When it comes to information technology there is no such thing as absolute security. The security expert Gene Spafford hit the nail on the head when he said, “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards”. In this article this issue will be addressed of cyber security from a central banker’s standpoint.
There is no such thing as “absolute security”
When it comes to information technology there is no such thing as absolute security. The security expert Gene Spafford hit the nail on the head when he said, “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards”.
Just think of the incident at the central bank of Bangladesh. In February 2016, 81 million US dollars was misappropriated, and the shock among all financial market players was painfully clear. This is understandable; after all, the last German report on the protection of the Constitution stated that cyberattacks bring annual losses of around €55 billion to the German economy. The cost to the global economy is supposedly €400 billion. More than half the businesses in Germany (53%) have fallen prey to cyberattacks in the past two years. One in six businesses (17%) had sensitive digital data stolen during this period, with the attackers primarily getting their hands on e-mails (41%) or financial data (36%). These facts should be a reminder for German businesses to boost their cybersecurity.
It goes without saying that these facts are also spurring us at Bundesbank to ramp up our efforts in securing our own systems. Our infrastructure being up and running is not only crucial for us as an institution, but it’s also critical for the financial system in Germany and the Euro area.
TARGET2 for instance, a wholesale payment system operated by Deutsche Bundesbank, Banca d’Italia and Banque de France. More than 1,000 banks all over Europe are directly connected. The service ensures the speedy and final settlement of national and cross-border payments in central bank money. Each working day, an average of around 350,000 payments with a value of about 1.7 trillion Euro – which equals half the German GDP last year – are processed by the system. TARGET2 is just one example for critical financial market infrastructure for which Bundesbank is in charge. Others include TARGET2 Securities, a service for the settlement of securities in central bank money. Or think of our monetary policy operations, which provide the banking system with liquidity. A proper functioning of these services is crucial for the stability for our financial system.
To what extent has the Bundesbank been hit by attacks?
Cyberattacks also pose a risk to the infrastructures and applications of European central banks, which is not to be underestimated. There are four reasons why central banks, in particular, are a lucrative target for cyber espionage and cyberattacks.
- Because of their economic and policy mandate,
- Because, as a result, information is available to them at an early stage,
- Because of their responsibility for cash-based and cashless payment systems, and
- Because of their prominent role in their country’s financial system.
Last year, the Bundesbank was also the target of isolated distributed denial-of-service attacks. These involve known systems being overloaded by a flood of requests and thus brought to a standstill.
The Bundesbank has used its protective measures to successfully fend off the attacks aimed at it so far. Last year alone, we intercepted around 10,000 e-mails infected with malware and stopped a hundred thousand unauthorised attempts to access the Bundesbank infrastructure.
Possible reasons for broad reach
Cyberattacks like the one recently experienced by the central bank of Bangladesh show, on the one hand, how vulnerable all businesses are once an attacker can take control of the internal network. On the other hand, a clear trend is evident that financially motivated attackers have significantly enhanced their tactics, techniques and processes, making it harder to detect, analyse and remedy the attacks. In targeted attacks like these, it can often be months or years before anyone realises that their systems have been compromised and, in some cases, that data has secretly been siphoned out.
On 12 May 2017, WannaCry infected around 200,000 systems in 150 countries around the world, according to Europol. The malware encrypted all available network data. It was spread by exploiting a vulnerability in the Windows operating system (EternalBlue), which was discovered by the NSA, and stolen and leaked by the hacker group Shadow Brokers.
More recently, attackers have also aimed to cause maximum damage within a short timeframe. The businesses hit by NonPetya weren’t even able to react quickly enough because the damage was already done in a short space of time by wiping parts of the hard disk. The Danish container shipping company Maersk estimates the damage caused by the NonPetya attack at between 200 and 300 million US dollars, according to its own statements. These examples are further proof that businesses have to manage their cyber risks at least as scrupulously as they do their traditional risks.
While banks can offset the losses incurred by the default of an average borrower, just one successful cyberattack can bring the activities of a bank to a standstill, no doubt causing immense reputational damage in the process. What’s more, the financial sector is highly interconnected, meaning that the default of a single participant can lead to disturbances being felt throughout the entire industry. If, for instance, a stock exchange or payment system were to default, thousands of participants would be affected on the spot.
The financial sector is also an obvious target for politically motivated attackers. By hitting a critical infrastructure, attackers would be able to not only inflict direct financial damage but also wreak havoc on the economy at large. For the financial sector, in particular, it is therefore becoming increasingly important to press ahead with measures in order to defend against cyber risk such as:
- Optimise centralised and decentralised protective measures on an ongoing basis.
- Foster a culture of cybersecurity.
- Bolster the resilience of financial market infrastructures.
Is 99% security enough?
While banks can absorb the losses incurred by the default of an average borrower, just one successful cyberattack can bring the activities of a financial market infrastructure to a standstill, causing at least immense reputational damage or in the worst case a financial crisis.
The onus is therefore on banking supervisors to keep an even closer watch than they do now on the potential threats posed by cybercrime. And the central banks have a special responsibility to protect themselves from cyber risks, thereby safeguarding confidence in the financial system. That’s why we’re also working closely together at the international level to reduce cyber risks for ourselves and for the financial market infrastructures.
Examples of cooperation
One example of this cooperation is the “Guidance on cyber resilience for financial market infrastructures”, which was published in 2016. The Bundesbank, in cooperation with the Federal Financial Supervisory Authority (BaFin) as well as the central banks and the supervisory authorities of the other G10 countries, drew up requirements for financial market infrastructures with regard to cyber risks. It is of fundamental importance that not only information technology plays its part. Everyone concerned must bear responsibility: the technical experts, every single user and the supervisors. The global ransomware attacks have once again clearly demonstrated how vulnerable digital infrastructures are.
Last year, BaFin and the Bundesbank, along with representatives from banks and banking associations, discussed the supervisory requirements for information technology. These requirements were drawn up to encourage a more detailed examination of supervisory expectations on the technical and organisational resources specified in the Minimum requirements for risk management (MaRisk), to clarify them and to render them more transparent. Thoughts were fleshed out on the basis of the IT strategy in place in other areas such as access management, application development and the management of externally procured IT services.
Thus, protection against increasingly sophisticated IT threats is and remains a never-ending task. The level of IT security achieved therefore has to be constantly reappraised and improved – as it is true for every other criminal menace.
Cooperation and coordination are key
The examples I have just mentioned illustrate the ongoing potential for optimising the reliability and robustness of the hardware and software we use as well as the eradication of faults.
The systems that manage our reserve assets have a high level of IT security, and the necessary protective measures can be installed in near-real time. It was in this context that the Federal government and the Bundesbank made cybersecurity a focal point of Germany’s G20 presidency. And that is why we spoke about the issue of cybersecurity in great depth at the meeting of G7 finance ministers and central bank governors. This was where, in October 2016, the G7 Fundamental elements of cybersecurity for the financial sector were adopted. The G7 Cyber Expert Group is tasked with presenting the key aspects of an effective assessment of cybersecurity by October of this year.
Together with the cybersecurity experts of the other central banks we are, moreover, continuously monitoring the current global threat level and regularly consult with each other to initiate any countermeasures. And last but not least, we are constantly striving to optimise our detection and defence systems, as we take every attack that is launched against us very seriously. We urgently encourage other institutions, too, to exchange their knowledge and to liaise with each other at the national and international level on their critical infrastructures.
Attack is the best form of defence
There’s no such thing as absolute security, we are not immune to attacks. But it is our job to prepare to the best of our ability for possible threats.
A summary of the speech by Prof Joachim Wuermeling, Member of the Executive Board of the Deutsche Bundesbank.