The Persistent Concerns about Altered Financial Data

Remember that weird passage in the President’s Review Group Report warning against changing the account numbers in financial accounts as part of offensive cyberattacks?

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

It was the kind of warning that left the strong impression that the US had already been engaged in such books-baking.

It’s back again, in James Clapper’s Global Threats Report (curiously, it was not in last year’s Global Threats Report).

Integrity of Information

Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decisionmaking by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.

  • Successful cyber operations targeting the integrity of information would need to overcome any institutionalized checks and balances designed to prevent the manipulation of data, for example, market monitoring and clearing functions in the financial sector.

Altering data to misinform decision-makers is not new — part of the Stuxnet attack involved making the Iranians believe everything was going swimmingly even though centrifuges were spinning out of control (though it’s not clear how much of this involved data and how much visuals).

But the persistent concern that the US not engage in such behaviors and now the apparent rising concern that someone would do the same to us sure raises questions about which financial institutions have already had their books cyber-cooked.

13 replies
  1. William A. Hamilton says:

    Stolen copies of PROMIS database software were the main software NSA sold to banks for its Follow the Money bank surveillance project that began in 1982. One knowledgeable source claimed that there would be another American Revolution if the public ever learns what the government has done to the integrity of the banking system through NSA’s installation of stolen copies of PROMIS on bank computers.

  2. William A. Hamilton says:

    Stolen copies of PROMIS database software were the main software NSA sold to banks for its Follow the Money bank surveillance project that began in 1982. One knowledgeable source claimed that there would be another American Revolution if the public ever learns what the government has done to the integrity of the banking system through NSA’s installation of stolen copies of PROMIS on bank computers.

    • wallace says:

      ummmm..are you THE Bill Hamilton??????????????????? Inventor of Promis ?

      If so…

      omg. Who’ll show up next, Catherine Austin Fitts? (insert fainting smiley here)

  3. Mick Savage says:

    I’m usually content to lurk and read postings, but I really have to crawl out from under my bed with my wet diaper cuz I’m so fearful all the time with this comment:
    The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system.
    Crikey, this boner’s nose should be out about Mongolia with that epic lie.

  4. bloopie2 says:

    Next time my spouse looks at my bank account and asks me “Where did all our money go?”, can I cite this article in support of my protestations of innocence?

  5. bloopie2 says:

    If a cyber “actor” goes into a financial account and (for example) decreases an account balance, does that actor get the extra money? Or is it simply gone, as if it were never really there?

    • Anon says:

      I suspect the latter. While much of money transfer is electronic, no currency but Bitcoin is actually represented as an electronic record, so if the NSA were, say, to go into the Russian National Bank and delete a bunch of roubles, they would have no way of generating new roubles in the U.S. from the data.

      What they could do is delete a million or so from one account and then suspiciously add it to another account at the same institution to make it look like a sketchy transfer, but such a thing would have to be done carefully to make it look legit. Far better would be to take the Office Space approach and just make money bleed out as fractions over time.

      Knowing this does make the Mt. Gox case that much more interesting since the money disappeared but they still haven’t figured out how. Perhaps the FED really doesn’t like competition.

  6. earlofhuntingdon says:

    It must be a good thing, then, that US firms can choose not to financially account for certain transactions in the interest of national security. What’s good for defense contractors must be good for everybody then.

  7. Rayne says:

    How interesting. 13 months between these two Global Threat reports, and the revelation that JP Morgan Chase’s +76 million accounts were “treasure mapped” sandwiched in between.

    Consider also offshore discoveries, like those in the HSBC money laundering scandal. This past November India’s govt investigators chasing “blackmoney” revealed ~300 or so of 600 accounts were empty. The Swiss are also looking into blackmoney and HSBC now — including a raid less than 3 weeks ago — with some of the targets “alleged arms dealers.” (You’ll also recall HSBC’s deferred prosecution here in US is causing problems for confirmation of Loretta Lynch to replace Eric Holder.)

    Makes me wonder how much of the JPMC “treasure mapping” might have been to identify accounts in global shell game intended to receive money from HSBC accounts under intense scrutiny?

  8. Badtux says:

    Eh, the U.S. government can cook the books much more easily by just seizing the bank account under RICO. Blammo, balance in one account zero, balance in other account biggo. This does bring to mind another issue though: the EFT system is ridiculously insecure. If you are a state actor with a bank hooked to the EFT system at your beck and call, you can basically drain any bank account anywhere in the world just knowing the routing number and account number. No authentications or authorizations needed. It just does it. Now, you can’t tell me that this ludicrously insecure system was built like this by accident…
