When people run their credit card, pay a bill online, or withdraw money from an ATM, few consider the software and hardware that make those transactions happen. They expect that their personal and financial information is secure. Yet there is a silent but immense assault against consumers via their financial transactions. The financial service organizations on which we all rely are increasingly the chief target of cyber attacks.
A new report for China Tech Threat identifies that financial organizations have become the prime target of cyber attack, which a morass of government agencies and policies tasked with cyber-defenses have done little to abate. U.S. banks must take proactive measures—including cyber resilience audits, secure-sourcing strategies and removing elements with vulnerabilities—to protect their systems, data, and customers.
Cyber-attacks against major financial institutions have grown significantly in recent years. An analysis in 2015 found that financial organizations were targeted four times more than other industries. Only four years later, financial firms experienced as many as 300 times more cyber-attacks than other companies.
Those located in the United States were the most targeted, accounting for over a quarter (55 of 207) of major global cyber-attacks against financial services, according to the FinCyber Project by the Carnegie Endowment for International Peace and BAE Intelligence.
Increasingly, attacks are perpetrated by Advanced Persistent Threat (APT) actors. These sophisticated, sustained attacks are meant to infiltrate networks and conduct long-term operations, such as spying or data exfiltration. Unlike an opportunistic cyber-attack, in which the perpetrator seeks to “get in and get out” for some immediate payoff, an effective APT will skirt a system’s security and remain undetected for a prolonged period. A cyberattack on a bank can devastate its customers and systems; a cyberattack on the US Treasury, which the SolarWinds breach came dangerously close to achieving, could bring down the country.
Much cybersecurity discourse and practice is focused on software and applications, and while that focus is important, it can lead organizations to de-emphasize the security of hardware and physical facilities. As the Supermicro case illustrates, the motherboard hardware of a U.S. firm was compromised by a third-party supplier linked to the PRC military to enable a sophisticated attack across an organization’s network. This revelation reportedly led to Apple removing thousands of servers and Amazon terminating a supplier in China.
APT attacks require greater resources, planning, and know-how than most rogue hackers possess. As such, they are more likely to be perpetrated by nation states—namely, the People’s Republic of China, North Korea, Russia, or Iran. Of these, only the People’s Republic of China (PRC) holds a key position in the production of information technology, enabling it to install physical and virtual backdoors.
It is well documented that the PRC uses technology to surveil and exfiltrate information. In fact, recent Chinese laws require its citizens and businesses to support the government’s intelligence operations, which include spying, IP theft and technology acquisition. As the China Tech Threat report notes, perhaps most alarming, the only barrier preventing PRC-sponsored hackers from launching a potentially catastrophic cyber-attack against U.S. banks may be a precarious dynamic of mutual economic interdependence: US banks want to do business in China, and the Chinese government retains the discretion to allow them to do so, albeit under draconian conditions.
U.S. banks and financial service providers cannot rely solely on the government to combat these state-sponsored threats. Federal measures leave something to be desired, as evidenced by the growing number of attacks and even by government agencies’ own technology purchases from companies with known ties to the PRC. Additionally, the absence of a clearly defined authority on cyber-defense has produced policy that is at times inconsistent, incoherent, or incomplete.
Rather than wait for policymakers to fix the problem, U.S. banks should preemptively mitigate exposure. That requires regular resilience audits and, increasingly, sourcing technology products from trusted democratic countries and removing hardware that could be compromised.
“Hardware represents a gaping and exploitable hole in the current approach to cyber security… Hardware vulnerabilities can be exploited to completely sidestep software-based security measures,” wrote John Villasenor, a former nonresident fellow at the Brookings Institution’s Center for Technology Innovation, in 2013. As China’s production capacity has grown since Villasenor’s report, so too has the potential for these built-in backdoors.
Last month, President Biden signed an executive order to initiate a review of U.S. supply chain security. That should serve as a wake-up call to policymakers about how important it is to know where their IT products originate.