In its regular Financial Stability Review (FSR), the Reserve Bank of Australia (RBA) mainly focused on its thinking about the pace of economic recovery after the pandemic. It also highlighted what it was going to do about the booming local property market.
But during a background briefing with senior RBA staff on the issue of financial security, it emerged that the bank was very concerned with another threat to domestic and global financial security: potential cyberattacks.
Imagine the damage that a concerted and malign cyber attack on a major central bank could do. It could stop the payments system and bond markets in their tracks and very quickly bring economic activity to a screeching halt. Beyond an attack on an individual company or bank, a successful attack on a central bank could create long-term damage to the financial system and the broader economy.
Redefining critical infrastructure
The intelligence community warns of a new cyber dimension in the conflict between nations. As a result, the RBA advocates that the Australian Government extend its definition of “critical infrastructure.” It wants to place a positive security obligation on financial sector institutions and “additional obligations” on entities considered to be of national significance. Legislation to enable these reforms is currently before the Australian Parliament.
The RBA sits on the Council of Financial Regulators, which endorsed a new cyber work plan in November 2020, one element of which is implementing the pilot Cyber Operational Resilience Intelligence-led Exercises (CORIE) testing framework. The testing framework will be used to launch “ethical hacking” exercises against financial sector entities “that mimic the tactics, techniques, and procedures of real-life adversaries.”
In the FSR, the RBA made a note of two recent incidents involving cyber risk. One was a series of outages on the Australian Securities Exchange in November 2020, which disrupted trading and other functions.
The other occurred when several institutions worldwide experienced external breaches of file transfer software supplied by U.S. technology company Accellion in December 2020 and January 2021.
Australia’s corporate regulator ASIC was impacted along with the State Government of New South Wales, as was the Reserve Bank of New Zealand (RBNZ), which has been dealing with the fallout ever since. Earlier in 2020, the RBNZ also experienced incidents of information leakage.
In the Accellion case, New Zealand’s central bank was the target of a malicious breach of its data systems. A third-party file sharing service used by the Bank to share and store some sensitive information was illegally accessed, and information stored on that system has likely been compromised.
According to the RBNZ, customer data containing personal email addresses, dates of birth, and credit information were accessed.
Security firm Mandiant was called in and found two different vulnerabilities in the software that were exposed. The second one occurred five days after a patch was released to fix the first vulnerability, a move the RBNZ claims it was not informed of until after the event.
Not just central banks are under threat
Another example of what can happen, though not at a central bank, was the 2019 attack on the Inter-American Development Bank, which occurred as Latin American delegates arrived in Washington to celebrate the institution’s 60th anniversary.
As they arrived, requests from more than 15,000 electronic addresses across China flooded the bank portal, disabling parts of the service intermittently. To resolve the issue, the bank took drastic action and blocked all traffic from China.
But the attackers persisted, and as delegates gathered for a conference day with athletes, academics, and television chefs, the bombardment intensified.
The RBA’s Financial Stability Review also included a discussion of various digital initiatives the bank is involved with, such as the possibility of a Central Bank Digital Currency, a local Stablecoin, and e-conveyancing.
All of this shows how the financial system’s digitization is proceeding apace, driven by some of the world’s largest institutions.
And yet, as the RBA points out, this critical infrastructure is often dependent on third-party providers from the commercial sector. This, in itself, is a vulnerability.
The window for damage exists
Meanwhile, the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) has developed a strategy to reduce the risk of wholesale payments fraud by enhancing endpoint security.
It is a positive move, but all the CPMI is doing is urging people to read the document and think seriously about implementing its recommendations.
It appears that those at the top of our global financial infrastructure are highly aware of the risks of cyberattacks and worried about their impact.
They have some ideas and approaches to a security posture, but the response is not uniform and, in some cases, needs enacting legislation.
All of this suggests that the ‘bad actors’ in the cybersecurity conflict have a window and an opportunity to damage institutions that understand the risks but may not be sufficiently prepared to respond.
Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and HR&DigitalTrends, and the editor of NextGen Connectivity. His fascination is with how businesses are reinventing themselves through digital technology and collaborating with others to become completely new organizations.