A couple of months ago, the computer systems of Nonghyup, a large South Korean bank, crashed spectacularly, leaving thousands of customers stranded for several days. It never made headline news in the west. But perhaps it should.
The South Korean military believe the source of the crash was a carefully planned attack by North Korea, which used an infected laptop to infiltrate the banking system, to sow consumer panic. And while Pyongyang has denied the charges, the episode is thought-provoking for investors, particularly given this week’s excitement about the computing “cloud”.
Never mind the fact hackers have recently stolen data from Sony’s game systems; while this is profoundly embarrassing for Sony that does not have any real systemic impact. Instead, the real danger that now worries some western government officials, and financiers too, is the vision of a malevolent government – or group of well-organised criminals – hacking into the computer systems of exchanges, banks, clearing houses or depository groups. For if that occurred on a large scale, it might not just hurt customers and banks, but wider investor confidence. A widespread computer freeze is not something most investors have ever prepared for.
Or as James A. Lewis of the Center for Strategic and International Studies, told a Congress committee in Washington a couple of weeks ago: “There is increasing concern about the vulnerability of the American financial system to cyberdisruption. How much of this concern is justified is difficult to say, but there are some disquieting signs. Last year’s ‘flash crash’, where automated trading systems briefly crashed the stock market shows the potential for cyberdisruption.”
Unsurprisingly, most intelligence experts do not want to talk about the risks in too much detail, for fear of stoking the type of alarm they want to avoid. But the threats they are now watching fall into at least four categories. The first is obvious: the risk that criminals will hack into credit card and bank accounts, to steal personal details or money. This week, Citi admitted its systems had been breached, causing some client data to be compromised. The second threat is that “hacktivists” could attack the websites of financial groups, or their systems, as a form of political protest or for fun. That has also already occurred.
However, there are two other, less obvious – but potentially more important – risks. One is the danger that malevolent or criminal groups might hack computers to gain information to use to front-run trades, or rig the markets. Late last year, the computer systems of the Nasdaq suffered an attempted breach, seemingly by hackers chasing sensitive data. Another, scarier scenario, is that someone will try to infiltrate the computer systems to spark a wider market malfunction, halt financial flows – or simply wipe out assets on a large scale. This is the financial equivalent of a “Stuxnet” attack (like the computer worm that caused devastating damage to Iran’s nuclear programme); the aim would be to cause wider systemic damage.
Thankfully, security experts assume the chance of a financial “Stuxnet” is very low, since it would require government-level capabilities. “It is very unlikely that the nations with advanced cybercapabilities would crash the American financial system – they simply have too much invested in it,” Mr Lewis observes.
But, he adds, “that could change in the event of a war”. And there is a more immediate risk: if cybercriminals try to manipulate stock prices or gain insider information, there is a danger that might “inadvertently cause some kind of crash” too.
And that could have unpredictable impacts. After all, modern cyberfinance can only operate with deep trust. Investors cannot touch or see “their” assets. But if that faith in the intangible crumbles, confidence in values more widely could quickly fragment too. Just look at last year’s peculiar “flash crash” to see how that can play out; or at the bank and shadow bank runs that took place during 2008.
Now the good news, if you like, is that this is still hypothetical; indeed, it is something of a triumph that successful breaches (as at Nonghyup) are so rare. And the better news is that the financial community is now rallying round to fight back; events such as the (failed) attack on Nasdaq have been a wake-up call. “Everyone is very, very focused on cybersecurity issues now,” the chief executive of one large global bank told me this week.
But one of the most pernicious problems with cyberspace, says one Pentagon official, is that the fight is so lopsided: it takes huge resources to protect a bank or exchange, but just one infected computer drive to launch an attack. The tail risk of a cyber disruption to markets, in other words, cannot be ignored. Investors had better hope that the banks and exchanges are much better organised than Sony; and, perhaps, keep some hard cash in the mattress.