SEC Says Hackers Like NSA Are Biggest Threat to Global Financial System

Reuters reports that, in the wake of criminals hacking the global financial messaging system SWIFT both via the Bangladesh central and an as-yet unnamed second central bank, SEC Commissioner Mary Jo White identified vulnerability to hackers as the top threat to the global financial system.

Cyber security is the biggest risk facing the financial system, the chair of the U.S. Securities and Exchange Commission (SEC) said on Tuesday, in one of the frankest assessments yet of the threat to Wall Street from digital attacks.

Banks around the world have been rattled by a $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, a member-owned industry cooperative that handles the bulk of cross-border payment instructions between banks.

The SEC, which regulates securities markets, has found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced, SEC Chair Mary Jo White told the Reuters Financial Regulation Summit in Washington D.C.

“What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks,” she said.

“As we go out there now, we are pointing that out.”

Of course, the criminals in Bangladesh were not the first known hackers of SWIFT. The documents leaked by Snowden revealed NSA’s elite hacking group, TAO, had targeted SWIFT as well. Given the timing, it appears they did so to prove to the Europeans and SWIFT that the fairly moderate limitations being demanded by the Europeans should not limit their “front door” access.

Targeting SWIFT (and credit card companies) is probably not the only financial hacking NSA has done. One of the most curious recommendations in the President’s Review Group, after all, was that “governments” (including the one its report addressed, the US?) might hack financial institutions to change the balances in financial accounts.

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise  manipulate the financial systems;

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

After which point, James Clapper started pointing to similar attacks as a major global threat.

I don’t mean to diminish the seriousness of the threat (though I still believe banksters’ own recklessness is a bigger threat to the world financial system). But the NSA should have thought about the norms they were setting and the impact similar attacks done by other actors would have, before they pioneered such hacks in the first place.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

4 replies
  1. P J Evans says:

    Clapper is now claiming hackers are targeting presidential campaigns.
    ttp://www.rawstory.com/2016/05/hackers-target-presidential-campaigns-u-s-spy-chief/

    I’m sure that hackers target them, but they target everything that’s high-profile. What I wonder is, what is Clapper trying to distract us from, this time?

  2. earlofhuntingdon says:

    Thanks for this, EW.

    Banks are notoriously bad at managing themselves, IT especially. Usually hidden in a consumer’s monthly bill, for example, are adhesion contracts that you need a halogen bulb and magnifying glass to read. Assuming any of it was intelligible to a layperson, one would find terms that seek to absolve the bank from its own negligence and incompetence. Fail to detect it and tell the bank within 30 days. Out of luck. Wanna fight it? Go to mandatory, bank-controlled arbitration process. Two years later, you lose.

    Banks have gone to great lengths to absolve themselves of their own incompetence, indeed their own recklessness. IT systems included, even though modern banking is as dependent on IT systems as a car is on gasoline. Instead of crying about bad guys trying to enter their porous systems – a problem, but a great chunk of it owing to the banks themselves – banks could develop better IT standards and practices. Most of them would rather hide, lobby or contract their way out of liability. Too big to fail or too big to manage themselves? Our Masters of the Universe are made of clay, not marble.

  3. Ian says:

    EMPTYWHEEL(Marcy) SAID:

    SEC Says Hackers Like NSA Are Biggest Threat to Global Financial System
    .

    I SAY:
    While the SEC Chair did say on Tuesday May 17,2016 that Cyber Security is the biggest risk facing the US portion of the financing & payments systems used in this country, she wasn’t the only one saying such a thing during May 2016.
    .
    On May 17,2016 under the title: “Russia strengthens banking system security standards”—the specialist IT news source SCMagazineUK.com said this:
    .
    “New standards and regulations to improve Russian bank responses to cyber-attacks – and help prevent insiders taking advantage of cyber-attacks to cover criminality.
    .
    “……..Amid the ever growing number of cyber-attacks on the Russian banking system, the country’s Central Bank has announced its plans to design new requirements and standards, which should strengthen the level of its cyber-security.
    These plans have already been confirmed by Artem Sychev, deputy head of the department of Security and Information Protection of the Central Bank.
    .
    As Sychev told SCMagazineUK.com, attacks on Russian banks have become increasingly sophisticated, and hackers have started to focus on destroying the entire infrastructure of the bank, which helps them to more efficiently cover their tracks when illegally withdrawing funds from the accounts of these banks.
    Plans for new standards have already begun being drawn up by experts at the Russian Central Bank, which plans to complete its work over the next few months.
    .
    It is planned that the new standards will oblige Russian banks to provide the Central Bank, and in particular its recently established Centre for the fight against cyber-threats (FinCERT), with information about cyber-attacks on their accounts on a regular basis. Simultaneously the position of cyber-security officer is being established at each Russian bank to deal with the issues of cyber-security.
    .
    Other details are currently not disclosed.
    .
    It is also reported that the new standards should help the Central Bank to tighten controls on the activities of Russian banks, following recent suspicions that cyber-attacks were being used by some banks as a tool to cover the illegal withdrawal of funds from their accounts.
    .
    Georgy Luntovsky, the first deputy chairman of the Central Bank of Russia told SC in February that the Central Bank has serious concerns that such mechanisms could be used by certain Russian banks to cover their previous crimes, as well as illegally withdraw money from their accounts.
    According to official statistics from the Russian Central Bank, last year the number of cyber-attacks in the Russian banking sphere increased by 30 percent, compared to 2014, with up to 64,000 cases reported, however, according to the Russian Ministry of Internal Affairs, the real figure is about ten times higher than the figures provided by the Central Bank.
    .
    To date, banks have been very reluctant to transfer data to FinCERT, as no one wanted to publicise their concerns to their competitors and the Central Bank.
    .
    The new standards should also strengthen the level of cyber-security of the Russian Central Bank which is being improved following a recent cyber-attack on the Central Bank of Bangladesh, which resulted in the illegal withdrawal of more than US$ 80 million from accounts at the bank……….”
    .
    IN ADDITION TO RUSSIA WE HAVE http://www.THECITYUK.com [the main lobbying group
    for the Professional & Financial Service industries of both the City of London & also Great Britain] launching its equivalent Report to anything the SEC might get round to doing also on 17 May 2016: —-

    .“CYBER AND THE CITY—– Making the UK financial and professional services sector more resilient to cyber attack May 2016”
    .
    with its insistent that UK Corporations Law & Practice should be changed to A-COMMAND-IN-LAW that Board’s of Directors and senior managers should be REQUIRED to have a duty to arrange “cyber resilience” for their corporations—rather than just leaving it for the “folks in IT to worry about”
    .
    Finally, while Washington & Moscow & the general British business world is getting used to the idea that “cyber attacks” are one of the “cost of doing business in 2016” the “Grand Organizer of them all” —the Bank of England itself has just recently summarized the steps that have already been taken since Q2 2015 and will be taken in the near future to ensure “ALL important financing industry entities” (within Britain) are subject to the cyber-security equivalent of the Annual Financial Audit—the Bank of England so-called CBEST [Cyber Best Practice] [USA’s Financial equivalent =FASB standards of GAAP performed by AICPA members] requirements by organizations coordinated by a body called CREST–Council for Registered Ethical Security Testers [www.crest-approved.org]—– who are routinely conducting “Penetration Testing(“hacking”) by “Ethical Testers”/White Hats and absorbing “Threat Intelligence Information” from GCHQ (in Cheltenham) and others to “model” likely attacks
    ./
    CBEST [= the cyber equivalent to the USA’s FASB’s] tested by members of CREST[USA=AICPA] is explained thus:……
    .
    .”…. CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up to date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers. All examinations used to assess individuals have been reviewed and approved by GCHQ, CESG. They will also know that the penetration testers are supported by a company with appropriate policies processes and procedures for conducting this type of work and for the protection of client information.
    .
    Working alongside the Bank of England (BoE), government and industry, CREST developed a framework to deliver controlled, bespoke, intelligence-led cyber security tests. STAR (Simulated Target Attack and Response) incorporates penetration testing and threat intelligence services to accurately replicate threats to critical assets. The STAR scheme is a prerequisite for membership of the BoE CBEST scheme, used to provide assurance to the most critical parts of the UK’s financial services.
    .
    Penetration testing, STAR and cyber incident response services provided under CREST are also supported by comprehensive codes of conduct for both the company and individual………………..”

    ALL IN ALL MAY 17 2016 WAS A BUSY DAY IN RECOGNIZING CYBER THREATS TO THE WORLD’s FINANCING INDUSTRIES—As SEC Chair White is clearly doing.

Comments are closed.