Tom Quiggan and Marc Tyrrell
If the 20th Century saw the development of total warfare and the war among the people, the 21st Century will see the rise of a different type of economic and social warfare.
As we argued in part one of this series, our entire economic and financial systems have migrated onto an inherently complex and dubiously stable system. This system, the payments and settlements network, has modified the terms of economic warfare from the physical and geographic into the virtual and individual. For example, in WWII, one of the central forms of economic warfare conducted by the Nazis against the UK was the counterfeit five pounds note campaign while at the same time using wolf pack submarine tactics to sink shipping to constrict resources (hence increasing inflation and making defence more costly while depriving the island nation of food and industrial resources).
To achieve the same economic affects today does not require extensive submarine fleets and stolen plates to produce counterfeit currency. All it requires is the manipulation of software and individuals who have access to the payments and settlements system. This is the new Achilles Heel.
Previous Cyber Attacks or Failures
In February 2011, the Rabobank Tower in Utrecht Netherlands was hit by a fire. At the same time, a DDOS attack on their servers shut down a portion of their public facing computer systems as well as negatively impacting their payments and settlements capability. The attack also caused damage to the Dutch “iDeal” payment system as well. This attack, possibly the first coordinated physical and cyber-attack on a bank was the third attack against this same bank in approximately eight months. The Rabobank Tower had been previously hit by arson attacks in June 2010 and October 2010.i A statement of claim was made by a group using the name “Conspiracy Cells of Fire, the Dutch Cell.” However, the Dutch intelligence service AIVD stated that the claim was fake and there was no Dutch cell of the Conspiracy of Fire group which is known to have Greek roots.ii Actual responsibility for the attacks remain a matter of contention.
In June of 2012 RBS/Natwest bank in the UK had a significant failure which was publically attributed to complications during a software upgrade. Also affected was their partner Ulster Bank. Customer accounts were not updated and they were unable to access funds and accounts for several days as payments into and out of accounts were stopped.iii As one customer noted “I have been left unable to buy food or fuel. I work for a very low wage and live hand-to-hand every week. I had my three young children staying this weekend and spent my last £15 cash on meals for them. I was utterly embarrassed when I was just 90p short at the till with a huge queue behind me.”iv
In March 2013, tens of thousands of Korean bank computers were the victim of a cyber-attack that knocked six banks off line. Only one recovered quickly (Shinhan Bank). Korean investigators identified a Chinese IP address, but added that they believed North Korea may have been ultimately responsible for the attack. An earlier attack in 2011 may also have been the work of North Korea.v
A spoke person for the TD and Keybank (American affiliate) have confirmed they were the victims of a DDOS cyber-attack during the early afternoon of 21 March 2013. The attacks were brute force and aimed at bank servers. Customers were affected by reduced service levels, but the attack did not appear to steal money from customer’s accounts. The group responsible for this attack, and a series of others against US based banks, was the Izz ad-Din al-Qassam Cyber Fighters Brigade. Although the name of the group suggests a Palestinian origin, observers believe the real skills and effort are coming from Iran.vi
The increasing frequency and severity of bank failures from cyber-attacks and internal failures form what the intelligence community would call ‘indicators and warnings’ about the stability of bank networks. Additionally, it has already been seen that attacks from activist or terrorist groups have already occurred (Rabobank, TD Keybank etc). Future attacks are inevitable as more individuals, groups and states gains the capabilities necessary for such attacks to occur.
The motives for such attacks are not always clear. Profit does not seem to be the motivator in many of the cases and political activism does not fully explain the activities either. One plausible explanation is that the attacks are a proof of concept being run to check for vulnerabilities which can be fully exploited later.
Different Types of Attacks
Multiple forms of attacks exist and categorizing them is difficult due to rapid changes in who is attacking, what tools they are using, what they are targeting and how the intentions behind the attacks are changing. Whether the attack is carried out by an insider or external force is also a major factor in assessing attacks and defending against them.
Simple external attacks can be carried out by relatively low skilled individuals with limited budgets. One such approach would be to use DDOS (distributed denial-of-service). Botnets to carry out such attacks can be built or hired for a couple of hundred dollars, placing this type of attack in the easy reach of most individuals.
A sophisticated external attack could be carried out by a high skills individual, group or state level asset. Hacking through firewalls and other security appliances and entering a network without detection remains a common event despite enhanced awareness and security measures. SQL injections are common in this type of attack.
Social engineering attacks (internal or external) are among the most feared attacks. They can be carried out by low or high skilled attackers from either small or large groups. The intent is to find one individual in a target organization and dupe them into opening an email with a virus or malware carried in something like a PDF attachment. Even the most sophisticated user can be duped into opening an email containing malware, as the good folks at RSA can verify.
Another problem for security can be hardware attacks. The computer chips that are at the heart of almost all computer systems can be constructed with built-in flaws or vulnerabilities. As such, an adversary, who may have built the chip, can exploit the vulnerability at the time and place of their choosing. A variant form of this is viruses tailored to attack the unique on-board code of a specific type of chip (this is what the Stuxnet virus was). This issue has been raised as a particular concern in military circles.
Often overlooked is the simple physical attack. Rather than hacking into a system, the alternative is to identify the location of the server and disable it physically through something like an arson attack. Two individuals in the UK were caught attempting to set fire to two sets of server racks in a facility. These two server racks carried most of the Internet traffic into and out of the UK. The fact that the backup server was in the same physical space as the primary server meant that if the attack had not been detected, it would have been crippling for an extended period of time.
Non-state actor attacks – Anonymous and HB Garry
In February of 2011, the CEO of the consulting firm HB Garry, Aaron Barr, made an unfortunate business decision to publicly challenge the hacking group Anonymous. Mr. Barr stated he would announce the names of several key figures in Anonymous at a computer security conference sponsored by the high profile computer security company RSA. Members of Anonymous were not amused and retaliated with a devastating series of attacks using social media, social engineering and SQL injections. This defeated the security measures at HB Gary and resulted in the extraction of some 50,000 to 68,000 emails, the cutting off of the file headers on a large number of company files and the temporary take down of the internal phone systems. The devastating attack embarrassed the company, caused severe financial losses while at the same time causing customers and business partners to disassociate themselves from the firm. As it turned out, the firm had been involved in a series of legally and morally dubious business practices that were revealed in the email leaks. The CEO resigned and the consulting arm of HB Gary collapsed.vii Additionally, the US Department of Justice was embarrassed when it was determined that HB Gary was consulting with the government on how to destroy the reputations of journalists who were filing stories which the US government did not like.viii
As we can see, a non-state actor with limited resources such as Anonymous can destroy a company closely connected to the US Government on short notice. What then can we expect to see from a well-resourced state actor with the advantages of time and organization? While many countries have significant national level offensive cyber capabilities (USA, Israel, Iran, Russia), China is often discussed due to the energy and resources they expend in this area.
The People’s Republic of China – Capabilities and Intentions
China has repeatedly demonstrated an ability to infiltrate and compromise the security of computer networks. To mention but a few, the public record shows that China has copied virtually all of the digitally available information from the Treasury Board of Canada, the Canadian Ministry of Financeix, the Australian Parliamentx, and the French Ministry of Finance (including G20 plans)xi. “The Reserve Bank of Australia’s computer networks have been repeatedly and successfully hacked in a series of cyber-attacks to infiltrate sensitive internal information, including by Chinese-developed malicious software.” xii
In the USA, the computer security company (!) RSAxiii was comprised (for an extended period of time) by a simple targeted Chinese attackxiv and the information gained was then used to infiltrate the defence contractor Lockheed.xv Various reports suggest that the aim of the attacks was information on the F-35 aircraft project. The Ghostnet Project by SecDevxvi in Canada revealed that China had successfully infiltrated and infected more than a thousand computer systems which were in some way connected to the Dali Lama. Accusations that the giant company Nortel Networks was destroyed in part by computer hacking carried out by China were heard at a recent trial in the USA.xvii
As a member of the international payments and settlements system at the Bank for International Settlementsxviii and as an operator of such systems, it should be clear that China has both the awareness and capability to infiltrate such systems. Their activities against various financial entities demonstrates a willingness to engage.
This is not to say that China has the intention to launch any such attack pre-emptively. Rather, based on a reading of their strategistsxix, China is looking for ways to ensure their own capabilities while having the ability to push back if cornered. Absent from this paper, but not from the reality of the situation, is a discussion on Russia and Iran. Iran, for instance, appears to have been the primary backer behind the al-Qassam Cyber Fighters which have successfully executed DDOS attacks against America Financial Institutes.xx Russia is a story unto itself.
The relationship between the advanced Western economies and China is complex to say the least. At one level, we ‘cooperate’ with China (for instance) on trade. China is connected to the payment and settlement systems in order to make the trade work. We also compete (commodities, trade, and influence in Africa etc). Signs of confrontation and potential conflict with China exist in areas such as the Taiwan Straits, the South China Sea, the Senkaku/Diaoyu Islands and the Straits of Malacca. Where ‘The West’ would stand if such a confrontation were to escalate into a conflict is not at all clear.
A Potential Conflict Scenario
Imagine it is the fall of 2015. The American Presidential election campaign is in full swing. The economy is the main issue as the Great Economic Crash has caused stock markets to drop, unemployment to soar and the multi-trillion dollar global derivatives market is threatening to unwind. Currency wars are in full swing as each major trading country tries the beggar-thy-neighbor by depressing the value of their own currency. Presumed stocks of physical gold are reported missing from the COMEX when customers cannot exchange their gold certificates for bullion. It is rumoured that that the degree of rehypothecation of physical gold may have been higher then suspected. The backwardation of gold suddenly stops and prices of gold soar with premiums reaching a stunning 50 dollars over spot. Trade barriers are being erected in the form of tariffs, import taxes and increased port security inspection protocols. Dire threats and predictions of further economic disaster abound.
A sudden crisis erupts in the Senkaku/Diaoyu Islands. Perhaps fearful that the Chinese will use the current state of crisis to their advantage, the Japanese move their new helicopter carrier Izumoxxi into a position close to the islands when Chinese fishing vessels are reported close to the disputed boundary area. The surprise appearance of the Japanese carrier and its V-22 Osprey aircraftxxii recalls the latent fear that many Asian countries have concerning Japanese aircraft carriers. The events are seen as a major escalation by China and other observers.
China responds aggressively and positions its own warships, including the aging Soviet designed and Ukrainian built Liaoning. The limited air wing of the Liaoning has never been tested in combat, but it can operate a limited number of Shenyang J-15 fixed wing fighter aircraft. The American President, unwilling to have his party seen as weak in a time of economic and political crisis makes a public statement of support for the Japanese. He then directs an American carrier battle group into the area. An unconfirmed report by an oil rig doing exploratory drilling suggests it has been overflown by unidentified fighter aircraft. A Japanese fishing vessel is reported as ‘missing.’ The Japanese Prime Minister goes to the shrine at Yasukunixxiii to pray for guidance. The symbolism of this visit in not lost on China or the rest of the world.
China feels that it is about to be attacked or lose face. Compounding their fears are economic instability and social unrest at home that could be further aggravated when their trillion dollar (+) holding of US Treasuries starts to look valueless. Even with the Chinese Central Bank now reported to hold the world’s largest stock of physical gold, financial officials there are worried about social unrest caused by concerns about their paper fiat currency failing in light of the US Treasuries failing and the derivative market unwinding.
As such, China perceives the need to forestall an American supported Japanese attack on their maritime interests and sovereignty. Burdened by history, and remembering Nanking, the Chinese politburo decides to take pre-emptive action. Quietly, the international payments and settlement systems is infiltrated by malware borne by PDFs which look like innocent business announcements to their recipients (think RSA here).
The next day, several G10 Central Banks and FIs notice that their payments and settlements systems are not balancing while two major US based banks suffer cascading failures after normally scheduled software upgrades.xxiv The Izz ad-Din al-Qassam Cyber Fighters claim responsibility, but the forensics point to China. The entire trust based payments and settlements system suddenly comes under suspicion and transfers start to freeze up as the FIs try to protect their own assets. The system grinds to a halt in a matter of 24 hours and the failures cascade due to human, software and trust reasons.
The US FED (Central Bank) appeals for calm and promises to inject liquidity into the system. However, having already been weakened by years of Quantitative Easing (money printing) and questionable policies such as long term low interest rates, the FED’s voice is not trusted by most as its reputation has been lost.
Globally, many Central Bank staffs have a problem doing workarounds as no one was trained and most of the baby boomers who knew how to do this have already retired or quit in frustration. The US stock market, plagued by systemic challenges caused by the fragmented and interconnected High Frequency Trading system, plunges in a series of millisecond trades. These crashing prices trip the trading breakers and the market ceases to trade, rattling already nervous traders and now even the ‘mom and pop’ retail investors.
A rather large number of citizens now begin to understand that their ‘money’ and their ‘savings’ exist in a digital format only. They suddenly realize that what they might need is cash or some form of property that has real value (gold, silver, food, fuel, cigarettes etc.).
The result in the advanced economy democracies is a run on the banks for cash in an attempt to buy real world useful commodities such as fuel and food as quickly as possible. The citizens fear, with good reason, that their paper currency and digital accounts may soon be of limited to no value.
Students of history will understand how such a situation can rapidly spin out of control. Perceptions about strength and weakness dominate decision making. No one involved wants to be seen to be losing face.
How does a US President assert himself and the national interest at the same time as major domestic social unrest situation is starting to unfold? And what of the soldiers and sailors overseas? What is their focus is they feel that their families cannot get food or fuel while domestic unrest is building? What are you going to do as your household has limited food, no fuel and no cash or gold?
We will leave it to greater minds to game this one out to its logical conclusions.
A combination of factors is generating weakness in the payments and settlements system. We have allowed this system to grow unsupervised while allowing it to become the central nervous systems of our financial networks and indeed the entire economy. Potential opponents, including social activists, terrorists and nation states have tested it and found it wanting. Hyper-connectivity, poor software standards, IT personnel, legacy systems and a lack of training are all building towards a payments and settlements system which is vulnerable to cascading failures and attack.
In the event of an actual attack or a cascading failure caused by hyper-connectivity, the reality is that most governments would be unable to respond to the attacks in a meaningful way. As Jason Healey, the former White House Director of Cyber Infrastructure Protection noted in a recent address, if the United States is engaged in a cyberwar, Americans would be far better served by contacting Microsoft or AT&T rather than the Department of Homeland Security.xxv
We have created a new battle space or a “domain” of warfare without even being conscientiously aware of it. Welcome to the sixth domain of warfare where you, and the cards in your wallet, are the target.
For more on the issue of why most Western governments would be unable to respond to such an attack on banking and financial networks see: Occasional Paper #66 “Don’t Call Us” Governments, Cyber Security, and Implications for the Private Sector. The paper can be found at the Queens University Centre for International and Defence Policy website (publications/occasional papers) or at: http://www.queensu.ca/cidp/publications/occasionalpapers.html
i For more on this see http://www.volkskrant.nl/vk/nl/2664/Nieuws/article/detail/1851359/2011/02/23/Anarchisten-wij-hebben-de-Rabotoren-in-de-fik-gezet.dhtml as well as http://www.trouw.nl/tr/nl/4504/Economie/article/detail/1851380/2011/02/23/Actiegroep-claimt-cyberaanval-en-branden-Rabobank.dhtml and http://www.telegraaf.nl/dft/nieuws_dft/article20256603.ece . What is most interesting to note is that the cyber attack and physical attack were coordinated, a capability which had not been seen before.
ii The AIVD statement can bee seen at: http://www.rnw.nl/english/bulletin/rabo-towers-fire-claim-fake
iii For more on this see http://www.bbc.co.uk/news/uk-northern-ireland-18569815 and http://www.bbc.co.uk/news/business-18547149 .
vi For more on this see, among many others, http://www.nbcnews.com/id/51790132/ns/technology_and_science-tech_and_gadgets/t/anonymous-islamist-hackers-plan-major-assault-may/
vii For an overview of how this attack was carried out and a compendium of sources, see the slideshow created by Mathew Benton (firstname.lastname@example.org). The material is available at: http://www.slideshare.net/LaNMaSteR53/the-fail-of-hbgary
viii For details on the smear campaign, see: http://www.forbes.com/sites/parmyolson/2011/02/14/revenge-still-sweet-as-anonymous-posts-27000-more-hbgary-e-mails/
ix See, among others, http://www.cbc.ca/news/politics/story/2011/02/16/pol-weston-hacking.html
xi See the article Chinese ‘hacked French ministry for G20 data’. It is available online at: http://www.theweek.co.uk/technology/7229/chinese-%E2%80%98hacked-french-ministry-g20-data%E2%80%99
xii For more on this attack and others, see http://www.afr.com/p/national/cyber_attackers_penetrate_reserve_FEdCLOI50owRMgI0urEYnK
xiv For an explanation of how the hacking of RSA occurred, see: http://www.f-secure.com/weblog/archives/00002226.html
xv Lockheed claims that the attack was stymied by them in a short period of time an no valuable files were lost. This seems debatable, especially given other statement of questionable veracity made at the same time. Spokesman, for instance, claimed that the attack was “extremely sophisticated” when in fact it was rather simple. For more on this see: http://www.dailytech.com/Reports+Hackers+Use+Stolen+RSA+Information+to+Hack+Lockheed+Martin/article21757.htm
xvi See more on this at: http://deibert.citizenlab.org/2009/03/tracking-ghostnet/
xvii See more on this at the CBC news website: http://www.cbc.ca/news/business/story/2012/02/14/nortel-chinese-hackers.html
xviii China sits on the BIS Central Bank Governance Forum. See details at: http://www.bis.org/about/cbgov.htm. For more information on the BIS payments and settlements system see: http://www.bis.org/cpss/index.htm. China is one of 25 members of the BIS Committee on Payment and Settlement Systems. See http://www.bis.org/about/factcpss.htm.
xix See the statements from PLA Colonel Senior Colonel Ye Zheng and Zhao Baoxian where they state: Just as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era, and this has become a form of battle that is massively destructive and concerns the life and death of nations.” Of the various potential uses of cyber warfare, the two authors note that the second is network paralysis. For a discussion of the paper see: http://www.stratfor.com/analysis/china-security-memo-illuminating-beijing%E2%80%99s-cyber-war-strategy
xxi For more on this vessel, see the Navy Recognition guide online at: http://www.navyrecognition.com/index.php?option=com_content&task=view&id=1182
xxii Japan is considering the V-22 Osprey for its helicopter carriers. During a recent exercise (June 2013), an Osprey landed on the Japanese helicopter carrier Hyūga. See http://theaviationist.com/2013/06/18/mv-22-japanes-ship/#.UiCISE1zaM8 for a photo and further details.
xxiii The shrine is located in Tokyo. It was built in 1869 to commemorate those who died in the service of the Emperor during the Meiji Restoration. Unfortunately it has been at the center of a controversy as a number of “Class A” war criminals have had their names added to the list in the post-WW II period. For many other Asian countries such as China, Taiwan and Korea, this shrine is seen as a monument to what they consider Japanese war crimes.
xxiv In 2012, the UK bank RBS suffered a major computer failure as the result of a ‘normal’ software upgrade. Millions of customers were left without ATM, online or physical branch access to their funds and the RBS payments and settlements system failed to update accounts for approximately a week. The cost of repairing the damage is unknown, but press reports suggest 100 million Pounds Sterling as a reasonable estimate.
xxv Occasional Paper #66 “Don’t Call Us” Governments, Cyber Security, and Implications for the Private Sector. The paper can be found at the Queens University Centre for International and Defence Policy website (publications/occasional papers) or at: http://www.queensu.ca/cidp/publications/occasionalpapers.html