Almost 90% of the world’s financial exchanges believe that cyber-crime poses a systemic risk to the securities industry, according to a report (pdf) published by the International Organisation of Securities Exchanges (Iosco) and the World Federation of Exchanges this week. More than half of those exchanges have faced cyber attacks in the last year, and financial firms have had to invest huge sums of money to maintain their security. At least so far, they seem to have been mostly effective at warding off hackers.
These precautions hardly stop them from envisioning the worst-case scenario, however. Despite the momentary market freak-outs that a single, strong attack—a false tweet, a trading glitch, or the odd distributed denial-of-service (DDoS) attack—could cause, these kinds of attacks aren’t really exchanges’ top concerns. Instead, what keeps them up at night is a drawn-out attack that slowly corrupts their systems from the inside, and could be absolutely devastating if not caught in time.
These more involved attacks are what technology experts term “advanced persistent threats,” or APTs. “[They] are usually directed at business and political targets for political ends,” the report explains. “APTs involve stealth to persistently infiltrate a system over a long period of time, without the system displaying any unusual symptoms.” In the worst-case scenario, this kind of attack would disrupt investors’ faith in the way markets function. Cyber criminals could shut down markets for an extended period of time, stop clearing houses from being able to process trades, or compromise investors’ access to markets. It’s the kind of confidence-destroying attack that would prompt anyone with investments in the market to exit them immediately—if they were even able to.
The problem is that this kind of attack could seem run-of-the-mill until it’s too late. A representative of an exchange interviewed for the report explained:
“A systemic risk scenario might involve infiltration of several exchanges, probably most easily by email phishing campaigns involving stealth malware, access built up and maintained over a length of time, potentially involving contractors or malicious inside employee assistance, and over time enough reconnaissance done to identify key internal systems attackable from the infiltration point, and a coordinated attack from that internal toe-hold against multiple institutions. Clever attackers would probably mask such real threats with the noise of the traditional network based DDOS’s we’ve seen in prior years.”
Remember that next time you open a suspicious email—especially if you work for an exchange.