Information Warfare and Finance: A Strategic Target
A Technical Paper by:
Stephen M. Parker, Consultant
CommSec ® Communications Security
Internet web site: http://www.commsec.com
Email: security@commsec.com
October 24, 1997
Foreword
The technology behind the modern operations of banks and
interbank transaction systems is an arcane and complex subject. The security of these
systems is as well. There are few outside of specialized bank operations, information
management, and security fields who understand how the global banking structure works.
There are fewer still that are willing to discuss the subject in much detail, due to
security considerations. To truly master the subject requires years of study and
involvement in this particular segment of the banking industry.
This paper attempts to discuss the subject at a level the
general reader can understand. The true value of this paper is the national security
viewpoint it brings to bank network security, rather than an in-depth examination of bank
operations. The banking industry is the foundation of the modern financial system, and by
extension both American and foreign capitalist economies. At some point, every important
financial transaction is conducted through the banking system. As such it is vital to
economic health. With the advent of information warfare, the electronic, interdependent
nature of banking--and finance in general--combined with its critical nature, makes the
banking system a likely target for a strategic attack against a country. This is a new
viewpoint for an industry focused on crime, traditional financial crises, and the more
recent phenomenon of low-level hacking. It is critical, however, that we master this
viewpoint and adapt our banking industry to it, for the threats information warfare poses
are different than traditional bank security threats, and will increase as the age of
information warfare develops. I ask you to please consider this.
Information Warfare and Finance: A Strategic Target
Information warfare has emerged in recent years as a new, exciting, and potentially troubling development in national security. As its possibilities have been examined, it has become obvious that information warfare is in fact a double-edged sword for the United States. While most study has been of information warfare's tactical and operational possibilities, it is the author's belief that information warfare's strategic deep strike capabilities pose the most far-reaching and dangerous implications for American national security.
Because of this potential for strategic information warfare, information warfare's strategic possibilities deserve to be studied and considered in greater depth. Until its advent, only the ICBM/SLBM threatened American domestic life in any appreciable way. The emergence of such vulnerability caused great trauma among the American people during the Cold War, and it is likely that the widespread knowledge of information warfare's capabilities, perhaps magnified by actual instances, will cause similar apprehension in the near future. As one report concludes, "major dislocations in American society could be caused by targeting sensitive but unclassified data, such as power systems, electronic funds transfer systems [emphasis added], the PSN [telephone network] and the national airspace management system." While the actual results of such an attack are still unknown, it is likely that any lesser effects of information warfare, as compared to nuclear war, will be at least partially offset by its cheapness, easy accessibility, and difficulty in monitoring, detection, and tracking.
It is the thesis of this paper that the United States and its current information infrastructure is highly susceptible to an attack focused not on military targets, but rather on critical information infrastructures that American society depends upon, such as finance, telecommunications, or transportation. A strategic attack would likely be focused directly at the American public, and would likely be an attempt to strike directly at the economic/political engine of America's global power, when it would otherwise be impossible. It might also be an attempt to divert attention so that forces inimical to American interests can act within a certain critical period without hindrance on the world stage.
The United States is more vulnerable, and increasingly so, to this form of attack than any other nation because of its highly automated and computerized society. This source of strength is likely America's Achilles' heel as well, and enemies will not hesitate to explore its possibilities. Information warfare has the additional advantages for such enemies of stealth, cheapness, quick acquisition, and global reach. "A Third World nation could procure a formidable, modern IW capability virtually off-the-shelf." For the cost of a bomber, submarine, or other conventional weapon system, a large and sophisticated information cell could be set up with supercomputers, multiple high-bandwidth network connections, and a great deal of necessary brainpower from various individual, commercial, and military sources. The United States needs to respond to this threat by developing a more robust, self-monitoring infrastructure capable of withstanding repeated attacks. These attacks will be frequent in the next century, and difficult to defeat.
In order to demonstrate the potential of a strategic information strike on the United States, this research focuses on the international banking sector of the American economy. International finance is a particularly tempting target for an information strike, because of its decentralized character, highly computerized infrastructure, incredible speed, and size. It is vital to the continued functioning of American capital markets. The unique aspects of finance, and the vulnerabilities they cause, are discussed. The full implications this threat poses to the United States will help illustrate the potential of strategic information warfare. Some solutions are suggested, as are further ideas for protection. Finally, the implications raised relative to international finance are examined in the more general context of the American economy, and a course of action in this new information age is suggested.
Strategic Information Warfare:
First it is necessary to examine some criticisms of information warfare, to truly illustrate the critical nature of the issues being considered. Many charge that information warfare is nothing revolutionary, but rather a faddish rehash of orthodox military ideas. One author states "information warfare has become so expansive a term that it now threatens to become a tautology by encompassing nearly everything beyond the most primitive forms of combat." He goes on to state that "most of the suggestions on potential measures, enemy reactions, and ultimate consequences are speculative beyond plausibility." Such beliefs strongly contrast with the urgency and near-term danger of the issues that are presented. The possibilities of a strategic attack on the financial system are very plausible, likely, and dangerous to the national security of the United States.
While the scenarios raised in this paper will implicitly contradict such assertions, there are two root causes of information warfare's powerful new possibilities as a weapon of strategic attack. Foremost is the pervasiveness of information and information systems in all aspects of modern life. Due to this, the effects of information manipulation are becoming both more widespread and more effective than at any prior time. Second is the combination of these systems around computers to create highly automated command and control systems that, for the first time, present a central target that will cause widespread effect.
A perfect example of this is the Federal Aviation Administration's "Free Skies" policy using the American military's Global Positioning System (GPS). Rather than relying on traditional ground control stations (VOR/VORTACs), the policy seeks to decentralize control to the transiting planes through the use of automated navigational systems dependent on the highly accurate GPS. This has the potential to remove large inefficiencies in the current system. However, it also provides a central target to incapacitate or control the American (and likely someday global) air transit system. Where before it would have been necessary to target thousands of ground VORTAC navigational beacons, the introduction of GPS creates just one critical target. The United States military's ability to encrypt, stop specific geographic service, control accuracy, and otherwise deny service indicates the existence of a central "switch." No matter how well protected electronically and physically (and it is well protected), the existence of such a target will tempt attacks, and it is possible that one will someday succeed.
This is the powerful and revolutionary nature of
information warfare. While the field does indeed incorporate old and established tenets of
military action, as critics charge, its potentials are established in the new
pervasiveness and computerization of modern information systems. This is immediately
obvious in the modern foundations of American life, like credit cards, ATMs,
computer networks, telephones, and airplanes, and will continue to grow. This is the
danger that American life faces in the new information era.
Finance as a Target:
Because of a number of unique characteristics, finance is
an almost certain target for a strategic information strike against the United States. The
financial industry is information-based, highly computerized, decentralized,
interdependent, and manages the intangible product of money, whose value is based entirely
on global perception of its economic value. Together, these characteristics create a
target by nature vulnerable to information warfare, critical to the health of American
society, and so basic to society as to propagate the effects of an attack through every
sector of life. An attack would at the least divert American attention to a domestic
crisis; at most it might cause a financial crisis of global proportions, and even an
economic meltdown.
The financial industry is variously defined by the handling, holding, transferring, accounting for, and general information about money, the lifeblood of America's capitalist society. Nearly every daily interaction involves money in some way. Money and finance are therefore a critical node of American life. When the telephone fails, it is extremely inconvenient. When the plane does not fly, business and vacations suffer. But when ATMs, credit cards, checks, and wire transfers do not work, the modern economy stops. Because money is really nothing more than a form of information that keeps "score" in an incentive-based system, it is highly prone to computerization and automation.
Because it is an industry with intangible information as
its basic commodity, the financial sector is deeply interdependent. In fact, it forms a
single macrosystem in which the whole is greater than the sum of the parts. Because the
industry is so large--the American industry itself transfers nearly two trillion dollars
a day, larger than the entire money supply of the United States--the global financial
system is largely decentralized (even accounting for recent merger trends), which
increases interdependence. In addition, as an information-based industry, finance is very
susceptible to misinformation and perception of information. Everything in the industry is
predicated on perception. Even the value of money relies solely on a general social
perception of its worth. This unique combination of interdependence, highly developed
information infrastructure, decentralization, intangibility, perception, and importance to
the continued functioning of society, makes it a nearly perfect target of information
warfare.
Among the various sectors of finance, international banking is perhaps the most vulnerable, because of its lack of a central authority or funds transfer system. There exists what may be termed "stateless money--a vast, integrated global money and capital system, almost totally outside of all government regulation, that can send billions of Euro-Dollars . . . and other stateless currencies hurtling around the world 24 hours a day." Though central banks and bank regulators have adapted to this new electronic order in the fifteen years since it first became apparent, it is still largely true today. Walter Wriston, the former Chairman of Citicorp, recently stated: "Money goes where it is wanted, and stays where it is well treated . . . technology has overwhelmed public policy [emphasis added] . . . Now the Fed could tell us [Citibank] to buy $100 million [on the foreign exchange market to support the US currency] and this would be pooping money down a well [it would have little effect]."
American domestic banking and funds transfer is tightly
controlled and regulated by the Federal Reserve System (commonly referred to as the
"Fed"), which has the full faith and backing of the US Government and its seven
trillion dollar economy. The same is true of nearly every developed nation of the world.
In effect, the domestic banking system is secured by the American economy as collateral.
International banking has no such guarantee. Instead, it is governed by bank-to-bank
relationships, as well as cooperative private agreements, organizations, and standards.
"The failure of one or more participants [of these cooperative payment organizations]
to settle end-of-day deficits could result in unacceptable demands on central banks as
lenders of last resort, or in a cascade of settlement failures that would precipitate
national or even international financial crises." The only security for these systems
is the collateral of the member banks, which compared to the trillions transferred daily,
is small. While pledged collateral levels have been designed to maintain system integrity
during a mid-level banking crisis (in one case, the failure of three major U.S. banks),
they cannot withstand a full-fledged collapse. In addition, these safeguards have been
designed with naturally occurring economic or financial crises ("natural
crises"), fraud, and low-level hacking (the local Legion of Doom chapter or bored
college student) in mind, not a large scale, destructive attack that could be mounted by a
foreign nation or sophisticated terrorist group with economic sabotage in mind.
In addition to these vulnerabilities, international banking faces the same Access vs. Security Dilemma that confronts the entire banking sector. In order to maintain money's liquidity, the banking industry must be highly accessible to its customers, as illustrated by ATMs, credit cards, and the ability to transfer funds between any two banks in the world. This is the basis of the industry's high interdependence. At the same time, it is necessary that customers' accounts and funds be kept secure. Without such assurance, the banking industry's perception of reliability is destroyed, customers' trust is lost, and the system falls apart. The epitome of security is an isolated network that is inaccessible to the outside, which is directly antithetical to interdependence and accessibility. Banking must find a balance that maintains the most security possible without disrupting access. Whatever that balance, the necessity of access and interconnection will always make the possibility of unauthorized access a danger.
Together, the characteristics of international banking create a system with many points of attack, but also a number of central targets, which would propagate effects throughout the United States and the developed world. Two major targets are the New York Clearinghouse Interbank Payment System (CHIPS), which handles 95% of all worldwide American dollar fund transfers, and the Society for Worldwide Interbank Financial Telecommunications (SWIFT), the main international interbank funds wire network.
The largest target of all would be Fedwire, the Federal Reserve's fund wire system, and the internal Fed database accounts of all member banks. The entire domestic banking system, the CHIPS system, and much of the world's capital markets hinge on the continued operation and integrity of the Federal Reserve System. It is perhaps the crucial lynchpin in the world economy, because it is the "owner" of the American dollar, the single most important currency in the world. Even with the resurgence of Japan and Germany, the dollar is by far the most used currency of international transactions.
Therefore, should the Federal Reserve fail, the effects would be catastrophic. However, the corruption of CHIPS or SWIFT poses nearly as much danger. Points of attack on any of these targets may be the Fed's or the cooperative private organizations' central computers, member institutions, or any financial institution that is connected indirectly to these systems. Focused correctly, a well-prepared attack could cause chaos throughout the international system.
IW Strike on International Banking:
Any information strike seeking to cause damage to the American financial system by attacking international banking would focus on several large vulnerabilities in current bank security and the banking structure. An attack would exploit these vulnerabilities through three basic methods:
- Attack a bank's internal systems to modify accounts and/or cause unauthorized transactions.
- Attack the interbank fund transfer systems to cause unauthorized transactions between banks.
- Use some combination of both for a greater effect.
The purpose of an attack could be anything from causing distraction to causing a massive economic crisis in America. Whatever the focus of an attack, an IW strike would seek to damage the banking system in three separate ways:
- Corrupt/deny service to the underlying technology systems that bank operations rely on, disrupting business and causing harm to individual or multiple banks.
- Perpetuate an artificially caused crisis by causing a chain of events that would use the banking system itself to amplify and propagate it throughout the system.
- Subtly corrupt various systems over an extended period of time to cause quiet erosion of confidence by the public rather than an immediate crisis.
The last option would require the most patience, take the
longest time, and require the greatest skill. It would be well suited for an enemy that
wanted to conduct "guerrilla infowar" rather than confront the US immediately or
directly. Its effects, by undermining public confidence, causing economic inefficiencies,
and damaging the liquidity of money, could be tremendous, but in order to be effective it
would have to be done subtly on a grand scale. For these reasons, and the fact that it
would utilize some of the same vulnerabilities discussed below, and likely be detected by
the same policies, the research below will concentrate on the first two modes of attack.
An information strike on the international banking sector
could target a number of vulnerabilities in the banking infrastructure to successfully
prosecute these attacks. Among these are the lag time in international funds transaction
monitoring, a lack of manpower to deal with significant problems, a dynamic market that
leaves little room to pause and make corrections, and the possibility of creating a
self-sustaining crisis by utilizing public perception and causing panic.
It is very important to emphasize that the banking system
is very well protected, and security is improving. Banks, their brethren in financial
securities, and interbank structures have invested billions of dollars over the last
twenty years in sophisticated security measures. As a result of advancing technology and
incidents such as the recent American Savings & Loan (S&L) debacle, regulatory
organizations in the US, Japan, and Europe have strengthened regulations to limit both
operational (underlying technology systems) and systemic (overall banking structure and
business method) risks.
New rules have been put in place to regulate credit risks of interbank transactions. The sudden advent of the microprocessor caused serious security risks because of newly empowered hackers and unsecured, decentralized LANs. These threats have been considered and integrated into the overall security measures of banks with the implementation of technologies such as firewalls. Encryption measures have increased and become more sophisticated, especially on the international scene. Multitudes of security layers have been put in place. Individual bank personnel have limited access and power--the system is somewhat analogous to the dual-key operation required for nuclear missile operation. Checks and counterchecks are almost too numerous to count, let alone easy to defeat in a way that avoids long-term detection.
The result is that banks are extremely confident of their
security measures. While a successful attack may have been conceivable a decade ago, there
is a general belief today that while not impossible, it is so unlikely as to be
unimportant. Even so, banks continue to improve their security measures with a view to the
increasing sophistication of criminals.
This is a rational mindset, because there are indications that there are still holes in security systems, even at major banks. The recent $12 million Citicorp break-in by Russian crackers in St. Petersburg is a prime example. It took Citibank nearly five months to detect and stop the intrusions into their cash-management system, the very core of Citibank's funds system.
There are other indications as well. While not substantiated, it is widely known that a number of banks have been blackmailed by crackers who have threatened to damage or destroy accounts unless a "ransom" was paid. The crackers' ability to carry out these threats was usually substantiated by demonstrating access to highly critical and secure bank systems, or actually corrupting systems and holding data "hostage." In addition, there are reports that travel through the underground cracker community detailing vulnerabilities and methods of attacks, as well as successful crimes. One such report which the author received caused concern at a major US bank. It detailed a successful attack, again on Citibank's funds-transfer systems, through a mind-numbing trial-and-error process, that eventually allowed the crackers to lift enough money electronically to pay for the remainder of their college education. All these incidents seem to give the lie to banks' beliefs in their safety.
These incidents have not damaged banks' general belief in their security systems, however. While the St. Petersburg criminals penetrated Citibank's cash-management network, the industry belief is that it would have been impossible for even a group of well-experienced crackers to break Citibank's security without insider cooperation. Even so, the operation was detected and preventive action taken. For the job to have been much more effective, they would have needed the cooperation of an unlikely number of insiders.
This viewpoint exposes the vulnerability in the banks' security precautions, and an institutional blind spot. No current security measures have been designed with a large-scale destructive electronic attack in mind. Little, if any, work is being conducted to incorporate such precautions in future systems. The industry belief is that the current mostly strong precautions and continuing efforts against fraud and natural errors will also protect banks against additional threats from information warfare. Specific protection against such attacks is a very low priority, if one at all. Little consideration has been applied to the fact that a large, sophisticated terrorist group, or an enemy nation, could mount a long and patiently prepared, lightning quick, large-scale parallel attack on the banking system. This could possibly overcome existing defenses through scale and preparation, and be over before current systems detect the attack or prepare a response. A useful analogy is the Coalition campaign against Iraqi forces in the closing days of the Persian Gulf War.
Individual Bank Vulnerabilities:
The largest vulnerability in bank security systems is the
lag time in fund monitoring. Nearly all checks are on daily, weekly, or monthly
time-scales. Even newer, more stringent regulations require banks to know their business
position only two or three times a day. These precautions are adequate when one considers
that they have been put in place to guard against natural problems (human error, bank
failures due to improper planning and fund management, etc.), or fraud, which must be
conducted subtly over long periods to be successful and retrieve funds.
These precautions are not sufficient when one considers
that the actual attack during an information strike can be accomplished in minutes or
hours, with enough preparation and resources (in people and computing power/access). There
is no need to hide the activity after a certain threshold of damage (unless one is
conducting the long, subtle confidence attack), because the very point of the attack is to
cause noticeable damage. It does not matter how many checks and counter-checks
there are if they do not detect the attack until after it has been successfully prosecuted
and a serious, perhaps uncorrectable, crisis has begun.
With the cost of information warfare so low as compared to
conventional methods, and the necessary amounts of brainpower cheap and available with the
breakup of the Soviet bloc and the spread of commercial computer technology and know-how,
it would be little problem for even a "Third World" nation to use a window
smaller than an hour. Even the St. Petersburg criminals, with a small operation, could
have caused significant, though obvious, damage to Citibank had they not cared about being
detected within hours. With the access they had, the severity of the attack would have
been significant, perhaps limited only by the rank of the supposed insider cooperation.
The higher the status of the insiders, the more probable that large fund values could have
been affected.
The second most dangerous bank vulnerability is the question of personnel. The most time-honored method of subverting security systems is to suborn the people in control. One IW author points out that with all of contemporary literature's treatment of computer systems as automated, corporate beings, it is still people that are in charge, and therefore a logical target. The banks have taken reasonable precautions to spread operational control and authority throughout their organizations to make individual or small-group sabotage unlikely. However, they have not considered the time, money, and incentives a foreign government or sophisticated terrorist organization would have in order to overcome this difficulty.
Any such enemy might have years in which to recruit
personnel, introduce moles, or conduct any other intelligence operations that governments
routinely deal with, but which companies are mostly unused to. Most importantly, such an
enemy just might have the resources to conduct such an operation at many banks,
introducing the possibility of initiating a financial crisis at multiple points to
overwhelm security regulations focused on preventing smaller-scale attacks. Again, the
institutional blind spot against a massive attack that would be likely in a strategic IW
strike leaves a large gap in existing defenses.
There are a number of difficulties with this approach. Foremost, the more people one contacts and tries to subvert, the more likely the operation will be discovered, and the advantage of strategic surprise lost. Secondly, moving one's own people into sensitive positions could take years, and they might only be of use one time. For these reasons, the author believes that electronic attack is of a greater danger. However, there are a number of other factors that partly balance these complications. Bank employment and internal clearance is not nearly as linked to nationality as national security careers are. For this reason, it might be easier to place agents. Secondly, it might be possible to disguise an operation with a facade of fraud, hiding the true national security threat that might otherwise test an individual's national loyalty, or hiding the disastrous results that might test a person's sanity.
Another vulnerability dealing with personnel is the industry's lack of appropriately qualified computer systems people. In the case of any large-scale attack, the banking industry simply would not have enough people of suitable skills to track down all the problems and rectify them with current technology and legacy systems. Banks have just enough personnel to deal with current problems of a natural, criminal, or cracker nature.
In one recent case, a major American bank had problems combining two separate operations networks after a merger with another bank. One symptom of these difficulties was dropped or lost transaction messages. While the bank recorded that transactions were sent, the actual messages never did leave due to operational errors. The number of times this happened because of these "natural" problems is small compared to what the bank could expect in an information strike. However, the bank's personnel strained to keep up with and correct even these relatively few irregularities, and took a good deal of time correcting the problem. In a strategic attack, they would likely be inundated. To worsen matters, each bank currently operates a basically custom internal network, so additional information management (IM) personnel from other banks or industries would be of limited use at the most critical time, while they familiarized themselves with the bank's systems.
Interbank System Vulnerabilities: CHIPS, SWIFT, and Fedwire:
In attacking the international banking structure, the most centralized vulnerabilities are in the interbank payment systems. The big three for American banking are the Federal Reserve's Fedwire fund transfer system and its internal bank accounts, the New York CHIPS dollar transfer system, and the international SWIFT communications network. Penetrating the latter two would have disastrous consequences. Penetrating the Fed systems, even if only the Federal Reserve Bank of New York, would be an utter nightmare.
CHIPS is illustrative of the strengths and vulnerabilities
of these systems. Its security is highly sophisticated. The main computers are located in
a fort-like Manhattan building that would be appropriate to a secure military facility. A
back-up site is located in New Jersey for instant redundancy. There may well be another
site, but if so it is well hidden and not discussed. Both sites have multiple back-up
power and communications sub-systems. In total, physical security is excellent.
Members of the CHIPS network are connected to two central computers at each site, either of which can handle the entire system load by themselves, through dedicated land-lines. Communications are encrypted and digitally signed to add additional redundancy. If there is any irregularity, the dedicated line is severed from the central computers, and the member bank is consequently removed from the system until the problem is resolved. This system of redundant checks guarantees the electronic integrity of the CHIPS system.
Additionally, there are a number of checks against the
systemic (business method, rather than technological) risks CHIPS introduces. The danger
inherent in the CHIPS system is that it makes transfers by authorizing debits/credits,
which result in positive or negative positions at member banks during the day. Negative
positions are not covered until end of day settlement; during the day, fund transfers that
are to cover a negative position may not yet be received. The large volumes and values of
transfers make them difficult to handle and settle immediately or intra-daily. At the end
of the day, a final tally of each bank's position is made, and appropriate funds are
transferred through a special escrow account at the New York Federal Reserve to make the
member banks' positions at the Federal Reserve match their CHIPS end-of-day accounts
(see Figure 1).
This system introduces the danger that a member bank may
not have the funds at the close-of-business (COB) to fulfill a negative position. In fact,
this occurred a decade ago during the Latin American debt crisis, when Brazil's
national bank (Banco do Brasil) did not have enough funds in its various accounts one
night to balance accounts debited by the CHIPS system. The crisis was handled by the other
members cooperatively lending Banco do Brasil enough to meet its obligations, then
removing it from the system.
Today, to prevent a similar situation, with perhaps more
disastrous consequences, CHIPS uses a sophisticated real-time monitoring system to monitor
caps, established by members, on the amount of money that can be owed at any one time
("daylight overdrafts") by one bank to another bank (bilateral limit), and by
one bank to all the banks in the system (multilateral or overall debt limits). In
addition, each member of the system has pledged enough securities (held in a special
Federal Reserve account), so that the system as a whole can cover three major bank
failures.
Should all these precautions fail, and should for some
reason the Federal Reserve not act as a lender of last resort, the last option CHIPS has
is to unravel all the day's transactions to isolate the failed institution or
institutions. Analyses have indicated that if this option were ever used, an additional
20-25 banks would be temporarily insolvent, causing financial gridlock until the situation
were cleared up and that days payments again honored.
Again, however, the publicized security precautions (there
may be others that are kept secret) do not adequately consider a large-scale attack. Even
with the safeguards CHIPS has, there are several possible ways to cause a general crisis.
The current safeguards are focused against natural disasters like the Banco do Brasil
crisis, not premeditated penetrations seeking destructive consequences. Utilizing
penetration, either by electronic attack, insider personnel, or forced entry by special
operations forces, an enemy might seek to quietly corrupt the daylight overdraft limits so
that the system is no longer as well secured against bank failure. It might also initiate
unauthorized CHIPS transactions to confuse or enlarge daylight overdrafts for multiple
members, causing end-of-day settlement failures for banks. Less likely, due to the
fourfold redundancy of the central computers, it might try to saturate the system with a
critical threshold of transactions (perhaps by inserting viruses or other automated
programs) to cause the system to overload, make mistakes, or hopelessly confuse accounts.
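The settlement mechanics and safeguards described above (net debit positions, bilateral and multilateral caps, the danger of a tampered cap, and the last-resort unwind) can be made concrete with a small simulation. The Python below is an added illustration written for this edition of the paper, not CHIPS code and not a description of its actual algorithms; the four banks, their reserve balances, caps and transfers are constructed, and the cap check and unwind are simplified assumptions about how such a monitor behaves. It shows a correctly configured cap refusing an injected transfer, a tampered cap accepting it, the sending bank then failing to settle, and the unwind turning one failure into three.

```python
from collections import defaultdict
from dataclasses import dataclass

# Everything below is constructed for illustration: the four banks, their reserve
# balances, the caps and the transfers are assumptions, and the cap check and
# unwind are simplified models of how such a monitor behaves, not CHIPS code.
# Amounts are in millions of dollars.

@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount: int

def net_positions(transfers):
    """Each bank's net position: credits received minus debits sent. A negative
    value is a daylight overdraft that must be covered at end-of-day settlement."""
    pos = defaultdict(int)
    for t in transfers:
        pos[t.sender] -= t.amount
        pos[t.receiver] += t.amount
    return dict(pos)

def cap_violations(transfers, bilateral_caps, net_debit_caps):
    """Replay the day's transfers in order as a real-time cap monitor would, refusing
    any transfer that would push the sender over its bilateral limit with the receiver
    or over its overall (multilateral) net debit cap. Refused transfers do not change
    the running positions. Returns [(index, reason), ...]."""
    pos = defaultdict(int)     # running net position per bank
    owed = defaultdict(int)    # running net amount that bank x owes bank y, keyed (x, y)
    violations = []
    for i, t in enumerate(transfers):
        pair = (t.sender, t.receiver)
        if owed[pair] + t.amount > bilateral_caps.get(pair, float("inf")):
            violations.append((i, "bilateral"))
            continue
        if t.amount - pos[t.sender] > net_debit_caps.get(t.sender, float("inf")):
            violations.append((i, "multilateral"))
            continue
        pos[t.sender] -= t.amount
        pos[t.receiver] += t.amount
        owed[pair] += t.amount
        owed[(t.receiver, t.sender)] -= t.amount
    return violations

def insolvent_at_settlement(transfers, reserves):
    """Banks whose reserve balance cannot cover their end-of-day net debit position."""
    pos = net_positions(transfers)
    return {bank for bank, reserve in reserves.items() if reserve + pos.get(bank, 0) < 0}

def unwind(transfers, reserves, failed):
    """Last-resort unwind: drop every transfer touching a failed bank and re-settle.
    Banks that were counting on credits from a failed bank may now be unable to
    settle, so iterate until the set of failed banks stops growing.
    Returns (surviving transfers, failed banks)."""
    failed = set(failed)
    while True:
        remaining = [t for t in transfers
                     if t.sender not in failed and t.receiver not in failed]
        newly_failed = insolvent_at_settlement(remaining, reserves) - failed
        if not newly_failed:
            return remaining, failed
        failed |= newly_failed

# Constructed sample day.
RESERVES = {"A": 50, "B": 30, "C": 20, "D": 40}          # balances held at the Fed
BILATERAL_CAPS = {("A", "B"): 120}                         # A may owe B at most 120
NET_DEBIT_CAPS = {"A": 50, "B": 100, "C": 100, "D": 100}   # overall daylight overdraft caps
LEGIT = [Transfer("D", "A", 70), Transfer("A", "B", 100),
         Transfer("B", "C", 80), Transfer("C", "D", 60)]
INJECTED = Transfer("A", "C", 30)   # unauthorized transfer inserted by the attacker
DAY = LEGIT + [INJECTED]

if __name__ == "__main__":
    print("legitimate caps: ", cap_violations(DAY, BILATERAL_CAPS, NET_DEBIT_CAPS))
    print("tampered cap:    ", cap_violations(DAY, BILATERAL_CAPS, dict(NET_DEBIT_CAPS, A=100)))
    print("net positions:   ", net_positions(DAY))
    print("insolvent at COB:", insolvent_at_settlement(DAY, RESERVES))
    print("after unwind:    ", unwind(DAY, RESERVES, insolvent_at_settlement(DAY, RESERVES)))
```

With the legitimate cap the monitor refuses the injected transfer (index 4) on A's multilateral limit. With A's cap raised to 100 the transfer passes, A is short at settlement, and the unwind then removes B and C as well, because each was relying on an incoming credit from a bank that had just been taken out. Every bank started the day with positive reserves; the cascade comes entirely from interdependence, which is why the unwind option is so dangerous.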
Any of these actions would have the potential to affect
over a trillion dollars a day in transactions. It is possible that if accounts and
transactions were corrupted enough through any of these means (or through separate
individual attacks against member banks to cause settlement failure at COB), and enough
major banks were artificially insolvent and unable to settle at day's end, the
Federal Reserve might choose to undo the day's transactions to correct the crisis,
rather than give the banks enough funds to cover their overdrafts and then try to clean up
while business continued. If such were the case, the situation would get worse before
getting better, perhaps closing the international banking system for days, or even weeks,
while the crisis was repaired. In such a case, the IW attacker would have managed a
masterful job of maneuvering the Fed into a difficult position, and forcing it to worsen
the crisis in order to fix it.
Again, the personnel issue arises in evaluating CHIPS
security. A lot of precautions have been taken to keep CHIPS from becoming the
venue for the largest bank heist in history through insider cooperation. However, it is
likely that a foreign government could obtain the cooperation of internal personnel, or
place moles on the inside, through various methods familiar to the intelligence community.
Alternatively, it is likely that a government could use special operations forces to
penetrate the physical security of the interbank systems, and even the back-up systems.
On a more arcane and destructive level, a large,
sophisticated enemy might also have access to EMF or similar weapons to cause
denial-of-service rather than corruption, and could target such weapons at these central
payments systems. The effects of denial-of-service would be disastrous. With the path for
$1.2 trillion a day blocked, the financial system would virtually halt in its tracks. The
financial system would find some other routes for fund transfers because of its complexity
and redundancy, but the sheer size and importance of CHIPS makes it impossible to replace
or do without in the short-run. The full effects of any such situation are unpredictable,
but frightening to contemplate.
Other attacks, operating under different limitations and
circumstances, but utilizing similar approaches, could be used against Fedwire and SWIFT.
Both have similar, but little discussed, security measures. Fedwire actually does transfer
funds, so CHIPS's systemic risk is not an issue. Technologically, the Fed is
extremely secretive about Fedwire's security precautions, so there is little
information on which to focus a search for vulnerabilities. It is likely, however, that a
foreign government with a sophisticated intelligence setup could find some weaknesses and
plot an attack.
SWIFT, as a more general financial communications network,
has the fewest safeguards. It is not actually a fund transaction system, but rather a
dedicated network for financial communication utilized by commercial and investment banks.
It is, however, the dominant international fund transaction network because banks use it
to transfer bilateral non-revocable debit/credit messages that credit an internal
account at one bank and debit a corresponding internal account at another. This
credit/debiting account-balancing scheme is the way international fund transactions are
conducted (see Figure 2).
While a breach of integrity in this network is unlikely due to
authentication precautions similar in sophistication to CHIPS, a successful penetration
could give a group the ability to send thousands of illegitimate transaction messages to
nearly any bank in the world. Banks would honor these messages and make the dictated
credit/debit transactions. The perpetrators would then have a period of time before the
illegitimate transactions would be discovered to prosecute their attack.
The current state of transaction monitoring for
international transfers would give the crackers approximately a 48-72 hour window to
prosecute such an attack before detection. The travails of the major US bank, which had
problems merging its systems, are illustrative of this point. It can take as long
as 48 hours before banks notice that funds did not arrive where and when they were
supposed to. Unless the amounts were visibly large or an unacceptable overdraft resulted,
the customer also may not be aware of the missing credits.
The customer may first assume that the bank failed to make
the transfer due to an internal error. Even so, the customer may also be concerned that a
business partner could not make the payment. Once the customer discovers differently, it
will check with the involved bank, which checks its records and discovers the
irregularity, if it has not done so already. The problem may still not be resolved,
however, because transactions are non-revocable on SWIFT. The bank must then trace the
problem down and discover where the fund transfer instruction was misrouted, i.e. where
the money "went," if it did at all. This process can easily take another 24-48
hours.
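The authentication precautions mentioned for CHIPS (encrypted, signed links that are cut on any irregularity) and for SWIFT, and why a penetration of a sending bank nonetheless yields messages the receiving bank will honor, can be shown with a small worked exchange. The Python below is an added example, not SWIFT or CHIPS code; the message fields, the bilateral key, the bank identifiers and the use of an HMAC in place of the real networks' authentication scheme are all assumptions. The receiver verifies the MAC and a per-sender sequence number before posting: a message altered in transit and a replayed message are refused, but a message forged with the legitimate key passes every check, which is exactly the case the paper is concerned with.

```python
import hashlib
import hmac
import json

# Constructed for illustration: the message layout, field names, bank identifiers and
# the shared key are assumptions, and an HMAC stands in for the real networks'
# authentication scheme. This is not SWIFT or CHIPS code.

KEY = b"bilateral key shared by BANKA and BANKB (assumed)"

def canonical(msg):
    """Deterministic byte encoding of every field the MAC protects (all but 'mac')."""
    fields = {k: v for k, v in msg.items() if k != "mac"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign(msg, key=KEY):
    """Sending bank: attach a MAC computed over the message, sequence number included."""
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return dict(msg, mac=tag)

class ReceivingBank:
    """Receiving bank: verify the MAC, enforce a strictly increasing sequence number per
    sender, and only then post the (non-revocable) credit to the named account."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = {}      # sender -> highest sequence number accepted so far
        self.posted = []        # honored instructions
        self.rejected = []      # (reason, seq) for refused messages

    def receive(self, signed):
        expected = hmac.new(self.key, canonical(signed), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("mac", "")):
            self.rejected.append(("bad-mac", signed.get("seq")))
            return False
        if signed["seq"] <= self.last_seq.get(signed["from"], 0):
            self.rejected.append(("replay", signed["seq"]))
            return False
        self.last_seq[signed["from"]] = signed["seq"]
        self.posted.append({k: v for k, v in signed.items() if k != "mac"})
        return True

def demo():
    """A constructed exchange; returns (number honored, rejection reasons in order)."""
    bank_b = ReceivingBank()
    legit = sign({"from": "BANKA", "to": "BANKB", "seq": 1,
                  "credit_acct": "4711", "amount": 2_500_000, "ccy": "USD"})
    bank_b.receive(legit)                              # genuine: honored
    bank_b.receive(dict(legit, amount=25_000_000))     # altered in transit: MAC fails
    bank_b.receive(legit)                              # replayed: sequence check fails
    forged = sign({"from": "BANKA", "to": "BANKB", "seq": 2,
                   "credit_acct": "9999", "amount": 9_000_000, "ccy": "USD"})
    bank_b.receive(forged)                             # forged with the key: honored
    return len(bank_b.posted), [reason for reason, _ in bank_b.rejected]

if __name__ == "__main__":
    print(demo())   # (2, ['bad-mac', 'replay'])
```

Nothing in the verification distinguishes a message produced by the legitimate sending system from one produced by an intruder who has reached that system or its key; both carry a valid MAC and the next sequence number. Once the credit is posted it is non-revocable, so the only remaining defense is how quickly the receiving and sending banks reconcile what was actually instructed.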
If such problems are possible simply through incompatible
systems and internal or personal mistakes, the danger of exploiting the system for
information warfare is tremendous. In the case above, by the time the irregularities were
detected, tracked down, and solved, a major information strike that utilized illegitimate
messages and other means could have been already completed with disastrous consequences.
Together, attacks like these on SWIFT, CHIPS, and Fedwire, or utilizing their weaknesses
when attacking individual banks, have the potential to spread the effects of an attack
throughout the industry.
Further Vulnerabilities: Dynamism and Perception
The international banking sector, and the banking industry
as a whole, share two additional vulnerabilities that a potential attacker might exploit
in designing an information strike. These are the very dynamism and speed at which the
industry operates, and its dependence on perception. The dependence on perception is
perhaps the single greatest threat to banking.
Because of the speed at which the industry operates, no
single bank can afford to close its doors long enough to try to sort out the effects of an
attack. Every day, the rest of the industry continues conducting business and transmitting
uncounted transactions. If a bank tried to shut down, the backlog of waiting transactions
would grow geometrically from day to day. Eventually processing them would become
impossible. Putting those transactions on hold would also alienate customers, drive away
capital, and cause as much difficulty as the IW attack. The result is that banks must
likely stay open while attempting to clean up an information strike. This leads to a
possibility that the effects could get worse as the bank attempts to conduct business with
corrupted systems. It also introduces the possibility that an attacker may leave viruses
or logic bombs to continue the damage after the initial attack.
Even the Federal Reserve would have difficulty declaring
an artificial bank holiday to give the industry time to correct the crisis. The rest of
the international financial system would continue, payments in the US would effectively be
halted, and individuals and corporations would find themselves without capital. This is
especially true considering the small amount of cash left in the modern economy. Today,
cash covers about one percent of total transaction values in the US; this is totally
incapable of sustaining the economy. Even a few days would be burdensome. Anything beyond
a week would cause economic disaster as firms and people run out of funds to pay for basic
operating expenses and the necessities of life.
Checks might fill some of the vacuum, but they are not
legal tender. The monetary value of checks might disappear during an attack, as people
doubt an issuing bank's ability to pay. Additionally, in the near future checks are
likely to slowly fade away, as they are eclipsed by electronic technologies such as debit
and smart cards. The result is that banks will have little time to correct the results of
a strategic IW attack.
Banks face their greatest danger from an information
strike in public perception, however. The possibility that public perception during
an information strike could precipitate an even greater crisis is the single largest
potential of a strategic information strike on the banking industry. An attacker
could use public perception to create a panic and potentially cause a collapse similar
to that of the 1930s.
The main cause of the bank runs during the Great
Depression was a distrust of the security of the banking system. Safeguards such as the
Federal Deposit Insurance Corporation's (FDIC) deposit insurance and Federal Reserve regulations have
assuaged this problem, as the recent Savings & Loan (S&L) crisis amply
demonstrated (the failure was severe, but because of government safeguards, the public
trusted the banking system and didn't perceive the full scope of the problem). Their
greatest value is not in securing the American banking system, but rather in assuring the
global public of its security. The complex paradox of the modern financial system is that
as long as people believe that a government or governments can handle a crisis, those
institutions usually can. The banking industry depends then on public perception of its
health and security to maintain it.
The American public put the S&L fiasco down to
criminal incompetence on the part of bankers. People and institutions believe that their
own bank officials are competent--otherwise he or she would not use that institution. It
is the same mindset that the American people use to reelect incumbents while complaining
bitterly about politicians. The result is that the general American public believes their
money is safe in bank accounts--the mattress-stuffing behavior of the Great Depression
generation is gone from the American psyche, which is good for banks, fund liquidity, and
banks ability to deal with financial crises.
IW commits an end run around the safeguards that have been
sufficient to maintain this perception of security. First, if an information strike is
successful against a major US bank, or against a number of large banks, it demonstrates
that even the most sophisticated systems are vulnerable. The issue is then the ability of
even the most competent professionals to safeguard accounts. Second, incompetence
isn't contagious--an IW attack may be, in terms of spreading through the banking
system, corrupting one system after another. Finally, the greatest assurance of security
in the mind of the public--bank deposit insurance under the FDIC system--depends on
accurate records in order to know how much each person lost when the bank failed. The
integrity/safety of those records is unlikely in an IW attack.
The greatest danger public perception poses is not from
the individual American consumer, however. Rather, it is from the large international
corporations and institutions that have great sums of capital invested in American dollar
accounts. In the case of a serious, widespread American financial crisis, these
institutions would likely try to cut their losses by moving capital out of the country
into other currencies. This would have the dual effect of collapsing the American dollar,
and collapsing major American banks that hold these accounts.
For example, assume that Mitsubishi has a billion dollar
account with Citibank, and worried by the indications of a major American crisis, orders
Citibank to convert those dollars to deutschmarks, yen, pounds, or any other convertible
currency in order to move their funds out of the US. Citibank, even if untouched by the
information strike that touched off the financial crisis, simply may not have such capital
immediately available. It would likely become insolvent, especially if other customers
were making similar demands. Even if Citibank could deliver Mitsubishi's funds,
attempting to find buyers for billions of American dollars would drive foreign exchange
rates down and lower the international value of the American dollar. Multiple institutions
attempting the same transactions would collapse the American dollar in an unprecedented
way.
The international implications of such a large-scale
currency collapse are staggering. The American dollar is still considered the most
dependable currency in the world, and more assets are denominated in dollars than in any
other currency. Should a currency collapse occur, literally trillions of dollars in
international assets would disappear. Such a crisis might make the New York Stock Exchange
Crash of 1929 and subsequent bank runs look mild by comparison. This is the true potential
of the negative spiral that could be induced by an information strike utilizing public
perception.
A Possible Scenario: International Chaos
In 1994, following a spurt of literature on information
warfare in American and Russian professional military journals, the People's
Liberation Army of China activated an IW cell to evaluate and prepare China for
information warfare. As part of this preparation, a program was put in place to prepare an
information strike against the Group of Seven industrial nations. Primary focus was on the
United States, as the foremost economy and financial system. The program's designers
emphasized that any such attack would have far-reaching effects, and rebound against China
as a major US trading partner. It was never meant to be used. . . .
In July 1997, during the succession struggles following
Deng Xiaoping's death, deeply reactionary elements in the PLA and Communist Party
activated the American part of the program in an effort to cause global chaos and
discredit their rival internationalist factions vying for power.
On July 12th, at 1015 hours, personnel at five
major American banks uploaded and executed programs onto their banks' networks, as
they had been paid to do two years prior. Within thirty minutes, the programs had gained
access to the cash management systems at each bank, and began executing a multitude of
unauthorized transactions. At the same time, further programs began infiltrating and
gaining control of the multiple nets that together made up those banks' operations
systems. Access was opened to the outside assailants, who further continued to compromise
the network and coordinate the attack.
By 1230, billions of dollars had disappeared through a
multitude of paths: CHIPS and Fedwire transfers, false SWIFT transactions, internal
transfers that disappeared before reaching their destination, accounts which simply
disappeared. The first indications of trouble appeared during an intraday check mandated
by the Federal Reserve, but the scope of the crisis remained hidden.
By 1400, the crisis was becoming more apparent. Customers
were finding themselves without funds. Associated banks that depended on the banks for
CHIPS service were discovering incorrect transactions. Bank officers returning from lunch
were confronted by multiple messages from their clients demanding explanations. Officers
working with accounts were finding problems. Personnel talking over cubicle walls were
beginning to figure out that this was not just their account, but widespread. Questioning
calls were being made to Operations. However, there were still too many people out to
lunch to evaluate the situation, coordinate, and clearly grasp what was happening. Between
1200 and 1500, little but routine business is conducted in the industry.
By 1500, the full scope of the crisis was becoming
apparent. Enough decision-makers had returned from business lunches and various other
activities to start collecting information on a large scale and coordinating efforts. What
they were finding was almost incomprehensible in scope. Personnel were beginning to find
evidence of the logic bombs that had been used. Word of the crisis was growing, as stories
of executives quickly recalled to their desks spread.
By 1530, the chairmen of the five affected banks were
called and apprised of the crisis by Operations. The full situation was still being
explored, but it was becoming obvious three banks had suffered severe damage. Two others
had somehow managed to escape the full effects of the attack through a combination of good
fortune and security procedures. Motives were unknown, but bank robbery or sabotage was
suspected. The chairmen, with an eye to close-of-business, ordered an evaluation of the
banks' positions. The FBI and Federal Reserve were called and apprised of the
situation. Other banks by this time were demanding information and beginning to stop
trading with the affected banks.
By 1600, the banks were beginning to realize just how much
money had disappeared or been illegitimately transferred. Communication between banks was
slowly making it apparent that the sabotage was not isolated to one bank. The worst case
was becoming obvious: the banks would be insolvent at close-of-business, without
enough money to settle daylight overdrafts. The chairmen were notified of their likely
insolvency. The chairmen asked that the situation be cleared and the needed funds found by
1700.
By 1715, the chairmen of the affected banks were apprised
that the banks were not going to find the necessary funds to settle. The chairmen called
the New York Fed President and the Federal Reserve Board Chairman to report their
situation. The Fed Chairman immediately ordered that CHIPS be kept open past
close-of-business as the banks attempted to clear up the crisis and find the missing
funds. At about the same time, additional programs left in the bank began to execute,
crashing large portions of the networks and destroying data.
By 1800, operations were working feverishly to fix the
crisis. Employees at many banks remained at their desks past the end of the day. At a
meeting of the CHIPS member banks, a full report of the situation was made. The artificial
nature of the crisis was confirmed by comparing available records from the day and various
accounts. It became obvious that not only the three main banks were unable to settle, but
also a number of the associate banks whose business they handled and who had also been
affected. The second attack was also reported, and the likelihood that fixing the crisis
would take much longer as a result. The Fed Chairman ordered CHIPS to remain open until
2100 while the banks cleared up their accounts. Word began to reach the rest of the world
that CHIPS had been kept open, indicating some sort of financial crisis.
By 2030, the chairmen of the affected banks had received
reports that the banks were still unable to satisfy their obligations. The chaos caused by
the initial attack, and then the second destructive attack, was simply too much to correct
in so little time. The chairmen called the Fed Chairman to report the news. The Chairman
ordered CHIPS to be kept open until midnight, and another meeting at 2230.
By 2130, word that CHIPS was still open was spreading
through the international financial community. Never before had CHIPS remained open so
late; even during the Banco do Brasil crisis over a decade earlier, the crisis had
been settled by 2100. In London, Paris, Frankfurt, Geneva, and other European financial
centers high-ranking executives were woken up. In Tokyo, fourteen hours ahead, the news
rippled through the foreign exchange markets, depressing the dollar.
By the 2230 meeting, it had become obvious that no matter
how late CHIPS stayed open, the three major banks would be unable to settle, as would a
number of associate banks also affected by the crisis. The issue that now faced the
meeting was how to minimize the crisis. The securities held by the Federal Reserve for
such a contingency were not enough to handle such large multiple insolvencies. The Federal
Reserve had the option of either loaning the remaining amount in order to settle and close
CHIPS, or unraveling the day's CHIPS transactions. Unraveling the day's CHIPS
transactions, never before seriously considered, was pushed by the affected banks that
wanted to clear up their positions. The Chairman chose to lend the remaining money and
then close CHIPS and the insolvent banks pending correction of the crisis.
When the news was announced when the meeting ended at
2345, the international tumult became full blown. The heads of seven major national banks
and the Bank of International Settlements were demanding explanations. Most financiers
were awake by this time in Europe and starting to react to rumors. All that was known was
that an unprecedented crisis was occurring in the US financial sector. The American dollar
was plummeting on international exchanges in response to rumors. A number of international
institutions were attempting to move capital from American dollars to other currencies. The
news of the closing of three major American banks sent shockwaves through the
international community. The dollar plummeted even further, causing trillions of dollars
in assets to vanish. Upon the opening of the European exchanges, the crisis spread even
further. Trading in dollars had to be suspended across Europe by midmorning.
Attempting to cut their losses, major international
customers ordered their American banks to convert their accounts to other currencies.
These demands caused many of the healthy American banks that had escaped the crisis the
day before to become insolvent. The crisis spread further, and a number of other
institutions began to fail under the strain. The value of the American dollar collapsed
even further.
The President was awoken early the next morning to news of
the night's disaster. By midmorning that day, the Fed Chairman was forced to order a
bank holiday, closing the American financial system and stemming the losses. Meetings with
the heads of state, national banks, and Treasury minister were arranged for later that
day, or the next morning. By that time, trillions of dollars had been lost. Financial
institutions throughout the world were failing from the collapse of the American currency.
The global financial system was on the verge of collapse.
A Likely Scenario?:
Written above is a worst-case scenario. It is likely that
bankers involved would anticipate the results of such a crisis, and take actions to head
it off during the night. Even this might only stem losses, however. The collapse of the
American dollar and banking system would still be possible, as would subsequent
international crises caused by the sudden closure of the American system, and the losses
suffered by major institutions the day before. And the scenario does not consider the
effects of such a crisis on other portions of the financial industry, such as the major
stock and futures markets. The securities industry might not be greatly affected, but it
is more likely that the complex interactions between the commercial and investment banking
industries would exacerbate the crisis.
At the very least, the developed world would be too
pre-occupied with handling the crisis as the Chinese reactionaries took control, North
Korea invaded South Korea, Iran launched an attack on Saudi Arabia, or some other
scenario. It is likely that only a rogue state, madman, or terrorist group would attempt a
strike against the American financial system, because of its far-reaching effects. For
these groups, however, an IW strike against American finance is an ideal attack.
It is also important to note that a similar attack against
another infrastructure, such as telecommunications or transportation, might be effective
as well, without as many international implications. The United States needs to be
prepared for any of these attacks.
Finally, the use of a financial information strike is not
limited to the United States. Many other developed countries are almost as vulnerable, and
will continue to become more so as their information infrastructures become more complex.
Indeed, for smaller nations, the financial attack is ideal, for the effects would be just
as great for that nation, while affecting the international system less than would
attacking the linchpin of the world economy that is the United States.
An attack on the banking structure, combining attacks on
interbank systems with large-scale attacks on individual banks, could
conceivably leave the largest banks in the United States suddenly
insolvent at the end of a day, with interbank systems corrupted, internal records in
disarray, funds lost, and no one sure what happened or where to start. There is no real
certainty as to what might happen at that point. There may only be a small effect that
requires weeks of sleepless nights by involved personnel, while the US economy rolls on.
On the other hand, a large enough attack might create
enough damage to eventually cause a chain reaction and, potentially a meltdown, first in
the financial community, then the general economy, as everyday payments stop. The effects
might make the bank failures of the Great Depression look mild by comparison. There is no
way to know--the banking system is terribly complex, and no in-depth study of projected
results is known. In the authors opinion, however, the potential for damage is
great. There are tremendous safeguards and redundancies built into the banking system, but
beyond a certain threshold of damage, it is likely that the very complexity of the banking
system and its vital importance to the American economy would cause an uncontrollable
reaction, with disastrous
consequences.
Solutions to Financial Vulnerability:
The information age, like the nuclear age, has come and
will never leave. Instead, society will always face the threat of an information strike,
and must learn to live with it as it has the nuclear umbrella. Society's institutions
must adapt in a permanent way to incorporate information security into basic daily
operations. There are no silver bullets in information security operations--instead, a
constant vigilance is necessary. This must be done through upgraded technology and
modification of organizational structures.
In the case of international banking, the scenarios
developed above make it obvious that the speed and complexity of modern funds transfers
has far outstripped the ability of current auditing schemes to keep up. In addition, the
development of information warfare dictates the need for more vigilant monitoring
and security systems to guard against sophisticated attack. While a sophisticated
terrorist group or foreign government can mount many forms of attack, electronic attack is
the most likely. Special operations (physical force) are possible, but unlikely,
and only the federal government truly has the resources to defend against them. The use of
inside personnel is very likely, but can be combated through more stringent security
checks, and greater checks on authority within banks' computer networks.
That leaves the Byzantine system of separate internal bank
networks and inadequate monitoring, open to electronic attack and penetration, as
banks' greatest vulnerability. The anonymity, cheapness, and global range of electronic
attack make it the most likely tool of such a strategic attack. The author suggests the adoption of a
decentralized security system spanning the industry, in which each bank is responsible for
its own security and the security of its interactions with other institutions.
Specifically,
- An initiative to push the development of internal, real-time
automated auditing/monitoring systems (RAMs) to track account databases,
transactions, and fund transfers for questionable activity. This would allow
second-to-second monitoring of all funds within the bank, as well as funds moving between
two banks, enabling real-time detection of errors, fraud, or attacks.
- Develop intrabank security centers (ISCs) to
provide a birds-eye view of all fund activity within a bank to appropriate officials. This
would give banks the ability to quickly and actively detect these attacks and correct the
situation. These ISCs would monitor all internal bank activity, as well as any
direct interbank transactions through cooperation with the other banks ISC. The ISC
would apply human judgment and control of an evolving crisis.
- Combine the RAM and ISC with an operational control
capability of the banks internal networks and fund transaction systems to create an integrated
security intrabank system (ISIS) that has the eyes and ears to detect an attack,
human judgment to organize and coordinate against it, and the network control muscle to
defeat it.
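As an added illustration of the real-time automated monitoring proposed in the first item above (not code from any bank, from CHIPS, or from the author), the Python below runs two second-by-second checks over a constructed stream of transfer events: a velocity check that flags an account sending more value within a sliding window than its baseline allows, and an aging check that flags an outgoing instruction still unconfirmed after a few minutes rather than after a multi-day reconciliation run. Account names, timestamps, amounts and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed event stream and thresholds for illustration only; the account names,
# timestamps, amounts and limits are assumptions, not data from any bank.

@dataclass(frozen=True)
class Event:
    t: int        # seconds since start of day
    kind: str     # "sent" = outgoing instruction released; "confirmed" = counterparty credit confirmed
    ref: str      # transfer reference
    account: str  # originating customer account
    amount: int   # dollars

class RealTimeMonitor:
    """Two checks a real-time automated monitor (RAM) could run on every event:
    velocity - total value sent from one account inside a sliding window exceeds
               the baseline limit set for that account;
    aging    - an outgoing instruction has had no confirmation after max_age seconds."""

    def __init__(self, window=60, velocity_limits=None, max_age=300):
        self.window = window
        self.velocity_limits = velocity_limits or {}   # account -> max value per window
        self.max_age = max_age
        self.recent = defaultdict(deque)   # account -> deque of (t, amount) inside the window
        self.open = {}                     # ref -> (t_sent, account, amount) awaiting confirmation
        self.alerts = []

    def _sent_in_window(self, account, now):
        q = self.recent[account]
        while q and now - q[0][0] > self.window:
            q.popleft()
        return sum(amount for _, amount in q)

    def feed(self, ev):
        """Process one event in arrival order; alerts are appended as they are detected."""
        if ev.kind == "sent":
            self.recent[ev.account].append((ev.t, ev.amount))
            self.open[ev.ref] = (ev.t, ev.account, ev.amount)
            total = self._sent_in_window(ev.account, ev.t)
            limit = self.velocity_limits.get(ev.account)
            if limit is not None and total > limit:
                self.alerts.append(("velocity", ev.account, ev.t, total))
        elif ev.kind == "confirmed":
            self.open.pop(ev.ref, None)
        # The aging check runs on every event, so a stalled transfer is noticed as soon
        # as any later activity advances the clock.
        for ref, (t_sent, _, amount) in list(self.open.items()):
            if ev.t - t_sent > self.max_age:
                self.alerts.append(("unconfirmed", ref, ev.t, amount))
                del self.open[ref]   # alert once, then hand the case to the security center
        return self.alerts

STREAM = [
    Event(0,   "sent",      "T1", "CORP-1", 1_000_000),
    Event(30,  "confirmed", "T1", "CORP-1", 1_000_000),
    Event(100, "sent",      "T2", "CORP-1", 2_000_000),
    Event(110, "sent",      "T3", "CORP-1", 2_500_000),   # burst begins
    Event(120, "sent",      "T4", "CORP-1", 3_000_000),   # 7.5M inside 60 s: over the 5M baseline
    Event(130, "confirmed", "T2", "CORP-1", 2_000_000),
    Event(500, "sent",      "T5", "CORP-2", 50_000),      # T3 and T4 still unconfirmed after 300 s
]

def run(stream=STREAM):
    """Feed the stream to a monitor with CORP-1 limited to $5M per 60 s; return the alerts."""
    monitor = RealTimeMonitor(window=60, velocity_limits={"CORP-1": 5_000_000}, max_age=300)
    for ev in stream:
        monitor.feed(ev)
    return monitor.alerts

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The velocity alert fires at t=120, ten seconds into the burst, and the two unconfirmed transfers are raised at t=500, well inside the business day; in the paper's terms the monitor is what gives the intrabank security center something to act on while the attacker is still present and the day's settlement can still be influenced.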
The decentralized aspect of this proposal has three major
advantages. Foremost, it mirrors the organization of the international financial sector as
a whole. As such, it will be compatible with current or future monitoring systems in
CHIPS, SWIFT, or the Federal Reserve. It will also be both compatible with, and a strong
building block of, any future national IW defense system, should one be deemed necessary.
Secondly, it divides security responsibility into portions manageable and able to be
implemented by individual institutions. This makes decisive action to correct today's
dangerous vulnerabilities likely, rather than delaying while awaiting the completion of a
drawn out, centrally designed, and standardized process. Third, it protects proprietary
monetary information, which has its own value to financial institutions. Thus, the
proposed security apparatus conforms to the needs of the industry, and avoids the creation
of a costly, centralized security bureaucracy that on the international scene may pose a
threat to national sovereignty.
Real-time Automated Monitoring:
Intrabank real-time automated auditing/monitoring
is the necessary foundation on which any defense against information strikes must be
built. Current transaction monitoring systems, both intra- and interbank, are designed to
catch natural (i.e. not intentionally caused) or fraudulent errors. As such, the auditing
systems operate on multi-day or multi-week time scales. This is acceptable for catching
conventional operational problems that cause unexpected fund activity (e.g. unintended
fund payments/receipt of payments, or the lack thereof) before serious harm is incurred.
Any naturally dropped payments are likely to cause simple compensation or overdraft
penalties, unlikely to seriously hurt the bank's position or the banking system. Fraudulent
activity is likely to occur either subtly or over extended periods of time in order to
avoid notice, retrieve the stolen funds, and succeed with the crime. For example, the
infamous St. Petersburg attacks on Citibank occurred over a span of five months.
However, a two-to-three day lag in error detection and
correction is unacceptable in an age of information strikes, characterized by
lightning-fast attacks where the attacker rapidly disappears. For one, the perpetrator is
likely long gone by the time the transaction errors are detected. Secondly, the attack is
likely to commit intense damage within a short period of time. The attacker's actions
are not limited by the need to retrieve funds, as they are in fraud; instead, his likely
objective is to destroy or cripple the targeted system to wreak havoc or destruction. Even
long-term attacks, prepared over weeks or months, are likely to be executed within minutes
or hours.
Operating under such parameters, the attacker will attempt
to cause enough damage before detection so as to make quick correction impossible. The
window of attack then becomes the lag time in system monitoring, and the longer the gap,
the more probable the attacker will accomplish his goals. Eliminating that window makes
the attacker's mission much more difficult.
Current technology supplies the ability to build a system
that could monitor the second-to-second movement of funds within a bank organization, and
use available analysis tools to sift for suspicious patterns in fund or account activity
that might point to a network intrusion. The development of real-time automated
auditing/monitoring systems (RAMs) would allow much more in-depth and
comprehensive monitoring than is possible with current technology and manpower. This would
tremendously reduce the window that the IW attacker operates within in terms of time and
security.
A real-time system is predicated on the automation of
transaction record entry. Currently, data is often entered into corporate ledgers manually
from a multitude of sources--faxes, phones, telexes, and mail. Because of this limitation,
the New York Foreign Exchange Committee still seeks to reach an industry-average, daily
reconciliation of accounts. Within that period, a deeply destructive attack could easily
be accomplished. Current technology is already automating the transaction process;
automated record keeping is an easy addition, and makes real-time monitoring possible.
Real-time systems already exist to a limited extent on the
interbank level, such as in the CHIPS network, where the speed of fund transactions makes
it utterly essential. The extensive employment of such RAMs throughout the industry
would create the time necessary for banks to catch up with unauthorized fund transfers
before the money has spread so much as to make correction difficult.
A RAM would use computers' natural strengths in data
processing and pattern recognition to sift through the tremendous amounts of customer
accounts and fund transactions for questionable activity. It could use any number of
suspect profiles that the bank feels important or indicative of intrusion. Some possible
examples include (but are not limited to):
- Macrofund movement: Large changes in the entire
reserves of the bank. These might be caused by massive tampering with the bank's systems,
causing either massive fund transfers or simple disappearance of funds from accounts.
- Non-transaction account changes: Changes in accounts
of customers without attendant transactions. This might indicate a serious breach of
integrity in the mission-critical account databases that the bank's business depends
on.
- Non-congruent pattern shifts: Changes in the pattern
of activity in a single account. For instance, if GM regularly transfers $200 million on
the first of the month to an account in Europe, and instead transfers $300 million, or
transfers $200 million on a different date or to a different account, a change in the
pattern of activity for the account occurred.
- Microfund movement: Transactions of extremely small
amounts, such as tenths of a cent. For instance, the removal of a hundredth of a cent from
multiple accounts or transactions.
- Random Sampling: A random check of every tenth,
hundredth, or thousandth transaction or account to monitor overall system integrity. The
ratio of transactions or accounts monitored could be set to balance security needs against
system load, and changed to meet the bank's changing security environment (i.e., in a
high-threat environment, while under attack, the bank could reduce the ratio to increase
security at the expense of slowing down the bank's transaction systems).
- Large-fund movement: Monitoring of all transactions
above a certain limit (e.g. above $100 million).
These suspect profiles may detect simple changes in
customer behavior, system or operator errors, fraud, or a systemic information strike.
Acting as a filter, they would allow an operator to make a final human judgment and take
appropriate actions. In addition, a RAM would have the ability to trace any transaction
within the bank, and to another bank during an interbank transaction, while a human
operator is making a decision on its authenticity. While tracing is not currently feasible
for every single transaction, it would be quite possible for transactions flagged by
suspect profiles.
Finally, patterns and activity developed by an automated
real-time system could be stored in special databases for later analysis. This might lend
further understanding of modern fund activity, allow the development of security
scenarios, keep records from which to recover accounts after an attack, help develop
better security and other operational policies, or create additional highly profitable
data-mining capabilities.
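The suspect profiles listed above can be written as filters over a ledger stream. The following Python is an added example and not code from the paper: the event layout, the sample balances and history, and every threshold (a 10% movement of total reserves, a 10% departure from an account's usual amount, a $100 million large-fund limit) are constructed for illustration. It applies each profile to one constructed batch of events and returns the hits as the queue a human operator then judges, which is the filter-then-judgment division the paper describes; the sampling ratio is a parameter so that it can be lowered under a high-threat condition.

```python
from decimal import Decimal
from random import Random

CENT = Decimal("0.01")

# Constructed sample input (not real bank data). Each event is
# (event_id, account, amount, counterparty, day_of_month); negative = outflow.
EVENTS = [
    ("t1", "GM-OPS", Decimal("-300000000.00"), "EU-ACCT-1", 1),  # usual is 200M
    ("t2", "RETAIL-7", Decimal("-0.001"), "SWEEP-X", 1),          # a tenth of a cent
    ("t3", "RETAIL-8", Decimal("-0.001"), "SWEEP-X", 1),
    ("t4", "TREASURY", Decimal("-150000000.00"), "BANK-B", 1),
    ("t5", "RETAIL-9", Decimal("-45.20"), "GROCER", 1),
]
# Account balances at start of day and as the account database now reads.
BALANCES_BEFORE = {
    "GM-OPS": Decimal("500000000.00"), "TREASURY": Decimal("900000000.00"),
    "RETAIL-7": Decimal("100.00"), "RETAIL-8": Decimal("100.00"),
    "RETAIL-9": Decimal("60.00"), "RETAIL-10": Decimal("1000.00"),
}
BALANCES_AFTER = {
    "GM-OPS": Decimal("200000000.00"), "TREASURY": Decimal("750000000.00"),
    "RETAIL-7": Decimal("99.999"), "RETAIL-8": Decimal("99.999"),
    "RETAIL-9": Decimal("14.80"), "RETAIL-10": Decimal("0.00"),  # emptied, no event
}
# Established behaviour per account: (amount, counterparty, day) from past months.
HISTORY = {"GM-OPS": [(Decimal("-200000000.00"), "EU-ACCT-1", 1)] * 6}


def macrofund_alert(before, after, max_fraction=Decimal("0.10")):
    """Macrofund movement: the bank's total reserves moved by more than max_fraction."""
    total_before = sum(before.values())
    total_after = sum(after.values())
    if total_before == 0:
        return total_after != 0
    return abs(total_after - total_before) / total_before > max_fraction


def non_transaction_changes(before, after, events):
    """Non-transaction account changes: balances that moved with no matching event."""
    expected = dict(before)
    for _, acct, amount, _, _ in events:
        expected[acct] = expected.get(acct, Decimal(0)) + amount
    return sorted(a for a in after if after[a] != expected.get(a, Decimal(0)))


def pattern_shifts(history, event, tolerance=Decimal("0.10")):
    """Non-congruent pattern shift: which of amount, counterparty or day departs
    from the account's established behaviour. Empty list means no shift."""
    _, acct, amount, counterparty, day = event
    past = history.get(acct)
    if not past:
        return []  # no baseline for this account yet
    shifted = []
    usual_amount = sum(a for a, _, _ in past) / len(past)
    if usual_amount != 0 and abs(amount - usual_amount) / abs(usual_amount) > tolerance:
        shifted.append("amount")
    if counterparty not in {c for _, c, _ in past}:
        shifted.append("counterparty")
    if day not in {d for _, _, d in past}:
        shifted.append("day")
    return shifted


def is_microfund(event):
    """Microfund movement: an amount finer than one cent (e.g. a tenth of a cent)."""
    amount = event[2]
    return amount.quantize(CENT) != amount


def is_large_fund(event, limit=Decimal("100000000")):
    """Large-fund movement: any transaction above the limit (assumed $100 million)."""
    return abs(event[2]) > limit


def random_sample(events, one_in_n, seed=0):
    """Random sampling: select about one event in every one_in_n for a full check.
    Lowering one_in_n raises coverage at the cost of system load."""
    rng = Random(seed)
    return [e for e in events if rng.randrange(one_in_n) == 0]


def run_ram(events, before, after, history, one_in_n=10):
    """Apply every profile; the result is the queue a human operator then judges."""
    shifts = {}
    for e in events:
        fields = pattern_shifts(history, e)
        if fields:
            shifts[e[0]] = fields
    return {
        "macrofund": macrofund_alert(before, after),
        "non_transaction": non_transaction_changes(before, after, events),
        "pattern_shift": shifts,
        "microfund": [e[0] for e in events if is_microfund(e)],
        "large_fund": [e[0] for e in events if is_large_fund(e)],
        "sampled": [e[0] for e in random_sample(events, one_in_n)],
    }


if __name__ == "__main__":
    for name, hits in run_ram(EVENTS, BALANCES_BEFORE, BALANCES_AFTER, HISTORY).items():
        print(f"{name:16s} {hits}")
```

On the constructed batch the filter raises a macrofund alert (about a third of reserves moved), flags RETAIL-10 as emptied without any transaction, reports t1 as a pattern shift in amount only, and lists t2 and t3 as microfund and t1 and t4 as large-fund movements. Balances are held as Decimal rather than float so that a tenth-of-a-cent movement is preserved exactly instead of rounding away.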
Central Control and the ISC:
The intrabank security center fulfills the need for
a guardian of a bank's network systems. This recognizes the more general principle of
risk management, which posits that it is impossible to build an impervious computer
system. Instead, dynamic and proactive protection of interconnected information systems is
necessary.
A military application of this principle is the proposed
need for an IW officer on each E-8 Joint STARS in order to prevent intrusion and
manipulation by the enemy, while still maintaining the accessibility that permits ground
forces to leverage the system to full capability.
The ISC concept does this for the much larger and more
complicated banking industry. It follows general industry risk management recommendations
to separate Sales & Trading (the business of banking) from Operations (the underlying
bank systems that hold accounts and process transactions). The ISC creates a permanent
central internal bank agency responsible for all aspects of fund and account security
within the bank, and between banks during a direct transaction with another. The ISC would
control detection, coordination, and prevention of intrusions. It would formulate, guide,
and implement network security issues within the bank. It would also confirm transactions
within a bank and with other banks, and cooperate with other institutions in dealing with
unauthorized interbank transactions or a widespread information strike. In effect, it
would centralize a number of now disparate activities to improve security.
Recent events, such as the attacks on Citibank,
demonstrate the need for such an organization. After the first attacks, Citibank set up a
command center to monitor the attacks, trace the attacker, stop the illegal transactions,
and coordinate industry and law-enforcement action. Had a center existed before the
attacks, they might have been detected and stopped faster. If the perpetrators had been
focused on attack rather than thievery, with the access they had, it is possible they
might have driven Citibank to disaster in minutes or hours.
The ISC would use the real-time automated
auditing/monitoring system as its central tool to accomplish its security
responsibilities. In essence, the RAM system gives the security center a bird's-eye
view of the evolving funds transaction/security situation within the bank. The ISC would
maintain a second-by-second view of the fund flows within the bank through the RAM's
automated up-to-date record keeping. This would make immediately obvious any macro changes
in bank activity to ISC personnel. In addition, the RAM's profile filters would
provide ISC personnel an in-depth view of fund activity with minimal manpower (see Figure
2).
The Dynamic Protection of ISIS:
The integrated security intrabank system combines
the RAM and ISC with the ability to operationally control the bank's networks to
create an effective defense and response method to attacks. The combined system uses the
RAM to detect a breach and operational control to respond to one, with the ISC directing
the response by providing central control, coordination, and human judgment. During an IW
attack on a bank, its ISC personnel would quickly detect a breach of integrity by noticing
peculiar macro activity and/or an increase in filtered notifications of specific activity;
notify the rest of Operations and the S&T group, national security and regulatory
authorities, and law enforcement; and quickly implement crisis management procedures.
These might be directed towards recording all activity for later evidence and recovery
operations, detecting the source of intrusion, eliminating the attacker's access, and
implementing a "hot pursuit" to discover from whom and where the attack is
originating for law enforcement or retaliatory measures.
During a crisis, the ISC might cancel all filtered
transactions pending later examination, temporarily cancel all S&T activity, or
isolate such actions to the area of attack while working to insulate "clean"
regions from the attack. Whatever the crisis management procedures, the defense would be
dynamic, real-time, and proactive from the first moments of attack, rather than the damage
being the first sign of crisis.
While ISIS's value is obvious on the intrabank level,
where it has complete sight and control, its potential is just as great at the interbank
level, both domestically and internationally. Whether fund transfers are conducted over
Fedwire, or through credit/debit instructions transferred via SWIFT and CHIPS, fund
transfers in the banking system can be thought of at the most basic level as bilateral
transactions. Because of this, communication between two parties' ISCs can
protect the integrity of interbank fund transfers.
When a transfer is made, the sending bank's ISC could
contact the ISC of the receiving bank and send information on the transaction (amount,
time, source, destination, etc.). The receiving ISC would accept the information, monitor
the transaction from its end, compare information, and send a confirmation to the
originating ISC. Should the transaction get dropped or confused at some point, or the
interbank payment system compromised, the two ISCs would detect a difference in the
transaction from one end to the other, and cooperate to isolate the irregularity (see Figure
3).
In addition, should an interbank fund transfer be flagged
as suspicious, one ISC could request the other track the transaction through its network.
Should the transfer split from there and travel to still other banks, the cooperating bank
could then specify the third-party recipients to the originating ISC, which could then
establish new bilateral relationships and continue the trace. Should the transaction be
determined to be illegitimate, the final recipients' ISCs could assert
operational control, cancel further transactions, and return the funds or reconcile
accounts, depending on the payment system and time involved.
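The bilateral exchange described above, as an added example that is not part of the paper: two ISC roles written in Python exchange a transaction record and compare it field by field. The record layout, the reference number, and the shared-key HMAC used to authenticate the messages are assumptions (the paper does not say how two ISCs would key their link); the key below is a placeholder and the three cases are constructed. They show a transfer that matches at both ends, one whose amount and destination were altered between the banks, and one the receiving network never booked, which is the difference the two ISCs are meant to detect when the interbank payment system is dropped or compromised. A reply that fails authentication is rejected outright rather than being read as a mismatch, so that a message forged on the network cannot itself drive the reconciliation.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed: the two ISCs share a symmetric key provisioned out of band. Placeholder value.
SHARED_KEY = b"placeholder-isc-pairing-key"

# Constructed transaction as the sending bank's ISC recorded it (not real data).
SENT = {
    "ref": "TX-0001",
    "amount": "200000000.00",
    "currency": "USD",
    "source": "BANK-A/GM-OPS",
    "destination": "BANK-B/EU-ACCT-1",
    "value_date": "1997-10-01",
}
# Three constructed views of what the receiving bank's own network booked.
CLEAN_LEDGER = {"TX-0001": dict(SENT)}
TAMPERED_LEDGER = {"TX-0001": {**SENT, "amount": "300000000.00",
                               "destination": "BANK-B/OTHER-ACCT"}}
EMPTY_LEDGER = {}


def seal(payload: dict) -> dict:
    """Canonical JSON plus an HMAC so the other ISC can verify origin and integrity."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "mac": hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()}


def open_sealed(msg: dict) -> Optional[dict]:
    """Return the payload if the MAC checks, else None (constant-time comparison)."""
    expected = hmac.new(SHARED_KEY, msg["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return None
    return json.loads(msg["body"])


def receiving_isc(request: dict, own_ledger: dict) -> dict:
    """Receiving bank's ISC: authenticate the sender's notice, look the reference up
    in what its own network booked, and reply with a sealed copy of that record."""
    claim = open_sealed(request)
    if claim is None:
        return seal({"error": "unauthenticated request"})
    booked = own_ledger.get(claim["ref"])  # None when the transfer never arrived
    return seal({"ref": claim["ref"], "booked": booked})


def sending_isc(sent: dict, reply: dict) -> dict:
    """Sending bank's ISC: authenticate the reply, then compare field by field."""
    answer = open_sealed(reply)
    if answer is None:
        return {"status": "reject", "reason": "reply failed authentication"}
    if "error" in answer:
        return {"status": "reject", "reason": answer["error"]}
    if answer["booked"] is None:
        return {"status": "dropped", "fields": []}
    diffs = sorted(k for k in sent if sent[k] != answer["booked"].get(k))
    return {"status": "confirmed" if not diffs else "mismatch", "fields": diffs}


def confirm(sent: dict, receiver_ledger: dict) -> dict:
    """One full round trip: sending ISC -> receiving ISC -> sending ISC."""
    return sending_isc(sent, receiving_isc(seal(sent), receiver_ledger))


if __name__ == "__main__":
    for label, ledger in [("clean", CLEAN_LEDGER), ("tampered", TAMPERED_LEDGER),
                          ("dropped", EMPTY_LEDGER)]:
        print(label, confirm(SENT, ledger))
```

The mismatch verdict names the disagreeing fields, which is what the two ISCs would then cooperate to isolate; the tracing of a transfer that splits onward to third banks would repeat this exchange along each new bilateral link.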
The establishment of ISIS systems, combining real-time
monitoring, central control, and operational control capability (i.e. the ability to stop
transactions), that can communicate creates a decentralized security system for the entire
banking industry. It makes independent confirmation, tracing, and cooperation highly
practical. For instance, in the case of an industry-wide information attack, ISCs
could cooperate to isolate the damage to parts of the banking system, much as an ISC would
do internally in the case of an attack. Thus, each bank is responsible for its own
security, and protects information about its own internal working, but together the entire
industry is responsible for collective security.
The means of communication between ISISs is open to
question. Using current interbank networks such as SWIFT would limit costs but might leave
ISIS intercommunication open to corruption should the network's integrity be
breached. On the other hand, a separate ISIS network for ISCs to communicate on
would be very secure, but have additional cost. A third option would be to use the general
telecommunications grid and "virtual private networks" to establish dedicated
links when needed. This would also avoid concentrating the data pathways so as to create a
tempting target for attack. The banking industry must determine which approach or
combination to take that optimizes security and cost (see Figure 3).
The ISIS concept is compatible with current structures in
the banking system, and because of its decentralized nature, will likely be compatible
with any future national security organizations. For instance, CHIPS already has
integrated security and real-time monitoring of member banks' accounts and
transactions. The ISIS concept complements rather than interferes with this. Through the
use of bilateral communication between two banks' ISCs, the two banks could
independently confirm transactions that use the CHIPS system. Should CHIPS become
compromised, the bilateral confirmation would detect any unauthorized transactions made by
the payment system. The same is true of Fedwire or SWIFT.
Additionally, should the Federal Reserve or the federal
government establish an information warfare-monitoring center for either the industry or
the nation, the ISIS concept would be an excellent foundation on which to build.
Individual ISCs could communicate the real-time status of their institution to the
monitoring agency, which could then compile all the information into an industry- or
nationwide picture similar to the one developed by the banks' ISIS RAMs.
Implications for National Defense:
ISISs hold a great deal of potential for solving the
security vulnerability within the banking system. However, the promise of the idea goes
far beyond banking, or even finance. The ISIS concept is applicable to nearly every
institution in which interconnection and information security is important. The
combination of real-time monitoring and operational control capability under a
security-devoted organization creates a constant institutional guardian for dynamic
protection and risk management--essential elements of any security system in an age where
there are no permanent answers to security. The idea could be used throughout the United
States in all industries to create a more secure economy in the era of information warfare.
The reader may note that the ISC portion of the ISIS
concept is similar to a military command center. There is no coincidence in this. The ISC
is built to handle crises where time is of the essence; this is applicable throughout
military situations. Secondly, in the ISC corporations are creating an organization to
defend themselves. The US military has neither the time, manpower, nor money to protect
the entire national infrastructure from attack. "There are many information functions
critical to our national security that lie outside the military's defensive
purview." Yet large portions of that infrastructure are vital to the health of the
United States. The military must depend on the private sector to protect the American
homeland from virtual attack while it presents a forward line against physical attack.
Only together can an effective defense be mounted in an age of information warfare.
In addition to being extended to other critical
industries, the ISIS concept is an excellent building block for a national information
warfare defense. While the structure is beyond the scope of this discussion, some sort of
national monitoring agency combining military, intelligence, and law enforcement elements
with a real-time view of the national situation would be an effective deterrent against a
large scale, strategic information strike. With coordination at the national level, an
integrated defense could be executed, and an effective retaliatory strike prepared against
a traced enemy. We take this for granted in traditional national security affairs; why
should it be any different in an information strike? Only with national resources and
coordination are we likely to give the President enough information to act upon. The ISIS
concept provides the basic level of monitoring necessary to build such a national
strategic picture, and the basic level of action to mount an effective defense.
The ISIS concept is not a final solution to the
information age's security/access dilemma. The IW attacker is resourceful and
adaptable; he will eventually find ways around most defenses. This is the basic principle
that originally predicated the need for the ISIS system and a dynamic and proactive
defense. It would be natural then to attack the ISIS system itself. Eventually, the IW
attacker might learn to be successful. This approach would have great potential because
the ISIS system contains both monitoring and operational control of accounts and
transactions. Should the attacker gain access or control of the system, it could be used
directly against the bank while keeping security officials ignorant of the attack.
However, this does not eliminate the value of the system.
ISIS provides yet another line of defense against attack. No matter how confident banks
are of their security measures, the Citibank example shows the potential for attack. A
foreign government or terrorist group prosecuting an attack against the United States is
likely to have many more resources than the Russian civilians that attacked Citibank, with
consequently greater chances of success. Even should ISIS be targeted during an attack,
that is one more layer that must be penetrated and corrupted, and more than one target.
Additionally, the proactive and dynamic nature of the ISIS system makes the success of
ongoing efforts to defend itself as well as the operational systems likely. It also
requires that multiple attacks be initiated to be successful, eliminating some of the lure
of SWIFT and CHIPS. In the end analysis, the ISIS concept provides a reasonable and
practical response to the dangers of strategic information warfare. Combined with
additional awareness of the national security implications of information security in
critical infrastructures, and tough screening of officials, it will be possible to build
with ISIS an international system robust enough to survive in the information age.
Conclusion:
Information and information-based technologies have
emerged as a dominant aspect of life in the modern era. They have changed, and will continue
to change, American society and life. This has been reflected in military affairs by the
advent of information warfare. While often ill-defined, its potential is large. Its
effectiveness is predicated on the growing pervasiveness of information systems, and their
combination around computers to create automated systems ripe for manipulation.
For the United States, the vulnerabilities that
information warfare creates are particularly important, because of the great degree to
which American society depends on information systems. The concept of strategic
information warfare presents a direct threat to the United States, because it obviates
most of America's military advantages. No longer does America's physical
isolation protect it from attack. Nor are large investments required to meet American
military strength. With relatively little money and from anywhere, an enemy can attack the
basic fabric of American life.
Major industries, such as transportation,
telecommunications, and finance are in danger from a strategic information strike. Finance
is particularly vulnerable, because money is essentially information and perception, and
the financial industry is highly interdependent and interconnected. International finance
is especially vulnerable, because of its lack of central regulation and control, and the
large lag times in accountability of transactions. This vulnerability is dangerous for the
health of the United States, because of the vital nature of finance to American
capitalism.
Real-time automated auditing/monitoring systems and
intrabank security centers present a solution with great promise. The real-time aspect
closes the window an IW attacker has to work in, forcing him to instead meet an active and
dynamic defense. The intrabank security center organizes and controls this defense. By
combining real-time monitoring and operational control capability within one organization
devoted to continual information security, the ISIS presents a versatile guardian for the
information age. Because of their internal aspect and limited scope, ISISs are
quickly implemented. But because of bilateral communication, ISISs have the ability
to create a decentralized security system throughout the banking system, without the need
for international organizations that might be a threat to national sovereignty.
Indeed, ISISs can be implemented throughout most
industries for information protection. They can be the basic building block of an
effective, decentralized security system that will prepare the United States for the
Twenty-First Century. Without some sort of system focused on the likelihood of virtual
attack, the United States will remain at the mercy of a double-edged sword, and
information will become our nemesis.
Works Cited
Munro, Neil. "The Pentagon's New Nightmare: An Electronic Pearl Harbor." The Washington Post 16 Jul. 1995. Online. Internet: vislab-www.nps.navy.mil. 21 Sept. 1996.
DiNardo, R. L., and Daniel Hughes. "Some Cautionary Thoughts on Information Warfare." Airpower Journal Winter 1995. Online. Internet: www.cdsar.af.mil. 10 Oct. 1996.
Fedpoints. Federal Reserve Bank of New York. Online. Internet: www.ny.frb.org. 9 Nov. 1996.
Schiller, Herbert I. Who Knows: Information in the Age of the Fortune 500. Norwood: Ablex Publishing Corp., 1981.
Bass, Thomas A. "The Future of Money." Wired Oct. 1996: 140-143, 200-205.
United States. Cong. Office of Technology Assessment. US Banks and International Telecommunications. Washington: US Government Printing Office, 1992.
Clearing House Interbank Payment System--CHIPS. New York Clearing House Association. Online. Internet: www.theclearinghouse.org. 17 Sept. 1996.
Carley, William, and Timothy O'Brien. "Cyber Caper: How Citicorp System Was Raided and Funds Moved Around World." The Wall Street Journal. Online. Internet, National Times: www.enews.com. 18 Nov. 1996.
Passell, Peter. "Fast Money." The New York Times Magazine 12 Oct. 1992: 42-43, 66, 77.
Katz, Stephen. "Global Finance: Protection in the Age of Electronic Conflict." InfoWarCon 5: Electronic Civil Defense for the 21st Century. The Convergence of the Commercial and Military Sectors: Vulnerabilities, Capabilities, and Solutions. Arlington, VA, 5-6 Sept. 1996.
The New York Foreign Exchange Committee. Management of Operational Risks in Foreign Exchange. April 1996. Online. Internet, Federal Reserve Bank of New York: www.ny.frb.org. 18 Oct. 1996.
Bingham, Lt. Col. Price. "Revolutionizing Warfare through Interdiction." Airpower Journal Spring 1996. Online. Internet: www.cdsar.af.mil. 25 Sept. 1996.
Aldrich, Maj. Richard. "The International Legal Implications of Information Warfare." Airpower Journal Fall 1996. Online. Internet: www.cdsar.af.mil. 5 Dec. 1996.
Anonymous. Personal interviews. 12 Sept. 1996-26 Nov. 1996.
McCarthy, Gen. J. P. Personal interviews. 21 Aug. 1996, 15 Oct. 1996, 22 Oct. 1996, 4 Nov. 1996.
Fullerton, Maj. R. L. Personal interviews. 3 Oct. 1996, 15 Oct. 1996, 7 Nov. 1996.
Anonymous. E-mail to the author. 2 Dec. 1996.
Anonymous. E-mail to Gen. James P. McCarthy. 4 Nov. 1996.
Anonymous. E-mail to the author. 7 Oct. 1996.