Financial institutions must fight cybercrime from inside and out
Bank hacks, social engineering, and digital currency all get time at Cambridge Cyber Summit.
By Brian Eastwood | October 6, 2016
MIT Sloan professor Stuart Madnick at the Cambridge Cyber Summit. Photo: David Grogan/CNBC
Bank hacks are inevitable in today’s world of cybercrime. The challenges for financial institutions and government agencies alike are twofold: Minimizing the impact of the hack and also understanding the motivations of the hackers.
“The core of the issue is detection and recovery,” said Stuart Madnick, a professor of information technology and engineering systems at MIT Sloan. “The question is how quickly the number can come back up from $0. [A hack] doesn’t mean the money is gone. It just means you can’t see the money.”
Madnick and several other public and private cybersecurity experts spoke Oct. 5 at the Cambridge Cyber Summit, hosted by The Aspen Institute, CNBC, and MIT. The event was held at Kresge Auditorium on the MIT campus.
Bank security has been in the headlines for several months. The global financial messaging system SWIFT has been subject to a series of hacks, including the theft of $81 million from Bangladesh Bank in February of this year.
The attacks can come in many forms, federal officials said at the summit. Sometimes it’s a lone wolf hacking a single bank throughout the day. Sometimes it’s an organization trying to funnel money to an enemy of the state. Sometimes it’s a state-sponsored group targeting an entire network.
Since SWIFT handles as much as $9 trillion in financial transactions per day, Madnick said, the network is an attractive target. Because of the interconnectedness of today’s banks, an attack on one is an attack on all, he added: “You can’t be secure unless you know your partners are secure.”
Digital currency holds potential
Jeremy Allaire, founder and CEO of digital currency firm Circle, described the technology behind financial transactions as “text files floating around the internet,” which is insecure and prone to hacking.
Allaire said blockchain, the data format behind the Bitcoin payment system, can better protect financial data. In a blockchain, each block holds a set of validated transactions, as well as the cryptographic hash connecting that block to the prior block in the chain. In the context of Bitcoin, the blockchain serves as a digital ledger.
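To make the hash-linking concrete, here is an added worked example of the ledger structure the paragraph describes; it is illustrative code written for this page, not Circle's or Bitcoin's software. It assumes a toy transaction rule (positive amount, distinct sender and receiver), SHA-256 as the linking hash, and an all-zero previous hash for the first block, none of which appear in the article. The point it demonstrates is why a chain of hashes makes tampering detectable: editing a past transaction invalidates that block's hash, and even re-hashing the edited block breaks the link stored in its successor.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed convention for the first block's "previous hash" (assumption).
GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    transactions: List[Dict[str, Any]]
    prev_hash: str          # cryptographic link to the prior block
    block_hash: str = ""    # SHA-256 over this block's own contents

    def compute_hash(self) -> str:
        # The hash covers the transactions *and* the link to the prior block,
        # so a block commits to the whole history before it.
        payload = json.dumps(
            {"index": self.index,
             "transactions": self.transactions,
             "prev_hash": self.prev_hash},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


def validate_transaction(tx: Dict[str, Any]) -> bool:
    """Toy validation rule (assumption): positive amount, sender != receiver."""
    amount = tx.get("amount")
    return (isinstance(amount, (int, float)) and amount > 0
            and tx.get("from") != tx.get("to"))


def append_block(chain: List[Block], transactions: List[Dict[str, Any]]) -> Block:
    """Validate the transactions, link to the last block, and append."""
    valid = [tx for tx in transactions if validate_transaction(tx)]
    prev_hash = chain[-1].block_hash if chain else GENESIS_PREV
    block = Block(index=len(chain), transactions=valid, prev_hash=prev_hash)
    block.block_hash = block.compute_hash()
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> bool:
    """True iff every block's stored hash matches its contents and
    every block's prev_hash equals the hash of its predecessor."""
    for i, block in enumerate(chain):
        if block.block_hash != block.compute_hash():
            return False
        expected_prev = chain[i - 1].block_hash if i > 0 else GENESIS_PREV
        if block.prev_hash != expected_prev:
            return False
    return True


def build_sample_chain() -> List[Block]:
    """Two blocks of constructed sample transactions (not real data)."""
    chain: List[Block] = []
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 50}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 20},
                         {"from": "carol", "to": "carol", "amount": 5}])  # rejected
    return chain


def tamper_in_place() -> bool:
    """Edit a past transaction without touching any hash."""
    chain = build_sample_chain()
    chain[0].transactions[0]["amount"] = 5000
    return verify_chain(chain)  # False: block 0's stored hash no longer matches


def tamper_and_rehash() -> bool:
    """Edit a past transaction and recompute that block's hash only."""
    chain = build_sample_chain()
    chain[0].transactions[0]["amount"] = 5000
    chain[0].block_hash = chain[0].compute_hash()
    return verify_chain(chain)  # False: block 1 still links to the old hash


if __name__ == "__main__":
    print("fresh chain valid:", verify_chain(build_sample_chain()))
    print("tamper in place valid:", tamper_in_place())
    print("tamper and rehash valid:", tamper_and_rehash())
```

The defender's takeaway is in `verify_chain`: an auditor holding only the latest block hash can re-derive and check the whole history, so a silently altered ledger entry is detected by recomputation rather than by trusting the stored file.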
Federal banks in a number of countries are considering a digital currency. Don Anderson, senior vice president and CIO of The Federal Reserve Bank of Boston, said he thinks that will happen in the United States “in our lifetime,” but there will be a few challenges along the way.
Digital currency is catching on in countries with limited financial infrastructure, which is not the case in the United States, Anderson said. It’s also more than a question of moving money. “How do you develop monetary policy around a digital currency?” he asked.
Finally, a “new bar” of standards must be set for Circle, Apple Pay, Google Wallet, and other payment systems that seek to replace financial business models that have existed for more than a century, Anderson said.
The biggest threats are inside
During the summit, news broke about the arrest of a National Security Administration contractor for allegedly stealing several terabytes’ worth of top-secret data. The Booz Allen Hamilton contractor, Harold T. Martin of Maryland, is suspected of stealing code, some of it outdated, which could be used to break into other nations’ computer systems.
The incident points to the serious nature of insider threats, and to the need to take a “whole-person approach” to understanding someone’s behavior, said S. Leslie Ireland, assistant secretary for intelligence and analysis in the U.S. Department of the Treasury.
“You look for activity you can’t otherwise explain,” Ireland said. According to The New York Times, Martin’s motives are still unclear; one official said Martin may have simply been a hoarder.
For all the external cyber threats, insiders pose the single greatest risk to financial institutions, the panelists said. In this case, though, it’s a matter of social engineering as opposed to malicious intent.
“You find the naïve people who click on links, find enough ways to communicate with them in earnest, and you get their credentials,” Allaire said. “The more senior person, the better.”