functioning of society, makes it a nearly perfect target of information warfare.

Among the various sectors of finance, international banking is perhaps the most vulnerable, because of its lack of a central authority or funds transfer system. There exists what may be termed "stateless money--a vast, integrated global money and capital system, almost totally outside of all government regulation, that can send billions of Euro-Dollars . . .and other ‘stateless’ currencies hurtling around the world 24 hours a day." Though central banks and bank regulators have adapted to this new electronic order in the fifteen years since it first became apparent, it is still largely true today. Walter Wriston, the former Chairman of Citicorp, recently stated: "Money goes where it is wanted, and stays were it is well treated . . .technology has overwhelmed public policy [emphasis added] . . .Now the Fed could tell us [Citibank] to buy $100 million [on the foreign exchange market to support the US currency] and this would be pooping money down a well [it would have little effect]."

American domestic banking and funds transfer is tightly controlled and regulated by the Federal Reserve System (commonly referred to as the "Fed"), which has the full faith and backing of the US Government and its seven trillion dollar economy. The same is true of nearly every developed nation of the world. In effect, the domestic banking system is secured by the American economy as collateral. International banking has no such guarantee. Instead, it is governed by bank-to-bank relationships, as well as cooperative private agreements, organizations, and standards. "The failure of one or more participants [of these cooperative payment organizations] to settle end-of-day deficits could result in unacceptable demands on central banks as lenders of last resort, or in a cascade of settlement failures that would precipitate national or even international financial crises." The only security for these systems is the collateral of the member banks, which compared to the trillions transferred daily, is small. While pledged collateral levels have been designed to maintain system integrity during a mid-level banking crisis (in one case, the failure of three major U.S. banks), they cannot withstand a full-fledged collapse. In addition, these safeguards have been designed with naturally occurring economic or financial crises ("natural crises"), fraud, and low-level hacking (the local Legion of Doom chapter or bored college student) in mind, not a large scale, destructive attack that could be mounted by a foreign nation or sophisticated terrorist group with economic sabotage in mind.

In addition to these vulnerabilities, international banking faces the same Access vs. Security Dilemma that confronts the entire banking sector. In order to maintain money’s liquidity, the banking industry must be highly accessible to its customers, as illustrated by ATM’s, credit cards, and the ability to transfer funds between any two banks in the world. This is the basis of the industry’s high interdependence. At the same time, it is necessary that customers’ accounts and funds be kept secure. Without such assurance, the banking industry’s perception of reliability is destroyed, customers’ trust is lost, and the system falls apart. The epitome of security is an isolated network that is inaccessible to the outside, which is directly antithetical to interdependence and accessibility. Banking must find a balance that maintains the most security possible without disrupting access. Whatever that balance, the necessity of access and interconnection will always make the possibility of unauthorized access a danger.

Together, the characteristics of international banking create a system with many points of attack, but a number of central targets, which would propagate effects throughout the United States and the developed world. Two major targets are the New York Clearinghouse Interbank Payment System (CHIPS), which handles 95% of all worldwide American dollar fund transfers, and the Society for Worldwide Interbank Financial Telecommunications (SWIFT), the main international interbank funds wire network.

The largest target of all would be Fedwire, the Federal Reserve’s fund wire system, and the internal Fed database accounts of all member banks. The entire domestic banking system, the CHIPS system, and much of the world’s capital markets hinge on the continued operation and integrity of the Federal Reserve System. It is perhaps the crucial lynchpin in the world economy, because it is the "owner" of the American dollar, the single most important currency in the world. Even with the resurgence of Japan and Germany, the dollar is by far the most used currency of international transactions.

Therefore, should the Federal Reserve fail, the effects would be catastrophic. However, the corruption of CHIPS or SWIFT poses nearly as much danger. Points of attack on any of these targets may be the Fed’s or cooperative private organizations’ central computers, member institutions, or any financial institution that is connected indirectly to these systems. Focused correctly, a well-prepared attack could cause chaos throughout the international system.

IW Strike on International Banking:

Any information strike seeking to cause damage to the American financial system by attacking international banking would focus on a several large vulnerabilities in current bank security and the banking structure. An attack would exploit these vulnerabilities through three basic methods:

  1. Attack a bank’s internal systems to modify accounts and/or cause unauthorized transactions.
  2. Attack the interbank fund transfer systems to cause unauthorized transactions between banks.
  3. Use some combination of both for a greater effect.

The purpose of an attack could be anything from causing distraction to causing a massive economic crisis in America. Whatever the focus of an attack, an IW strike would seek to damage the banking system in three separate ways:

  1. Corrupt/deny service to the underlying technology systems that bank operations rely on, disrupting business and cause harm to individual or multiple banks.
  2. Perpetuate an artificially caused crisis by causing a chain of events that would use the banking system itself to amplify and propagate it throughout the system.
  3. Subtlely corrupt various systems over an extended period of time to cause quiet erosion of confidence by the public rather than an immediate crisis.

The last option would require the most patience, take the longest time, and require the greatest skill. It would be well suited for an enemy that wanted to conduct "guerrilla infowar" rather than confront the US immediately or directly. Its effects, by undermining public confidence, causing economic inefficiencies, and damaging the liquidity of money, could be tremendous, but in order to be effective it would have to be done subtly on a grand scale. For these reasons, and the fact that it would utilize some of the same vulnerabilities discussed below, and likely be detected by the same policies, the research below will concentrate on the first two modes of attack.

An information strike on the international banking sector could target a number of vulnerabilities in the banking infrastructure to successfully prosecute these attacks. Among these are the lag time in international funds transaction monitoring, a lack of manpower to deal with significant problems, a dynamic market that leaves little room to pause and make corrections, and the possibility of creating a self-sustaining crisis by utilizing public perception and causing panic.

It is very important to emphasize that the banking system is very well protected, and security is improving. Banks, their brethren in financial securities, and interbank structures have invested billions of dollars over the last twenty years in sophisticated security measures. As a result of advancing technology and incidents such as the recent American Savings & Loan (S&L) debacle, regulatory organizations in the US, Japan, and Europe have strengthened regulations to limit both operational (underlying technology systems) and systemic (overall banking structure and business method) risks.

New rules have been put in place to regulate credit risks of interbank transactions. The sudden advent of the microprocessor caused serious security risks because of newly empowered hackers and unsecured, decentralized LAN’s. These threats have been considered and integrated into the overall security measures of banks with the implementation of technologies such as firewalls. Encryption measures have increased and become more sophisticated, especially on the international scene. Multitudes of security layers have been put in place. Individual bank personnel have limited access and power--the system is somewhat analogous to the dual-key operation required for nuclear missile operation. Checks and counterchecks are almost too numerous to count, much less easily defeated, to avoid long-term detection.

The result is that banks are extremely confident of their security measures. While a successful attack may have been conceivable a decade ago, there is a general belief today that while not impossible, it is so unlikely as to be unimportant. Even so, banks continue to improve their security measures with a view to the increasing sophistication of criminals.

This is a rational mindset, because there are indications that there are still holes in security systems, even at major banks. The recent $12 million Citicorp break-in by Russian crackers in St. Petersburg is a prime example. It took Citibank nearly five months to detect and stop the intrusions into their cash-management system, the very core of Citibank’s funds system.

There are other indications as well. While not substantiated, it is widely known that a number of banks have been blackmailed by crackers who have threatened to damage or destroy accounts unless a "ransom" was paid. The crackers’ ability to carry out these threats were usually substantiated by demonstrating access to highly critical and secure bank systems, or actually corrupting systems and holding data "hostage." In addition, there are reports that travel through the underground cracker community detailing vulnerabilities and methods of attacks, as well as successful crimes. One such report which the author received caused concern at a major US bank. It detailed a successful attack, again on Citibank’s funds-transfer systems, through a mind-numbing trial-and-error process, that eventually allowed the crackers to lift enough money electronically to pay for the remainder of their college education. All these incidents seem to give lie to banks’ beliefs in their safety.

These incidents have not damaged banks’ general belief in their security systems, however. While the St. Petersburg criminals penetrated Citibank’s cash-management network, the industry belief is that it would have been impossible for even a group of well-experienced crackers to break Citibank’s security without insider cooperation. Even so, the operation was detected and preventive action taken. For the job to have been much more effective, they would have needed the cooperation of an unlikely number of insiders.

This viewpoint exposes the vulnerability in the banks’ security precautions, and an institutional blind spot. No current security measures have been designed with a large-scale destructive electronic attack in mind. Little, if any, work is being conducted to incorporate such precautions in future systems. The industry belief is that the current mostly strong precautions and continuing efforts against fraud and natural errors will also protect banks against additional threats from information warfare. Specific protection against such attacks is a very low priority, if one at all. Little consideration has been applied to the fact that a large, sophisticated terrorist group, or an enemy nation, could mount a long and patiently prepared, lightning quick, large-scale parallel attack on the banking system. This could possibly overcome existing defenses through scale and preparation, and be over before current systems detect the attack or prepare a response. A useful analogy is the Coalition campaign against Iraqi forces in the closing days of the Persian Gulf War.

Individual Bank Vulnerabilities:

The largest vulnerability in bank security systems is the lag time in fund monitoring. Nearly all checks are on daily, weekly, or monthly time-scales. Even newer, more stringent regulations require banks to know their business position only two or three times a day. These precautions are adequate when one considers that they have been put in place to guard against natural problems (human error, bank failures due to improper planning and fund management, etc.), or fraud, which must be conducted subtly over long periods to be successful and retrieve funds.

These precautions are not sufficient when one considers that the actual attack during an information strike can be accomplished in minutes or hours, with enough preparation and resources (in people and computing power/access). There is no need to hide the activity after a certain threshold of damage (unless one is conducting the long, subtle confidence attack), because the very point of the attack is to cause noticeable damage. It does not matter how many checks and counter-checks there are if they do not detect the attack until after it has been successfully prosecuted and a serious, perhaps uncorrectable, crisis has begun.

With the cost of information warfare so low as compared to conventional methods, and the necessary amounts of brainpower cheap and available with the breakup of the Soviet bloc and the spread of commercial computer technology and know-how, it would be little problem for even a "Third World" nation to use a window smaller than an hour. Even the St. Petersburg criminals, with a small operation, could have caused significant, though obvious, damage to Citibank had they not cared about being detected within hours. With the access they had, the severity of the attack would have been significant, perhaps limited only by the rank of the supposed insider cooperation. The higher the status of the insiders, the more probable that large fund values could have been affected.

The second most dangerous bank vulnerability is the question of personnel. The most time-honored method of subverting security systems is to suborn the people in control. One IW author points out that with all of contemporary literature’s treatment of computer systems as automated, corporate beings, it is still people that are in charge, and therefore a logical target. The banks have taken reasonable precautions to spread operational control and authority throughout their organizations to make individual or small-group sabotage unlikely. However, they have not considered the time, money, and incentives a foreign government or sophisticated terrorist organization would have in order to overcome this difficulty.

Any such enemy might have years in which to recruit personnel, introduce moles, or conduct any other intelligence operations that governments routinely deal with, but which companies are mostly unused to. Most importantly, such an enemy just might have the resources to conduct such an operation at many banks, introducing the possibility of initiating a financial crisis at multiple points to overwhelm security regulations focused on preventing smaller-scale attacks. Again, the institutional blind spot against a massive attack that would be likely in a strategic IW strike leaves a large gap in existing defenses.

There are a number of difficulties with this approach. Foremost, the more people one contacts and tries to subvert, the more likely the operation will be discovered, and the advantage of strategic surprise lost. Secondly, moving one’s own people into sensitive positions could take years, and they might only be of use one time. For these reasons, the author believes that electronic attack is of a greater danger. However, there are a number of other factors that partly balance these complications. Bank employment and internal clearance is not nearly as linked to nationality as national security careers are. For this reason, it might be easier to place agents. Secondly, it might be possible to disguise an operation with a facade of fraud, hiding the true national security threat that might otherwise test an individual’s national loyalty, or hiding the disastrous results that might test a person’s sanity.

Another vulnerability dealing with personnel is the industry’s lack of appropriately qualified computer systems people. In the case of any large-scale attack, the banking industry simply would not have enough people of suitable skills to track down all the problems and rectify them with current technology and legacy systems. Banks have just enough personnel to deal with current problems of the natural, criminal, and cracker natures.

In one recent case, a major American bank had problems combining two separate operations networks after a merger with another bank. One symptom of these difficulties was dropped or lost transaction messages. While the bank recorded that transactions were sent, the actual messages never did leave due to operational errors. The number of times this happened because of these "natural" problems is small compared to what the bank could expect in an information strike. However, the bank’s personnel strained to keep up with and correct even these relatively few irregularities, and took a good deal of time correcting the problem. In a strategic attack, they would likely be inundated. To worsen matters, each bank currently operates a basically custom internal network, so additional information management (IM) personnel from other banks or industries would be of limited use at the most critical time, while they familiarized themselves with bank’s systems.

Interbank System Vulnerabilities: CHIPS, SWIFT, and Fedwire:

In attacking the international banking structure, the most centralized vulnerabilities are in the interbank payment systems. The big three for American banking are the Federal Reserve’s Fedwire fund transfer system and its internal bank accounts, the New York CHIPS dollar transfer system, and the international SWIFT communications network. Penetrating the latter two would have disastrous consequences. Penetrating the Fed systems, even if only the Federal Reserve Bank of New York, would be an utter nightmare.

CHIPS is illustrative of the strengths and vulnerabilities of these systems. Its security is highly sophisticated. The main computers are located in a fort-like Manhattan building that would be appropriate to a secure military facility. A back-up site is located in New Jersey for instant redundancy. There may well be another site, but if so it is well hidden and not discussed. Both sites have multiple back-up power and communications sub-systems. In total, physical security is excellent.

Members of the CHIPS network are connected to two central computers at each site, either of which can handle the entire system load by themselves, through dedicated land-lines. Communications are encrypted and digitally signed to add additional redundancy. If there is any irregularity, the dedicated line is severed from the central computers, and the member bank is consequentially removed from the system until the problem is resolved. This system of redundant checks guarantees the electronic integrity of the CHIPS system.

Additionally, there are a number of checks against the systemic (business method, rather than technological) risks CHIPS introduces. The danger inherent in the CHIPS system is that it makes transfers by authorizing debits/credits, which result in positive or negative positions at member banks during the day. Negative positions are not covered until end of day settlement; during the day, fund transfers that are to cover a negative position may not yet be received. The large volumes and values of transfers make them difficult to handle and settle immediately or intra-daily. At the end of the day, a final tally of each bank’s position is made, and appropriate funds are transferred through a special escrow account at the New York Federal Reserve to make the member banks’ positions at the Federal Reserve match their CHIPS end-of-day accounts (see Figure 1).

Figure 1

This system introduces the danger that a member bank may not have the funds at the close-of-business (COB) to fulfill a negative position. In fact, this occurred a decade ago during the Latin American debt crisis, when Brazil’s national bank (Banco do Brazil) did not have enough funds in its various accounts one night to balance accounts debited by the CHIPS system. The crisis was handled by the other members cooperatively lending Banco do Brazil enough to meet its obligations, then removing it from the system.

Today, to prevent a similar situation, with perhaps more disastrous consequences, CHIPS uses a sophisticated real-time monitoring system to monitor caps, established by members, on the amount of money that can be owed at any one time ("daylight overdrafts") by one bank to another bank (bilateral limit), and by one bank to all the banks in the system (multilateral or overall debt limits). In addition, each member of the system has pledged enough securities (held in a special Federal Reserve account), so that the system as a whole can cover three major bank failures.

Should all these precautions fail, and should for some reason the Federal Reserve not act as a lender of last resort, the last option CHIPS has is to unravel all the day’s transactions to isolate the failed institution or institutions. Analyses have indicated that if this option were ever used, an additional 20-25 banks would be temporarily insolvent, causing financial gridlock until the situation were cleared up and that day’s payments again honored.

Again, however, the publicized security precautions (there may be others that are kept secret) do not adequately consider a large-scale attack. Even with the safeguards CHIPS has, there are several possible ways to cause a general crisis. The current safeguards are focused against natural disasters like the Banco do Brazil crisis, not meditated penetrations seeking destructive consequences. Utilizing penetration, either by electronic attack, insider personnel, or forced entry by special operations forces, an enemy might seek to quietly corrupt the daylight overdraft limits so that the system is no longer as well secured against bank failure. It might also initiate unauthorized CHIPS transactions to confuse or enlarge daylight overdrafts for multiple members, causing end-of-day settlement failures for banks. Less likely, due to the fourfold redundancy of the central computers, it might try to saturate the system with a critical threshold of transactions (perhaps by inserting viruses or other automated programs) to cause the system to overload, make mistakes, or hopelessly confuse accounts.

Any of these actions would have the potential to affect over a trillion dollars a day in transactions. It is possible that if accounts and transactions were corrupted enough through any of these means (or through separate individual attacks against member banks to cause settlement failure at COB), and enough major banks were artificially insolvent and unable to settle at day’s end, the Federal Reserve might choose to undo the day’s transactions to correct the crisis, rather than give the banks enough funds to cover their overdrafts and then try to clean up while business continued. If such were the case, the situation would get worse before getting better, perhaps closing the international banking system for days, or even weeks, while the crisis was repaired. In such a case, the IW attacker would have managed a masterful job of maneuvering the Fed into a difficult position, and forcing it to worsen the crisis in order to fix it.

Again, the personnel issue arises in evaluating CHIPS security. A lot of precautions have been taken to keep CHIPS from becoming the venue for the largest bank heist in history through insider cooperation. However, it is likely that a foreign government could obtain the cooperation of internal personnel, or place moles on the inside, through various methods familiar to the intelligence community. Alternatively, it is likely that a government could use special operations forces to penetrate the physical security of the interbank systems, and even the back-up systems.

On a more arcane and destructive level, a large, sophisticated enemy might also have access to EMF or similar weapons to cause denial-of-service rather than corruption, and could target such weapons at these central payments systems. The effects of denial-of-service would be disastrous. With the path for $1.2 trillion a day blocked, the financial system would virtually halt in its tracks. The financial system would find some other routes for fund transfers because of its complexity and redundancy, but the sheer size and importance of CHIPS makes it impossible to replace or do without in the short-run. The full effects of any such situation are unpredictable, but frightening to contemplate.

Other attacks, operating under different limitations and circumstances, but utilizing similar approaches, could be used against Fedwire and SWIFT. Both have similar, but little discussed, security measures. Fedwire actually does transfer funds, so CHIPS’s systemic risk is not an issue. Technologically, the Fed is extremely secretive about Fedwire’s security precautions, so there is little information to focus on vulnerabilities. It is likely, however, that a foreign government with a sophisticated intelligence setup could probably find some weaknesses and plot an attack.

SWIFT, as a more general financial communications network, has the fewest safeguards. It is not actually a fund transaction system, but rather a dedicated network for financial communication utilized by commercial and investment banks. It is, however, the dominant international fund transaction network because banks use it to transfer bilateral non-revocable debit/credit messages that credit an internal account at one bank and debit a corresponding internal account at another. This credit/debiting account-balancing scheme is the way international fund transactions are conducted (see Figure 2).

Figure 2While a breach of integrity in this network is unlikely due to authentication precautions similar in sophistication to CHIPS, a successful penetration could give a group the ability to send thousands of illegitimate transaction messages to nearly any bank in the world. Banks would honor these messages and make the dictated credit/debit transactions. The perpetrators would then have a period of time before the illegitimate transactions would be discovered to prosecute their attack.

The current state of transaction monitoring for international transfers would give the crackers approximately a 48-72 hour window to prosecute such an attack before detection. The travails of the major US bank, which had problems merging its systems, are illustrative of this point. It can take as long as 48 hours before banks notice that funds did not arrived where and when they were supposed to. Unless the amounts were visibly large or an unacceptable overdraft resulted, the customer also may not be aware of the missing credits.

The customer may first assume that the bank failed to make the transfer due to an internal error. Even so, the customer may also be concerned that a business partner could not make the payment. Once the customer discovers differently, it will check with the involved bank, which checks its records and discovers the irregularity, if it has not done so already. The problem may still not be resolved, however, because transactions are non-revocable on SWIFT. The bank must then trace the problem down and discover where the fund transfer instruction was misrouted, i.e. where the money "went," if it did at all. This process can easily take another 24-48 hours.

If such problems are possible simply through incompatible systems and internal or personal mistakes, the danger of exploiting the system for information warfare is tremendous. In the case above, by the time the irregularities were detected, tracked down, and solved, a major information strike that utilized illegitimate messages and other means could have been already completed with disastrous consequences. Together, attacks like these on SWIFT, CHIPS, and Fedwire, or utilizing their weaknesses when attacking individual banks, has the potential to spread the effects of an attack throughout the industry.

Further Vulnerabilities: Dynamism and Perception

The international banking sector, and the banking industry as a whole, share two additional vulnerabilities that a potential attacker might exploit in designing an information strike. These are the very dynamism and speed at which the industry operates, and its dependence on perception. The dependence on perception is perhaps the single greatest threat to banking.

Because of the speed at which the industry operates, no single bank can afford close its doors long enough to try to sort out the effects of an attack. Every day, the rest of the industry continues conducting business and transmitting uncounted transactions. If a bank tried to shut down, waiting transactions would geometrically or exponentially grow daily. Eventually processing them would become impossible. Putting those transactions on hold would also alienate customers, drive away capital, and cause as much difficulty as the IW attack. The result is that banks must likely stay open while attempting to clean up an information strike. This leads to a possibility that the effects could get worse as the bank attempts to conduct business with corrupted systems. It also introduces the possibility that an attacker may leave viruses or logic bombs to continue the damage after the initial attack.

Even the Federal Reserve would have difficulty declaring an artificial bank holiday to give the industry time to correct the crisis. The rest of the international financial system would continue, payments in the US would effectively be halted, and individuals and corporations would find themselves without capital. This is especially true considering the small amount of cash left in the modern economy. Today, cash covers about one percent of total transaction values in the US; this is totally incapable of sustaining the economy. Even a few days would be burdensome. Anything beyond a week would cause economic disaster as firms and people run out of funds to pay for basic operating expenses and the necessities of life.

Checks might fill some of the vacuum, but they are not legal tender. The monetary value of checks might disappear during an attack, as people doubt an issuing bank’s ability to pay. Additionally, in the near future checks are likely to slowly fade away, as they are eclipsed by electronic technologies such as debit and smart cards. The result is that banks will have little time to correct the results of a strategic IW attack.

Banks face their greatest danger from an information strike in public perception, however. The possibility of public perception during an information strike precipitating an even greater crisis is the greatest danger and the single largest potential of a strategic information strike on the banking industry. It is possible that an attacker could utilize public perception to create a panic and potentially cause a collapse similar to the 1930’s.

The main cause of the bank runs during the Great Depression was a distrust of the security of the banking system. Safeguards such as the Federal Deposit Insurance Corporations (FDIC) and Federal Reserve regulations have assuaged this problem, as the recent Savings & Loan (S&L) crisis amply demonstrated (the failure was severe, but because of government safeguards, the public trusted the banking system and didn’t perceive the full scope of the problem). Their greatest value is not in securing the American banking system, but rather in assuring the global public of its security. The complex paradox of the modern financial system is that as long as people believe that a government or governments can handle a crisis, those institutions usually can. The banking industry depends then on public perception of its health and security to maintain it.

The American public put the S & L fiasco down to criminal incompetence on the part of bankers. People and institutions believe that their own bank officials are competent--otherwise he or she would not use that institution. It is the same mindset that the American people use to reelect incumbents while complaining bitterly about politicians. The result is that the general American public believes their money is safe in bank accounts--the mattress-stuffing behavior of the Great Depression generation is gone from the American psyche, which is good for banks, fund liquidity, and banks’ ability to deal with financial crises.

IW commits an end run around the safeguards that have been sufficient to maintain this perception of security. First, if an information strike is successful against a major US bank, or against a number of large banks, it demonstrates that even the most sophisticated systems are vulnerable. The issue is then the ability of even the most competent professionals to safeguard accounts. Second, incompetence isn’t contagious--an IW attack may be, in terms of spreading through the banking system, corrupting one system after another. Finally, the greatest assurance of security in the mind of the public--bank deposit insurance under the FDIC system--depends on accurate records in order to know how much each person lost when the bank failed. The integrity/safety of those records is unlikely in an IW attack.

The greatest danger public perception poses is not from the individual American consumer, however. Rather, it is from the large international corporations and institutions that have great sums of capital invested in American dollar accounts. In the case of a serious, widespread American financial crisis, these institutions would likely try to cut their losses by moving capital out of the country into other currencies. This would have the dual effect of collapsing the American dollar, and collapsing major American banks that hold these accounts.

For example, assume that Mitsubishi has a billion dollar account with Citibank, and worried by the indications of a major American crisis, orders Citibank to convert those dollars to deutchmarks, yen, pounds, or any other convertible currency in order to move their funds out of the US. Citibank, even if untouched by the information strike that touched off the financial crisis, simply may not have such capital immediately available. It would likely become insolvent, especially if other customers were making similar demands. Even if Citibank could deliver Mitsubishi’s funds, attempting to find buyers for billions of American dollars would drive foreign exchange rates down and lower the international value of the American dollar. Multiple institutions attempting the same transactions would collapse the American dollar in an unprecedented way.

The international implications of such a large-scale currency collapse are staggering. The American dollar is still considered the most dependable currency in the world, and more assets are denominated in dollars than in any other currency. Should a currency collapse occur, literally trillions of dollars in international assets would disappear. Such a crisis might make the New York Stock Exchange Crash of 1929 and subsequent bank runs look mild by comparison. This is the true potential of the negative spiral that could be induced by an information strike utilizing public perception.

A Possible Scenario: International Chaos

In 1994, following a spurt of literature on information warfare in American and Russian professional military journals, the People’s Liberation Army of China activated an IW cell to evaluate and prepare China for information warfare. As part of this preparation, a program was put in place to prepare an information strike against the Group of Seven industrial nations. Primary focus was on the United States, as the foremost economy and financial system. The program’s designers emphasized that any such attack would have far-reaching effects, and rebound against China as a major US trading partner. It was never meant to be used. . . .

In July 1997, during the succession struggles following Deng Xioping’s death, deeply reactionary elements in the PLA and Communist Party activated the American part of the program in an effort to cause global chaos and discredit their rival internationalist factions vying for power.

On July 12th, at 1015 hours, personnel at five major American banks uploaded and executed programs onto their bank’s networks, as they had been paid to do two years prior. Within thirty minutes, the programs had gained access to the cash management systems at each bank, and began executing a multitude of unauthorized transactions. At the same time, further programs began infiltrating and gaining control of the multiple nets that together made up those banks’ operations systems. Access was opened to the outside assailants, who further continued to compromise the network and coordinate the attack.

By 1230, billions of dollars had disappeared through a multitude of paths—CHIPS and Fedwire transfers, false SWIFT transactions, internal transfers that disappeared before reaching their destination, accounts which simply disappeared. The first indications of trouble appeared during an intraday check mandated by the Federal Reserve, but the scope of the crisis remained hidden.

By 1400, the crisis was becoming more apparent. Customers were finding themselves without funds. Associated banks that depended on the banks for CHIPS service were discovering incorrect transactions. Bank officers returning from lunch were confronted by multiple messages from their clients demanding explanations. Officers working with accounts were finding problems. Personnel talking over cubicle walls were beginning to figure out that this was not just their account, but widespread. Questioning calls were being made to Operations. However, there were still too many people out to lunch to evaluate the situation, coordinate, and clearly grasp the situation. Between 1200 and 1500, nothing but routine business is conducted in the industry

By 1500, the full scope of the crisis was becoming apparent. Enough decision-makers had returned from business lunches and various other activities to start collecting information on a large scale and coordinating efforts. What they were finding was almost incomprehensible in scope. Personnel were beginning to find evidence of the logic bombs that had been used. Word of the crisis was growing, as stories of executives quickly recalled to their desks spread.

By 1530, the chairmen of the five affected banks were called and appraised of the crisis by Operations. The full situation was still being explored, but it was becoming obvious three banks had suffered severe damage. Two others had somehow managed to escape the full effects of the attack through a combination of good fortune and security procedures. Motives were unknown, but bank robbery or sabotage was suspected. The chairmen, with an eye to close-of-business, ordered an evaluation of the bank’s positions. The FBI and Federal Reserve were called and appraised of the situation. Other banks by this time were demanding information and beginning to stop trading with the affected banks.

By 1600, the banks were beginning to realize just how much money had disappeared or been illegitimately transferred. Communication between banks was slowly making it apparent that the sabotage was not isolated to one bank. The worst case was becoming obvious—the banks would be insolvent at close-of-business, without enough money to settle daylight overdrafts. The chairmen were notified of their likely insolvency. The chairmen asked that the situation be cleared and the needed funds found by 1700.

By 1715, the chairmen of the affected banks were appraised that the banks were not going to find the necessary funds to settle. The chairmen called the New York Fed President and the Federal Reserve Board Chairman to report their situation. The Fed Chairman immediately ordered that CHIPS be kept open past close-of-business as the banks attempted to clear up the crisis and find the missing funds. At about the same time, additional programs left in the bank began to execute, crashing large portions of the networks and destroying data.

By 1800, operations were working feverishly to fix the crisis. Employees at many banks remained at their desks past the end of the day. At a meeting of the CHIPS member banks, a full report of the situation was made. The artificial nature of the crisis was confirmed by comparing available records from the day and various accounts. It became obvious that not only the three main banks were unable to settle, but also a number of the associate banks whose business they handled and who had also been affected. The second attack was also reported, and the likelihood that fixing the crisis would take much longer as a result. The Fed Chairman ordered CHIPS to remain open until 2100 while the banks cleared up their accounts. Word began to reach the rest of the world that CHIPS had been kept open, indicating some sort of financial crisis.

By 2030, the chairmen of the affected banks had received reports that the banks were still unable to satisfy their obligations. The chaos caused by the initial attack, and then the second destructive attack, was simply too much to correct in so little time. The chairmen called the Fed Chairman to report the news. The Chairman ordered CHIPS to be kept open until midnight, and another meeting at 2230.

By 2130, word that CHIPS was still open was spreading through the international financial community. Never before had CHIPS remained open so late—even during the Banco do Brazil crisis over a decade earlier, the crisis had been settled by 2100. In London, Paris, Frankfurt, Geneva, and other European financial centers high-ranking executive were woken up. In Tokyo, fourteen hours ahead, the news rippled through the foreign exchange markets, depressing the dollar.

By the 2230 meeting, it had become obvious that no matter how late CHIPS stayed open, the three major banks would be unable to settle, as would a number of associate banks also affected by the crisis. The issue that now faced the meeting was how to minimize the crisis. The securities held by the Federal Reserve for such a contingency were not enough to handle such large multiple insolvencies. The Federal Reserve had the option of either loaning the remaining amount in order to settle and close CHIPS, or unraveling the day’s CHIPS transactions. Unraveling the day’s CHIPS transactions, never before seriously considered, was pushed by the affected banks that wanted to clear up their positions. The Chairman chose to lend the remaining money and then close CHIPS and the insolvent banks pending correction of the crisis.

When the news was announced when the meeting ended at 2345, the international tumult became full blown. The heads of seven major national banks and the Bank of International Settlements were demanding explanations. Most financiers were awake by this time in Europe and starting to react to rumors. All that was known was that an unprecedented crisis was occurring in the US financial sector. The American dollar was plummeting on international exchanges in response to rumors. A number of international institutions were attempting move capital from American dollars to other currencies. The news of the closing of three major American banks sent shockwaves through the international community. The dollar plummeted even further, causing trillions of dollars in assets to vanish. Upon the opening of the European exchanges, the crisis spread even further. Trading in dollars had to be suspended across Europe by midmorning

Attempting to cut their losses, major international customers ordered their American banks to convert their accounts to other currencies. These demands caused many of the healthy American banks that had escaped the crisis the day before to become insolvent. The crisis spread further, and a number of other institutions began to fail under the strain. The value of the American dollar collapsed even further.

The President was awoken early the next morning to news of the night’s disaster. By midmorning that day, the Fed Chairman was forced to order a bank holiday, closing the American financial system and stemming the losses. Meetings with the heads of state, national banks, and Treasury minister were arranged for later that day, or the next morning. By that time, trillions of dollars had been lost. Financial institutions throughout the world were failing from the collapse of the American currency. The global financial system was on the verge of collapse.

A Likely Scenario?:

Written above is a worst-case scenario. It is likely that bankers involved would anticipate the results of such a crisis, and take actions to head it off during the night. Even this might only stem losses, however. The collapse of the American dollar and banking system would still be possible, as would subsequent international crises caused by the sudden closure of the American system, and the losses suffered by major institutions the day before. And the scenario does not consider the effects of such a crisis on other portions of the financial industry, such as the major stock and futures markets. The securities industry might not be greatly affected, but it is more likely that the complex interactions between the commercial and investment banking industries would exacerbate the crisis.

At the very least, the developed world would be too pre-occupied with handling the crisis as the Chinese reactionaries took control, North Korea invaded South Korea, Iran launched an attack on Saudi Arabia, or some other scenario. It is likely that only a rogue state, madman, or terrorist group would attempt a strike against the American financial system, because of its far-reaching effects. For these groups, however, an IW strike against American finance is an ideal attack.

It is also important to note that a similar attack against another infrastructure, such as telecommunications or transportation, might be effective as well, without as many international implications. The United States needs to be prepared for any of these attacks.

Finally, the use of a financial information strike is not limited to the United States. Many other developed countries are almost as vulnerable, and will continue to become more so as their information infrastructures become more complex. Indeed, for smaller nations, the financial attack is ideal, for the effects would be just as great for that nation, while affecting the international system less than would attacking the linchpin of the world economy that is the United States.

An attack on the banking structure, utilizing attacks on interbank systems, in concordance with large-scale attacks on individual banks, could conceivably cause the largest banks in the United States could find themselves suddenly insolvent at the end of a day, with interbank systems corrupted, internal records in disarray, funds lost, and no one sure what happened or where to start. There is no real certainty as to what might happen at that point. There may only be a small effect that requires weeks of sleepless nights by involved personnel, while the US economy rolls on.

On the other hand, a large enough attack might create enough damage to eventually cause a chain reaction and, potentially a meltdown, first in the financial community, then the general economy, as everyday payments stop. The effects might make the bank failures of the Great Depression look mild by comparison. There is no way to know--the banking system is terribly complex, and no in-depth study of projected results is known. In the author’s opinion, however, the potential for damage is great. There are tremendous safeguards and redundancies built into the banking system, but beyond a certain threshold of damage, it is likely that the very complexity and vitalness to the American economy would cause an uncontrollable reaction, with disastrous consequences.

Solutions to Financial Vulnerability:

The information age, like the nuclear age, has come and will never leave. Instead, society will always face the threat of an information strike, and must learn to live with it as it has the nuclear umbrella. Society’s institutions must adapt in a permanent way to incorporate information security into basic daily operations. There are no silver bullets in information security operations--instead, a constant vigilance is necessary. This must be done through upgraded technology and modification of organizational structures.

In the case of international banking, the scenarios developed above make it obvious that the speed and complexity of modern funds transfers has far outstripped the ability of current auditing schemes to keep up. In addition, the development of information warfare dictates the need for more vigilant monitoring and security systems to guard against sophisticated attack. While a sophisticated terrorist group or foreign government can mount many forms of attack, electronic attack is the most likely. Special operations (physical force) are possible, but unlikely, and only the federal government truly has the resources to defend against them. The use of inside personnel is very likely, but can be combated through more stringent security checks, and greater checks against authority within banks’ computer networks.

That leaves the Byzantine system of separate internal bank networks and inadequate monitoring, open to electronic attack and penetration, as banks’ greatest vulnerability. Its anonymity, cheapness, and global range make it the most likely tool of such a strategic attack. The author suggests the adoption of a decentralized security system spanning the industry, in which each bank is responsible for its own security and the security of its interactions with other institutions. Specifically,

  1. An initiative to push the development of internal, real-time automated auditing/monitoring systems (RAM’s) to track account databases, transactions, and fund transfers for questionable activity. This would allow second-to-second monitoring of all funds within the bank, as well as funds moving between two banks, enabling real-time detection of errors, fraud, or attacks.
  2. Develop intrabank security centers (ISC’s) to provide a birds-eye view of all fund activity within a bank to appropriate officials. This would give banks the ability to quickly and actively detect these attacks and correct the situation. These ISC’s would monitor all internal bank activity, as well as any direct interbank transactions through cooperation with the other bank’s ISC. The ISC would apply human judgment and control of an evolving crisis.
  3. Combine the RAM and ISC with an operational control capability of the bank’s internal networks and fund transaction systems to create an integrated security intrabank system (ISIS) that has the eye’s and ears to detect an attack, human judgment to organize and coordinate against it, and the network control muscle to defeat it.

The decentralized aspect of this proposal has three major advantages. Foremost, it mirrors the organization of the international financial sector as a whole. As such, it will be compatible with current or future monitoring systems in CHIPS, SWIFT, or the Federal Reserve. It will also be both compatible with, and a strong building block of, any future national IW defense system, should one be deemed necessary. Secondly, it divides security responsibility into portions manageable and able to be implemented by individual institutions. This makes decisive action to correct today’s dangerous vulnerabilities likely, rather than delaying while awaiting the completion of a drawn out, centrally designed, and standardized process. Third, it protects proprietary monetary information, which has its own value to financial institutions. Thus, the proposed security apparatus conforms to the needs of the industry, and avoids the creation of a costly, centralized security bureaucracy that on the international scene may pose a threat to national sovereignty.

Real-time Automated Monitoring:

Intrabank real-time automated auditing/monitoring is the necessary foundation on which any defense against information strikes must be built. Current transaction monitoring systems, both intra- and interbank, are designed to catch natural (i.e. not intentionally caused) or fraudulent errors. As such, the auditing systems operate on multi-day and multi-weekly time-scales. This is acceptable for catching conventional operational problems that cause unexpected fund activity (e.g. unintended fund payments/receipt of payments, or the lack thereof) before serious harm is incurred. Any naturally dropped payments are likely to cause simple compensation or overdraft penalties, unlikely to seriously hurt the bank position or the banking system. Fraudulent activity is likely to occur either subtlely or over extended periods of time in order to avoid notice, retrieve the stolen funds, and succeed with the crime. For example, the infamous St. Petersburg attacks on Citibank occurred over a span of five months.

However, a two-to-three day lag in error detection and correction is unacceptable in an age of information strikes, characterized by lightning-fast attacks where the attacker rapidly disappears. For one, the perpetrator is likely long gone by the time the transaction errors are detected. Secondly, the attack is likely to commit intense damage within a short period of time. The attacker’s actions are not limited by the need to retrieve funds, as they are in fraud; instead, his likely objective is to destroy or cripple the targeted system to wreak havoc or destruction. Even long-term attacks, prepared over weeks or months, are likely to be executed within minutes or hours.

Operating under such parameters, the attacker will attempt to cause enough damage before detection so as to make quick correction impossible. The window of attack then becomes the lag time in system monitoring, and the longer the gap, the more probable the attacker will accomplish his goals. Eliminating that window makes the attacker’s mission much more difficult.

Current technology supplies the ability to build a system that could monitor the second-to-second movement of funds within a bank organization, and use available analysis tools to sift for suspicious patterns in fund or account activity that might point to a network intrusion. The development of real-time automated auditing/monitoring systems (RAM’s) would allow much more in-depth and comprehensive monitoring than is possible with current technology and manpower. This would tremendously reduce the window that the IW attacker operates within in terms of time and security.

A real-time system is predicated on the automation of transaction record entry. Currently, data is often entered into corporate ledgers manually from a multitude of sources--faxes, phones, telexes, and mail. Because of this limitation, the New York Foreign Exchange Committee still seeks to reach an industry-average, daily reconciliation of accounts. Within that period, a deeply destructive attack could easily be accomplished. Current technology is already automating the transaction process; automated record keeping is an easy addition, and makes real-time monitoring possible.

Real-time systems already exist to a limited extent on the interbank level, such as in the CHIPS network, where the speed of fund transactions makes it utterly essential. The extensive employment of such RAM’s throughout the industry would create the time necessary for banks to catch up with unauthorized fund transfers before the money has spread so much as to make correction difficult.

A RAM would use computers’ natural strengths in data processing and pattern recognition to sift through the tremendous amounts of customer accounts and fund transactions for questionable activity. It could use any number of suspect profiles that the bank feels important or indicative of intrusion. Some possible examples include (but are not exclusive):

  • Macrofund movement: Large changes in the entire reserves of the bank. These might be caused by massive tampering with the banks systems, causing either massive fund transfers or simple disappearance of funds from accounts.
  • Non-transaction account changes: Changes in accounts of customers without attendant transactions. This might indicate a serious breach of integrity in the mission-critical accounts-databases that the bank’s business depends on.
  • Non-congruent pattern shifts: Changes in the pattern of activity in a single account. For instance, if GM regularly transfers $200 million on the first of the month to an account in Europe, and instead transfers $300 million, or transfers $200 million on a different date or to a different account, a change in the pattern of activity for the account occurred.
  • Microfund movement: Transactions of extremely small amounts, such as tenths of a cent. For instance, the removal of a hundredth of a cent from multiple accounts or transactions.
  • Random Sampling: A random check of every tenth, hundredth, or thousandth transaction or account to monitor overall system integrity. The ratio of transactions or accounts monitored could set to balance security needs against system load, and changed to meet the bank’s changing security environment (i.e., in a high threat environment, while under attack, the bank could reduce the ratio to increase security at the expense of slowing down the bank’s transaction systems).
  • Large-fund movement: Monitoring of all transactions above a certain limit (e.g. above $100 million).

These suspect profiles may detect simple changes in customer behavior, system or operator errors, fraud, or a systemic information strike. Acting as a filter, they would allow an operator to make a final human judgment and take appropriate actions. In addition, a RAM would have the ability to trace any transaction within the bank, and to another bank during an interbank transaction, while a human operator is making a decision on its authenticity. While tracing is not currently feasible for every single transaction, it would be quite possible for transactions flagged by suspicious profiles

Finally, patterns and activity developed by an automated real-time system could be stored in special databases for later analysis. This might lend further understanding of modern fund activity, allow the development of security scenarios, keep records from which to recover accounts after an attack, help develop better security and other operational policies, or create additional highly profitable data-mining capabilities.

Central Control and the ISC:

The intrabank security center fulfills the need for a guardian of a bank’s network systems. This recognizes the more general principle of risk management, which posits that it is impossible to build an impervious computer system. Instead, dynamic and proactive protection of interconnected information systems is necessary.

A military application of this principle is the proposed need for an IW officer on each E-8 Joint STARS in order to prevent intrusion and manipulation by the enemy, while still maintaining the accessibility that permits ground forces to leverage the system to full capability.

The ISC concept does this for the much larger and more complicated banking industry. It follows general industry risk management recommendations to separate Sales & Trading (the business of banking) from Operations (the underlying bank systems that hold accounts and process transactions). The ISC creates a permanent central internal bank agency responsible for all aspects of fund and account security within the bank, and between banks during a direct transaction with another. The ISC would control detection, coordination, and prevention of intrusions. It would formulate, guide, and implement network security issues within the bank. It would also confirm transactions within a bank and with other banks, and cooperate with other institutions in dealing with unauthorized interbank transactions or a widespread information strike. In effect, it would centralize a number of now disparate activities to improve security.

Recent events, such as the attacks on Citibank, demonstrate the need for such an organization. After the first attacks, Citibank set up a command center to monitor the attacks, trace the attacker, stop the illegal transactions, and coordinate industry and law-enforcement action. Had a center existed before the attacks, they might have been detected and stopped faster. If the perpetrators had been focused on attack rather than thievery, with the access they had, it is possible they might have driven Citibank to disaster in minutes or hours.

The ISC would use the real-time automated auditing/monitoring system as its central tool to accomplish its security responsibilities. In essence, the RAM system gives the security center a bird’s eye view of the evolving funds transaction/security situation within its. The ISC would maintain a second-by-second view of the fund flows within the bank through the RAM’s automated up-to-date record keeping. This would make immediately obvious any macro changes in bank activity to ISC personnel. In addition, the RAM’s profile filters would provide ISC personnel an in-depth view of fund activity with minimal manpower (see Figure 2).

The Dynamic Protection of ISIS:

The integrated security intrabank system combines the RAM and ISC with the ability to operationally control the bank’s networks to create an effective defense and response method to attacks. The combined system uses the RAM to detect a breach and operational control to respond to one, with the ISC directing the response by providing central control, coordination, and human judgment. During an IW attack on a bank, its ISC personnel would quickly detect a breach of integrity by noticing peculiar macro activity and/or an increase in filtered notifications of specific activity; notify the rest of Operations and the S&T group, national/security/regulatory authorities, and law enforcement; and quickly implement crisis management procedures. These might be directed towards recording all activity for later evidence and recovery operations, detecting the source of intrusion, eliminating the attacker’s access, and implementing a "hot pursuit" to discover from whom and where the attack is originating for law enforcement or retaliatory measures.

During a crisis, the ISC might cancel all filtered transactions pending later examination, temporarily cancel all S&T activity, or isolate such actions to the area of attack while working to insulate "clean" regions from the attack. Whatever the crisis management procedures, the defense would by dynamic, real-time, and proactive from the first moments of attack, rather than the damage being the first signs of crisis.

While ISIS’s value is obvious on the intrabank level, where it has complete sight and control, its potential is just as great at the interbank level, both domestically and internationally. Whether fund transfers are conducted over Fedwire, or through credit/debit instructions transferred via SWIFT and CHIPS, fund transfers in the banking system can be thought of at the most basic level as bilateral transactions. Because of this, communication between two parties’ ISC’s can protect the integrity of interbank fund transfers.

When a transfer is made, the sending bank’s ISC could contact the ISC of the receiving bank and send information on the transaction (amount, time, source, destination, etc.). The receiving ISC would accept the information, monitor the transaction from its end, compare information, and send a confirmation to the originating ISC. Should the transaction get dropped or confused at some point, or the interbank payment system compromised, the two ISC’s would detect a difference in the transaction from one end to the other, and cooperate to isolate the irregularity (see Figure 3).Figure 3

In addition, should an interbank fund transfer be flagged as suspicious, one ISC could request the other track the transaction through its network. Should the transfer split from there and travel to still other banks, the cooperating bank could then specify the third-party recipients to the originating ISC, which could then establish new bilateral relationships and continue the trace. Should the transaction be determined to be illegitimate, the final recipients’ ISC’s could assert operational control, cancel further transactions, and return the funds or reconcile accounts, depending on the payment system and time involved.

The establishment of ISIS systems, combining real-time monitoring, central control, and operational control capability (i.e. the ability to stop transactions), that can communicate creates a decentralized security system for the entire banking industry. It makes independent confirmation, tracing, and cooperation highly practical. For instance, in the case of an industry-wide information attack, ISC’s could cooperate to isolate the damage to parts of the banking system, much as an ISC would do internally in the case of an attack. Thus, each bank is responsible for its own security, and protects information about its own internal working, but together the entire industry is responsible for collective security.

The means of communication between ISIS’s is open to question. Using current interbank networks such as SWIFT would limit costs but might leave ISIS intercommunication open to corruption should the network’s integrity be breached. On the other hand, a separate ISIS network for ISC’s to communicate on would be very secure, but have additional cost. A third option would be to use the general telecommunications grid and "virtual private networks" to establish dedicated links when needed. This would also avoid concentrating the data pathways so as to create a tempting target for attack. The banking industry must determine which approach or combination to take that optimizes security and cost (see Figure 3).

The ISIS concept is compatible with current structures in the banking system, and because of its decentralized nature, will likely be compatible with any future national security organizations. For instance, CHIPS already has integrated security and real-time monitoring of member banks’ accounts and transactions. The ISIS concept complements rather than interferes with this. Through the use of bilateral communication of two banks’ ISC’s, the two banks could independently confirm transactions that use the CHIPS system. Should CHIPS become compromised, the bilateral confirmation would detect any unauthorized transactions made by the payment system. The same is true of Fedwire or SWIFT.

Additionally, should the Federal Reserve or the federal government establish an information warfare-monitoring center for either the industry or the nation, the ISIS concept would be an excellent foundation on which to build. Individual ISC’s could communicate the real-time status of their institution to the monitoring agency, which could then compile all the information into an industry- or nationwide picture similar to the one developed by the banks’ ISIS RAM’s.

Implications for National Defense:

ISIS’s hold a great deal of potential for solving the security vulnerability within the banking system. However, the promise of the idea goes far beyond banking, or even finance. The ISIS concept is applicable to nearly every institution in which interconnection and information security is important. The combination of real-time monitoring and operational control capability under a security-devoted organization creates a constant institutional guardian for dynamic protection and risk management--essential elements of any security system in an age where there are no permanent answers to security. The idea could be used throughout the United States in all industries to create a more secure economy in the era of information warfare

The reader may note that the ISC portion of the ISIS concept is similar to a military command center. There is no coincidence in this. The ISC is built to handle crises where time is of the essence; this is applicable throughout military situations. Secondly, in the ISC corporations are creating an organization to defend themselves. The US military has neither the time, manpower, nor money to protect the entire national infrastructure from attack. "There are many information functions critical to our national security that lie outside the military’s defensive purview." Yet large portions of that infrastructure are vital to the health of the United States. The military must depend on the private sector to protect the American homeland from virtual attack while it presents a forward line against physical attack. Only together can an effective defense be mounted in an age of information warfare.

In addition to being extended to other critical industries, the ISIS concept is an excellent building block for a national information warfare defense. While the structure is beyond the scope of this discussion, some sort of national monitoring agency combining military, intelligence, and law enforcement elements with a real-time view of the national situation would be an effective deterrent against a large scale, strategic information strike. With coordination at the national level, an integrated defense could be executed, and an effective retaliatory strike prepared against a traced enemy. We take this for granted in traditional national security affairs; why should it be any different in an information strike? Only with national resources and coordination are we likely to give the President enough information to act upon. The ISIS concept provides the basic level of monitoring necessary to build such a national strategic picture, and the basic level of action to mount an effective defense.

The ISIS concept is not a final solution to the information age’s security/access dilemma. The IW attacker is resourceful and adaptable; he will eventually find ways around most defenses. This is the basic principle that originally predicated the need for the ISIS system and a dynamic and proactive defense. It would be natural then to attack the ISIS system itself. Eventually, the IW attacker might learn to be successful. This approach would have great potential because the ISIS system contains both monitoring and operational control of accounts and transactions. Should the attacker gain access or control of the system, it could be used directly against the bank while keeping security officials ignorant of the attack.

However, this does not eliminate the value of the system. ISIS provides yet another line of defense against attack. No matter how confident banks are of their security measures, the Citibank example shows the potential for attack. A foreign government or terrorist group prosecuting an attack against the United States is likely to have many more resources than the Russian civilians that attacked Citibank, with consequently greater chances of success. Even should ISIS be targeted during an attack, that is one more layer that must be penetrated and corrupted, and more than one target. Additionally, the proactive and dynamic nature of the ISIS system makes the success of ongoing efforts to defend itself as well as the operational systems likely. It also requires that multiple attacks be initiated to be successful, eliminating some of the lure of SWIFT and CHIPS. In the end analysis, the ISIS concept provides a reasonable and practical response to the dangers of strategic information warfare. Combined with additional awareness of the national security implications of information security in critical infrastructures, and tough screening of officials, it will be possible to build with ISIS an international system robust enough to survive in the information age.

Conclusion:

Information and information-based technologies have emerged as a dominant aspect of life in the modern era. It has changed, and will continue to change American society and life. This has been reflected in military affairs by the advent of information warfare. While often ill-defined, its potential is large. Its effectiveness is predicated on the growing pervasiveness of information systems, and their combination around computers to created automated systems ripe for manipulation.

For the United States, the vulnerabilities that information warfare creates are particularly important, because of the great degree to which American society depends on information systems. The concept of strategic information warfare presents a direct threat to the United States, because it obviates most of America’s military advantages. No longer does America’s physical isolation protect it from attack. Nor are large investments required to meet American military strength. With relatively little money and from anywhere, an enemy can attack the basic fabric of American life.

Major industries, such as transportation, telecommunications, and finance are at danger from a strategic information strike. Finance is particularly vulnerable, because money is essentially information and perception, and the financial industry is highly interdependent and interconnected. International finance is especially vulnerable, because of its lack of central regulation and control, and the large lag times in accountability of transactions. This vulnerability is dangerous for the health of the United States, because of the vital nature of finance to American capitalism.

Real-time automated auditing/monitoring systems and intrabank security centers present a solution with great promise. The real-time aspect closes the window an IW attacker has to work in, forcing him to instead meet an active and dynamic defense. The intrabank security center organizes and controls this defense. By combining real-time monitoring and operational control capability within one organization devoted to continual information security, the ISIS presents a versatile guardian for the information age. Because of their internal aspect and limited scope, ISIS’s are quickly implemented. But because of bilateral communication, ISIS’s have the ability to create a decentralized security system throughout the banking system, without the need for international organizations that might be a threat to national sovereignty.

Indeed, ISIS’s can be implemented throughout most industries for information protection. They can be the basic building block of an effective, decentralized security system that will prepare the United States for the Twenty-First Century. Without some sort of system focused on the likelihood of virtual attack, the United States will remain at the mercy of a double-edged sword, and information will become our nemesis.

 

Works Cited

Niel Munro. "The Pentagon’s New Nightmare: An Electronic Pearl Harbor." The Washington Post 16 Jul. 1995. Online. Internet: vislab-www.nps.navy.mil. 21 September 1996.

R.L. DiNardo, Daniel Hughes. "Some Cautionary Thoughts on Information Warfare." Airpower Journal Winter 1995. Online. Internet: www.cdsar.af.mil. 10 October 1996.

Fedpoints. Federal Reserve Bank of New York. Online. Internet: www.ny.frb.org. 9 November, 1996.

Schiller, Herbert I. Who Knows: Information in the Age of the Fortune 500. Dorwood: Ablex Publishing Corp., 1981.

Bass, Thomas A. "The Future of Money." Wired, Oct. 1996: 140-143, 200-205.

United States. Cong. Office of Technology Assessment. US Banks and International Telecommunications. Washington: US Government Printing Office, 1992.

Clearing House Interbank Payment System--CHIPS. New York Clearing House Association. Online. Internet: www.theclearinghouse.org. 17 September 1996.

William Carley, Timothy O’Brien. "Cyber Caper: How Citicorp System Was Raided and Funds Moved Around World." The Wall St. Journal. Online. Internet, National Times: www.enews.com. 18 November 1996.

Passel, Peter. "Fast Money." The New York Times Magazine. Oct. 12 1992: 42-43, 66, 77.

Stephen Katz. "Global Finance: Protection in the Age of Electronic Conflict." infoWarcon5: Electronic Civil Defense for the 21st Century. The Convergence of the Commercial and Military Sectors: Vulnerabilities, Capabilities, and Solutions, Arlington, VA 5-6 Sept. 1996.

The New York Foreign Exchange Committee. Management of Operational Risks in Foreign Exchange. April 1996. Online. Internet, Federal Reserve Bank of New York: www.ny.frb.org. 18 Oct. 1996.

Lt. Col. Price Bingham. "Revolutionizing Warfare through Interdiction." Airpower Journal Spring 1996. Online. Internet: www.cdsar.af.mil. 25 Sept. 1996.

Major Rishard Aldrich. "The International Legal Implications of Information Warfare," Airpower Journal Fall 1996. Online. Internet: www.cdsar.af.mil. 5 Dec. 1996.

Anonymous, personal interviews, 12 September 1996-26 November 1996.

McCarthy, Gen. J. P. Personal interviews. 21 Aug 1996, 15 Oct. 1996, 22 Oct. 1996, 4 Nov. 1996.

Fullerton. Maj. R. L. Personal interviews. 3 Oct. 1996, 15 Oct 1996, 7 Nov. 1996.

Anonymous. E-mail to the author. 2 Dec. 1996

Anonymous. E-mail to Gen. James P. McCarthy. 4 Nov. 1996.

Anonymous. E-mail to the author. 7 Oct. 1996.

 

CommSec ® - Communications SecurityQuestions or comments? Email: webmaster@commsec.com
Copyright © 1996-2000 CommSec ® - Communications Security
Last modified: Friday, 01 January 1999 22:01 --  Revision:  7.6