Dr. Greg Austin was featured as the keynote speaker at the 2014 Canada-US Cybersecurity Conference on February 28, 2014, co-hosted by the Consulate General of Canada in New York and the Securities Industry and Financial Markets Association.
Dr Austin recommended that states should commit by treaty to the absolute protection in cyberspace of designated exchanges and clearing houses in the same way as they now commit to the absolute protection of diplomats as internationally protected persons and embassies as internationally protected premises. While admitting that the proposal may sound strange, Dr Austin suggested that we think of it as an innovation that is not only in keeping with the spirit of the times, a cyber age zeitgeist, but more importantly one that offers an essential pathway to help secure the global economy. This economy is now totally dependent on the secure functioning of the information systems and networks that support trading in currencies, stocks and derivatives and the operation of clearing houses. The integrity of data in the international financial system is a new frontline of global economic security.
Prepared Text for Keynote, 2014 Canada-US Cybersecurity Conference: Securing our Financial Infrastructure, 28 February 2014, hosted by the Government of Canada in partnership with the Securities Industry and Financial Markets Association
Good morning/afternoon Ladies and Gentlemen. Thank you for the opportunity to join you today. The EastWest Institute, or EastWest as we now brand ourselves, has been working with private sector partners and governments for about five years now on new measures to protect the digital economy, or perhaps more correctly the digitalized economy. Our Worldwide Cyberspace Cooperation Initiative has several streams of work, including international measures for the protection of critical information infrastructure. Toward the end of these remarks, I have one idea on international protection of exchanges that I would like to test out with you. You can give it thumbs up or thumbs down.
One example of how EastWest works is the recently published paper on the protection of civil nuclear assets. … how we did it, where it went, and what we will do with it… Nuclear Knowledge Summit.
The main purpose of this report was to establish a baseline of action for states to do their part in protecting civil nuclear assets from cyber attack. But the purpose was also to select an area of critical infrastructure protection in cyberspace where there would be little disagreement on the need or the sorts of measures that might be implemented. This approach is necessary to build confidence in an international system characterized by increasing threats from state actors and non-state actors alike, but where mistrust levels between states are high and also increasing.
At the same time as we were developing that paper, we also started to research the financial services sector. We took our cue in part from President Obama who in his State of the Union address in 2013 called it out as one of three sectors now being attacked by America’s enemies. But we also decided to focus on this question because of its high potential appeal to China. In our 2012 paper on Cyber Détente between the United States and China, there is a recommendation for the two countries to better understand their economic interdependence in addressing cyber threats to critical infrastructure. In fact, the paper calls for a joint Chinese American study on the subject.
As you know, the financial services sector has been designated by the United States government as one of 16 critical infrastructures. The sector has been a consistent focus of attention at EastWest, from our earliest work on the reliability of undersea cables in 2009 to more recent work on priority international communications. We are discussing with our partners in the private sector and in government, in countries like China, Russia, India, Germany and the United States, the needs of the financial services sector in protecting its system critical assets in cyberspace.
We hope that our work can complement the efforts of the new working group announced in December by the World Federation of Exchanges. It will bring together representatives of a number of exchanges and clearinghouses to help protect global capital markets. It is chaired by Mark Graff, Chief Information Security Officer, NASDAQ OMX, and its vice-chair is Jerry Perullo, Vice President, Information Security, Intercontinental Exchange (ICE). The founding committee members include Australian Securities Exchange, BM&FBOVESPA, CME Group, The Depository Trust & Clearing Corporation (DTCC), Intercontinental Exchange (ICE), International Securities Exchange (ISE), NASDAQ OMX, NYSE Euronext, and stock exchanges from Saudi Arabia, Singapore, Switzerland and Toronto. The group will aim to:
- Establish a communication framework among participants based on mutual trust;
- Facilitate information sharing, including threat intelligence, attack trends, and useful policies, standards and technologies;
- Enhance dialogue with policy makers, regulators and government organizations on cyber threats for fair, transparent and efficient markets;
- Support improved defenses from both external and internal cyber-based threats against the markets.
The positioning of EastWest should allow us to make some new connections between the interests of the private sector and governments in these endeavors. Our interest is not so much in facilitating conversations within one country as it is in supporting cross-border efforts where political conditions get in the way of effective cross-border industry-government cooperation. The potential target EWI is looking at is not a geography-specific enterprise, i.e. a single stock exchange and its physical cyber protections. The target is a country's economy. The potential immediate effect is not localized: it could have nation-wide and global economic impacts. And the potential geopolitical and geo-economic flow-on effects could be through an entire national economy, and in the worst case, the entire global economy.
The System, Not an Infrastructure
When we look closely at the global picture, we see however that the financial services sector is not just a critical infrastructure, if we understand the term as DHS does – the backbone of the country's economy, security and health. If we are using an anatomical analogy, I think we would have to say that the financial services sector is the backbone, but it is quite a lot more. It is the entire skeleton, it is the muscle, it is the blood supply. In fact it is not distinguishable from the totality of national prosperity and national security. That is why the term "capitalist" can be used, without any negative overtones, to describe the entire system.
The brains of this system are indeed human, but if we can sustain the metaphor of the body, the nervous system of this body (of the capitalist system) is now the global web of data networks and communications systems that underpin it. The integrity of the systems and data in the global financial services sector does influence its overall health.
EastWest is interested in addressing threats to this nervous system that might incapacitate the body as a whole. Our interest in international protection in cyberspace of the financial services sector is directed at systemic threats, not enterprise level threats. What threats are there in cyberspace that may cause a global economic shock and what can be done about them at the international level?
We have opened a consultation with leaders in the field, people such as yourselves, to begin to answer this question. We are definitely still in fact-finding mode. SIFMA and EastWest partnered in a small brainstorming session in December last year. Several of you here today have been kind enough to spare some time to discuss some of the issues involved. Here are some thoughts and ideas we are looking at.
Global Economic Shock
Coming at this cyberspace question from the wider perspective, we are trying to understand the relationship between threats and risks in cyberspace and those from other sources. Could the simultaneous interaction of non-cyber threats and a cyber threat have a debilitating impact on the financial services system as whole? Where do cyber issues fit in the hierarchy of threat?
One set of possible answers to this question has been provided by two British professors on commission from the OECD. Peter Sommer, from the Information Systems and Innovation Group, at the London School of Economics, and Ian Brown, from the Oxford Internet Institute at Oxford University, authored a paper on the threat of system incapacitation from cyber attack. It was part of a very ambitious OECD study on “Future Global Shocks” conducted over two years and published in 2011. The study included five cases:
1. financial crises
2. cyber risks
4. geomagnetic storms
5. social unrest.
The professors concluded in the cyber risks study that “very few single cyber-related events have the capacity to cause a global shock”. They saw instead “significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services”. They did however identify “Catastrophic single cyber-related events” and gave as two examples the “successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers” and a “very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches”. They nevertheless warned that governments need to prepare for a wide range of cyber events, both accidental and deliberate.
The OECD synthesis report, which was based on the five case studies and other research, did however conclude that more effective international coordination to mitigate the effects of global shocks, whether or not caused by cyber events, is both necessary and possible. It advocated the establishment of new mechanisms or "institutional strengthening" at all stages of the decision cycle for risk management. Our consultations and research at EastWest have concluded that there is definitely room for strengthening international collaboration in the financial services sector around the threat of global economic shock, especially with reference to cyberspace.
In international governance of global economic shocks, major gulfs remain. This is true across big geopolitical divides (such as China and the United States) and it is true between private sector actors and governments. This is the case not only in responding to such shocks but in anticipating them. When a global economic shock occurs, there are low levels of trust between major actors. In the Global Financial Crisis of 2008, there was a default resort to economic nationalism and a certain loss of confidence in international regulatory systems. One of the case studies for the OECD report actually concluded that the international regulatory system exacerbated the crisis after a certain point. That is the broad governance context of my remarks today.
We can probably all agree that cyberspace is an important locus of risk management at the enterprise level but at the systemic level (the national economic level and the global economic level) the jury may still be out.
Three Risk Factors
Let me say a few words about three risk factors for global economic shock, before introducing a fresh idea on what the EastWest Institute and its partners might do about it.
The first is the fragility of the global economy.
“This is the most serious financial crisis we’ve seen, at least since the 1930s, if not ever.”
- Mervyn King, Governor, Bank of England, 5 October 2011
“different regulation scenarios, such as the Basel accords, are demonstrated to work well in times of moderate leverage, but deepen crisis when leverage levels are high. This is due to enhanced synchronization effects induced by the regulations.”
- Dr Stefan Thurner, OECD Study, Systemic Financial Risk, 2011
“changes envisaged in the Basel III framework might be too small to sufficiently enhance the resilience of financial institutions against systemic shocks”
- Report by the UN Secretary General in consultation with the IMF, July 2012
The second is derivatives trading. The IMF has estimated the book value of the derivatives market at around $70 trillion. The IMF has identified derivatives markets as a source of high concern for global economic stability but no-one is listening. Yet the "cyberized" character of derivatives trading, with complex assumptions built into trading algorithms ("algo trading"), makes the already fragile derivatives market, as currently configured, even more of a vulnerability or risk to the global economy if it were subject to a cyber attack that had systemic shock effects.
The third is the threat landscape in cyberspace. On the one hand, there is the underdeveloped state of international and national response mechanisms for cyber incidents that may have unintended follow-on consequences on confidence in trading systems. Confidence is not something that is wholly rational. On the other hand, there is the fact that countries are developing capabilities for attacks on exchanges and clearance houses with potentially systemic effects. The United States Director of National Intelligence, Gen. (ret.) James Clapper, has articulated his concern about state manipulation of markets through cyber means for geopolitical effect. We know from the September 11 attacks and the World Trade Centre bombing that exchanges are an iconic target for terrorists.
I want to focus most of these short remarks on one of those risk factors: the absence of international protection for exchanges and clearing houses in cyberspace. Just so you know where this is heading, this is the idea that states should commit by treaty to the absolute protection in cyberspace of designated exchanges and clearing houses in the same way as they now commit to the absolute protection of diplomats as internationally protected persons and embassies as internationally protected premises. It may sound strange, but think of it as an innovation that is not only in keeping with the spirit of the times, a cyber age zeitgeist, but more importantly one that offers an essential pathway to help secure the global economy. This economy is now totally dependent on the secure functioning of the information systems and networks that support trading in currencies, stocks and derivatives and the operation of clearing houses. The integrity of data in the international financial system is a new frontline of global economic security.
So, the proposal is that states take on the obligation to devote special efforts to the detection of any preparations of cyber attack specifically directed at or likely to impact the safe and secure operations in cyberspace of exchanges and clearing houses in any country as if it were a national security threat of the highest order to its own country.
The idea would be to take the 1997 Convention on Crimes against Internationally Protected Persons and adapt it to apply to a new target of international law, "internationally protected facilities". The 1997 convention is aimed primarily at the protection of diplomats on the grounds that there simply can't be normal business if diplomats are not fully protected by international law. The preamble to that convention sets out four simple reasons why states signed the convention. As I read them, perhaps you might ask yourself if or how these would apply to the common understanding of the centrality of exchanges and clearance houses to global security. The four preambular statements were:
“Having in mind the purposes and principles of the Charter of the United Nations concerning the maintenance of international peace and the promotion of friendly relations and co-operation among States,
Considering that [these] crimes … create a serious threat to the maintenance of normal international relations which are necessary for co-operation among States,
Believing that the commission of such crimes is a matter of grave concern to the international community,
Convinced that there is an urgent need to adopt appropriate and effective measures for the prevention and punishment of such crimes,…”
The difficulty will come in establishing the text. But there is a treaty precedent in cyberspace. In 2010, the United States and China were among some 24 countries to sign the 2010 Beijing Convention and 2010 Beijing Protocol, multilateral agreements which require states, inter alia, to criminalize cyber attacks (though it used a more general term of "new technologies"), and certain preparatory activities, that target civil air navigation facilities and aircraft in flight.
What are the pros and cons of this proposal?
There are a few negatives. The last thing many operators want would be an excuse for governments to be intervening in cyber dimensions of trading on security grounds. But this may not be a real obstacle. This could be addressed by including in the convention a prohibition of any action by states themselves to interfere in cyber dimensions of trading. In any case, the disposition of states or their determination to peek into and perhaps interfere with cyber aspects of trading already exists. Having a convention like this will not make them more disposed to do that.
On the plus side, one might argue that the threats and risks are real enough now and that the time taken for voluntary non-state approaches might not prevent a catastrophe.
Let me finish with a quote from Shakespeare: "There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." Perhaps I could invite you to consider the proposal tabled here today as very much in this vein. I am arguably a little out of my depth in framing it as I have, given my knowledge of the financial services sector, but I do suspect that there is a serious threat here that is bigger than all of us. It will take some going outside of ourselves and our comfort zones to understand if it is as bad as some suggest and then to devise a way ahead.
Thank you for your attention.