Cybercrime: The Bigger They Are, The More They Get Attacked

The Wall Street Journal reported on Saturday (2/5/2011) that it learned that the computer network for the Nasdaq OMX Group has been repeatedly (and at least somewhat successfully) attacked over the past year. What makes this news, of course — and also particularly interesting to the WSJ, which follows the NASDAQ and other major global markets and trading platforms — is that, in the words of the story, the federal government considers "...the exchange's critical role, which officials put right up with power companies and air-traffic control operations, all part of the nation's basic infrastructure."

That explains why these threats are being taken so seriously, and why government agencies at the highest level, including the US Secret Service and the Federal Bureau of Investigation, are involved in the follow-up and are investigating available evidence very, very carefully. So far, however, according to experts familiar with the case, there's no evidence of wrongdoing of any kind, other than unauthorized access to the systems involved. Nevertheless, such a case is extremely disturbing because of the potential loss of confidence in that market in particular (or in electronic markets and trading in general) and because of the increased threat levels that reporting even successful reconnaissance of such systems must evoke.

Interestingly, some tell-tale evidence in the case points to computers in Russia as being involved. But investigators are quick to point out that computer attacks can be mounted from anywhere on the planet, and often use computers in far-flung locations as intermediate stages in attacks that may originate in one country, pass through one or more intermediate countries while underway, and ultimately target a system or systems in yet other countries. Because stock exchanges understand that they pose attractive targets for attackers, such operations normally take strong, well-architected security measures to protect their systems. That's what makes this story both interesting and disturbing: attackers were able to gain a foothold on the internal Nasdaq OMX Group networks.

Trading is operated on a completely separate network from the one that was penetrated, and Nasdaq claims (and government investigators confirm) that neither financial losses nor losses of sensitive financial information were involved in the incidents, which occurred in the second half of 2010. This has to be a wake-up call for Nasdaq (and all the other major trading companies) that additional security audits and increased vigilance are called for.

It's bad enough that companies or organizations can lose funds when their own bank accounts become compromised. But that still limits losses to the assets that individual organizations are likely to have on deposit in some particular bank. When the scale (and the amounts involved) rises to the level of a major trading market, the extent of potential losses quickly climbs into the billions of dollars. That's why this situation is being treated so carefully, and why you can bet that additional technology and monitoring tools were laid on thickly before any of this information could be allowed to go public.

What lessons can we draw from this report? Here's my take on the impact of this situation:

    1. On the Internet no systems or networks are safe. This calls for outright, formal risk analysis, with mitigation and protective technology to avoid as much risk as possible, and to enable organizations to handle such risks as they cannot avoid or deflect. Managing risk means expecting things to go wrong, and preparing to deal with that eventuality. Individuals, businesses, and organizations all need to make this part of their fiscal management routines.

    2. Any system that involves financial activity requires financial and activity monitoring, and such monitoring should include sufficient sophistication to detect and report on unusual, out-of-bounds, or high-dollar-volume activity. Automatic shut-down in extreme cases now makes a lot more sense than simply protecting markets against runaway sell-offs (what if this represented a huge volume of bogus or invalid trades?).

    3. It's possible that technologists may want to rethink the protocols used for financial access and activity. If proper use of technology means that impersonation or spoofing no longer works, only "inside jobs" will be able to produce the kinds of nightmare scenarios that a compromised stock exchange can quickly spawn. Even then, applying the same kinds of controls for large financial trades as used for missile launches or emergency nuclear plant shutdowns would practically eliminate insider fraud as well.
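To make the monitoring and two-person controls in points 2 and 3 concrete, here is a small trade gate written as an added example for this post (it is not code from Nasdaq or from the author): it rejects oversized orders that lack two distinct approvers, and automatically halts all further orders once an account's running dollar volume exceeds a multiple of its expected baseline. All thresholds, account names and trades below are constructed for the illustration.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Trade:
    account: str
    qty: int
    price: float
    approvers: tuple = ()   # identities that signed off on the order

@dataclass
class TradeMonitor:
    # Hypothetical policy values chosen for this example, not any exchange's real limits.
    two_person_threshold: float = 1_000_000.0     # larger orders need two distinct approvers
    halt_multiple: float = 5.0                    # halt once running notional > N x baseline
    baseline: dict = field(default_factory=dict)  # expected daily notional per account
    running: dict = field(default_factory=dict)   # notional seen so far per account
    halted: bool = False
    alerts: list = field(default_factory=list)

    def check(self, t: Trade) -> str:
        if self.halted:
            return "HALT"   # nothing passes until operators review and reset the monitor
        if t.qty <= 0 or t.price <= 0:
            self.alerts.append(f"invalid order from {t.account}: qty={t.qty} price={t.price}")
            return "REJECT"
        notional = t.qty * t.price
        if notional > self.two_person_threshold and len(set(t.approvers)) < 2:
            self.alerts.append(f"{t.account}: {notional:,.0f} needs two approvers, got {t.approvers}")
            return "REJECT"
        self.running[t.account] = self.running.get(t.account, 0.0) + notional
        base = self.baseline.get(t.account)
        if base is not None and self.running[t.account] > self.halt_multiple * base:
            self.halted = True
            self.alerts.append(f"circuit breaker: {t.account} at {self.running[t.account]:,.0f} vs baseline {base:,.0f}")
            return "HALT"
        return "ACCEPT"

# Constructed sample session: routine order, oversized order with one then two signers,
# a malformed order, a burst that trips the breaker, and an order arriving after the halt.
SAMPLE_TRADES = [
    Trade("acct-A", 1_000, 50.0, ("alice",)),
    Trade("acct-A", 30_000, 50.0, ("alice",)),
    Trade("acct-A", 30_000, 50.0, ("alice", "bob")),
    Trade("acct-B", 0, 10.0, ("carol",)),
    Trade("acct-B", 200_000, 25.0, ("carol", "dave")),
    Trade("acct-A", 10, 50.0, ("alice",)),
]

def run_sample() -> list:
    mon = TradeMonitor(baseline={"acct-A": 2_000_000.0, "acct-B": 500_000.0})
    return [mon.check(t) for t in SAMPLE_TRADES]
```

Note that the halt is sticky by design: once tripped, even a tiny routine order is held until a human resets the monitor, which is the "automatic shut-down in extreme cases" posture the post argues for.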

Why don't we do this already? Because the default risk management policy currently in place is more like "handle reasonable risks, and otherwise, hope for the best." Maybe it's time to rethink that posture!

Stu Sjouwerman
