Financial services in the firing line for cyber-attacks says ex-CIA chief
Morell: “The government isn’t coming to help any time soon … you’re on your own.”
“The only good news about cyber is the investment opportunities – the markets for defences and insurance are exploding and will continue to do so,” says Michael Morell. “The cyber threat is now, it is serious and it is going to get much, much worse.”
Morell, addressing one of the opening sessions at the SifmaTech conference in New York this week, is a former deputy and acting director of the Central Intelligence Agency, who thinks that “the fastest growing national security threat facing the [US], which also happens to face the financial services industry, is cyber-espionage, cyber-crime and cyber-terrorism”.
According to Morell, cyber-crime in the now accounts for as much money as the illegal drugs trade – theft of intellectual property alone accounts for sums “in the low hundreds of billions of dollars annually” according to the best estimates he has seen.
Morell said that private sector firms will have to address these threats on their own for the foreseeable future, at least in the US. “The government is not coming to help any time soon,” he said, adding that the US Congress would have to pass appropriate legislation to all information sharing and other measures between the private sector and government, but in the wake of revelations by former National Security Agency analyst Edward Snowden about US surveillance activities, there is not the support. “I don’t see legislation anytime soon, so you are one your own,” he said.
Morell said that there are different forms of threat: warfare – either sponsored by legitimate states such as Russia and China, or hostile regimes such as Iran and North Korea – theft of intellectual property or money, and wilful damage, such as denial of service attacks organised by anti-capitalist groups or lone-wolf, disgruntled individuals. At the top end, he predicts the evolution of a similar situation as emerged with nuclear weapons – Mutually Assured Destruction – but the asymmetrical threat from what he called “terrorist states and groups” will not be neutralised by that and will have to be dealt with differently, through the development of capabilities of spotting and stopping attacks during the planning stages. He added that some private companies have taken to deploying “attack capability” as part of their response to the threat.
One of the prime threats that private sector firms should be aware of is the disgruntled individual, Morell warned: “What Ed Snowden did to the NSA. some of your employees are capable of doing to you.”
In terms of capabilities, Morell said that “the US and our allies” have the most sophisticated cyber capabilities, both offensive and defensive – “if you knew what I know about our capabilities, you wouldn’t even plug your toaster in”, he said – followed by China, Russia and “some cyber-criminal organisations”, with Iran, South Korea and others trailing a considerable way behind. “Those gaps will narrow and the nature of the threat will expand, because you can easily buy some of the infiltration tools on the grey markets on the darker parts of the internet – many smaller intelligence agencies do,” he said.
The financial services industry faces the threat more than other areas of the economy because all of the threats converge: hackivists want to bring down the system, criminals want to steal the money and potential hostiles see it as a weapon – by damaging its economy, adversaries weaken a country’s ability to defend itself. Morell said that Iran “is aggressively attacking the US as an asymmetric response” to the economic sanctions. “Their capabilities are minimal at the moment, but they will improve.”
“Believe me, they see your industry as part of the critical infrastructure,” said Morell. “It is also extremely dependent on other infrastructures including telecommunications and energy that are also being targeted.”
