By Clive, an investment technology professional and Japanophile
Part 2 of 2 – If Only There was Something We Could Do…
In Part 1, we examined how US and European governments – mindful of the fragility and vulnerability of the global financial system to threats from cyberterrorism – nevertheless still stood for the most part passively by, like the princess trapped in her tower looking out wistfully waiting for rescue. Her very own Prince Charming came, too, riding on a white horse, bearing a trusty sword and carried her off to safety where they both lived Happily Ever After. Well, I hate to be the one to break this to you sweethearts, but the big banks (the Too Big to Fails, or TBTFs) are no one’s Prince Charmings. In fact, they’re about the worst cads out there.
The nub of this is that old problem of, on the one hand, the banks like to pretend that they’re just like Starbucks or Macy’s and can safely be left to their own devices without any of that annoying government interference – but then something comes along that makes politicians realise that simply isn’t true and finance (especially money transmission) is important to the functioning of modern societies. In this case, that “something” is the necessity to provide system resilience – and even hardening – and a degree of survivability in the event of an attack. Or to protect the system from failures caused by the incompetence of the system operators.
From my vantage point inside the industry, the latter is much more of a threat than scary-sounding but fairly improbable sophisticated large-scale multi-target cyberattacks.
But because finance isn’t really regulated like the utility that it is (or operated as a publicly owned service), there’s a lot of hand-waving by governments and exhortations for the industry to “do something about the problem”. The TBTF where I am ungainfully employed gets audited by GCHQ (the British security service’s signals intelligence arm – an NSA-like body) here to assess its cyber security. While the security services can use soft power to try to enforce some basic standards they are, of course, not part of the management team. So there’s a lot of security-theatre, death-by-Powerpoint and often a parading of fancy looking gew gaws (intrusion detection hardware, transaction monitoring software, fancy-pants consultancy from people with impressive looking titles) which seem very snazzy but are only of limited effectiveness and limited scope. And if the security services apply too much pressure, the CEO can go whining to HM Treasury (or in the U.S. the Department of the Treasury) and get some more wriggle room (mentioning “excessive red tape” and “restricting the ability to lend to hard working families and small business” seem to be effective dog whistles).
It all ends up just a well-orchestrated tick-box exercise with the real weaknesses – which need co-ordinated industry action and standards – unaddressed.
And there are some really simple things which could be implemented tomorrow that would help a great deal. When analysing how to improve a certain feature of a complex system, do-ability is often a legitimate issue. For the examples I will present here, it does not apply because rather than developing something new, I am suggesting that the system be changed (or have the ability to fall back) to older methods of operation which used to be in place and were the norm.
As we go through these examples of how countermeasures to cyber threats can be developed, keep in the backs of your minds that these were legacy approaches which were either decommissioned or are in the process of being run down by one or more parties in the global financial system. In finance, we have what I refer to, rather clumsily, as the “golden hexagon”. It is made up of the following six variables:
Credit Risk
Risk Ownership
Capital Requirements
Operational Resiliency
Operational Costs
User Needs
You can alter any one of these but you cannot help having an impact on at least one of the others. Whenever you are considering change to the financial system or a problem within it, it can be helpful to frame it in this Golden Hexagon of Banking. Banks and members of the banking ecosystem such as Card Networks (if you’re new to Naked Capitalism, it may help new readers if they familiarise themselves with some of the terms which will be used here by reading my earlier piece documenting who the various parties are in the financial payments system) like nothing better than to reduce their capital requirements, cut their operational costs and if they have to have credit risk to get someone else to own it. User needs – these users could be you or I, large corporations who rely on the financial system too but have different requirements because of their size and governments or regulators are all users – vary enormously but what they might want will impact the other sides of the hexagon.
The widely differing powers which system users have compared with system owners can lead to stresses in the system itself, too.
In the context of making the financial system better able to withstand cyber-attacks, there is potential for a conflict of interests in so far as what the system users (you or I, or governments) might wish for versus what the system owners (basically the banks) would have to do to satisfy those wishes. As we’ll see, while the banks may profess how they want to love and protect system users, if they end up having to do things they don’t like – especially if that involves higher capital requirements or operational costs – then that might mean we end up with rather fickle bedfellows.
Example 1: Merchant Floor Limits Decommissioning
The Card Networks (MasterCard, VISA, AMEX etc.) are pushing to remove floor limits (this is where the Merchant doesn’t need to get authorisation on a card transaction – for example, they let retailers approve transactions up to maybe $50 or $100 without checking with the Card Issuer that there’s funds on the account or the card isn’t reported as lost/stolen) entirely and insist that all transactions get authorised on-line in real-time. This hugely increases fragility in the financial system especially for retail users.
The reason for this change being pushed is that if you have a merchant floor limit, then in the event of a card transaction being executed with a lost or stolen card being used fraudulently or the customer having insufficient funds on their account, the Card Network has to take the financial hit. There may be some variation as it is possible for the Merchant or the Merchant Services Provider to be responsible depending on the contract between each party but historically it was the Card Network who took the credit and operational risk. If you own these risks, you need a buffer – working capital – to pay these expenses. This is a cost.
If the merchant loses their connection (e.g. the internet or their ISP goes down) to the Merchant Services Provider then that’s it, no more card payments until the problem is resolved. If the problem is just at the retailer (the Merchant), that’s not so bad. But technical issues on a local or even regional level can have big commercial impacts. In my town, the legacy cellular service from the biggest operator fell over a few weeks back (2G – GSM or GPRS here in Europe). Many EPoS terminals for small retailers used the 2G mobile service for authorising card payments. They had to operate on a cash-only basis for weeks until the cellular operator fixed the problem – it wasn’t deemed a priority for them as almost everyone is on 3G or higher now. Being able to invoke emergency floor limits – and override the Card Networks’ self-interested cost reductions – would create looser coupling and thus reduce fragility.
The Card Networks would squeal mighty loud if the government via the regulators attempted to force this operational change. But of course the regulators could insist the Card Networks, to coin a phrase, had to suck it up. The Card Networks could retaliate and attempt to pass the costs onto the Merchants who use their services. This is just the sort of threat which the financial service industry likes to throw around.
I would say, if that is what they want to do then “bring it on”. The financial system – usually via bank-friendly mouthpieces – likes nothing more than to say how it is both improving services (“innovation” is the usual buzz word) and reducing costs in the process. But if all that turns out to be a bit of a mirage because certain costs are being hidden – like dependency on a not-especially-robust system – and if when dragged out the closet those costs are then laid bare to system users those users now realise that the old-fashioned alternatives like cash aren’t quite so subject to cost disadvantages as it first appeared, then decisions on which is best can be re-evaluated in the light of the new facts.
Example 2: Card Network Authorisation Stand-in Decommissioning
My TBTF, like most, used to have an arrangement with their Card Network VISA (who issue the bank’s Debit Card BINs) whereby, if the back-end system fell over, then – under certain conditions – if VISA couldn’t get a response from the core accounting system, then VISA would step in and authorise the transaction to the Merchant Services Provider. This was so that customers at, maybe, a supermarket wouldn’t be left with a cartload of shopping at the checkout because their card wasn’t authorised due to a systems issue at the TBTF. But the downside was that the TBTF get hit for any fraud or credit losses where the transaction got authorised when it would really have preferred it not to have been.
(To give a technical explanation, don’t worry if you can’t follow this bit, the Card Networks maintain an interday list of lost or stolen cards and an as-at-last-working-day balance for available funds so they do have the ability to provide authorisations in the absence of the Card Issuer. This is okay but they cannot handle a situation where, intraday, a card is reported lost or stolen or a jilted spouse takes their revenge by deliberately trying to clear out the object of their rage’s account in a bout of runaway spending or similar situation)
So this arrangement was ended. Yes, the TBTF de-risks its operations. But this is at the cost of resiliency.
Giving regulators the power to enforce the provision of this kind of short-term redundancy in the system at times of systemic stress (such as an institution being attacked) even though the institution could later face higher loss levels seems a no-brainer. Facing losses tends to concentrate the minds of C-level TBTF management in not running their systems incompetently.
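The fallback chain from Examples 1 and 2, modelled as an added sketch (not code from any Card Network or bank). All class names, function names, card ids and amounts are constructed for illustration; it shows what each decommissioned fallback buys in availability, and the intraday blind spot that stand-in carries.

```python
from dataclasses import dataclass

@dataclass
class Issuer:
    """Card Issuer core system: live balances and live lost/stolen list."""
    up: bool
    balances: dict
    blocked: set

    def authorise(self, card, amount):
        if not self.up:
            raise ConnectionError("issuer back-end unavailable")
        return card not in self.blocked and self.balances.get(card, 0) >= amount

@dataclass
class CardNetwork:
    """Card Network holding only the last-working-day snapshot."""
    issuer: Issuer
    stand_in: bool            # is the stand-in arrangement still in place?
    snap_balances: dict       # as-at-last-working-day available funds
    snap_blocked: set         # interday lost/stolen list
    reachable: bool = True    # can the merchant reach the network at all?

    def authorise(self, card, amount):
        if not self.reachable:
            raise ConnectionError("no route from merchant to network")
        try:
            return self.issuer.authorise(card, amount), "issuer-online"
        except ConnectionError:
            if not self.stand_in:
                return False, "declined-issuer-down"
            # Stand-in decides on stale data; the issuer owns any loss.
            ok = (card not in self.snap_blocked
                  and self.snap_balances.get(card, 0) >= amount)
            return ok, "network-stand-in"

def merchant_authorise(network, card, amount, floor_limit=0):
    """Merchant terminal: go online first, fall back to the floor limit."""
    try:
        return network.authorise(card, amount)
    except ConnectionError:
        if 0 < amount <= floor_limit:
            return True, "merchant-floor-limit"
        return False, "declined-offline"

def demo():
    # Constructed sample data: card B was reported stolen today, so only the
    # issuer's live list knows about it; the network snapshot does not.
    balances = {"A": 200, "B": 500}
    issuer = Issuer(up=False, balances=balances, blocked={"B"})
    with_stand_in = CardNetwork(issuer, True, dict(balances), set())
    no_stand_in = CardNetwork(issuer, False, dict(balances), set())
    cut_off = CardNetwork(issuer, True, dict(balances), set(), reachable=False)
    return {
        "stand_in_ok": merchant_authorise(with_stand_in, "A", 80),
        "stand_in_blind_spot": merchant_authorise(with_stand_in, "B", 80),
        "no_stand_in": merchant_authorise(no_stand_in, "A", 80),
        "floor_limit": merchant_authorise(cut_off, "A", 40, floor_limit=50),
        "no_floor_limit": merchant_authorise(cut_off, "A", 40),
        "over_floor_limit": merchant_authorise(cut_off, "A", 80, floor_limit=50),
    }
```

With both fallbacks removed, every outage case in `demo()` becomes a decline; with them in place the only wrongly approved transaction is the intraday-stolen card B, which is the loss the issuer would have to carry.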
Example 3: Town Clearing Decommissioning
When considering the problems posed by the risks to the financial system from cyberwarfare, governments, regulators and the banks themselves react in a seemingly logical but self-limiting way. Remember from earlier that, in the UK, the government sends advisors from the signals intelligence arm of the security services to review the banks’ responses to the threat. The banks then parade their best and their brightest along with a showcase of all the toys they’ve bought.
This means that technologists are sent to ask the technologists about their technology and if deficiencies are found, they’ll advise the implementation of some new or better technology.
But with cyberwarfare isn’t the problem down to technology?
I’ll illustrate why this is really dumb with a little self disclosure. I’m allergic to tomatoes. This is terrible. I just love tomatoes. I can quite happily scoff an entire punnet on my own in one sitting. But a few hours later my entire mouth breaks out in a rash. Now, I could spend a long while trying to find a variety of tomatoes which I don’t react quite so badly to. Or maybe get some medication to counter my allergic reaction. I’d have to hope that I didn’t experience any side effects if I took medication although it’s not unheard of to get clinicians prescribing medication to counter the side effects of the medication to counter the side effects (repeat as necessary).
The sensible thing for me to do though is to find an alternative to tomatoes. Once you start looking, there’s plenty out there.
Why, then, do both governments and the operators of the financial system insist that, in the face of a threat of cyberwarfare, a threat which is enabled by technology, the only countermeasures which should be investigated are technological ones? Did they all take a vow or something?
It’s not like there weren’t perfectly good (albeit comparatively more costly) systems in place which did not present the attack surfaces that today’s technology-dependent financial system presents. I’ll cover one such system, the City of London’s Town Clearing arrangement which provided same-day guaranteed settlement on high-value (which correlates to “systemically important”) transactions. Vulnerable only to large scale physical disruption, a dirty bomb for example which would leave electronic settlement systems pretty much unaffected, it is bizarre that alternate resilient and diversified fall-backs should have been allowed to be decommissioned by the banks purely on a short term cost basis. Either the financial system is crucial and the costs of an outage caused by cyberattacks would be considerable, in which case the costs of maintaining a fully independent backup are tolerable or someone is crying wolf.
Town Clearing was nothing more than paper clearing (checks) which were negotiated within a specific geographic area by means of transportation of paper vouchers to a network of clearing houses which manually tabulated the ledger entries. It was about as resilient a system as could be devised. Its weakness was of course that, compared to electronic settlement, it was more expensive and volumes were limited by physical constraints (premises, manpower, transportation).
But there was nothing that could really go wrong with it. (For a more detailed explanation of the evolution of clearing systems in the City of London, this is an excellent introduction.)
Paper clearing done largely manually sounds to our modern sensibilities like something from a bygone era and completely unsuitable for use today. But before electronic settlement, paper-based clearing had been highly industrialised – bulk check printers can issue hundreds or even thousands of checks per hour and a single operator of an electromechanical ledger processing machine can process a similar volume of “manual” entries. It isn’t feasible of course for a paper system to replicate the capacity of an electronic system. That would never be the intention. Instead, it would provide a completely isolated backup system. Regulators, banks and users would need to agree in advance which transactions were critical – what had to absolutely be processed same-day – and which could be left until the threat had subsided.
Actually, it would do no harm at all for the various actors in the financial system to have a proper evaluation of which high-value and/or high-volume transactions are essential and which only benefit a narrow system user interest. High Frequency and algorithm driven trading generates a lot of volume, but in a crisis, are those services which must be preserved at all times? “Doubtful” seems the most neutral answer to that one.
Given the fixation with technical solutions for technology problems, I don’t expect to see a resurrection of Town Clearing nor the replication of similar systems in the main financial centres. This is highly suggestive that either the problem of cyberwarfare is being considerably overwrought or else the balance of power in who really calls the shots in the financial system is so heavily skewed towards the banks that anything which sounds like it will negatively impact their cost base doesn’t get a look-in.
If the regulators can’t rouse the banks to put system stability and availability ahead of profit then they can’t be taking potential threats to it such as cyberattacks seriously. If they don’t then maybe we shouldn’t either.
My dear Clive, thank you for this clear and cogent essay. I am So Old ™ that I learned bookkeeping with pen and ink, on paper pages, and when I recently found an old green ledger full of blank pages in Neighbourhood Recycling I clasped it to my bosom and bore it home, where it now sits next to my pads of yellow spreadsheet paper and my dual inkwell (one for black, one for red), awaiting the Apocalypse.
I entered the accounting field just as it was being computerized and did conversions from manual to computer systems for a number of SME’s during the ’80’s. I am now finding that many of them, including me, have now been locked out of our own older accounting records by systems and software ‘improvements’. Even the high-priced successor to the wonderfully simple original software will not open those old files. Too bad if you didn’t print it all out.
Yeah, paper. It’s the best, for accounting, for voting, for anything that needs to be verified, preserved, or secure, whether from cyberthreats or, as you point out, the much more likely incompetence.
And I learned a new word, punnet, which I shall use in conversation as often as possible today.
Domo arigato.
Unreadable after just 30 years whereas 4000 years later we can still read the clay tablets holding the accounts of your local Babylonian convenience store. How sad.
Yup. Perhaps a feature?
Oh yeah, and ink.
Sorry, yes, punnet is possibly a bit of a British-ism which slipped through my normal Naked Capitalism posting linguistic filter!
Don’t stop, I love it!! And I can make recipes using gills. Multi lingual, dontcha know! (also centigrade and Fahrenheit).
Part 2 is as good as part one.
Banks want someone else to own the financial cost of credit risks.
Politicians want someone else to own the political cost of governing.
Thanks for this post.
“banks like to pretend that they’re just like Starbucks or Macy’s and can safely be left to their own devices without any of that annoying government interference”
When really, they are like Chipotle, eh?
Add my voice to the chorus of gratitude for this post. I find myself at the intersection of IT and finance at the moment (lots of cars, poorly marked crosswalks), and the golden hexagon idea is an extremely useful frame. I am happy to hear other people are actually asking the question “and what happens when that fails?” since it seems I am typically the only one that seems interested in the answer; it’s easy for people to assume that since they don’t get the 2am call, they don’t have to deal with the consequences of failures.
Corporate cybersecurity also seems to be a form of security theater along the lines of the TSA, and I’m glad to also see someone else point out that clearly it’s not being taken seriously. The people on the inside know this and the people above them don’t want to hear it. This particular issue – internal politics > raising the red flag – not being considered “risk” is absurd.