Imagine – none of your credit cards or debit cards work. You only have $23 in cash and your bank tells you that none of its ATMs are working. They cannot access your account. Look at your smart phone banking app – nothing. Look around you, everyone else has the same problem and no one can buy or sell anything without cash.
How will you buy food? What about the insulin you need to buy for your child at the pharmacy which just told you they take cash only? Will you just walk away and let your child die?
This is you on the first day of the next major war. Welcome to the cashless society in a time of war.
Strategic Surprise
Strategic surprise will continue to be a dominating factor in the international system, especially where conflict is involved. From Pearl Harbour to 9/11 and from Hitler’s invasion of Russia to the rise of ISIS, surprise remains a constant factor. Despite billions spent on intelligence, no one actually knows when the next major war will start, nor do they have any valid concept of what it will look like. Whatever the next war looks like, technology and communications will affect it in the way that automatic weapons, airplanes and nuclear weapons did in previous wars.
Historically, kinetics and distance have been the dominating factors in all wars from the Stone Age to the 2003 invasion of Iraq. Now, even those fundamentals need to be rethought. Many well informed observers believe that some form of cyber-attack may presage the next war – an ‘Electronic Pearl Harbour.’ Much of the thinking involved, however, is based on the idea of a cyber-attack occurring within (or at the start of) of a kinetic war. These ideas generally involve discussions concerning an attack that would focus on communications or power systems using malware or DDOS attacks rather than physical (kinetic) bombs. In short, they are seen as a potential opening salvo in an otherwise ‘normal’ kinetic war. But the next war may look totally different – without its usual kinetic components.
The primary target in the next war may be the economy at the micro level, which is to say the individual consumer or citizen. Learning how to exist in a state of war with a civilian population that has lost its ability to complete financial transactions may be a key to winning at war or perhaps just surviving.
Money, Computers and You
As recently as the 1980s, most of the world’s financial systems were paper based and accounts were kept on ledgers. By the mid-1990s, this began to change dramatically and most financial systems migrated to computers. Speed and flexibility were the watchwords of this marvelous new application of technology. Money coming out of walls on demand was magic!
Now, an individual can buy an airline ticket online with a credit card, obtain in-flight whiskey with a debit card and get cash out of an ATM in almost any country with the mere swipe of a card. If you want to buy something – It’s just a tap on the smart phone app.
But how does all of this work? How is it that the beer you bought in Frankfurt and the taxi ride you took in Singapore are paid for by your bank account in Toronto or Vancouver?
What is Payments and Settlements System?
The central ‘nervous system’ of this financial system is the payments and settlements system. Credit cards, debit cards. ATMs and multibillion dollar state and commercial transactions all flow, at some point, through a complex network of computers broadly linked into the payments and settlements system.
The majority of the servers involved are controlled by the Central Banks of the respective countries and the larger financial institutions. Most countries have a payments and settlements body which oversees the operations. In Canada this is the Canadian Payments Association (CPA). The Bank for International Settlements in Basel, Switzerland, has a Committee on Payments and Market Infrastructures (CPMI). This committee is intended to “promote the safety and efficiency of payment, clearing, settlement and related arrangements” and “monitors and analyses developments in these arrangements, both within and across jurisdictions.” The committee is also intended to serve as “forum for central bank cooperation in related oversight, policy and operational matters, including the provision of central bank services.”[1] It should be noted that many countries are involved in running the CPMI – including China and Russia.
The dependency on this system is moving towards a near totality as governments and banks encourage virtually everyone to move towards a cashless society. Unfortunately, the loss or even partial loss of this system would result in massive shutdowns in the everyday economy, international finance, trade and the stock markets. Government exercises in Europe have predicted that less than 48 hours of disruptions could lead to violence among the citizenry as they compete for suddenly scarce or unavailable resources without a means of financial transactions.
What Happens when a Failure Occurs?
As noted at the outset, the payments and settlement systems are involved in almost all financial transactions from the simple purchase of a coffee at a café in a foreign land, to the multi-billion dollar transactions of states and major corporations.
If there is a full or partial failure (attack or technological failure), those affected will find that nearly all of their financial tools such as credit and debit cards and online apps will fail. ATMs may not work and the resulting rush for cash will likely cause them to empty in the first few hours. Customers of the HSBC bank in the UK had a partial look at this sort of failure when HSBC IT systems crashed (again) in early January 2016.[2]
In short, your ability to complete any sort of financial transaction, from purchasing groceries to buying a house, will fail.
What are the Weak Areas in the Payments and Settlements Systems?
A series of problems exist, some of which are technological and others have a more human dimension. Among the most serious are:
A. Legacy systems
B. The use of flat versus hierarchical networks
C. Hyper-connectivity
D. Software of dubious quality and origin
E. Managers think they can outsource risk
F. Belief in magic system such as uninterruptable power supplies
A. Legacy Systems
The payments and settlements system relies on a series of complex and overlapping systems which have built up over a period of more than two decades. The problems increase when mergers and acquisitions force unlike systems to cooperate with each other while IT staff seeks workarounds and stop gap solutions. Failure occurs, often with no apparent reason, when switchovers or upgrades are made.
In the UK alone, Royal Bank of Scotland, Natwest/Ulster Bank, Nationwide, Barclays and the Bank of England CHAPS (payment system for large value transfer) have all had technical failures resulting in loss of service to customers. This has all occurred in peace time.
B. Flat vs Hierarchical Networks and Virtual Servers
Many IT decisions in large financial institutions and Central Banks are based on user experience, cost and efficiency. Consequently, the use of virtual servers is common, in spite of considerable evidence that show such servers are vulnerable to failure when attacked. Additionally, it is generally understood that flat networks are more vulnerable than hierarchical networks which provide greater stability and redundancy. Nonetheless, both virtual servers and flat networks are commonly used.
C. Hyper-connectivity
In 2012, the World Economic Forum Global Risk report noted that the critical infrastructure that underpins our daily lives increasingly depends on hyper-connected systems. As a result, they believe that it now takes fewer resources and less people to inflict major damage on geopolitical or corporate structures.
The most critical issue may be that of hyper-connectivity and the increasing complexity of the financial networks. In general, the more complex a system, the more likelihood that a single failure will be catastrophic to the entire system.[3] Unfortunately, two of the direct side effects of hyper-connectivity are dependency and interconnectedness, both of which lead to greater cascading failures and more points of vulnerability accessible to hostile forces.
Simplicity is the enemy of complexity, yet we continuously opt for greater complexity.
D. Software of Dubious Quality and Origin
The quality of the software used in financial systems varies widely. Unlike many other products or services, the standards for software are ‘uneven’ and come in varying degrees of quality.[4] In general terms, the software used for fly-by-wire aircraft systems and nuclear power plants tends to be of the highest quality.
It should be noted that high quality software is one of the most effective defences against both hacking and failures. Financial systems, however, are not known for using high quality software in many cases and worse still, the problem increases when legacy systems have to be integrated into newer systems. The result is often software kludges (bad work arounds) that are themselves another layer of complexity and potential failure points.
E. Outsourcing Risk
One invisible risk involving financial IT systems is in the attempted outsourcing of risk. Many mid and senior level managers have been caught up in the popular business practice of outsourcing. While outsourcing may have a place for some services, IT security at a major financial centre is likely not one of those areas. In general terms outsourcing should be forbidden altogether or the practice should be on a limited basis. In terms of effectiveness, outsourcing IT security weakens the overall effectiveness.
Those who work for the company to which the work has been outsourced will likely not understand the operational patterns of the financial organization. This increases risks as the outsourced company employees will be less likely to see patterns of suspicious or malicious behaviour. Their commitment to any one contract or client is also less, as their paycheck does not come from the actual client. When the Ministry of Finance and the Treasury Board of Canada were hacked and they had all of their information compromised, outsourcing was identified as one significant weak point.
While outsourcing is an effective means for mid-level managers to appear competent by ‘cutting costs’ and ‘increasing efficiency,’ the reality is that the cost savings can be wiped out in one event. The Government of Canada has never identified how much it cost to restructure and repair the damages from the hacking of the Finance Ministry and Treasury Board, but the costs were known to be in the millions. Additionally, all of the information at both ministries is now in the hands of the People’s Republic of China. How much this hurt Canada is not known and almost impossible to assess.
The most damaging effect of outsourcing is the belief that ‘risk’ can be outsourced along with a variety of IT services. The reality is, however, that in a time of crisis or failure, citizens and governments expect the payments and settlements core services to continue working. If they fail, an angry population and government will likely not be sympathetic to the argument that highly paid Central Bank officials are not responsible as the fault lies with a substandard contractor.
F. A Belief in Magic
Many mid to senior level decision makers in Central Banks and large financial institutions do not have significant experience in either IT or security. As such, they tend to have an unsubstantiated belief in the ‘magic’ of technology. They truly believe that a ‘dedicated line’ is in fact a physical fibre optic or phone line that is dedicated just to them. They believe there is such a thing as an ‘uninterruptable power supply’ and they believe that having all of their IT, communications and security services dependent on the Internet does not create a ‘single point of failure.’ As a result they hold belief systems which are sustained by delusions of their own competency.
Unfortunately, this belief system is fragile. In times of stress or attack, they have already found out (IBM) that uninterruptable power systems can be interrupted. They have discovered (Barclays) that backup systems used when upgrading do not always work when your upgrade fails and so do your primary and secondary back up plans. Most surprising of all, (G10[5] Central Bank) it has been found that major IT financial systems with primary, secondary, tertiary and ‘uninterruptable’ power supplies can all fail at once and an entire central system can go dark in less than one second. The common link between all of the power supplies is – of course – a computer linkage between them and not physical switches.
Warnings?
The warnings for such an attacks or failure have already occurred. As noted above, several large UK banks have had partial failures affecting millions of customers.
Past events that should have attracted more attention are:
a. In February 2011, the Rabobank Tower in Utrecht Netherlands was hit by a fire. At the same time, a DDOS attack on their servers shut down a portion of their public facing computer systems as well as negatively impacting their payments and settlements capability. The attack also caused damage to the Dutch “iDeal” payment system as well. This attack, possibly the first coordinated physical and cyber-attack on a bank was the third attack against this same bank in approximately eight months.[6]
b. A spokesperson for the TD and Keybank (American affiliate) has confirmed they were the victims of a DDOS cyber-attack during the early afternoon of March 21, 2013. The attacks were brute force and aimed at bank servers. Customers were affected by reduced service levels, but the attack did not appear to steal money from customers’ accounts. The group responsible for this attack, and a series of others against US based banks, was the Izz ad-Din al-Qassam Cyber Fighters Brigade. Although the name of the group suggests a Palestinian origin, observers believe the real skills and effort are coming from Iran.[7]
With Iranian banks[8]now reported reconnected[9] to the SWIFT system[10], the potential for malicious attacks has increased again.
What Might the Next War Look Like?
The next major war may be cyber, kinetic, hybrid, nuclear a combination of all. Or it may be something that has not yet been truly envisaged.
Imagine a conflict in the Pacific Ocean where China, Japan and the USA are all involved in a show of force over some otherwise insignificant islands. Also imagine that the Chinese leadership is worried about its own survival in the face of an economic downturn. Now imagine an American government that has just lost the lives of its sailors or airmen in a small scale shooting event between forward deployed American and Chinese forces.
What if the Chinese government knows it has weak naval capabilities and would suffer badly in a conventional shooting war, but at the same time occupies a perilous political situation at home? If the government of China truly felt it was facing a conflict, would it be willing to pre-emptively strike at the USA and its allies by launching a loss-of-confidence attack on the payments and settlements system? The Chinese have already demonstrated their ability to enter and leave major financial systems undetected such as it did in the Canadian Ministry of Finance using a phishing scheme throughout much of 2010.[11] Similar events occurred at the Australian Parliament and the French Ministry of Finance.[12] China, of course, sits on the Committee on Payments and Market Infrastructures at the Bank for International Settlements in Basel Switzerland so it is well aware of how systems work.
China, Russian and Iran all have demonstrated both the ability and interest in seeking out alternative forms of war and conflict with the West. Such attacks are well within their technical competence and expecting them not to use such tools in a time of crisis or desperation is simply a form of denial.
Conclusions
Most if not all of the G10 countries are ill-prepared for a major failure in the payments and settlements system. An attack on the payments and settlements system would assault, as much or more, the individual, rather than the state. This would leave national leaders facing a crippling internal crisis and civil strife at a time when they needed to focus their attention outwards. As such, any foreign state could gain a significant if not dominating advantage. Retaliatory attack would be of limited effect as the attacker would be aware they were coming and could shut down servers temporarily. Also, most adversary states are better positioned to accept such damage due to their lower dependency on such systems and their population’s ability to accept such ‘pain’.
Measures to harden the systems, decrease their vulnerabilities and create resiliency are relatively cheap and simple. Political measures and responses are, however, increasingly unlikely and will not transpire until a major attack or failure occurs.
As always, the best way to adjust to strategic surprise is to develop the means to live with the failure of intelligence warning.
