You're Hit!

Wall Street and the global capital markets are prepared for another physical attack, but is the industry ready for cyber-terrorism?

Although downed production servers don't evoke images of burning towers, a silent Russian elementary school gymnasium or a gutted Federal office building, they can be targets of the latest generation of terrorists.

The financial services community has dealt with cyber-crime since it first connected itself to the Internet as disgruntled employees, maladjusted teenagers and organized crime syndicates hacked into computer networks for fun and profit. Now, however, the industry is a prime target of well-financed and well-organized groups whose purpose is the destruction of developed economies.

After the chest-thumping and gory spectacle of previous terrorist attacks, would terrorists focus their efforts specifically on the cyber-infrastructure of investment firms? The industry is not sure, but it's not taking any chances either. One of the major issues in dealing with the threat of cyber-terrorism is actually identifying such attacks amidst the typical mix of distributed denial of service (DDOS) attacks, hacks, worms and viruses.

"The Department of Homeland Security doesn't have a formal or published definition of cyber-terrorism," says Amit Yoran, the director of the National Cyber Security Division within the Department of Homeland Security (DHS). "In fact, I don't know if cyber-terrorism is a defined term that we actively advocate or promote the adoption or use of."

At one end of the cyber-crime spectrum are the hackers and organized crime syndicates "phishing," or deceiving consumers into releasing bank and credit card account information, explains Don Donahue, the COO of the Depository Trust & Clearing Corp. (DTCC). On the other end, he sees advanced capabilities of nation states using cyber-warfare to bring down the command-and-control capabilities of enemy states. "I don't think there's a distinct part of that spectrum that can be called cyber-terrorism," he says.

Many in the cyber-security world believe that there is a large gulf between the outright fear generated by the familiar effects of viruses and worms and what could be accomplished by a sophisticated, coordinated attack on the financial industry's infrastructure. They admit that familiar cyber-crimes, such as releasing worms and viruses onto the Internet, won't invoke terror in most individuals, but a well-planned attack would have that capability.

"I'm not an economist, but I can tell you that consumer confidence is a big issue," says David Kotz, an executive director with the Institute for Security Technology Studies (ISTS) at Dartmouth College. "If you can disrupt that confidence in the economy or the banking sector or some other sector, you can have a significant impact nation-wide."

Some on Wall Street agree. "The number one consideration that we must continue to work on is confidence," says Joseph Sack, executive vice president of The Bond Market Association (TBMA). "The number two consideration is confidence and the number three consideration is confidence."

Unlike the numerous physical terrorist attacks in recent years, the DHS has seen relatively few attacks on cyber-infrastructure, except for the collateral damage from the World Trade Center attacks on Sept. 11, 2001.

"I don't want to say that there have been terrorist attacks," says DHS' Yoran. "We have seen coordinated cyber-activities for a wide variety of issues." The highest-profile incident in recent years occurred when China detained a US Navy EP-3E electronic surveillance aircraft in April 2001, which led to a great deal of Web site hacking in protest, or "hacktivism."

The financial services industry has so far been spared a major attack, but no one is sitting back and waiting. "The industry is clearly viewed as a key target for cyber attackers, whatever their motivation might be. We're in their crosshairs," says DTCC's Donahue.

"I'm not sure if there is a formal definition of cyber-terrorism, but there are de facto definitions used where preparedness within the industry is concerned," says TBMA's Sack. "The top 20 broker-dealer firms, located in Manhattan, are up to speed on every type of terrorism, including cyber-terrorism."

The key to combating cyber-terrorism is preparedness. Just as Y2K turned into a non-event because of the tireless efforts of programmers addressing the problem, ISTS' Kotz believes the same tack will prove successful in dealing with cyber-terrorism. "You have to ask yourself, was Y2K not a big deal after all, or did all that preparation solve the problem? It was probably a combination," he says, adding that the situation with cyber-attacks is similar. "But at no point can you rest easy and say you're done, because there is always an opportunity to cause harm."

The DTCC's Donahue says the major difference between preparing for Y2K and cyber-terrorism is that Y2K had a definitive end-point and cyber-terrorism does not. "Are we ahead of the curve? Yes, but the curve keeps moving. We are ahead of it now, but a new technique to conduct nefarious activity will arise and we'll have to get ahead of that curve," he says.

"As crazy as it sounds, the physical resiliency issues are almost more straightforward. You understand what the issues are and you understand that they are not going to take a dramatically new form when you build your defenses against them," he says.

Forewarned is Forearmed

Over the past decade, the US government has established numerous organizations and private sector partnerships to detect, defend against and analyze threats to the nation's cyber-infrastructure. In 1999, the financial services industry established the Financial Services Information Sharing and Analysis Center (FS-ISAC), whose mission was to disseminate information on physical and cyber-risks facing the financial industry. A year later, Congress established the Institute for Security Technology Studies with the mandate to study ways to improve cyber-security, as well as to develop better technology for first responders. In 2002, the financial services industry and government established the Financial Services Sector Coordinating Council (FSSCC), under the auspices of the Department of the Treasury, to foster and facilitate the coordination of industry-wide voluntary activities and initiatives designed to improve critical infrastructure protection and homeland security. In 2003, the government also established a public-private partnership, known as US-CERT, to coordinate and respond to cyber-threats against the entire US cyber-infrastructure, as well as to analyze cyber-threats and disseminate threat warnings.

Some feel that the industry's reluctance to reveal anything that shakes clients' confidence, such as a major cyber-incident, might hamper an appropriate response. "There is obvious reluctance to reveal incidents to the public because of the potential harm to reputation. This is closely tied to the desire to invest in strong cyber-security practices," says Yoran.

Industry insiders strongly disagree that such would be the case. "In an emergency, people are not thinking about their competitors; they're thinking of their own survival," says TBMA's Sack. "Do we have the confidence to communicate with each other and deal with the emergency at hand? We think we do. These are things you can't take for granted. Confidence is the watchword in terms of the industry as a whole being responsive and being able to stand up to any kind of emergency."

Sharing information about potential cyber-attacks is necessary and critical, says Yoran, but at the end of the day, it isn't going to win the battle alone. Rather, he says it will be a combination of technological advances and the better use and control of technology in an organizational process. This includes the involvement of risk management practices, which can lead to the greatest improvements. Yoran is also quick to point out that there's no techno-silver bullet that will solve the issue. "The perimeters that have been easier to define are now dissolving. Over the next several years, our ability to conduct a very effective cyber-defense in depth where the perimeters aren't easily defined, where the data is flowing in various XML and Web service-type activities. Our technology and our message in dealing with technical protections for that information need to evolve," he says.

Practice Makes Perfect

Last October, the financial services and energy sectors, along with several federal departments and organizations, decided to take the bull by the horns and set up their own mock cyber-terrorist attack, dubbed LiveWire, which was hosted by the ISTS. The premise behind the exercise was to simulate a month-long, well-funded and well-coordinated attack on the US financial and energy sectors by an enemy nation-state or terrorist organization. A number of the largest industry firms, as well as representatives from the White House, Department of Homeland Security, the Central Intelligence Agency, the National Security Agency, Federal Bureau of Investigation and the US Securities and Exchange Commission (SEC), participated in the exercise.

The LiveWire exercise wasn't meant to be an exercise in discovering existing weaknesses in the cyber-infrastructure, explains ISTS' Kotz. "We were interested in the human side of responding," he says. The project was designed to discover which decisions must be made during a cyber-terrorist event, who needed—and had the authority—to make them, and how those decisions could be disseminated quickly and authoritatively.

The institute spent a fair amount of time with the players ahead of the actual exercise to understand and develop a conceivable scenario that wasn't specific to any of the participants' actual network architecture.

Once the scenario had been finalized, all of the players—from the first-responding technicians to CIOs of the affected financial, oil and electrical companies; as well as the respective government agents and industry regulators—were placed in several test sites across the US and played out the scenario as a white-board exercise.

"We sat them in a room for a week and said, 'Okay, now this is happening: A computer has gone offline in your data processing center in a Chicago branch office,'" says Kotz. "That doesn't seem like a big deal, but after a while, more and more of these things keep happening and you lose your ability to process transactions, or ATMs start spitting out the wrong amount of money or stock prices don't start reconciling properly."

Rather than simulating simple DDOS attacks, the institute developed a scenario in which the cyber-attacks corrupted services and significantly reduced the efficiency of day-to-day business processes.

As this was "happening," the players saw the immediate effects of their decisions on the hypothetical infrastructure. They also watched mock news reports given by a fictitious cable news channel and read Department of Homeland Security press releases that were distributed throughout the exercise. "All of this was computer-generated and driven through a Web browser interface," says Kotz.

The ISTS is still compiling all of its conclusions from the LiveWire exercise, but an immediate conclusion from Kotz was that during the event, those involved didn't know whom to turn to when they discovered an incident, nor did they know who had the authority to dictate decisions that would cut across organizations. Kotz traces these problems to the nature of the Internet and its lack of ownership or regulation.

During 9/11, for example, the Federal Aviation Administration (FAA) had the authority to ground every single plane in US airspace, but nothing comparable exists in cyberspace. "That was one idea that hung over the entire process and people have to start to think about how to make those decisions," says Kotz.

If the institute can secure additional funding, it is likely that it will host another LiveWire exercise next year, which would include many more participants. And perhaps next time, the test participants will know whom to call in an emergency.

Emergency Advice for the CIO

When a terrorist event occurs, those within the financial community know they must mobilize. But before they can do that, they need to have their own houses in order. Amit Yoran, the director of the National Cyber Security Division within the Department of Homeland Security (DHS), offers three pieces of advice to defend against a cyber-terrorist attack.

Lesson One: Forget the Quick Fix

Do not rely on any one particular piece of technology or allow one piece of technology to become a point of catastrophic failure. Create layers of protection mechanisms that can be failed over to in case of problems.

Lesson Two: Prepare for Attacks Ahead of Time

There are malicious activities and zero-day exploits out in the wild and the financial services industry is a prime target, so plan and prepare in advance. When bad-case scenarios unfold, you need to know what to do, who to contact and how to engage with law enforcement and homeland security. Coordinate ahead of time with the vendors and other financial services organizations with which you interact. You will not want to be searching for communications channels in the middle of a crisis.

Lesson Three: Get Management Involved

This is not just a technology issue or a computer security issue. How does your organization deal with risk and ensure that cyber-security practices are included in organizational risk management? Ultimately, business practices and risk management need to be drivers that improve security.

Waters
