Featured eBooks
Army Trends
CDM
VA Transformation
Defense

Officials worry about safety of financial data

Computer hackers could cause additional economic turmoil by spreading false information.

Shane Harris

|

Not that we need it, but here's yet another reason to worry about havoc in financial markets: U.S. intelligence officials increasingly fear that computer hackers could wreck banks and large financial institutions, or send stock markets into one more panicked frenzy, by covertly manipulating data and spreading false information.

In interviews and speeches over the past few months, senior counterintelligence and security officials laid out some dire scenarios. They're all predicated on a determined individual or small group fabricating information in such a way that the public sees a different picture of financial health than exists, either at a particular company or in broad markets.

For example, imagine a large brokerage finds itself suddenly saddled with huge losses because a disgruntled employee falsified information in the company's accounting systems, thus ensuring that billions of dollars in losses never show up on the books. Or think about the tumult that would ensue if someone hacked into a stock exchange and changed individual share prices, unleashing a flood of buy and sell orders.

These kinds of nightmare events shape the thinking of the senior Bush administration officials in charge of protecting the nation's computer infrastructure. They're concerned that financial institutions, while aware of the risks posed by lax information security, haven't taken bold enough steps to tighten up their own defenses and thus are imperiling a global system that is utterly dependent on accurate information.

The current crisis in mortgage-backed securities underscores the consequences of inaccurate information. Analysts often labeled those investments safe because they relied on outdated mortgage-default rates to assess the loans' riskiness. Their flawed calculus was presumably unintentional.

But imagine the damage that intentionally feeding the market bad information could cause. "Let's say instead of bringing down the systems at the New York Stock Exchange, you were able to corrupt the data in the exchange's system," Joel Brenner, the government's top counterintelligence officer, posited in an interview with National Journal in May. "If that happened, the market would lose confidence in the prices. 'Gee, I thought I bought a million shares at X, not X plus 10 cents.' What would happen to trading? The clearing mechanism would grind to a halt at the end of the day."

It may sound improbable, and Brenner stressed that the security on stock exchanges is "very, very good." But he and other senior officials say that the financial system as a whole is not sufficiently protected. The economic damages from massive fraud, they note, could exceed those caused by an act of terrorism. And at a time when the global financial system is teetering on collapse, financial networks are becoming more interlinked and hackers are perfecting their techniques.

Officials don't base their hypotheses on unfounded fears. Indeed, the world has already seen that one person, with a reasonable level of technical skill, can make whole economies shudder.

In January, Societe Generale, one of France's largest financial services companies, discovered that a midlevel trader had made a series of complex and bogus futures transactions by hacking into the bank's security and trading systems. Jerome Kerviel disabled an automatic-alert mechanism that should have flagged his reckless transactions. And he stole passwords that gave him access to accounting records, which he falsified to cover his tracks. He even constructed fake e-mails about fictitious trades to make his activities seem real. When the trader's managers discovered Kerviel's fraud, they spent a weekend trying to reconcile the trades in the open market. The bank's losses totaled more than $7 billion.

"The unwinding of such a massive position put immense pressure on the futures market," according to Eben Esterhuizen, an investment analyst who covered the story for The Panelist, a financial news blog. "Other traders saw the plunge in futures amid massive and mysterious selling ... and they started selling everything else."

U.S. markets were closed the following Monday, on January 21, for the Martin Luther King Jr. holiday. But world stock markets dipped dramatically. Kerviel's fraudulent transactions had not yet been publicly revealed, so no one could point to a specific cause for the drop. To fend off a spreading panic, Federal Reserve Board Chairman Ben Bernanke cut the interest rate that the Fed charges banks for overnight loans by 0.75 percent. It was the Fed's biggest ever emergency cut, and it was precipitated in large part by Kerviel's massive disinformation campaign.

Rogue traders like Kerviel have caused big losses before, but never this big. In 1995, trader Nick Leeson brought down Britain's Barings Bank by causing approximately $1 billion in losses. Leeson, however, worked in the area of the company that also oversaw his activities. Kerviel, on the other hand, was a back-office employee and technophile who learned how to circumvent Societe Generale's computer systems.

The Kerviel case got the attention of senior security officials in the Bush administration. In a public address in September, Melissa Hathaway, who manages the cyber-security portfolio for the director of national intelligence, described it as a prime example of how an insider hacker can, with relative ease, shake the global economy.

Hathaway said that the case is one of several hacking incidents that have informed the policy behind the Bush White House's national cyber-security initiative, an ambitious and largely classified plan that officials are rolling out in the administration's final months. The insider threat ranked "first and foremost" among the so-called attack vectors that officials have reviewed, she said. The cyber-plan is aimed primarily at government networks, but Hathaway, like Brenner and other experts in government, has spent much of her time discussing unaddressed risks to private networks, particularly in the financial sector.

To get a sense of just how susceptible financial markets are to disinformation, consider how wildly stock prices fluctuate because of a rumor. Earlier this month, Apple's share price tumbled by more than 10 percent moments after a post on a CNN website claimed that paramedics had rushed Steve Jobs, the company's CEO, from his home after an apparent heart attack. The site solicits "user-generated content," but CNN does not verify it. The poster claimed that an anonymous source with firsthand information had supplied the tip about Jobs, and the report seemed real enough to spark a panic. (Jobs had pancreatic cancer, and his health has been a constant source of worry for investors.)

The company quickly denied the report, and Apple's stock rebounded, but not before dipping under $100 a share for the first time in nearly a year and a half. CNN removed the fake report from its site.

This wasn't the first time that bad information has shaken the markets. In January 2006, an error in NASDAQ's reporting system prompted several websites and online brokers to display incorrect price shifts on various stocks. The prices were correct, but the scale of price changes was not. Some stocks seemed to be up when they were really down, and some seemed to be falling when their share price was actually on the rise. In Japan, trading was halted, and investors found themselves unable to sell losing stocks or to buy up new ones at a discount.

"When you have this kind of problem, it calls into question the entire system," Yakov Amihud, a finance professor at New York University's Stern School of Business, told the Associated Press at the time. "As an investor, you question whether the liquidity in that market is there, whether you can buy or sell exactly when you want to. And maybe you decide to sell off your stocks if you don't trust the system."

These mishaps were also inadvertent. But for financial institutions, officials say, the lesson is clear: Companies must address the safety and soundness of their information systems in the face of all kinds of potential threats. "This is not happening. And this needs to happen," says Tom Kellermann, who was the senior data-risk management specialist at the financial division of the World Bank Group and who now sits on a bipartisan commission writing a comprehensive cyber-security assessment for the next U.S. administration. The threat to financial networks has been a key area of concern for the commission.

"The reality is, we've been building our vaults out of wood in cyberspace for too long," Kellermann says.

NEXT STORY: New president will face major challenges at Defense

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.