Tom Quiggan and Marc Tyrrell
Two Axioms for the Information Age
1. Any device with software-defined behaviour can be tricked into doing things its creators did not intend.
2. Any device connected to a network of any sort, in any way, can be compromised by an external party.iii
One Axiom for All Time
1. Whatever can go wrong, will, and at the worst possible time.
Warfare is about getting an opponent to bend to your will. At a basic level, this is taken as kinetics: energy is applied to mass and sent downrange employing a fist, stone, sword, arrow or missile. A more sophisticated view of warfare might include undermining the values and cultures of your opponent by indirectly changing their perceptions of the world, missionaries and propaganda are common ways of doing this.iv Arguably, the Internet and the WWW are now playing a similar role.
Domains of war are perceptual constructs in which and through which force is brought to bear to change your opponent’s capabilities and perceptions. The four primary domains of warfare (land, sea, air, and space)v have specific properties and the laws of physics apply to each. Humans can interact in the domains in accordance with these physical laws and the technologies that manipulate them.
Non-physical domains exist where efforts aimed at bending the will of your opponent occur: propaganda, missionary work, (dis)information efforts and finance/economics may all be considered ‘domains’ even if they do not exist primarily in physical forms.
Cyber is perceived of as a unique domain and is popularly referred to as “the fifth domain of warfare”.vi It consists of a set of natural laws and technological tools that allows it to cross the physical boundaries of other domains. We would argue that it is actually not a domain unto itself but,rather, it is a technology which spans across each of the other physical domains. Nonetheless, in terms of structure and organization, militaries and governments around the world are beginning to organize themselves in accordance with the view that cyber is its own domain.vii
What we intend to address here is the economic domain of warfare. This is not new as economic warfare has been around for millennia. In the past, discussions around economic warfare would have referred to shipping lanes, choke points, resource extraction sites, production locales and similar, physical concepts.viii Technology has changed this in a fundamental way. Computers, and especially the technology that allows computers to talk to other computers, has created a massive vulnerability which has grown exponentially, unsupervised and largely unwatched by the states in which they operate.
The target in this new economic warfare which will be damaged or destroyed (i.e. has its perceptions changed) is not solely the macro level of the economy: it is the micro level – you! This is what we call the sixth domain of warfare, a glocalized form of economic warfare.
The intelligence community has not seriously examined the potential for the application of the use of force (cyber or otherwise) within this domain. Nor is it clear that most Western governments have any ability to respond to such an attack (or internal failure) should such an event occur. Essentially, everyone would be ‘on their own’ during such an attack.ix
Laying out the Sixth Domain
Why do we say the payments and settlements system is the central nervous system of advanced economies? Consider the following scenario.
You bought your international airline ticket online using a Visa Card. Your debit card allowed you to put gas in the car while on the way to the airport and your MBNA credit card was used for parking at the airport terminal short term lot. Your hotel has been reserved and will be paid for with your Master Card. In flight, somewhere over Iceland at 38,000 feet, you bought a bottle of 18 year old whiskey for your host using your American Express card. While leaving the airport, you used a bank debit card to pick up a handful of Euros to have for spending money. You and your host head off for dinner, which you pay for with a credit card.
Did you ever wonder how all of this is sorted out? How do the individual merchants and suppliers get their money? At a larger level, how did an American based airline buy fuel at Germany’s Frankfurt Airport? How does the government of the United States pay its bills to other foreign states?
This miracle of international finance works through what is generically referred to as the payments and settlements systemx which is linked to a series of locally owned networks which support credit and debit cards as well as other forms of payments. A payment system is an operational network (backbone) which allows bank accounts to link with each other and it provides for monetary exchange using bank deposits.xi This system is typically balanced out each day, although the new gross settlement systems used by more than 100 countries are moving towards near real time settlements. The operating authority in each country is usually the Central Bank of that country, with the FIs playing a major role with their own networks.xii
What happens if the payments and settlements system fails? You need gasoline, but your credit card is refused at the pump. You try to get cash from the ATM, but it does not work. You cannot get that prescription at the pharmacy for your diabetic child. The plumber coming to fix your leaky hot water heater has just cancelled as he cannot get gas for his van. Cash is suddenly king – for now – but the supplies are short and your local bank may decide not to give you any as the teller does not actually recognize you and their accounts are down. And cash supplies are limited due to the ‘just in time’ systems that fill the ATMs which may not recognize your card anyway.
How much cash do you keep on hand? How much food do you have at home? If you were travelling abroad or deployed with the military overseas, would you feel confident that your home and family were prepared to deal with such a contingency?xiii
In short, we have allowed the international payments and settlements system to become the central nervous system of our financial structures and our entire economy – without even thinking about the consequences. Larger intelligence agencies have few, if any, resources that focus on this most basic threat and few have attempted to grapple with its complexities. If war is too important to leave to the generals, then our financial stability and wellbeing are too important to be left to the bankers.xiv
This system is vulnerable to both internal and to external threats. The resultant damage from a significant failure would be far greater than any previous, actual or attempted, terrorist attack. How states and other actors would respond to such an issue is neither clear nor predictable.
The Inherent Dangers of Hyperconnectivity
The Davos Foundationxv is drawing our attention to the perils of hyperconnectivity and networks. In the 2012 Davos Foundation Risk Report, the authors warned about the dangers of hyperconnectivity in IT systems. As they noted, “A healthy digital space is needed to ensure stability in the world economy and balance of power.” In the opening statements on their case study, THE DARK SIDE OF CONNECTIVITY, the authors note that “there is a sense that we understand the benefits of the Internet more fully than we understand the risks.”
In addition to the Davos Group, computer security specialist groups such as McAffee hold a similar view. In a recent paper by Caitríona H. Heinl, we see the following statement:
According to McAfee’s Threats Report for 2012, predictive assessments suggest that a variant of a new APT development called Operation High Roller designed to target financial services infrastructure and attack the Automated Transfer Systems in Europe and new High Roller-based attacks aimed at manufacturing and import/export firms will target the Automated Clearing House infrastructure which processes much of the world’s e-commerce transactions.xvi
The history of strategic surprise has been filled with the failure to predict future discrete events and – more importantly – a failure to detect the nature of emerging threats. Almost universally, the indicators and warnings were present, but the intelligence community and/or policymakers refused to deal with the issues for a number of institutional (or personal) reasons.xvii This current failure to do horizon scanning and to anticipate emerging threats is similar to past problems.xviii The Japanese were known to have significant energy, political and regional problems in the late 1930s. Saddam Hussein actually asked American Ambassador April Glaspie for permission to invade Kuwait.xix Osama bin Laden declared war on the USA not once, but twice in the 1990s and attacked an American warship in 2000.
If you say the words terrorism, sovereign citizen militias or organized crime, the lights come on at most intelligence and law enforcement agencies. However, if you say payments and settlements system, the response may be blank stares.
The Costs of Terrorism vs The Costs of Financial Collapse
Consider the effects of the financial collapse in 2007 and 2008.xx In the United States alone, over eight million people immediately lost their jobs – most of them good paying middle class positions. Five years later, those jobs not yet been fully recovered. The banking TARP bailouts alone initially cost some 700 billion dollars while the Federal Reserve ‘quantitative easing’ (money printing program) is creating new fiat currency at a rate 85 billion dollars a month. The resultant long term low interest rates in multiple countries is crushing the value of defined benefit pension funds and retirement savings,xxi forcing millions to extend their working lives while systemically displacing youth who cannot find jobs. In the USA alone, there are 47 million people on food stamps. In Spain and Greece, youth unemployment exceeds 50%. By comparison, the claims surrounding the destruction of the World Trade Center were around 13 billion.xxii
Conventional terrorism is not an immediate existential threat to the advanced economies.xxiii However, many intelligence and security agencies have made terrorism their de facto primary threat since 9/11. This stance, coming from reactions to highly visible attacks, has distorted the focus, spending and training for our intelligence and security agencies which has left our societies vulnerable to new, non-politically correct, threats.xxiv In intelligence terms, this is the ‘heads down’ monitoring of known threats, rather than the ‘heads up’ scanning for new threats. This well documented form of behaviour has been partially responsible for most strategic surprise attacks in the past.xxv Risk assessment and horizon scanning programs (RAHS) are needed but often overlooked due to a fascination with the current threat.xxvi
Critical Infrastructure and the Invisibility Factor
Critical Infrastructure (CI) is sometimes visible and in the public eye; power transmission lines and airports are good examples. With respect to the financial and economic systems, most people only see bank branches, ATMsxxvii and the large FI headquarter buildings in London, New York, Frankfurt and Toronto (etc). The payments and settlements system is virtually invisible to the public, intelligence and security agencies and most politicians. Yet this ‘invisible’ system has implicated itself into the everyday lives of the populations of almost all of the developed economies.
The other invisible factor lurking in the background is the fiat currency system used by almost all developed nations. Those bank notes in your pocket or wallet are called ‘fiat currency’ as there is little to nothing that supports them other than pure faith – which is by definition invisible. Central Banks hold little or no precious metal stocks and few come close to representing the value of their printed and digital currency. When individuals lose faith in their government or their financial system, the currency can become nearly worthless in a rapid manner: history is littered with failed fiat currencies.xxviii
Confidence in Central Banks, and their ability to monitor and control a number of issues such as inflation, asset prices and monetary supplies, is declining. Or, as Gillian Tett recently expressed it in the Financial Times, “the system depends more than ever on investor faith in central banks”. With respect to inflation and financial innovation, she adds: “logic might suggest this blind faith should have wilted after Lehman Brothers failed.”xxix
As such, a sudden shock to the payments and settlements system would cause individuals and institutions to begin to question the wisdom of storing all or most of their accumulated value (i.e. “money”) in digital and even paper forms.
The Payments and Settlements System – A Hierarchy of Problems
The electronic payments and settlements systems have been created rapidly in the last (~) thirty years. They have done so in a relatively uncoordinated manner outside of normal government oversight, even though the finance ministries of individual countries are mandated to have responsibility for the actions of Financial Institutes and Central Banks. The Bank for International Settlements has a committee on the payments and settlements system, but it has only limited enforcement or oversight capability.
Most of the individuals involved in the construction and operation of these networks have been IT and financial personnel who have limited knowledge and understanding about international affairs, intelligence and conflict. With only limited exceptions, most of the IT focus is on ‘the user experience’ and ‘efficiency.’ For example, the virtualization of servers is thought to be an acceptable practice, despite ample evidence to the contrary that suggests virtualized servers are increasingly vulnerable. Flat networks are often preferred by the IT types, even though it is clear that hierarchical networks provide greater stability and redundancy.
The problems with allowing the most critical of all systems (currency and financial) to be constructed outside of normal oversight are significant.
The most critical issue may be that of hyperconnectivityxxx and the increasing complexity of the networks involved. In general, the more complex a system, the more likelihood that a single failure will be catastrophic to the entire system. Simplicity is the enemy of complexity, yet we continuously opt for greater complexity.
Closely tied to this issue is the software used. Software code, like any other product, comes in varying degrees of quality.xxxi Software used in aviation control systems and nuclear power plants tends to be of the highest quality. The quality of the software itself forms an effective defense against hacking attacks and problems caused by cascading failures. To be polite, the quality of the software used in financial networks is ‘uneven.’ Compounding this problem is the ongoing integration of legacy systems with newer servers being built on top of existing ones. The software work-arounds (kludges) necessary to make this function creates both another layer of complexity and significant additional failure points.
IT personnel often tend to focus on the user experience, efficiency and chasing the newest trends rather than finding an appropriate balance between robustness and cost/efficiency. The changes that occur in the IT world happen so quickly and are often so arcane that those responsible for oversight are frequently blissfully unaware of what is happening. One result is the bureaucratic tendency to redefine standards downwards to match the outcome, rather than enforcing standards to bring systems up to a level of compliance.xxxii
An attitudinal shift is problematic in training. Those who had previously worked in the payments and settlements systems were trained to use the systems, understand them and then find non-IT workarounds should a system failure occur. Many ‘new generation’ managers disparage workaround training as they appear to have considerable faith in systems that they themselves only weakly understand.
Finally, there is the insider threat, although it is not clear where it fits on the hierarchy. This is the least understood of all the threat issues in the financial world. Financial Institutes and Central Banks are notoriously famous for being unwilling to discuss this issue even on an internal basis. As such, it remains a potentially serious threat that is only weakly understood.xxxiii
In the next segment of the paper, we will address a possible conflict scenario involving the payments and settlement system. We will also be offering some views on state of security and awareness on this issue.
i For more details on the international payment and settlements systems, see Massimo Cirasino and Jose Antonio Garcia, Measuring Payment System Development, The World Bank, 2008.
ii Such an attack or failure would also hurt non-democracies as well as emerging market economies. Our focus here, however, is on the advanced economy democracies.
iii Both of these axioms are drawn from the third case study in the Davos Forum 2012 Global Risks report. It can be seen by going to the Davos Forum site at http://www.weforum.org/reports/global-risks-2012-seventh-edition
iv Missionaries were a nearly universal feature of colonialization efforts. England, France and Spain all used missionaries in North America, Africa and Asia. This was attempted again in the Iraq War from 2003 to 2010 when various Christian ministries attempted to make inroads and change the culture and religious belief of Iraqis.
v For a discussion on how cyber war and space fit into the discussions of domain warfare, Vincent Manzo, Deterrence and Escalation in Cross-domain Operations: Where Do Space and Cyberspace Fit?, INSS Strategic Forum 272 (Washington, DC: National Defense University, December 2011); available at www.ndu.edu/inss/doc Uploaded/SF%20272_Manzo%20.pdf.
viii For more on the inability of governments to respond to a crisis in the banking sector see the Queens University Occasional Paper ‘Don’t Call Us’: Governments, Cyber Security, and Implications for the Private Sector. It is available online at: www.queensu.ca/cidp/publications/occasionalpapers/OP66.pdf.
ix See the Queens University Occasional Paper ‘Don’t Call Us’: Governments, Cyber Security, and Implications for the Private Sector. It is available online at: www.queensu.ca/cidp/publications/occasionalpapers/OP66.pdf.
xIn addition to balancing off payments, these systems also deal with matters such as securities and derivatives. For reasons of simplicity, these issues will not be discussed here despite their seriousness. Readers are encouraged to look at the Bank for International Settlements website for further information. For a start in this direction, see http://www.bis.org/cpss/ .
xiFor more on this see Payment Systems: Design, Governance and Oversight, edited by Bruce J. Summers, Central Banking Publications Ltd, London, 2012.
xii For more details on the international payment and settlements systems, see Massimo Cirasino and Jose Antonio Garcia, Measuring Payment System Development, The World Bank, 2008.
xiii The Government of Canada suggests that residents should be able to provide for themselves in the first 72 hours of a disaster. It is unclear how many people actually take this advice seriously. For more on the Government of Canada program on this issue see: http://www.getprepared.gc.ca/index-eng.aspx.
xiv Recent disclosures by The Guardian newspaper in the Snowden affair suggest that the NSA has a strong interest in monitoring the international payments and settlements system, including SWIFT. There was nothing in the disclosures to suggest the NSA has any role in protecting the integrity of the system.
xvSee the Davos Forum site at http://www.weforum.org/reports/global-risks-2012-seventh-edition
xviRegional Cyber Security: Moving Towards a Resilient ASEAN Cyber Security Regime, Caitríona H. Heinl,S. Rajaratnam School of International Studies, Singapore, 09 September 2013, RSIS Working Paper #263. It is available online at http://www.rsis.edu.sg/publications/workingpapers/wp263.pdf .
xviiFor more on ancient and modern strategic intelligence surprises and how we reinforce failures, see chapters five and six of Thomas Quiggin, Seeing the Invisible: National Security Intelligence in an Uncertain Age, RSIS Nanyang Technological University, World Scientific Press, Singapore, 2007.
xviii Ibid. See chapters nine and ten for information on horizon scanning and faint signals.
xix Ibid. See chapter nine for an explanation of this event and similar situations.
xx This paragraph does not address the human costs of 911 which amounted to almost 3000 dead. However, terrorist deaths in the USA over the last 10 years have been mostly in single digits. In 2010, there were 19,392 firearm-related suicide deaths, and 11,078 firearm-related homicide deaths in the United States. This does not include suicides by poisoning or other means, nor does it include homicides using knives, blunt objects or poison. The figures are from the 2010 National Vital Statistics System. National Center for Health Statistics, CDC. This means 30,000 people died from firearms deaths in one year. Seen another way, this is 10 times the number of individuals killed in the 911 attacks. The National Safety Council of the USA provided figures for the year 2000 that showed 341 people died from drowning in their own bathtubs. This figure does not include swimming pools. No one is suggesting a “war on bath-tubs.” See the figures on bathtubs at: http://danger.mongabay.com/injury_death.htm
xxi For more on this see, among many others, Pablo Antolin, Sebastian Schich and Juan Yermo, The economic impact of protracted low interest rates on pension funds and insurance companies, OECD Journal Financial Market Trends, No.: 15, Volume: 2011, Issue: 1 Pages237–256.
xxiiSee, among many others, HSBC Chief Economist Stephen D. King, Losing Control, the Emerging Threats to Western Prosperity, Yale University Press, (New Haven and London) 2010, Roger Lowenstein, The End of Wall Street, Penguin Books (London, UK) 2010, Michael Lewis, The Big Short – Inside the Doomsday Machine, W.W. Norton (New York, London) 2010, Greg Farrell, Crash of the Titans: Greed Hubris, the Fall of Merrill Lunch and the near-collapse of the Bank of America, Crown Business, New York, 2010, Sheldon S. Wolin, Democracy Incorporated: Managed Democracy and the Specter of Inverted Totalitarianism, Princeton University Press, 2008, and Susanne Schmidt, Market without Morals. The International Financial Elite’s Failure, (Droemer Verlag, Munich), 2010. See also Jeff Randall, The Bank of England is failing this country, the Daily Telegraph, 22 May 2011. The article is available online at: http://www.telegraph.co.uk/finance/comment/jeffrandall/8529749/The-Bank-of-England-is-failing-this-country.html. See also Peter O’Neil, Postmedia News, Global governance ineffective: Carney, as published in the 18 February 2011 Montreal Gazette. The article is available online at: http://www.montrealgazette.com/life/Global+governance+ineffective+Carney/4306112/story.html?id=4306112and Fed’s QE2: Miracle cure or moral hazard?, Reuters, 2:41 PM, E.T., May 20, 2011, Economy, U.S., available online at: http://www.bnn.ca/News/2011/5/20/Feds-QE2-Miracle-cure-or-moral-hazard.aspx.
xxiiiThe UK has survived years of attacks from the IRA and its offshoots. Canada survived and was arguably strengthened by the FLQ attacks of the 1960s and 1970s. Spain has survived intact after years of attacks by the ETA. Italy and Germany has survived years of various attacks from groups such as the Red Army Faction and the Baader/Meinhof group.
xxivIn the USSR, Stalin would not allow analysis that said Hitler would attack. In the 1970s, it was not permissible in American circles to say Iran might collapse due to the role of the Shah of Iran in maintaining security in the Gulf region.
xxvSee chapters nine and ten of Thomas Quiggin, Seeing the Invisible: National Security Intelligence in an Uncertain Age, RSIS Nanyang Technological University, World Scientific Press, Singapore, 2007.
xxvi For more on risk assessment and horizon scanning see the book: Thinking about the Future: Strategic Anticipation and RAHS edited by Hong Ngoh Edna Tan and Tiang Boon Hoo, National Security Coordination Centre (Singapore 2008), S. Rajaratnam School of International Studies.
xxviiWhether ATMs are critical infrastructure or not is a matter of much debate. In many banking security circles, it is now thought that the ATMs themselves are not CI, but the payments and settlements servers that ultimately support them are CI.
xxviii The German Reich mark from the 1920s is the classic examples. Other currencies that suffered significant failures are Roman Egypt 276/334 AD (one million % inflation), France 1795-1796, the Yugoslav Dinar (1990s), the Bosnian Dinar (1990s) the Serbian Dinar (hyperinflation in the mid-1990s), Brazil 1989-1990, Russia 1992, and the Zimbabwean Dollar (hyperinflation in 2008).
xxix For more on this, see the article by Gillian Tett in the Financial Times of 12 September 2013, Insane financial system lives post-Lehman.
xxx For more on the “The Dark Side of Connectivity” see page 24 of the PDF version of the Davos Forum 2012 Global Risks report. It can be seen by going to the Davos Forum site at http://www.weforum.org/reports/global-risks-2012-seventh-edition . Or go directly to the PDF version at: http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2012.pdf.
xxxiFor more on this issue, see, for example, Jintao Pan, “Software Reliability,” Carnegie Mellon University, 1999, available online at http://www.ece.cmu.edu/~koopman/des_s99/sw_reliability.
xxxiiFor more on the corrosive and corrupting effects of bureaucracy, see Robert Michel’s Iron Law of Bureaucracy. See also the works of William Edward Demming. If all else fails, remember that the Peter Principle is a play.
xxxiiiReliable statistics are impossible to obtain as the financial industry does not maintain a central database of such issues. Moreover, many institutions prefer not to report such losses for reputational reasons. As one senior insider stated: “Anecdotally it is a huge issue and often involves members of affinity groups responsible for much of the industry’s fraud. Most security people in the banking industry expect a cyber crime attack on the banking industry over a physical attack.”