Exchanges as Cyber Targets – So What Else is New?
OK, so the exchanges and their operators are now being attacked by cyber-criminals. Wow. (sarcasm) Tell me something new. Or maybe it’s just that the reports of these breaches are now making it into the mainstream press in ways they had not previously.
It’s sort of amazing that the exchange operators are only now talking so publicly about their defenses, the breaches against them, and the various drills such as “Quantum Dawn 2” and “Waking Shark II” they are running via their industry groups. People have known for years that it was only a matter of time until the exchanges were going to turn into targets of cyber-attacks. In fact, if I think back to the many FS-ISAC conferences and other industry events I have attended over the years, it is no secret that the exchange operators are poorly represented, something that has only begun changing in the past 18 months or so.
While I know I am speaking in generalities, it has been a concern and it is good to see that this is changing. After all, the retail banks, the card network operators, card issuers, merchant acquirers, and others have attended such events and participated in such committees and working groups for years. I’d say that, other than the payment gateways and the investment banks, who tend to be less strongly represented at such industry events, the exchanges and their operators are the ones with the least attendance.
But I suspect that this will soon change even more dramatically. As the recent public disclosures demonstrate, it is now quite well known that the exchanges are vulnerable to attacks and are a likely target. Moreover, this is not unique to any one country. Both the US and the UK ran the aforementioned cyber-warfare drills in recent months. And while the CME was recently in the news as the victim of such an attack, both the NASDAQ’s operator and the Hong Kong stock exchange were hacked in 2011.
Rather than us all suddenly getting up in arms around the exchanges as victims and the focus of such attacks, I think it would behoove the financial services industry specifically, and national security personnel more broadly, to think about the infrastructure and underpinnings of the financial services industry and the economic impact of such attacks.
Additionally, those probably most at risk of cyber-attack are not the exchanges themselves but rather the people and organizations that help support them: cloud service providers, order management system vendors, data feed providers, reporting platforms, trading algorithm suppliers, and other key vendors and software packages, as well as their personnel. And, most disconcertingly, these vendors and suppliers are perhaps the least likely to perceive themselves as potential targets.
Educating both the operators themselves and the essential providers listed above, by encouraging them to educate their people, to bolster their systems, and to think holistically about the risk they pose to the exchanges, will benefit all groups involved and could very well help to reduce the likelihood of the exchanges being disrupted.