February 09, 2011

It wasn't a good week for exchanges and their security systems. Last week the London Stock Exchange (LSE) revealed that it had been the victim of a series of cyber attacks late last year, and last Saturday Nasdaq revealed that it had been visited by unwanted intruders on its systems. While these exchanges use state-of-the-art technology for trading and analysis, they are alluring targets for a new breed of hackers. Advanced Trading spoke with Craig Spiezle, executive director of the Online Trust Alliance, a non-profit organization that promotes best practices surrounding online crime, identity theft and deception. The Seattle-based expert says these attackers have moved from teenage pranksters to perpetrators of state-sponsored cyber terrorism. And we haven't heard the last from them.

Should buy-side firms and asset managers be worried about the Nasdaq hack?

Craig Spiezle, Online Trust Alliance: Yes, we all need to be concerned and from two perspectives. First, the ability to potentially manipulate data; we don't really know what has happened and when. The other perspective is more troubling in that there is a history of criminals who do these attacks then propagate deceptive e-mails that get people to open an e-mail that might be full of viruses or divulge bogus information. Now you might get an e-mail that appears to come from "Nasdaq" and it says "Special Advisory" and you expect it has relevancy and now your machine has been compromised. You need to know if your e-mail is from a trusted party. Can you validate your email?

Last week the LSE revealed that it had been the victim of a series of cyber attacks in late 2010. What steps are exchanges taking to fortify their data, platforms?

Spiezle: They should be doing many things. If you look at the Federal Deposit Insurance Corporation (FDIC), we are seeing a trend of a cyber criminal going after the supply chain of data and going after other trusted sources. An example is the trading desk and the data stored there.

Obviously there are two methods to address this: Investing in new technologies but more often than not it's the best practices. Looking at the Secret Service and other US federal agencies, this is not an issue about procurement of new tech solutions. It's about operational discipline and establishing best practices and adhering to them. Increased diligence is important. It's not a one-time set-up and then you walk away from it.

Could a hacker cause a flash crash or increase latency on an exchange?

Spiezle: That is outside my expertise -- but the ability of cyber criminals to manipulate information and latency to their benefit should not be underestimated. We should assume that it is possible and then figure out how to mitigate and prevent it.

Are these hackers operating inside the US or outside our borders?

Spiezle: I can't comment on the specific instance because it's being investigated. But if it follows other cyber attacks, it could be a combination of very organized cyber criminals that span many nations. In terms of recent world events we have to wonder at what point does this become state-sponsored terrorism?

Should we expect more exchange hacks?

Spiezle: It would be our estimate that you can expect that. Here's some data for a little perspective. The FDIC -- we are working with a lot of government agencies -- and they are doing a lot of very good things. On a daily basis, about 20 percent of the email messages that purport to be from the FDIC.gov are forged e-mail. That is forged e-mail with malicious purposes. We saw an influx that almost went up to 90 percent two weeks ago. The reason is because the cyber criminals prey off the news. When the FDIC comes out with a bank closure, merger or foreclosure news, you would expect a higher volume of mail to come from a government organization.

The good news is the FDIC has put in place very pro-active measures to sniff out ISPs and can detect if that e-mail is forged and this allows them to block it. That is [an example of a government agency that is] a north star. The IRS is another that has a lot of e-mails that are targeted to consumers and to member banks. The goal there is to compromise a member bank's machine and then compromise the system.

So what can buy side firms do to protect themselves?

Spiezle: To sum it up, there are best practices. Not only around protecting the infrastructure but also protecting your mail stream so someone isn't fooled into opening up an e-mail and compromising their access. The old adage that you don't open an e-mail if you don't know whom it's from applies as much today as it did five years ago.

Now the threats are that much more malicious and they are targeting not only consumers but also businesses and governments.

ABOUT THE AUTHOR
Phil Albinus is the former editor-in-chief of Advanced Trading. He has nearly two decades of journalism experience and has been covering financial technology and regulation for nine years. Before joining ...