By MacDonnell Ulsch and Scott Steinert-Evoy

Computer hackers made front pages last week by lobbing virtual hand grenades at some of the world’s most popular Internet sites, inconveniencing millions of Web users and shaking investor confidence in some of Wall Street’s hottest stocks.

But in the war to make businesses secure in today’s interconnected world, these attacks were merely skirmishes, nuisance attacks that could have been orchestrated by a C student testing classroom theories about Web traffic. What would happen if malicious hackers used the Internet to mount a concerted assault on U.S. financial institutions?

Are our banks, brokerages and insurance companies as ready for these criminal threats as they were for the technical glitch known as Y2K?

The answer is largely no. The days when a strong vault, iron bars and an armed guard seemed an adequate deterrent to bank robbers have fast disappeared. It’s not enough to beef up security any more. The whole concept must be redefined.

With half of the world’s computer capacity, and more than 60 percent of Internet assets, the United States is the most advanced and most dependent user of information technology in the world. Widespread electronic thefts or disruptions could shake public confidence in the emerging new economic order and wreak financial havoc.

It also costs big bucks. Consider that for every $1 million stolen electronically from a financial or investment institution, the recovery costs can exceed $100 million. That includes costs for forensic investigations, crisis management, litigation and lost customers.

In fact, U.S. financial services companies are ahead of many other industries – healthcare and manufacturing, for example – when it comes to security. Many important dealings, like ATM transactions and wire transfers, take place on closed, encrypted networks, not on the Internet. Because of their long history in risk management, most financial firms have relatively sophisticated systems in place to monitor online traffic and detect suspicious behavior.

"Denial of Service" ambushes like those that hit at least seven heavily visited sites last week merely disrupt service. They’re not break-ins that alter information inside company walls – and empty your brokerage account, for example.

Still, attacks on financial institutions pose a very real threat. And the specter of these attacks has not received the attention it merits: not from the public and media, and certainly not from the upper echelons of corporate America itself.

The Y2K threat, after all, was something that CEOs could easily understand. It was a specific problem, with a specific solution involving a finite, if enormous, number of lines of computer code. The moment of truth was just that – the stroke of midnight on New Year’s Eve.

Most importantly, Y2K commanded the constant attention of the men and women who run America’s publicly held companies. Every CEO faced regular questions from Wall Street analysts on Y2K preparedness. Stock prices rose and fell on the strength of Y2K programs. That kind of attention from the top opens corporate wallets like no back-office Cassandra ever could.

Combating cyber-terrorism also requires an enormous commitment of effort and resources. But the solutions, like the problem, are more ambiguous than those associated with Y2K. Each new dawn brings a new day of reckoning; there is no sigh of relief on January 2. Hackers and crackers develop resistant strains to each new vaccine as the Internet becomes a playground for all kinds of malcontents and ne’er-do-wells.

The Center for Strategic & International Studies has compiled a list of the types of people who will use information warfare to further their political, social and economic agendas in the coming decade. By 2005, organized criminals, terrorist groups and foreign spies will do lots of business online – joining the hackers, disgruntled employees and common crooks already logging on. Some 18 million people around the world already possess the skills to conduct cyber-attacks, according to International Data Corporation.

Thinking of security as an "Internet-only" problem is a wrong-headed approach destined to fail.

The Internet may be fast emerging as a public network vital to the flow of commerce. But it also depends on the rest of the critical public infrastructure – the national power grid, the telephone switching system – to operate at all. These systems are vulnerable to a dizzying variety of attackers from without and within, according to the Presidential Commission on Critical Infrastructure Protection.

Conversely, the best computer security cannot stop a disgruntled former employee with a password – or a key to the basement – from sabotaging corporate data. These types of inside attacks are by far the most common among U.S. companies, accounting for as much as 85 percent of thefts of information and other corporate assets.

Some companies have already appointed Chief Security Officers whose mandates encompass both physical and network security. In the future, these professionals must create a security culture where such artificial lines will disappear entirely – and where information security is a hot topic in the boardroom, not just in the back room.

Therein lies the only blessing that may emerge from last week’s jolt to the Internet. Investor punishment of the affected companies is sure to get the attention of Wall Street analysts – and, consequently, top corporate decision-makers. They have a long, long road ahead of them. Instilling a culture of security, unlike slaying the Y2K dragon, is a neverending quest.

Nearly every CEO in the country now understands that an e-commerce strategy is critical to their success. But in their race to embrace the Internet, they too often see security as a roadblock. The truth is, security is a fundamental part of doing business.

In a world where few customers or commercial partners do business face to face, good security is the cyber equivalent of a firm handshake and a square look in the eye.
