With the Equifax data breach fresh in everyone’s mind and fintech on the march, we sat down with Richard Ledgett, former Deputy Director of the National Security Agency and recent recipient of the National Security Medal, to discuss cyber risk to our financial systems, the role of technology in increasing and mitigating risk, and what can be done to make the system and the individuals and organizations that use it more secure.
Q: Can you identify the major areas of cyber risk as they relate to financial systems?
A: The financial sector is fragile at a meta level; it was built without cybersecurity as a design feature, and attempts to fix things—clearinghouses, patches, and the like—are all overlays. One truism in cybersecurity is that the more complex a system, the less secure. When people update small sections of it, rarely do they consider the effects on the whole system.
Criminal groups are increasingly sophisticated and have almost unlimited amounts of money. They hire computer science graduates from top schools and pay them a lot of money. You also have nation states like North Korea literally robbing banks, including central banks, as occurred with Bangladesh.
With all these threats, the financial industry ends up spending a lot on cybersecurity, but there’s no overarching national plan for it. The previous administration did some conceptual modeling exercises, which were important and useful, but they haven’t gotten to the architecture phase yet.
Q: Is it possible for cyber threats to go beyond ransomware to actually degrade financial information without our knowing it?
A: Our financial system is a faith-based system. If you undermine faith in the system, you undermine the system itself. It’s not so much the corrosion of the system but the event risk where news is used to create events that cause markets to seize up. If people said some percentage of stock accounts were compromised, people’s willingness to put money into the system would change. Attacks on the integrity of data are especially pernicious and potentially impactful.
Q: Could you imagine a financial crisis similar to 2008, in which financial markets become so compromised they cease to function?
A: Yes, but it would have to be well-orchestrated. This is not a trivial thing to do, not something four guys in a garage with laptops could pull off, but I can see the financial system falling victim to something like that. It would be like the power grid failing.
The recent National Infrastructure Advisory Council report analyzed the 16 elements of critical U.S. infrastructure, with a focus on the three that matter most: the electrical power grid, the telecommunications network, and the financial system. Those three are interconnected, and all the others depend on them. Given that the financial industry has the best track record of investing in security—it has been fighting off bank robbers for years—it’s the most secure part of our infrastructure.
Q: Is the industry of one mind in terms of what needs to be done? Is there disagreement on the best solutions?
A: Actually, no, there’s general agreement. Except for anarchists, everyone needs the financial system. There’s a roadmap, but people haven’t paid what needs to be paid to get it done.
There has been talk of an Internet 2.0 where security is built in from the beginning. Things like removing anonymity from transactions, that would make the whole system much more secure.
Q: Are there “bad actors” that are private entities which may use cyber tools for financial gain?
A: Only a small minority of actors are destructive—almost none. Private entities are mostly stealing information or trying to get money out of people and institutions.
In terms of nation states, Russia is definitely the most sophisticated; they use cyber tools in conjunction with other things, like propaganda. China has caught up with Russia in recent years from a technical point of view. Then there’s something of a gap, and after that you have North Korea and Iran.
Another two standouts in terms of capabilities are Singapore and Israel, neither of which is our enemy. The former is quite technologically capable, even more so than North Korea.
Q: What are your thoughts on recent developments like blockchain and Bitcoin?
A: These can help. It depends on how they are used. Blockchain is transparent and de-emphasizes central control by banks. Putting control in people’s hands can be good or bad, depending on whom you ask. It’s an immature technology, and we may find things we didn’t expect down the road.
Blockchain does smart contracts. You code a contract into computer language and it executes automatically. If done well, it can be very good. If done poorly, just the opposite. However, lawyers who can write code are not thick on the ground.
Q: Is technology making us more or less financially secure?
A: It’s a risk/reward situation. This data in the quantities we have today wasn’t available to humans before. The downside risk is that technology exposes the data to potential compromise. We need to control where that data is stored and have standards for how it is protected.
The Equifax hack is a good example. Equifax didn’t take basic computer security steps because it wasn’t compelled to. There is a certain compellence appropriate to this, not detailed legislation or regulation but compelling guidance and standards based on outcomes on how to keep data secure. This is something that New York State is just starting to do for financial institutions.
Q: Overall, in your opinion, are we more or less safe today than we were a few years ago?
A: We are more vulnerable than we were a few years ago. People keep combining things in new and innovative ways, and so the financial system is more complex and more interconnected. The level of cybersecurity has decreased over time while our awareness of these issues has increased.
I think this is a solvable problem, or we can at least make things better. If you do a systems analysis of the information flow from end to end—the trading system, the banking system, futures and commodities, etc.—you will find single points of failure that we can target and minimize. This is one way in which we can begin to take a systematic approach.