'Flash Freeze' postmortem: Protecting markets from hackers
Nasdaq officials say a "connectivity" problem was what shut down trading for three hours Thursday, but some cybersecurity experts are concerned that hackers may see an opportunity to attack the markets.
"This draws attention to a system that we know," said Alex McGeorge, a senior security researcher at Immunity Inc. "Even if this wasn't a malicious attack, this has some redundancy issues—meaning it is probably ripe for having some other types of security vulnerabilities."
The stock exchanges could implement a few key changes to enhance security, he said.
Read more: Cramer: Nasdaq was 'WRONG WRONG WRONG'
The Securities and Exchange Commission is working on new regulations for market technology. Only voluntary standards—some dating back to the 1980s—are in place now.
"Those standards reflect the time in which they were written. ... I think there needs to be an update, especially to address what we know about computer security, how we know attackers operate today," McGeorge said.
The exchanges have pushed back against regulation. But after the "Flash Freeze" on Thursday, the Nasdaq CEO Robert Greifield seemed more open to the SEC's proposals.
"When you look at the details of the rules, there's always ways to quibble," he told CNBC. "But the pure spirit of the rules are there, and we think we ought to go further on this concept of defensive driving."
McGeorge, who has been working in cybersecurity for the financial industry since 2008, said that the industry must take a broader view of the expense. While cybersecurity can be a big investment, the costs of an attack are far greater.
For example, he said, "the PlayStation network that's delivered by Sony … a very large network, had significant downtime, months, because of a security breach." If the same kind of thing were to happen to the exchanges, "I don't know if the economy could deal with something like this," he added.
According to McGeorge, regulators and stock exchanges can take a few specific measures to increase cybersecurity.
For one, financial networks need to be better segregated. Thousands of people and firms need to access critical systems daily. Each person is a point of vulnerability.
"If I can compromise one of the users of this system, that gives me an avenue to attack the system itself," McGeorge said.
Stock exchanges also need more redundancies, or backups, he said. The Nasdaq glitch occurred when the central system for reporting prices—known as the securities information processor, or SIP—was compromised.
Greifeld told CNBC that the Nasdaq would be open to allowing competitors to set up SIPs of their own. That way if a system goes down, firms would have an alternative source for pricing information.
The SEC should require the financial industry to have third parties test its networks, McGeorge said, adding that he performs such tests for Immunity.
"Anything that's connected to an exchange has to undergo regular, manual third-party assessment," he said. "Nothing scripted or automated, because ... people willing to go through to this length to attack an exchange are going to doing it manually."
To hear more about all five steps the markets can take to protect themselves against cyberattacks, watch the video