Officials worry about safety of financial data

Computer hackers could cause additional economic turmoil by spreading false information.

Not that we need it, but here's yet another reason to worry about havoc in financial markets: U.S. intelligence officials increasingly fear that computer hackers could wreck banks and large financial institutions, or send stock markets into one more panicked frenzy, by covertly manipulating data and spreading false information.

In interviews and speeches over the past few months, senior counterintelligence and security officials laid out some dire scenarios. They're all predicated on a determined individual or small group fabricating information in such a way that the public sees a different picture of financial health than exists, either at a particular company or in broad markets.

For example, imagine a large brokerage finds itself suddenly saddled with huge losses because a disgruntled employee falsified information in the company's accounting systems, thus ensuring that billions of dollars in losses never show up on the books. Or think about the tumult that would ensue if someone hacked into a stock exchange and changed individual share prices, unleashing a flood of buy and sell orders.

These kinds of nightmare events shape the thinking of the senior Bush administration officials in charge of protecting the nation's computer infrastructure. They're concerned that financial institutions, while aware of the risks posed by lax information security, haven't taken bold enough steps to tighten up their own defenses and thus are imperiling a global system that is utterly dependent on accurate information.

The current crisis in mortgage-backed securities underscores the consequences of inaccurate information. Analysts often labeled those investments safe because they relied on outdated mortgage-default rates to assess the loans' riskiness. Their flawed calculus was presumably unintentional.

But imagine the damage that intentionally feeding the market bad information could cause. "Let's say instead of bringing down the systems at the New York Stock Exchange, you were able to corrupt the data in the exchange's system," Joel Brenner, the government's top counterintelligence officer, posited in an interview with National Journal in May. "If that happened, the market would lose confidence in the prices. 'Gee, I thought I bought a million shares at X, not X plus 10 cents.' What would happen to trading? The clearing mechanism would grind to a halt at the end of the day."

It may sound improbable, and Brenner stressed that the security on stock exchanges is "very, very good." But he and other senior officials say that the financial system as a whole is not sufficiently protected. The economic damages from massive fraud, they note, could exceed those caused by an act of terrorism. And at a time when the global financial system is teetering on collapse, financial networks are becoming more interlinked and hackers are perfecting their techniques.

Officials don't base their hypotheses on unfounded fears. Indeed, the world has already seen that one person, with a reasonable level of technical skill, can make whole economies shudder.

In January, Societe Generale, one of France's largest financial services companies, discovered that a midlevel trader had made a series of complex and bogus futures transactions by hacking into the bank's security and trading systems. Jerome Kerviel disabled an automatic-alert mechanism that should have flagged his reckless transactions. And he stole passwords that gave him access to accounting records, which he falsified to cover his tracks. He even constructed fake e-mails about fictitious trades to make his activities seem real. When the trader's managers discovered Kerviel's fraud, they spent a weekend trying to reconcile the trades in the open market. The bank's losses totaled more than $7 billion.

"The unwinding of such a massive position put immense pressure on the futures market," according to Eben Esterhuizen, an investment analyst who covered the story for The Panelist, a financial news blog. "Other traders saw the plunge in futures amid massive and mysterious selling ... and they started selling everything else."

U.S. markets were closed the following Monday, on January 21, for the Martin Luther King Jr. holiday. But world stock markets dipped dramatically. Kerviel's fraudulent transactions had not yet been publicly revealed, so no one could point to a specific cause for the drop. To fend off a spreading panic, Federal Reserve Board Chairman Ben Bernanke cut the interest rate that the Fed charges banks for overnight loans by 0.75 percent. It was the Fed's biggest ever emergency cut, and it was precipitated in large part by Kerviel's massive disinformation campaign.

Rogue traders like Kerviel have caused big losses before, but never this big. In 1995, trader Nick Leeson brought down Britain's Barings Bank by causing approximately $1 billion in losses. Leeson, however, worked in the area of the company that also oversaw his activities. Kerviel, on the other hand, was a back-office employee and technophile who learned how to circumvent Societe Generale's computer systems.

The Kerviel case got the attention of senior security officials in the Bush administration. In a public address in September, Melissa Hathaway, who manages the cyber-security portfolio for the director of national intelligence, described it as a prime example of how an insider hacker can, with relative ease, shake the global economy.

Hathaway said that the case is one of several hacking incidents that have informed the policy behind the Bush White House's national cyber-security initiative, an ambitious and largely classified plan that officials are rolling out in the administration's final months. The insider threat ranked "first and foremost" among the so-called attack vectors that officials have reviewed, she said. The cyber-plan is aimed primarily at government networks, but Hathaway, like Brenner and other experts in government, has spent much of her time discussing unaddressed risks to private networks, particularly in the financial sector.

To get a sense of just how susceptible financial markets are to disinformation, consider how wildly stock prices fluctuate because of a rumor. Earlier this month, Apple's share price tumbled by more than 10 percent moments after a post on a CNN website claimed that paramedics had rushed Steve Jobs, the company's CEO, from his home after an apparent heart attack. The site solicits "user-generated content," but CNN does not verify it. The poster claimed that an anonymous source with firsthand information had supplied the tip about Jobs, and the report seemed real enough to spark a panic. (Jobs had pancreatic cancer, and his health has been a constant source of worry for investors.)

The company quickly denied the report, and Apple's stock rebounded, but not before dipping under $100 a share for the first time in nearly a year and a half. CNN removed the fake report from its site.

This wasn't the first time that bad information has shaken the markets. In January 2006, an error in NASDAQ's reporting system prompted several websites and online brokers to display incorrect price shifts on various stocks. The prices were correct, but the scale of price changes was not. Some stocks seemed to be up when they were really down, and some seemed to be falling when their share price was actually on the rise. In Japan, trading was halted, and investors found themselves unable to sell losing stocks or to buy up new ones at a discount.

"When you have this kind of problem, it calls into question the entire system," Yakov Amihud, a finance professor at New York University's Stern School of Business, told the Associated Press at the time. "As an investor, you question whether the liquidity in that market is there, whether you can buy or sell exactly when you want to. And maybe you decide to sell off your stocks if you don't trust the system."

These mishaps were also inadvertent. But for financial institutions, officials say, the lesson is clear: Companies must address the safety and soundness of their information systems in the face of all kinds of potential threats. "This is not happening. And this needs to happen," says Tom Kellermann, who was the senior data-risk management specialist at the financial division of the World Bank Group and who now sits on a bipartisan commission writing a comprehensive cyber-security assessment for the next U.S. administration. The threat to financial networks has been a key area of concern for the commission.

"The reality is, we've been building our vaults out of wood in cyberspace for too long," Kellermann says.