Cybersecurity at Machine Speed
All I wanted was a “pick me up.” You know – that mid-afternoon cup of coffee to get you through the day. It was about 2:30 pm – time to go to the in-house café. On my way downstairs, I glanced at the TV, expecting the usual chatter on CNBC. “What? The market’s down a 1,000 points! What going on?”
I hurried back to my desk. My team – the company’s risk management unit – was alarmed. “Susan, did you see? Procter and Gamble’s trading for pennies. Everything’s collapsing. This is crazy!”
The Flash Crash
It was crazy. On May 6, 2010, the Dow had fallen nearly 9% in less than ten minutes. At 2:32 pm, sharp price declines that started in the futures market had spread to huge stable companies: Proctor and Gamble, GE, IBM, and Apple… hundreds of stocks plummeted. On paper, over a trillion dollars had been wiped out. By 3:07 pm, the markets had recovered – not completely, but enough. Things settled down. Still, investors and regulators wanted answers about what became known as the Flash Crash.
In September 2010, after months of investigation, the CFTC and SEC issued their findings: order imbalances and “fat finger” errors had triggered a cascade of sell orders across the futures and equity markets – a frightening slide worsened by high-frequency traders, or HFTs. HFTs trade based on algorithms: they buy and sell shares in small amounts all day, every day to exploit small differences in bids and offers. Hundreds of millions of shares trade in fractions of a second. They operate at machine speed.
In April 2015, nearly five years after the Flash Crash, the Department of Justice indicted a man in west London on twenty-two criminal counts related to the markets’ bizarre gyrations. He was accused of “spoofing, layering and front-running” orders and trades worth $200 million. Through malicious code, he placed and then cancelled thousands of trades in the futures markets to precipitate price declines, yielding him huge profits – all at machine speed.
Disagreement about Causes
Experts disagree about who’s right. Were the CFTC and SEC right? Was the Flash Crash caused by a combination of unrecognized dependencies and human errors? Or was the Justice Department on to something? Did malicious actors seek to stage and reap windfalls from wild market disruptions?
Since the Flash Crash, numerous other incidents have occurred, alarming industry players, regulators and, importantly, investors, whose trust in the integrity and reliability of the markets is central to confidence. In the summer of 2016, the NYSE was forced to halt trading for several hours because of a flawed software release. Rumors were flying about a cyberattack. These rumors were quickly dismissed by the exchange and federal government.
Nonetheless, a sense of vulnerability remains. Everything runs at machine speed. Financial services firms depend on ultra-low latency networks and sophisticated algorithms to run their businesses. They operate at machine speed – faster than a human can possibly perceive, understand, decide and respond. Because of their complexity and speed, they’re vulnerable.
The very systems upon which the financial sector relies are vulnerable to breakdown, even catastrophic collapse - whether because of errors, unrecognized dependencies, deliberate attacks, or some combination of them all.
Lessons from Financial Services
So what can we learn from what the financial services sector is doing about cyberattacks? How are firms improving their defenses at machine speed? How are they working with government agencies to do so?
A survey of financial sector activities reveals a three-pronged approach to the problem – improving resilience, information sharing and attack simulations.
First, major banks and regulators are studying key dependencies and vulnerabilities across the sector’s highly complex, interconnected systems. Their goal is to reduce counterparty risks – financial and technical. Through so-called “shock absorbers” and buffers they hope to prevent shocks from propagating and spiraling out of control. Their goal is to improve system stability and resilience.
Second, the sector is seeking to build upon the industry’s well-established information sharing and advisory council, or FS-ISAC. The financial sector is working to create a “community of trust” with the government to share intelligence about potential cyberattacks. Conceptually, it’s a “neighborhood watch” designed to identify bad actors and track events. It uses standardized communication protocols to share threat information in a trusted, automated fashion. In short, it envisions “defense at machine speed.”
Third, the industry and key government agencies have been conducting a variety of cyberattack simulation exercises to improve attack detection, enhance incident response, and promote strong collaboration among industry players, the nation’s security apparatus, and relevant regulators. .
Let’s focus on the last two activities – information sharing and cyberattack simulation exercises.
In the wake of 9/11, the financial sector has used the ISAC framework of “trusted collaboration” – FS-ISAC - as a successful model to protect it against cyber and physical threats. FS-ISAC acts as a trusted third party among its members across the banking, payments and securities sub-sectors. Its primary activities include:
Timely, relevant and actionable cyber and physical email alerts from various sources distributed through the FS-ISAC Security Operations Center (SOC)
Anonymous online submission capabilities for members to share threat, vulnerability, and incident information and best practices in a non-attributable and trusted manner
Attributable information exchange through special industry interest groups
Bi-weekly threat information sharing calls for members and invited security/risk experts
Emergency threat or incident notifications using the Critical Infrastructure Notification System (CINS)
A good example of the industry’s engagement occurred in 2012 and 2013 when it worked within the Cyber Unified Coordination Group (Cyber UCG) structure to share relevant actionable information amidst widespread distributed denial of service (DDOS) attacks by non-state actors seeking to prevent depositors, investors and other clients from gaining access to their accounts.
Notable Progress by H-ISAC
Here significant progress has been made by H-ISAC in recent years. In a recent article in Healthcare Innovation, the Council shared some exciting initiatives, including a customizable money-saving algorithm which the entire H-ISAC membership uses to scan and scrub the Deep Dark Web for exposed member data.
Another example of information sharing by H-ISAC is this recent white paper on identity management, a key area for healthcare CISOs.
Automated Threat Information Sharing
Speed and reliability are critical to success in detecting and preventing cyberattacks. As such, the financial services sector has expanded its use of DHS-funded open specifications for information sharing, including Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII).
Better still in late 2014, the financial sector announced “Soltra Edge,” a joint venture between FS-ISAC and the Depository Trust and Clearing Corporation, or DTCC. The DTCC operates facilities and data centers that support post-trade processing of financial transactions for thousands of institutions around the world. DTCC provides a global infrastructure for clearing and settling transactions. It services assets measured in the trillions of dollars for such instruments as stocks, bonds and government securities, as well as money markets, syndicated loans, and mutual funds, among others.
Soltra Edge was initially led by former senior IT executives at the DTCC. It serves large and small financial organizations alike. Among its key goals are
Deliver an industry-utility to automate threat intelligence sharing, operating at-cost and using open standards like STIX and TAXII
Reduce response time from days/weeks/or months to seconds or minutes
Leverage the DTCC’s scale, FS-ISAC’s community and best practices
Enable integration with vendor solutions in such areas as firewalls, intrusion detection, anti-virus and threat intelligence
It’s important to point out that these advances reflect a partnership mindset between the financial services sector and the Department of Homeland Security. Dating to 2002, the Financial Services Sector Coordinating Council, or FSSCC, now involves sixty-five of the largest financial services providers and associations, from commercial banks, credit card networks and credit rating agencies to exchanges, advisors, insurers, banks, brokers and electronic payment firms.
As such, the Council endorses adequate funding for DHS so that the agency might attract and retain qualified cybersecurity talent. It also works continuously to address program gaps and implementation inefficiencies in its partnership with the agency.
Here again, H-ISAC and Health Sector Coordinating Council (HSCC) have made real advances. After establishing a relationship with Soltra, it’s since moved on. Still, H-ISAC has made huge progress, taking advantage of what’s been learned and built by the financial services sector, while tailoring its model to healthcare’s unique needs.
Quantum Dawn: Industry-wide Cyberattack Simulation
Perhaps the most interesting area of collaboration in financial services is its bi-annual, industry-wide cyberattack simulation exercise known as Quantum Dawn. Sponsored by Securities Industry and Financial Markets Association (SIFMA), it brings together banks, brokerage firms, asset managers, stock exchanges and custodians with DHS, FBI, Federal Reserve Board, industry regulators (i.e. FDIC, OCC, CTFC, and SEC) in a Distributed Environment for Critical Infrastructure Exercises (DECIDE-FS) developed by Norwich University.
The Role of the Game Space
Individual firms have a private game space configured to represent their operating environment and network topology. This game space is where teams gather online for a four-hour simulation of a cyberattack on the industry (e.g. disruptions of trading, settlement and payment activities). Among the teams typically represented within an organization are business units, operations, technology, information security, crisis management/business continuity, legal, compliance and public relations.
On the other side are exercise facilitators, controllers, technical support and observations. There’s also a Market Response Committee comprised of major firms, exchanges, DTCC and industry associations. The Committee observes what’s happening in real-time, assessing whether markets and payment systems are operating within safety margins within the simulated environment. Indeed, on one occasion the Committee concluded it would have been forced to close the financial markets given the disarray it observed during the simulation.
Results of the simulation are both private and collective. Firms maintain proprietary control over the information and data associated with their participation in the exercise. General findings are shared with the industry by Deloitte, many of which have driven actions by the industry to remedy vulnerabilities.
Lessons for Healthcare
Nearly a decade since the Flash Crash, much of the attention and worry about cyberattacks on critical infrastructure has shifted to healthcare. Rapidly escalating, highly complex cyber threats from a variety of actors could threaten the ability of organizations to operate normally.
Indeed, targeted attacks at machine speed could comprise patient data or, worse still, disrupt day-to-day clinical operations, fundamentally undermining the trust in the broader healthcare system of providers, payers and suppliers upon which we all rely. With little or no warning, data integrity may be violated and/or system availability, stability and reliability compromised by malicious actors.
Healthcare information security professionals and the vendors who support them are crucial players in care delivery. Providing them with information like I’ve shared is valuable. Taking advantage of the industry’s H-ISAC and HSCC are musts. These professionals also deserve visibility and support at the highest levels in their organizations. Such support should translate into sustained engagement by the C-suite, as well as adequate resources and the authority to do their jobs as part of the care team.