ost critical functions of twenty-first-century society have become inextricably dependent on digital infrastructure, in particular the financial industry, whose business model relies on consumer confidence in the overall financial system. The internet is now the primary mechanism for financial transfers between banks and other institutions; most customers rely on online banking to manage their accounts and for the majority of point of sale payments. In fact, Canada ranks among the most cashless societies in the world (ForexBonuses 2017). The more reliant on digital technology the financial system becomes, the more interconnected it is and the more vulnerable it is to cyber exploitation. Consumers notoriously prefer convenience over security, and financial institutions encourage consumers to use online technology as a way of harnessing efficiencies and reducing operating costs. Malicious actors are not targeting the industry for mere financial gain: because the financial industry is systemically significant, adversaries are actively looking to exploit vulnerabilities that could be used to bring it down, thereby undermining confidence in the financial system and causing social chaos and turmoil to threaten the democratic way of life. The financial industry’s dense interconnectivities, broad digital footprint with consumers and extensive reliance on technological infrastructure expose it to a disproportionately large attack surface. Governance at both the national and the international level has not kept up.
The Threat Landscape
Canada’s financial sector is an appealing target for profit-motivated cybercriminals: it is subject to millions of infiltration attempts each day, compounded by cyber-enabled crime such as credit card fraud. The financial industry experiences greater losses from cybercrime than any other sector, reportedly experiencing attacks three times as often as other industries (Raytheon Company 2015, 3). A recent report from the International Monetary Fund (IMF) estimated that banks’ average annual potential losses from cybercrime could amount to nine percent of their net income, equivalent to US$97 billion (Bouveret 2018, 21).
Cybercriminals attempt to steal credentials and obtain information such as the passwords and personal information of bank staff and customers, allowing them to access accounts and place fraudulent payment orders. Phishing is a low-risk, low-cost instrument for even the least-skilled cybercriminals. Distributed denial of service attacks can disable financial services, preventing customers from accessing accounts and payments from being processed. The reams of sensitive customer data held by financial institutions contain a motherlode of high-value personal information. The consequences of large-scale data breaches, such as the 2017 theft of the financial records held by Equifax of more than 140 million people, undermine the mutual trust and confidence on which the financial system relies (Fleishman 2018). Although difficult to quantify, the cost of this shaken faith means the true burden of cyber heists extends beyond mere monetary losses.
Hackers working at the behest of states are now a serious cyber threat to the financial sector. Backed by the resources of state governments, they have the ability to cause significant disruption to the financial system. North Korea maintains dedicated teams focused on cyber operations against financial institutions. The attempted theft of more than one billion dollars through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, including brazen attempts on central banks, has been attributed to teams such as the “Lazarus Group,” whose infamous “WannaCry” ransomware attacks have resulted in damages estimated at up to US$4 billion (Symantec 2016; Berr 2017; FireEye 2018).
Previous cyber operations against the financial sector were mainly carried out by financially motivated criminals. Their schemes aimed for quick profit before escaping, emphasizing speed and seeking to cause minimal collateral damage so as not to draw the attention of law enforcement. The growing cyber capabilities of state and non-state actors, however, are primarily driven by geopolitical goals (Leuprecht, Szeman and Skillicorn 2019). That scenario raises the prospect of genuine cyberattacks — defined as meeting the threshold of the use of force under international law — on the financial sector to wreak havoc and provoke instability as an end in itself (Healey et al. 2018).
Developed states have a mutual stake in upholding a functioning global financial system, but actors such as terrorist organizations and isolated rogue states may feel that they stand to gain from financial instability by holding developed countries ransom. North Korea-backed hackers operate with the aim of generating revenue for the regime in Pyongyang. By contrast, the so-called “DarkSeoul” attacks of 2013 followed joint military exercises between South Korea and the United States, targeting South Korean banks and television networks and paralyzing victims by disabling their computer systems (BBC News 2013). The accompanying bellicosity from Pyongyang (threatening pre-emptive nuclear strikes), and the fact that television networks were targeted alongside banks, indicates that the financial system was targeted as a means to a geopolitical end.
The financial system is fragile, resting upon a foundation of mutual trust and confidence. Modern history has plenty of examples of prolonged economic malaise provoked by a negative shock that caused confidence to evaporate, sending the economy into a downward spiral. It is not difficult to imagine that this sort of shock could be deliberately induced by an adversary or hostile actor.
In 2013, the Twitter feed of the Associated Press was hacked, reporting that an explosion at the White House had injured President Barack Obama. The ruse was quickly exposed, but the momentary shock provoked panic in the financial sector, causing the Standard & Poor’s 500 Index to drop 0.9 percent (equivalent to US$130 billion) (Matthews 2013). These losses were quickly recuperated, but the incident demonstrates that actors in cyberspace can intentionally undermine the stability of the financial system. Simple methods of exploitation could have far-reaching consequences.
Structural Vulnerabilities of the Financial Sector
The global scale, complex interconnectivity and systemic significance of the financial industry pose a unique cyber security challenge. Large multinational financial institutions tend to house their data across different countries, rendering them vulnerable to compromise in transit and at rest in jurisdictions with lax security standards. Banks are now often encouraged by host governments to keep customer and transaction data stored within the host country’s borders through measures such as data localization laws, and some institutions have already made data localization part of their business model. This can be difficult, however, as operations in the financial sector span the globe and it may not be clear where a given customer’s data should be stored or how to control the path taken by the data (Leuprecht, Skillicorn and Cockfield 2019).
Global interconnectivity raises the threat of “contagion” in the wake of a cyber operation. The most recent financial crisis shows how losses can cascade. This is true for losses incurred in the course of doing business and for losses caused by cyber intrusions. The SWIFT interbank communication system reaches banks in almost every country on the planet. Circumventing the national borders of the physical world, the SWIFT network can act as a vector for cyber operations. Banks in developed states with relatively robust security precautions are exposed to hackers in jurisdictions where security regulations and enforcement are less stringent (ibid.). In 2016, cybercriminals (possibly the Lazarus Group) acting through the SWIFT network convinced the Federal Reserve Bank of New York to transfer US$81 million from the Central Bank of Bangladesh’s account to recipient accounts in the Philippines (Corkery and Goldstein 2017). Contagion is also the result of the virulent nature of cybercriminals’ tools. In 2017, the WannaCry ransomware spread to hundreds of thousands of computers in a matter of days (Jones and Bradshaw 2017). The structure of the global financial system means that a single compromised node can have disproportionate consequences for the integrity of the network as a whole.
Notwithstanding the densely interwoven structure of the financial system, essential functions such as trade matching and custody of securities are concentrated in select hubs. These activities are also highly dependent on information and communications technology infrastructure, such as cloud computing services, which have the potential to be infiltrated or disabled by cyberattacks. These “single points of failure” can grind the whole system to a halt (Healey et al. 2018). In many instances, there are no clear alternatives or workarounds that financial actors could use in the event of a crisis.
A cyber operation’s likelihood of success can be affected by the security efforts of the targeted institution as well as by the digital hygiene followed by users and customers. The typical end-user of an online chequing account prefers convenience over security. Asking end-users to cover their own losses in the event of a heist seems intuitively unfair. Even if they were to adjust their behaviour by adopting measures such as dual sign-in authentication and not using wireless networks, they would remain vulnerable if their financial institution did not follow suit, and they have little power to force it to do so. As a result, Canadian banks currently bear the costs of consumer losses, as long as the victim was not negligent (Leuprecht, Skillicorn and Cockfield 2019). However, leaving banks to cover end-user losses in this way gives rise to a moral hazard: since they are assured that they will not be out of pocket in the event of a heist, end-users have little incentive to follow better security protocols. This leaves banks holding the bag, which exposes them to perverse incentives for greater cyber exploitation.
Faced with persistent and sophisticated actors launching increasingly ambitious and sophisticated attacks on financial institutions, governments must signal a willingness to punish and deter offensive action. If hostile actors are enjoying the backing of states, it is in the interest of Canada and its allies to project power and stability in cyberspace. Governments will need to commit to deterrence through punishment in the case of a debilitating attack against critical infrastructure. Hostile actors need to be put on notice that even attacks that do not necessarily meet the threshold of the use of force under international law or the North Atlantic Treaty Organization’s Article 5 may meet with reprisal. Bill C-59, Canada’s new national security bill, proposes to grant Canada’s signals intelligence agency, the Communications Security Establishment, the ability to conduct “active cyber operations” aimed at disrupting and disabling hostile actors. Canada and other friendly governments should develop policies to pursue guilty parties within the boundaries of international law, much of which does not apply in cyberspace, where operations largely fall below the threshold of the use of force. This necessitates enhanced international cooperation to enable extraterritorial investigation and prosecution. Mutual legal assistance treaties facilitate the sharing of information in attribution and prosecution. Greater track two and track 1.5 diplomacy, such as the United Nations’ Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, might eventually encourage more countries to sign on to the Budapest Convention on Cybercrime (Eoyang et al. 2018). Coordinated diplomatic pressure, backed up by a credible threat of sanctions or other punishment, will be needed to ensure compliance by rogue states (ibid).
Due to the interconnectivity between financial institutions and the risk of contagion, improving cyber security in the financial sector will require strengthening its weakest links. The inability of small and medium-sized financial institutions to properly take advantage of the same security measures as the major banks is one such blind spot. Complemented by financial intelligence networks, the Canadian Cyber Threat Exchange provides cyber domain awareness to bolster the defences of the major banks. However, many small and medium-sized enterprises have not had the same access to such intelligence (Leuprecht, Skillicorn and Cockfield 2019). In fact, smaller financial institutions have incurred disproportionately large losses from cyber heists, which bear equally disproportionate existential risks, suggesting that “economies of scale” are at work in cyber security (Bouveret 2018). Although any one such institution may appear systematically inconsequential, the interconnectivity of the financial sector means that small actors actually present a systemic risk. Policies will need to be amended to bolster the defences of the industry’s smaller institutions and enable them to benefit from timely threat intelligence.
Governments could also do more to protect the technological infrastructure upon which the financial industry is dependent. The Canadian government’s role and obligation in rebuilding critical infrastructure if it were disabled by a cyber attack is unclear. Citizens expect government to respond to naturogenic or anthropogenic disasters, and government should anticipate the possibility of having to similarily respond to a catastrophic failure of critical infrastructure in the event of a crisis as a way of mitigating the danger inherent in these “single points of failure.”
As detailed above, the distribution between banks and customers of the costs incurred by successful cyber attacks is problematic. Placing the burden on customers when they have little power to affect their banks’ security efforts may be unfair, but making the banks responsible for covering consumer losses raises the problem of moral hazard. Both the banks and their customers would benefit from a more mature cyber security insurance sector as a way to monetize risky behaviour by firms and individuals and incentivize good behaviour. Due to the novelty of cyber risk, cyber security insurance remains a fledgling industry that needs government attention. It will need detailed data on cyber exploits to properly quantify risk. Yet, banks currently have little incentive to share the frequency with which they are attacked, as that may have a negative impact on a firm’s reputation. Since February of this year, Canada’s prudential regulator, the Office of the Superintendent of Financial Institutions, has required federally regulated banks and insurers to report technology and cyber security incidents, although more robust requirements for the disclosure of breaches of the sort found in the European Union’s General Data Protection Regulation would be even more beneficial (Middleton 2018).
BBC News. 2013. “South Korea Blames North for Bank and TV Cyber-attacks.” April 10.
Berr, Jonathan. 2017. “WannaCry ransomware attack losses could reach $4 billion.” CBS News, May 16. www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/.
Bouveret, Antoine. 2018. “Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment.” IMF Working Paper, June 22. www.imf.org/en/Publications/WP/Issues/2018/06/22/Cyber-Risk-for-the-Financial-Sector-A-Framework-for-Quantitative-Assessment-45924.
Corkery, Michael and Matthew Goldstein. 2017. “North Korea Said to Be Target of Inquiry Over $81 Million Cyberheist.” The New York Times, March 22. www.nytimes.com/2017/03/22/business/dealbook/north-korea-said-to-be-target-of-inquiry-over-81-million-cyberheist.html.
Eoyang, Mieke, Allison Peters, Ishan Mehta and Brandon Gaskew. 2018. “To Catch a Hacker: Toward a Comprehensive Strategy to Identify, Pursue, and Punish Malicious Actors.” Third Way, October 29. www.thirdway.org/report/to-catch-a-hacker-toward-a-comprehensive-strategy-to-identify-pursue-and-punish-malicious-cyber-actors.
FireEye. 2018. “APT38: Un-usual Suspects.” https://content.fireeye.com/apt/rpt-apt38.
Fleishman, Glenn. 2018. “Equifax Data Breach, One Year Later: Obvious Errors and No Real Changes, Report Says.” Fortune, September 8. http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/.
ForexBonuses. 2017. “The World’s Most Cashless Countries.” www.forexbonuses.org/cashless-countries/.
FSB. 2018. “Cyber Lexicon: Consultative Document.” July 2. www.fsb.org/2018/07/cyber-lexicon-consultative-document/.
G7. 2016. “G7 Fundamental Elements of Cybersecurity for the Financial Sector.” www.treasury.gov/resource-center/international/g7-g20/Documents/G7%20Fundamental%20Elements%20Oct%202016.pdf.
Healey, Jason, Patricia Mosser, Katheryn Rosen and Adriana Tache. 2018. “The Future of Financial Stability and Cyber Risk.” Brookings Institution, October 10. www.brookings.edu/research/the-future-of-financial-stability-and-cyber-risk/.
Jones, Sam and Tim Bradshaw. 2017. “Global Alert to Prepare for Fresh Cyberattacks.” Financial Times, May 14. www.ft.com/content/bb4dda38-389f-11e7-821a-6027b8a20f23.
Leuprecht, Christian, David Skillicorn and Arthur Cockfield. 2019. “Cybersecurity in the Financial Sector as an Economic Security Issue: Leuprecht, Skillicorn, and Cockfield at the House of Commons Committee on Public Safety and National Security.” Macdonald-Laurier Institute, January 29. www.macdonaldlaurier.ca/cybersecurity-financial-sector-economic-security-issue-leuprecht-skillicorn-cockfield-house-commons-committee-public-safety-national-security/.
Leuprecht, Christian, Joseph Szeman and David B. Skillicorn. 2019. “The Damoclean sword of offensive cyber: policy uncertainty and collective insecurity.” Contemporary Security Policy 40 (3). https://doi.org/10.1080/13523260.2019.1590960.
Matthews, Christopher. 2013. “How Does One Fake Tweet Cause a Stock Market Crash?” Time, April 24. http://business.time.com/2013/04/24/how-does-one-fake-tweet-cause-a-stock-market-crash/.
Middleton, Chris. 2018. “Cyber attacks could cost bank half of its profits, Warns IMF.” Internet of Business, June 25. https://internetofbusiness.com/fintech-cyber-attack-could-cost-bank-half-of-its-profits-warns-imf/.
Raytheon Company. 2015. 2015 Industry Drill-Down Report: Financial Services. www.websense.com/assets/reports/report-2015-industry-drill-down-finance-en.pdf.
Symantec. 2016. “SWIFT Attacker’s Malware Linked to More Financial Attacks.” May 26. www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks.