Attack of the Kung Pao Chicken

The criminals watched with unusual patience.

When the managers walked through the office doors each morning, the criminals were watching. When the interns left for lunch, they were watching. When the CEO came and went with his small army of advisers, they were watching. And when the criminals noticed that employees often ordered dinner from the same lowbrow Chinese delivery restaurant, they struck.

Up to that point the criminals had been unable to penetrate the firm’s systems, which were relatively well built to withstand a ransomware or other cyberattack. The Chinese restaurant’s website was another matter. Built for pennies, it was basically a contact page with a PDF menu. For the hackers it was an obvious Trojan horse, admitted by any hungry employee needing to download the menu.

This tale of a “watering hole” attack, and many others, were detailed by former FBI agent David Chaves at a mid-May hedge fund conference in Austin, Texas. Chaves had been involved with insider trading and financial cybercrime investigations before retiring; he had been invited to the event to regale and inform Texas’s hedge fund elite on both topics.

His PowerPoint slides detailed the sordid particulars of past cases — photos of the stripper girlfriend of David Pajcin, an ex–Goldman Sachs trader caught stealing copies of BusinessWeek magazine before they hit newsstands, for example. Chaves’s message was clear: Be hyperaware of danger, “because you’re where the money is.”

He had excellent timing. Days before, starting on May 12, the WannaCry virus had rattled the world — or, more accurately, more than 300,000 computers in 150 countries. Indiscriminately locking down computers for ransom, the virus took advantage of a basic flaw in Microsoft Windows, the operating system likely used by most of the audience’s hedge fund founders and employees. Yet few in the crowd seemed concerned; they focused on the stripper, not the ransomware.

For a group obsessed with risk, the disinterest was striking. According to Chaves, just 0.04 percent of traders will deal in insider information. Statistics on hedge fund hacks are hard to come by, but few observers would argue that only 0.04 percent of traders’ computers are under assault from malware or data theft attempts.

Angelo Calvello, industry gadfly and Institutional Investor columnist, attended the event. After Chaves’s talk, Calvello scoffed when asked if his fellow audience members were taking cyberrisk seriously. “Of course they’re not,” he answered.

Research supports Calvello’s dismissive attitude. According to a recent warning from the baroquely named Securities and Exchange Commission Office of Compliance Inspections and Examinations, 57 percent of investment managers do not conduct penetration tests or vulnerability scans on their most essential systems. And although only 4 percent of asset managers had a “significant number of critical and high-risk security patches that were missing important updates,” that’s still one in 25 with exposure to viruses like WannaCry.

The apathetic Texas crowd had been warned of the potential consequences well before Chaves’s speech. Calvello himself wrote a column on the subject for II last November. “What phone call would Ray Dalio, Larry Fink, or Steve Schwarzman never want to get?” he wrote. “The one, ringing late at night from a panicked underling, informing him that he’d been hacked.” Calling this the doomsday scenario, Calvello envisioned a breach that went beyond ransomware — one that corrupted the most fundamental algorithms underlying these firms’ business. “The affected manager would not only have to immediately cease operations,” he wrote. “He would likely be compelled to shutter the business.”

Yet the audience in Austin remained unmoved. The problem, Calvello believes, is cultural.

“If you still believe men and women are here to pick stocks, you don’t think about technology as a big risk,” he explains. Only “a true quant firm — one that uses some type of AI, not one still using Excel — is likely to think of it that way. The National Security Agency itself was hacked.” The weaknesses WannaCry exploits reportedly were stolen from the NSA, “which means any firm in our business can be hacked. Well, maybe Two Sigma or Bridgewater can’t be breached.”

Except, of course, Bridgewater – or at least one of its vendors – had been breached. The firm announced in 2013 that, although it did not compromise Bridgewater’s proprietary investment systems, a third-party breach had allowed access to former employees’ personal information. And if Bridgewater — or Two Sigma, which has more people working on security than most hedge funds employ in total — can’t guarantee their own safety, what hope is there for the smaller funds that attended the Austin conference?

Chaves, perhaps inadvertently, got at least part of the answer from the group assembled in the JW Marriott ballroom. “State-owned cell towers in some countries — that’s a danger,” he warned. “Even hotel Wi-Fi or bugged hotel rooms — that’s a danger.” Yet none of the attendees, almost all of whom were using the hotel’s wireless because of a poor cellular signal, moved to disconnect.

Kip McDaniel is the Editorial Director and Chief Content Officer of Institutional Investor.