US Financial Markets Need to Do More to Protect Against Large-Scale Hacks

A recent simulation of systemic attacks shows markets need more security.
Photo via Sten Tamkivi/Flickr

While Wall Street appears to be well guarded against individual hackers, a simulation of systemic attacks suggests that markets are susceptible to large-scale hacks. Mix this with reports that state-sponsored cyberattacks are becoming an increasingly real threat, and it serves as a wake-up call for both trading firms and regulators.

The simulation was conducted back in July, and today results were released by the Securities Industry and Financial Markets Association (SIFMA), a trade group that represents both major and minor players in the financial world. Given the decidedly movie-like moniker "Quantum Dawn 2," the exercise simulated a wide range of attacks with goals varying from theft to market disruption, and included dozens of government agencies and private firms.

The broad goal was to simulate attacks individual firms have experienced at a market scale. The complete list of attacks is on page 4 of the SIFMA report, but the Wall Street Journal summed it up nicely:

First, participants posing as hackers executed an automatic selloff of targeted stocks with stolen passwords in a computer simulation. Then they engaged in a series of tactics designed to confuse market participants, including causing problems with telecommunications equipment and issuing fraudulent press releases written to substantiate the price drops. They shut down access to government websites, caused problems with the software many firms use to manage stock orders and spread a virus, degrading exchanges' ability to process trades.

The end result after two simulated days of trading, which took six hours in real time, was the decision by regulators and financial firms to shut down the simulated versions of the US equity markets. This was prompted in part by adverse market reactions. According to SIFMA, the "visible drop in the market index" in the screenshot below "shows reaction of the markets and the ensuing crisis that could happen in a real-world scenario."

As would be expected for a simulation, the attacks were comprehensive—the release of false info and fake press releases via phished emails was a nice touch to add more confusion—and the shutdown of markets is naturally an unwelcome outcome.

SIFMA didn't divulge specifics of what failed, but its main recommendations for improvement were in assessing and responding to systemic attacks. In simple terms, firms need guidelines for assessing and responding to attacks, so that everyone knows they're playing on a level field, especially when it comes to shutting down the market if need be. SIFMA says regulators should set clear guidelines and that everyone should communicate better, which is pretty standard.

There were positive takeaways, too: SIFMA found that participants did a good job of identifying attacks and coordinating individual responses and action by both regulators and private firms. Still, the problem lay in dealing with attacks on a huge scale—even if participants knew what was happening, information and solutions could not be spread fast enough. And while Wall Street has protected itself well against hackers trying to get rich quick, full-scale market disruption is a tougher problem to face.

"Individual hackers are not a major concern. Today organized crime and state-sponsored organizations are performing complex distributed attacks," Jerry Irvine, executive vice president at cybersecurity firm Prescient Solutions, told the Journal.

State-sponsored hacking these days comes down to two major players: the United States and China, the latter of which has become a world leader in cyberespionage in recent years. In an assessment of cyberattacks in 2012, the vast majority recorded by Verizon's security team involved low-tech methods. However, of the high-level cyberespionage attacks recorded by the team, 96 percent were attributable to China.

While China using cyberattacks to try to tank the dollar would be a step far beyond its usual, more diplomatic efforts, it's a threat acknowledged by the White House. And along with building a new hacker army, it seems that US firms and regulators need to continue developing their responses to potential attacks. While it may not be China that attacks dollar-based markets, it's increasingly clear that the future of war is digital.

@derektmead