Cyber-attacks on the stock exchange: Threat, motivation and response
RUSI Analysis, 3 Feb 2011
By John Bassett OBE, Associate Fellow, Cyber Security
Increased media speculation about the possibility of a cyber-attack on the London or New York stock exchanges has ignored the nature of the threat, which is likely to seek to cause disruption rather than make money, and the counter-measures that can hinder a catastrophic attack.
By John Bassett and David Smart for RUSI.org
The main motivation for attempting cyber-attacks on the stock exchange is likely to lie in the political arena rather than market manipulation for financial gain.
Over the last few days there has been a good deal of media speculation about cyber-attacks on the New York and London stock exchanges. There is, however, no hard evidence that the incidents were the results of cyber-attacks. But the possibility of attacks now or in the future raises important questions, especially about threat, motivation and responses.
The possibility of stock market exploitation by terrorist or other hostile groups has concerned security analysts for some years, as well as being the stuff of a thousand thrillers. There was extensive discussion of the causes of the wild fluctuations on the New York stock exchange in May 2010. One can also call to mind claims that Al-Qa'ida or the Taliban profited from advance knowledge of 9/11 to short sell stocks linked to air travel; those claims proved quite unfounded.
The obvious motivation for a cyber-attack on the stock market might appear to be criminal gain. But there are formidable obstacles of complexity, risk and cost. The challenges for putative criminals are:
- To engineer the effect they need;
- To be confident that this is the outcome they will achieve, not something different; and
- To evade detection and prosecution.
They must also have access to capital, primarily to trade with, but also possibly to fund the attack. There are much better ways for criminals to profit from cyber-attacks - ways that are less glamorous but more reliable, such as extortion or theft. For the cyber criminal the 'low value/high volume' approach is the best way to balance gain against risk, as we know from other areas of financial crime, such as credit card fraud.
Thus the principal motivation for a cyber-attack on the stock exchange is much more likely to be to cause disruption. Examples of potential perpetrators could include:
- A terrorist group seeking to put pressure on a government;
- Political extremists, for example militant anti-capitalists, seeking to damage financial infrastructure;
- A rival state seeking to undermine a nation's economy by damaging its reputation as a good place to do business;
- A state striking at a nation's infrastructure as part of a military campaign.
Given the range of possible motivations, an attempt to mount a cyber-attack on the stock exchange may well be inevitable. The method of attack would probably vary depending on the perpetrators and the effects they are seeking to cause. Non-state actors may well seek to identify and exploit loopholes, though historically the stock exchange has had strong electronic security. States or groups sponsored and supported by states are more likely to utilise technically sophisticated attacks involving significant research and intellectual capital.
Options for Policymakers
For the defender, resilience and an agile response will be crucial, especially at this juncture, when network defence is relatively immature. An effective and well-exercised pre-existing structure for managing disruptive events should enable a swift and effective response to limit the impact of any disruption. Such an approach would also be of benefit when confronted by accidental events. However, one challenge for the defender that is liable to remain difficult is the accurate and timely attribution of an attack.
Defenders can take some comfort from the knowledge that they can learn from each attack, and that the attacker will most likely be confronted by the law of diminishing returns. A security loophole, once identified, should be easy and quick to block. And even the most sophisticated attacks are likely to be one-offs, as each new attack will draw on the aggressor's limited supply of intellectual capital and requires extensive research.
By mounting an advanced cyber-attack, the perpetrators reveal their methods and techniques and thus provide the defender with the means to evolve effective counter-measures. A stock exchange with a robust approach to resilience and a strong event management structure should be able to recover effectively from anything other than a catastrophic first strike.
John Bassett OBE is Associate Fellow for Cyber Security at RUSI
David Smart is an independent consultant specialising in financial and e-crime