Rachel Ehrenfeld & Ken Jensen | January 23rd 2013
In January 2009, Obama presented his first cyber security strategy plan. That plan, however, mirrored the Bush Administration's blueprint to better protect the nation's federal and commercial cyber security. That plan was followed each successive year with new strategies. New agencies were created and additional personnel were added to the government payroll, only to witness an avalanche of cyber attacks from abroad on U.S. defense and commercial infrastructures. In October 2012, responding to growing criticism of the Administration's failure to provide cyber protection, Obama acknowledged that, "cyber threat is one of the most serious economic and national security challenges we face as a nation," and went on to declare: "America's economic prosperity in the 21st century will depend on cybersecurity."
A month later, when the Senate defeated the Administration's efforts to pass the controversial Cybersecurity Bill, Obama issued a new Executive Order: "National Defense Resources Preparedness." Executive Orders and new legislation, which will be debated endlessly by Congress, take time to implement. In the meantime, cyber attacks from Iran and China are increasing exponentially. If the Obama Administration's first four years -- notably lagging on cyber security -- are any indication, we should all brace ourselves for the next four.
Is Wall Street Ready to Fend-Off Financial Terrorism?
Talk of cyber threats to the U.S. financial sector runs on and on, mostly in terms of attacks on banks from hackers and, now, foreign governments alike. However, the notion that a skillful attacker might actually shut down our financial system seems to remain, at least in the minds of most commentators, a more distant "Cyber Pearl Harbor" scenario than others.
However, Jim Kim, writing for Fierce Finance IT, has asked if Wall Street is ready for financial terrorism. He recalls a study from several years ago conducted for the Pentagon's Irregular Warfare Support Program (IWSP). The study analyzed trading patterns around Lehman Brothers just before it imploded, suggesting that "nefarious external forces may have been involved in some of the relentless short-selling, much of it of the naked variety."
Further, Kim says, "The data shows that small and mid-size firms, via sponsored agreements, saw their short volume surge dramatically as Lehman came under attack. Most people assumed that short volume was legitimate volume from hedge funds. But the report suggests that shadowy foreign forces may also have been at work, aiming to wreak havoc on our financial system, to destabilize it even more. Other financial stocks were targeted as well."
We include this level of detail here because it begins to explain what can be done by an attacker with plenty of money and, say, friends/agents in little-known hedge funds. We shouldn't forget that Lehman Brothers was actually solvent when it came under the short-selling attack. What was it about the attack that made it so effective?
Alas, the answer to Kim's question remains "No. Wall Street isn't ready for financial terrorism," and neither is the U.S. government. The absence of a real-time monitoring system of current trading patterns may facilitate an attack that will crash the market.
Putting the Brakes on HFT
The Wharton School has produced an excellent piece on HFT that not only explains the problems it is suspected of creating for small investors, but also reports that there's been another "Knight Capital" sort of incident. While it hasn't caused another flash crash, it's serious enough.
Earlier in January, the fourth largest exchange in the U.S., BATS Global Markets, admitted that a glitch in its computer system has triggered 440,000 transactions since 2008 at prices lower than the national best bid and offer (NBBO). Investors lost money, but BATS insisted that "the mispriced transactions represented [only] an infinitesimal fraction of total BATS trading volume."
Fierce Finance IT's Jim Kim reported this as well, saying that the fact that so many transactions "could occur away from the NBBO undetected speaks to some huge market-wide issues. If exchanges cannot guarantee the NBBO, then what good is Reg NMS?" Kim also reports that BATS blamed regulation for the mishap: "The order types that produced the error at BATS are used to comply with regulations the SEC implemented in 2007 to ensure all investors get the best prices for equities, the CEO of BATS told Bloomberg, adding that simpler rules would limit such technical mishaps."
Whether there's any truth to what the BATS CEO says remains to be seen. But it's clear that something has to give regarding HFT. Among the proposals that have been made to "put on the brakes" are:
"Requiring high-frequency traders to honor bids for a half a second before withdrawing them; imposing fees when ratios of bids transacted exceed a ratio of bids withdrawn; introducing order cancellation fees; limiting the number of orders per second; levying taxes for intraday transactions; imposing size limits; or expanding use of circuit breakers similar to those that NYSE/Euronext has introduced." (See the aforementioned Wharton School piece.)
SEC Forbids NASDAQ a Computerized Trading Tool
The Financial Times has reported that the SEC has, for the first time, disallowed a computerized trading tool. The tool, which NASDAQ OMX proposed, would have provided a "set of widely used computer algorithms that are usually provided to traders by large broker-dealers to engage in a computer-driven trading strategy." NASDAQ officials said "they wanted to offer the new services to drive down costs for smaller trading firms that must rent the proprietary products from larger firms."
The real issue seems to concern the regulatory immunity NASDAQ would have gained from the SEC, which would be a shield against liability, while competing algorithm providers offering the same service would assume unlimited liability.
The Best Defense
In touting a new book (Strategy: Cybersecurity on the Offense) Gadi Evron and Michael Davis seem to have been prepared to capitalize on the current tendency in cyber security to pronounce cyber offense the new defense. Not having seen the book, we can't say a great deal about its value in toto. However, the authors do say something new that makes a great deal of sense to us.
Military strategists, they say, believe that, all things being equal, defense is the stronger position. With enough time defenders can ready themselves for any sort of attack. The offense, however, has only one advantage: surprise. And surprise only comes once. None of this obtains in the cyber realm. There, the offense has all the advantages. The simplest way to put it is that defenders simply cannot anticipate every vulnerability and possible avenue of attack. Surprise in the cyber realm will always have the upper hand, as "to gain access and establish a beachhead requires only one vulnerability."
What this says to us is not only that cyber offense (in retaliation for attack) is the way to go, but also that the best defense must necessarily involve traditional forms of intelligence regarding who the sponsors (contractors) are likely to be. This means watching foreign governments closely, as well as foreign businesses that are likely to find advantage in cyber espionage.
Out of Asia
There's news out of Asia regarding cyber attacks. Vanson Soo, writing for the Asia Sentinel, means to give his primary audience a warning about the exponential growth in cyber attacks he predicts for 2013. What's interesting is that he says little, if anything, about what Asia has experienced in this regard and may fear in the coming year. However, there's one very interesting suggestion he makes. Although the already infamous "Red October" malware revealed to us by Kaspersky Labs was obviously concocted by Russian-speakers, Soo suggests that the perpetrators may have actually been Chinese, who apparently first discovered the vulnerabilities that "Red October" exploits. It's easy enough for a cyber attacker to create a false trail. Soo also mentions something that will make the crowd worried about Huawei perk up. It was recently reported that millions of mobile phones in China "unsuspectedly harbor a huge botnet."
Polluted Chinese PCs
Paul Mah reports that Chinese PCs running on bootleg versions of the Windows operating system are prone to security issues. So says Microsoft, which purchased 169 PCs from shops in China. All of them proved to be running counterfeit copies of Windows and 91 percent of them came with malware or deliberate security vulnerabilities. Well-known brands, such as Acer, Dell, HP, and Lenovo, were involved.
Singapore Follows U.S. Democrats on Cyber
OUT-LAW.COM has reported that the government of Singapore has strengthened its cyber attack prevention laws. Following the same path as the White House and U.S. Senate, Singapore has developed stringent mandatory reporting regulations on reporting cyber attacks to the authorities. Also, businesses and even individuals are ordered to "'take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services' when they are 'satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services or defence of Singapore or foreign relations of Singapore'."
One wonders if mandatory reporting and/or government-ordered mandatory preventive measures will ever work in the U.S. However, we're willing to bet that, if they work anywhere, it will be in Singapore.
Rachel Ehrenfeld, director of the Economic Warfare Institute (EWI), is author of "Funding Evil: How Terrorism Is Financed – and How to Stop It." Ken Jensen also writes for the Economic Warfare Institute (EWI).