Major British government departments are this month due to conduct a real-life simulation of a concerted cyberattack on the UK’s financial institutions.
Western banks wake up to threat of cybercrime
LONDON // Some of the western economies’ leading financial institutions are starting to wake up to the threat posed to them by their ever growing losses to cybercrime.
The United Kingdom’s treasury, the Bank of England, the Prudential Regulation Authority (PRA) and other relevant government departments are this month due to conduct a real-life simulation of a concerted cyberattack on the UK’s financial institutions.
Named “Operation Waking Shark 2”, the exercise has been designed to test Britain’s financial industry to its limits.
On July 18, a similar exercise in the United States, “Quantum Dawn 2”, conducted with the support of various US government agencies, tested the ability of 43 Wall Street institutions to withstand simulated multiple online attacks.
“The exercise simulated multiple attacks; motives for the attacks included the desire to steal vast amounts of money, disrupt the equities markets, and to degrade firms’ operations capabilities,” the US Securities Industry and Financial Markets Association (Sifma) reports.
But there are growing fears that such exercises may do little to address the banking industry’s underlying lack of transparency concerning rising levels of cybercrime and the resultant losses, which are already being estimated at hundreds of billions of dollars a year.
“The full impact of cybercrime on banks is impossible to quantify unless the banks report their losses. But if they do report losing large sums of money to cybercrime, their risk profile will grow and customer confidence fall,” says E J Hilbert, the security consultancy Kroll’s head of cyber investigations for Europe, Middle East and Africa.
According to Mr Hilbert, one way of calculating how much a bank is losing is to look at how much it is spending on providing security against cyber fraud. Kroll calculates that this figure would generally represent about 10 per cent of its total losses.
“For example, if an institution spent US$100 million a year on cyber security, it would be reasonable to assume its losses to cybercrime were around $1 billion a year,” says Mr Hilbert.
But he adds that usually the stolen money represents only a fraction of the overall cost of cybercrime.
“Liaising with customers who have suffered loss as a result of the crime, issuing new bank cards and other costs incurred mean that the full loss is far higher than the losses themselves,” says Mr Hill.
According to the cyber security industry, it is already likely that the rapidly rising costs of the growing numbers of cyberattacks on the banks are being passed on to customers in the form of increased charges.
“If, for example, a bank has suffered a trillion-dollar loss one year as a result of cybercrime but does not report it as such, a small business customer may be left wondering why the bank’s fees have suddenly risen by 20 per cent,” says Mr Hilbert.
But according to Kroll, the worst may be yet to come in the form of the growing problem of cyber espionage, now affecting banks across the globe. Unless correctly addressed by the banks, continued cyber espionage could ultimately threaten their entire credibility.
“While cybercrime is all about making a short-term profit, cyber espionage is a long-term strategy of using the bank as an information source,” says Mr Hilbert.
“Although the criminal or terrorist will profit from cyber espionage, the bank may be unaware that someone is constantly hacking into its most confidential files.”
He adds that banks should also guard against their vulnerability as key targets in a cyberterrorist attack.
Kroll believes that the nature of computer hacking has changed radically since the1990s, when it was all about amateur hackers breaking into systems just to show they could. In the early 2000s, however, hackers started to take the form of criminals intent on using the internet to defraud banks.
“In Russia, hacking into banks is not seen by many who do it as morally wrong,” says Mr Hilbert.
“Although they might not steal from another individual, the psyche of hackers raised under communism sees institutions like banks as faceless representatives of the state and stealing from them as an essentially victimless crime.”
It appears as though some leading financial institutions are now finally waking up to the severity of the situation.
A Bank of England spokesman says cyberattacks are an emerging information technology-related operational risk. “This was the most frequently highlighted operational risk in the Bank of England’s 2013 H1 [first half] systemic risk survey,” the spokesman says.
“Cyberattacks, where an individual or group seeks to exploit vulnerabilities in IT systems for financial gain or to disrupt services, are increasingly frequent and sophisticated.”
Britain’s central bank is also concerned about the increasingly aggressive nature of cyberattacks, which increasingly take the form of distributed denial of service attacks designed to bring down a bank’s systems.
“Distributed denial of service attacks, which if successful, can result in web-based services being temporarily unavailable. [They] are one manifestation of this risk,” says the bank’s spokesman. “Several large international banks and at least one e-commerce payment system have been affected by such attacks in recent months.”
A UK government cabinet spokesman says estimating the costs of cybercrime is challenging. “As noted in the government’s UK cyber security strategy, a truly robust estimate will probably never be established, but it is clear the costs are high and rising,” the spokesman says.
“As businesses and government move more of their operations online and our networks and systems become more interconnected, so the scope of potential targets will continue to grow.”
But analysts believe that the banks will need to initiate measures to address the growing cyber hacking and not overly rely on government regulation.
Rob Enderle, the principal analyst at the Silicon Valley-based Enderle Group, feels the lack of reporting on cybercrime is an issue. “This fear of publicly reporting the size of the problem is keeping it from being properly addressed because the risk is understated,” he says.
“The banks are gambling that the costs of the thefts will remain below the costs of aggressively increasing the protections. This is a similar risk analysis that led to the last crash because the risks are being massively understated.”