Understanding Computer System Risk

When an army of high-profile Internet sites was taken down in February by so-called “distributed denial of service attacks,” banks were noticeably absent from their ranks. Experts say that`s because many of the world`s largest banks (and even some not-so-large banks) had advance warning of these cyber-attacks, thanks to the Financial Services Information Sharing and Analysis Center (FS/ISAC), a cooperative venture launched last fall that keeps tabs on computer security threats, vulnerabilities, and potential fixes for banks and other financial services firms. So envious were executives in other industries that many companies are now banding together to support similar ventures. But don`t let this lull you into a false sense of security. Bill Marlow, executive vice president and co-founder of Global Integrity Corp., a Reston, Virginia firm that helped develop and now operates the FS/ISAC, estimates that each month as many as 50 breaches of otherwise secure computer systems occur within the U.S. financial services sector. Emily Freeman, practice leader for e-business risk solutions at Marsh Inc., suggests the number is much larger. She figures that during its first three months in operation, FS/ISAC was used to distribute information on as many as 500 computer system breaches that threatened financial services firms. And that`s just the tip of the icebergu00e2u20ac”the number represents only breaches that were reported. Says Freeman: “It`s pretty damn scary.” It`s even scarier when you consider the interconnectedness of today`s computer systems. Just a few years ago, bank computer networks were basically confined to internal uses. The only way outsiders might access these systems was through a bank`s wire transfer department. Then the Internet came along and changed everything. Today, just about every financial institution has a presence on the Internet. “The result is that we`ve dramatically increased the number of individuals who have the knowledge and the capabilities to attack and break into [bank computer] systems,” explains John Clark, global security practice leader at Andersen Consulting. Fueling this situation is financial institutions` growing reliance on off-the-shelf Internet banking packages and high-speed, “always on” telecommunications channels, he says. While the Internet has expanded the reach and availability of financial services providers, it was never conceived as a commercial network. Created by the Department of Defense in the late 1960s, it was designed as a communications system that could continue to function even if one of the computer centers linked to it were taken down (say by a nuclear attack). Thus, access security wasn`t a part of the Internet`s design, explains Jeffrey Hunker, director of the White House`s Critical Infrastructure Assurance Office. “Security was never part of the design of what our economy now depends on,” Hunker said in a recent speech to corporate executives. But for commercial firms using the Internet, especially banks, security has to be a priority consideration. “The handwriting is on the wall,” says Freeman, noting that last year`s Gramm-Leach-Bliley Act significantly strengthens the hand of regulators with respect to computer security. “Just as it`s the responsibility of the board of directors to ensure that the right kind of locks are on the bank`s vaults, I expect them to ask the necessary questions that ensure the highest levels of safety and soundness have been applied to the implementation of computer systems,” says Clifford Wilke, director of bank technology at the Office of the Comptroller of the Currency. “It`s not a technology issue; it`s an issue of safety and soundness.” Wilke`s office has issued several documents already this year to help bankers better understand computer system risks and the steps the OCC expects them to take to reduce these exposures. “You`ve got your head in the sand if you think you can lock away these systems from exposure,” says Ted Julian, vice president of @Stake, a security services firm based in Cambridge, Massachusetts. Julian, a former analyst at Forrester Research who helped launch @Stake earlier this year, sees computer security as “a particularly serious problem for financial institutions,” not only from a regulatory perspective, but from a cost standpoint. Julian describes a hypothetical computer break-in at a U.S. bank during which hackers are able to initiate $1,000 wire transfers from 1,000 different accounts into an off-shore bank. The result: The U.S. bank has to make its customers wholeu00e2u20ac”that`s $1 million. But the overall financial burden to the bank is much greater, explains Julian. The bank would be responsible for taking down the network to isolate the breach, setting up emergency audits of customer accounts, and employing public relations counsel. In addition, the bank may need to increase premiums for fraud insurance and deal with the loss of customer accounts. The total cost to the bank for dealing with that $1 million theft: about $106 million, Julian estimates. “At the end of the day, it`s a lot of money,” he says. To date, computer security has been more a nuisance than a drain on the balance sheet of banks. “What we`ve seen up to this point are mostly attacks of nuisance, like the Melissa virus,” notes Wilke. But it won`t stay that way for long. “The real scary thing is when you start thinking about the other types of attacks that are on the horizon,” like the destruction of files or damage to core infrastructure systems, says Wilke. “That`s what bankers and bank boards of directors need to be focusing their attention on.”Freeman says the process has begun already. “It`s not simply risk management; it`s a board-level management issue.” The existence of FS/ISAC seems to bear out this opinion. Its board of managers includes senior information security executives from many of the country`s largest financial institutions, including Citigroup, Bank of America, Depository Trust Co., and J.P. Morgan. In all, nine companies are represented on the board. While Marlow declined to discuss the membership roster, he said the total was considerably larger than nine. What makes this type of group particularly appealing is the anonymity it provides banks that are reporting computer security breaches and the speed with which it can pass on to other banks that information, plus associated remedies. According to Marlow, FS/ISAC was able to notify members of the “Love Bug 2” e-mail virus 12 hours before anybody else knew about it. They had about eight hours advance warning of the so-called “Resumu00c3u00a9 Virus,” he says. Each of these attacks was launched across the Internet within weeks of the now-famous “Love Bug,” which appeared in May. While the Love Bug wreaked havoc upon corporate computers (one estimate is that 60% of American firms were affected), Marlow says the Love Bug 2 and Resumu00c3u00a9 Virus were potentially even more damaging. It`s a trend experts say will continue, particularly as recreational hackers give way to organized groups of criminals and revolutionaries. This is not a Hollywood screenplayu00e2u20ac”it`s real life. The White House`s Hunker, in his aforementioned speech said: “At the highest order, we know that there are a number of hostile nation-states that are investing significant sums in offensive cyber-attack capabilities aimed at the U.S.,” including assaults on banking and financial systems. “This is real professional stuff,” says Marsh`s Freeman of the current trend in cyber-attacks. While concrete facts and figures are scarce, Freeman says the anecdotal evidence suggests computer system attacks are increasing in number and severity. “Nobody wants their name in the media,” notes Freeman, adding that the information about breaches that has been leaked to the general public doesn`t come close to depicting the true state of the problem. Getting bankers to talk about breaches, even anonymously through FS/ISAC, is useful, but it`s not a panacea. “The ISAC concept is just one step in the due diligence process,” insists Marlow. Other steps involve continuous assessments of computer systems risku00e2u20ac”with specific policies and procedures addressing problems that are uncoveredu00e2u20ac”and ongoing monitoring. And for things that can`t be fixed, “you`ll need to get an insurance policy,” Marlow advises. The process isn`t far afield from the successful attack plans banks and other companies developed to combat possible Y2K computer problems. “Banks need to take those same skills and methodologies and apply them specifically to IT [information technology] moving forward,” says Wilke. To help make this possible, Congress is considering legislation that would specifically exempt banks and others from certain civil law liabilities, in much the same way they were spared civil liabilities associated with Y2K problems.This will become increasingly important as banks stake out their places in the emerging world of electronic commerce and build adequate security walls to protect their customers and themselves. “The best strategy is to think about security and e-commerce in tandem,” says Julian.