Cyberwar-ready

September 11 brought a low-tech surprise attack. Financial industry security strategists don’t want to be caught napping for what might come next: information warfare and cyberterrorism.

By Steven Brull and John Wagley
November 2001
Institutional Investor Magazine

Exactly one week before the devastation of September 11 brought financial markets to a halt, a different kind of crash afflicted two of the biggest banks in the U.S. Though easily forgotten after the mayhem that followed, the earlier incident provided an eerie foreshadowing of the risks and vulnerabilities that financial institutions would soon have to confront far more urgently and rigorously than ever before.

What happened on September 4 seemed, at the time, serious, even catastrophic, to the banks and customers affected. It was the day after Labor Day, and that afternoon one of the busiest electronic banking networks (the 2,000 automated teller machines owned by Citibank, as well as its debit card and online banking systems) suffered a complete breakdown. The failure was nationwide, but its effects were most noticeable in New York, where thousands of customers scurried from bank to bank and from supermarket to bodega in a vain search for machines that would accept their cards.

Citibank was off-line for about five hours and wasn’t back to normal for a full 24 hours. By that time, rival J.P. Morgan Chase & Co. had ATM problems of its own: Many of its 1,900 machines would not let customers finish transactions that they had started.

That Citibank’s problem was followed so closely by another, albeit less serious, outage at a close competitor raised some disturbing possibilities: Were the breakdowns coincidental? Were the banks, which issued terse statements blaming their problems on software glitches, hiding a more harrowing truth? Could they have been victims of organized electronic sabotage?

“That was our initial reaction,” recalls William Marlow, chief strategy officer of Predictive Systems, a New York-based consulting firm that specializes in information security. But Marlow gets paid to think that way. His company administers the Financial Services Information Sharing and Analysis Center, a voluntary association of major financial institutions. The center, known as FS/ISAC (there are corresponding ISACs for other “critical infrastructure” industries, such as energy and transportation), serves as a clearinghouse and reference source on computer viruses, hacking incidents and other technology threats and nuisances.

When Citibank’s troubles surfaced, FS/ISAC sprang into action. It didn’t take long for Marlow and his team to conclude that there had been no external attack on the ATM network and to spread the word. At Citibank a routine systems upgrade had simply gone haywire. The software defect at J.P. Morgan was unrelated, a true coincidence.

Computer programmers and operators, the world was reminded, are only human. And sometimes their actions cause unexpected consequences. On September 4 and 5 they provided an education, inadvertently exposing the fragility of an automated 24/7 service that millions of consumers had blithely taken for granted. And in that lesson lurked clues to what could happen if a skilled criminal cabal or hostile power somehow did to the financial infrastructure what the hijackers did to the World Trade Center and the Pentagon.

Once the towers fell, the nation turned its attention to terror in all its forms, whether by hijackings, bombs and bullets or biological or chemical agents. The technological specter of cyberterrorism may appear less visible than the others, but not in the eyes of policymakers who had long been alarmed about cyberrisks and whose concerns were only reignited on that most terrible of September Tuesdays.

Within days, the U.S. Federal Bureau of Investigation issued a warning to corporations and government agencies to be on guard against hacking and other electronic assaults on their computer networks; Attorney General John Ashcroft listed “weapons of mass disruption” alongside “weapons of mass destruction” as a major government and military concern; and the congressional General Accounting Office issued a report faulting the government for being too slow to prepare for cyberattacks, including state-sponsored information warfare.

In early October President George W. Bush responded by appointing veteran Central Intelligence Agency counterterrorism expert Richard Clarke to head a new federal cybersecurity office. Its mandate for bolstering so-called critical infrastructure protection extends to private sectors, such as financial institutions, which, witness FS/ISAC, were already on a heightened state of alert.

Last month FS/ISAC members convened in Fort Myers, Florida, to assess their cyberdefenses and determine how they will have to change in light of recent developments. The conferees had plenty on their minds. Just seven days after the World Trade Center tragedy, the Nimda virus struck tens of thousands of computer servers around the globe. Computer industry analysts were estimating that the damage it caused could exceed the $2 billion to $3 billion cost of its summertime predecessor, the Code Red worm. That pales next to the $50 billion to $100 billion of insurance claims likely to be related to September 11, but the Nimda virus remains a potent symbol of corporate preparedness. “Firms are still suffering from that virus. It shows that they still don’t have their acts all together,” says Wolfgang Friedel, chief executive officer of Zurich IC2, a risk management consulting subsidiary of Zurich Financial Services Group.

Shared knowledge within and among affected industries can serve as a line of defense, and that’s where FS/ISAC comes in. “We’ve done some serious analysis and come up with some gaps that definitely need answers, and a lot of these require 90-day solutions,” says Stanley Järocki, chairman of FS/ISAC and vice president of security operations at Morgan Stanley. (Because of Järocki’s elected office, Morgan Stanley is one of only a handful of institutions whose participation in the 40-member FS/ISAC is made public. Other members with officers or directors include American Express Co., Bank of America Corp. and Merrill Lynch & Co. Järocki emphasizes that he speaks only in his capacity as leader of the information sharing group.)

For reasons of security, Järocki won’t discuss the specifics of any recently identified vulnerabilities, or solutions. But he says: “Right now in the cyberattack world, it’s a horse race. The cyberattackers have been winning. They’re always several furlongs ahead. My theory is that we can get to a photo finish. Then we could significantly reduce the risk and cost to our sector.”

Some initial reactions to the terrorism were very apparent in the financial community. Physical security (entry barriers, personal searches and the like) has been tightened. Corporations also besieged insurance companies with applications for a new class of policies, on the market only for the past year or two, that offer protection against a variety of cyberrisks, including terrorism.

Especially in the New York financial district, institutions have begun reexamining and reemphasizing contingency planning, now translated into a buzzword: business continuity. Bank of New York Co., a major clearer and custodian of securities, became an object lesson: Its primary and backup processing sites were both close enough to the World Trade Center to be disrupted for days. The resulting delays in transaction settlements required liquidity infusions from the Federal Reserve Board and forbearance by counterparties, which under ordinary circumstances would have been subject to untold financial risks.

The obvious answer is to put more distance between operating centers; but some firms faced difficulties more extreme than BoNY’s, according to Kenneth Ammon, CEO of Netsec, a network security management firm in Herndon, Virginia. At least two small tenants of one World Trade Center tower had been backing up their data at the other one, says Ammon, though he won’t name them.

“As an industry we are taking it upon ourselves to improve procedures by learning from what we did over those first two to three weeks,” says John Panchery, vice president of information technology at the Securities Industry Association. “There are things we can do to plan ahead, for example, by making sure people have clear instructions on where to go if an event like this happens.”

Such responses don’t come a minute too soon. Says Jay Ehrenreich, a PricewaterhouseCoopers expert on cybercrime, “We in the United States have got the most to lose, and therefore we have to do more to protect our assets.” And, he adds, threats to the financial system are neither idle nor theoretical. “We’ve already seen cyberwar,” he says.

Official or quasiofficial cyberforces have recently faced off in the conflicts between India and Pakistan and between the Israelis and the Palestinians, with one or both sides defacing or disabling Web sites on the other side. And hackers toyed with U.S. government sites for weeks after China forced down an American spy plane last April. That led some investigators to suspect that China was the source of the debilitating Code Red worm, but as usual there was no proof.

Citing such incidents, the Institute for Security Technology Studies at Dartmouth College recently warned that the U.S. is all but certain to be subjected to cyberattacks in the current confrontation with Islamic extremists. California Attorney General Bill Lockyer believes they may have already happened. He said in October that he was launching an investigation into more than 100 attacks over a three-month period, many against California companies, that appeared to be coordinated and that stopped abruptly and suspiciously on September 10.

In a September report the Dartmouth institute’s director, Michael Vatis, noted that the banking and financial infrastructure makes an especially inviting target for cyberattackers.

The good news is that much of the banking world’s data and money reside on and move over private networks that tend to be insulated from Internet threats. The downside is that banks, brokerages and mutual fund complexes now pride themselves on the Internet-based e-business infrastructures that they have assembled over the past half decade. These systems are meant to be welcoming and convenient to customers and business partners. They don’t have the same hardened perimeter security of mainframe computers and private communications lines.

Timothy Shimeall, senior analyst with the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh, a leading repository of computer threat data, says, “The biggest risk would be that bank information is corrupted to the point where the bank can’t trust the information on its own computers.” But he notes that financial institutions in general have maintained a high level of concern, and readiness. “They’re pretty well defended and, more important, pretty vigilant about their systems,” he says.

Technological defenses, what PricewaterhouseCoopers’s Ehrenreich calls “logical security,” are one thing. But cybersecurity has a more physical and human side that a growing chorus of security experts are saying has been dangerously neglected. All the firewalls and encryption systems in the world won’t stop a disgruntled employee or an unscrupulous consultant who possesses the right passwords or knows how to penetrate software defenses. “Companies give many people access to a more damaging level of information than you would believe,” says Taher Elgamal, chief executive officer of Securify, a Mountain View, California, security management firm.

Outside contractors, Netsec’s Ammon estimates, comprise 50 percent or more of the head count in many companies’ technology departments, and they can easily fall through security cracks. “We’ve seen more than a handful of cases where inside consultants are disgruntled and create ‘back doors’ to give them access [to computer systems] once they’re gone,” Ammon says.

Winn Schwartau, author of Information Warfare: Chaos on the Electronic Superhighway, and president of Seminole, Florida-based consulting firm Interpact, looks below the tech employee radar screen: “Think about the office cleaning staff or the security guards.” Schwartau expects to see more digging into the personal backgrounds of people in sensitive jobs, and from now on more jobs will be viewed as sensitive.

Says Ehrenreich: “As many as 90 percent of IT thefts are done by employees or former employees. So if you do a security assessment, your perimeter defense often isn’t as important as internal defense.”

Even as they bolster their physical and personnel defenses, financial institutions are also applying a dose of good old-fashioned risk management: They are buying insurance against the new cyberrisks: hacker intrusions, viruses, theft or loss of intellectual property, denial-of-service attacks, computerized extortion or embezzlement and cyberterrorism.

It was certainly timely that several major insurance companies had a specialized line of cyberpolicies in place before the terrorist assault. But it took them awhile to get there.

Serious losses from computer crime have been a concern at least since 1994, when a 24-year-old Russian programmer relieved Citibank of $10 million. As damage claims mounted over the years, major European and American reinsurers became increasingly reluctant to provide coverage under policies then in force. Primary insurers, in turn, added exclusions to their policies. To fill that gap, insurance companies began over the past couple of years to fashion the new coverage, and marketing by the likes of American International Group, Hartford Financial Services Group, St. Paul Cos. and Zurich Financial Services Group had just kicked into high gear this year.

Ty Sagalow, chief operating officer of AIG eBusiness Risk Solutions, notes that interest in cyberpolicies has risen steadily since AIG introduced them two years ago. “But our natural growth was nothing near what I’ve seen since September 11,” he says. “Demand is at least double what it was just before.”

At Chubb Corp., which provides cyberinsurance mainly to financial institutions, applications in September were up 50 percent from August. “There’s the old saying about why people rob banks: because that’s where the money is,” says Tracey Vispoli, cybersolutions manager at Warren, New Jersey-based Chubb. “We have a lot of interest from the banking community, both large and community banks.” She adds that broker-dealers, mutual fund companies and investment advisers have also been inquiring more than ever.

That’s also the case at Zurich North America. “We’re fielding a lot more calls and seeing an increase in applications,” says David O’Neill, the company’s vice president of e-business solutions. “Cyberterrorism and viruses overall have captured people’s attention. They are reading their [existing] contracts and realizing there is no remuneration for many cyberevents, which explains why our industry wants to separate this area into stand-alone products.”

Corporations’ interest in cyberinsurance reinforces the notion that information technology crimes are epidemic. According to the San Francisco-based Computer Security Institute’s most recent survey of large U.S. corporations and government agencies, 85 percent of 538 respondents suffered security breaches in 2000, and 64 percent sustained financial losses. For the 186 entities that disclosed loss details, the total amounted to $378 million. The leading causes of harm: proprietary information theft, financial fraud and computer viruses.

CERT in Pittsburgh says it received 34,754 reports of security incidents in the first nine months of this year, 12,998 more than in all of 2000.

“It’s amazing, the type of losses I’m seeing,” says Michael Rossi, president of Los Angeles-based Insurance Law Group, which advises large companies on insurance coverage. According to Rossi, a computer virus can cost a single company up to $15 million. “The largest cyberextortion loss I’ve seen was for about $20 million,” he says, referring to cases such as those when credit card numbers are stolen from online merchants’ computers and held for ransom. “The biggest trade secret theft I’ve seen was for about $50 million,” he adds.

According to scuttlebutt among cybercrime watchers like CERT’s Shimeall, the biggest of all losses was £400 million ($577 million), suffered at the hands of hackers by a group of unnamed U.S. and U.K. banks in 1996. The incident was reported in the London press, but no banks ever came forward and confirmed the loss.

Given the ready availability of cyberinsurance, Rossi says, “companies should be actively reviewing their existing policies and thinking of alternative plans before their next insurance renewal.”

Carriers say that many clients are already changing their cyberinsurance priorities. Before September 11 they mainly sought coverage for unauthorized system intrusions and cyber-extortion, says AIG’s Sagalow. “Now cyberterrorism is on the minds of more people. They are analyzing all aspects of their business continuity and disaster recovery and looking at ways to back up and protect data,” he notes.

Cyberterrorism even has to concern a small bank in the heartland, says David Hadley, chief technology officer at DeepGreen Bank, a $330 million-in-assets online subsidiary of Third Federal Savings and Loan Association of Cleveland. “The vulnerabilities are part of doing business in the cyberworld. Insurance is really the last line of defense,” says Hadley. He notes that DeepGreen bought cybercoverage before it opened a year ago.

After the World Trade Center attack, FS/ISAC, CERT and other monitors detected nothing besides Nimda that could have passed for cyberwarfare. “If anything, attacks were going the other way; hackers on our side were as upset as anybody, and they went after sites in the Middle East,” says Christopher King, head of the security practice at White Plains, New York, consulting firm Greenwich Technology Partners.

Indeed, self-styled “hacktivists” launched a campaign to break into Afghanistan government Web sites, causing noticeable havoc with the one operated by the Afghan mission to the United Nations. One group in Europe claimed to have penetrated a Sudanese bank linked to Osama bin Laden’s al Qaeda organization.

Rogue hacktivism can, of course, go in any direction. And it doesn’t require a direct assault to bring down the financial infrastructure. Securify’s Elgamal says that it can be done indirectly by cutting off power or telecommunications. “It would only take several hours for a nasty collection of people to bring down the East Coast power grid via the Internet,” he warns. In that same vein, Netsec’s Ammon says: “You could dig up a couple of fiber-optic cables and create a nightmare. You’re only as good as your weakest link.”

To FS/ISAC’s Järocki, effective security requires awareness and strengthening of those links: “The real question is, What are the interdependencies and how do I make a stronger information sharing structure?”

And then there is the issue of money. Executives like Järocki now stand to win long-fought battles for security-budget increases. “Security has gotten an awareness push; it has become very visible,” he says. But now he and his counterparts at other companies are fighting a war that they can’t afford to lose. “It’s a constant vigil,” says Järocki. “That’s the key.”
