In a speech at a Berlin conference, Dennis Lockhart, President of the Federal Reserve Bank of Atlanta, talked about the serious threat of cyber attacks against the largest U.S. banks and the apparent inability of the banking system to do anything about it. What was once thought of as an unlikely but very damaging event has now become a “persistent threat with potential systemic implications”.
Lockhart notes that the payments system in the United States processes an incredible $4.5 trillion of transactions daily. The system is fragmented with more than 7,000 banks and numerous other nonbank institutions involved in the daily processing of prepaid cards, transaction processing, online payments and remittances. This massive payments system has no one single comprehensive supervisor. Regulation and oversight on the movement of trillions of dollars per day by banks is fragmented among various federal entities and regulation of nonbank transactions is virtually nonexistent.
Any serious threat to the payments system would gravely threaten the financial system, affecting markets and institutions which would quickly cascade into the real economy causing a potentially massive destruction of wealth.
In Lockhart’s view, disruptions to the payments system from malicious, broadly targeted cyberattacks would immediately cause a “real financial stability concern”.
Just in the last few months, the United States has experienced an escalating incidence of distributed denial of service attacks aimed at our largest banks. The attacks came simultaneously or in rapid succession. They appear to have been executed by sophisticated, well-organized hacking groups who flood bank web servers with junk data, allowing the hackers to target certain web applications and disrupt online services. Nearly all the perpetrators are external to the targeted organizations, and they appear to be operating from all over the globe. Their motives are not always clear. Some are in it for money, while others are in it for what you might call ideological or political reasons.
Unlike other cybercrime activity, which aims to steal customer data for the purpose of unauthorized transactions, distributed denial of service attacks do not necessarily result in stolen data. Rather, the intent appears to be to disable essential systems of financial institutions and cause them financial loss and reputational damage. The intent may be mischief on a grand scale, but also retaliation for matters not directly associated with the financial sector.
Banks have been defending themselves against cyberattacks for a while, but the recent attacks involved unprecedented volumes of traffic—up to 20 times more than in previous attacks. Banks and other participants in the payments system will need to reevaluate defense strategies. The increasing incidence and heightened magnitude of attacks suggests to me the need to update our thinking. What was previously classified as an unlikely but very damaging event affecting one or a few institutions should now probably be thought of as a persistent threat with potential systemic implications.
In October, Defense Secretary Leon Panetta said the United States was facing the possibility of a “cyber Pearl Harbor” from foreign cyberattacks that could cripple the nation’s transportation network, financial system, the power grid and government. Panetta would not go into details on what type of countermeasures the Defense Department was developing, but recent successful attacks have revealed a striking inability by banks and large corporations to defend against such attacks.
In mid September, some of the nation’s largest banks including Bank of America, JP Morgan and Wells Fargo had their web sites crippled by foreign cyberattackers who had boldly announced their targets and dates of attack in advance. Despite the forewarning, the banks were virtually helpless to prevent the attacks from occurring. Although no permanent damage was done and the banks deny that data was compromised, the big worry should be about what comes next. Were the attacks of recent months merely a prelude to more serious attacks in the future that could cripple the U.S. economy? The scary answer is that nobody knows if these foreign cyberattacks were a test run for a 9-11 type of attack that could quickly cause chaos and send the nation’s economy into a tailspin.