Thank you very much for the invitation to speak to you today. The topic you've asked me to cover is the issue of cybersecurity, and in particular how it applies to the financial sector.
I think it would be useful to start with a very quick bit of background information when it comes to cybersecurity, in terms of why the financial sector is of interest, who the actors might be who might be interested in attacking, compromising or otherwise getting into the financial system, and some of the challenges that go with trying to protect the financial system and why.
I did provide my speaking notes beforehand, and the cover is just some very, very big numbers. Essentially, we're talking about the rate of breaches per day. It's in the hundreds, if not more, and it just keeps going up. People are very interested in attacking organizations from a cyber or Internet perspective because it's easy. You can be anywhere in the world to do it. In particular, when we think about those who might be interested in the financial sector, I would bucket them into four categories.
The first category is very easy: people who like the challenge. I sometimes refer to them as thrill-seekers. Financial institutions represent probably the toughest nut to crack when it comes to cybersecurity, so the kudos that goes with successfully breaching systems is very high in the hacker community. In many cases, this sort of action may be harmless and may be more reputational, such as changing the graphical interface on a web page, but nevertheless it's a group with interests in the financial sector.
Second are the hacktivists, those who have a social or political cause and see the financial sector or some of those it supports as being part of the challenge they face. Hacking helps them to further their cause or further their message. Again, I think it's very straightforward. Everyone has heard of Anonymous, though they're not very anonymous anymore.
Third are the criminals. Again, this is very straightforward in some ways. In the financial system, there's a direct monetary return that can be gained by criminals, but it's not just the direct monetary interest that criminals have, and I think this is very important to emphasize. You could hack into a system and try to siphon out money, but it's not just money that's in the system—it's information. It's personal information and information about the dealings of companies, all of which can be monetized in other ways. When we think about criminals, it's not just about direct monetization off the attack; it's also about the indirect benefits they can gain.
Finally—and I think this is where some of the biggest challenges are coming from—there is the issue of nation-states. You might ask the question, why would another state be interested in our financial system? If you think about it for a moment, in terms of the challenges we face in today's world, economic competition is as stiff as it ever was, and understanding the financial system, because everything flows through it at one point or another, gives you a very strong indication of not only how the country is doing, but also potentially how some of the corporations within the country are doing.
When it comes to having the upper hand in the economic challenge sphere—I shouldn't say “warfare”—from nation to nation, understanding the financials of a nation becomes very useful. If you think about that further and you're talking about nation-state-sponsored takeovers, that information becomes even more useful. Ultimately, if you think about modern warfare and modern threats, think about the financial system this way. At the end of the day, our financial systems are literally based on confidence. Anyone who is able to infiltrate that and affect that confidence will affect our markets.
We've seen time and time again how markets change just on the basis of what people think is going to happen. For those nation-states, in terms of a leg-up, in terms of a new hybrid warfare option, that becomes a target of tremendous interest, because the consequences can be quite significant if you manage to undermine confidence in the financial system.
If we take a look at those four actors and then look across the financial system, I think there are five key challenges we have to think about.
The first is—I think this has been mentioned time and time again—that we think about the threats we face in terms of regulation and legislation. We think that if we put in the right rules and the right standards, we'll be able to stop bad things from happening.
I don't know how many of you have the 60-day or 90-day password rule change. Just to let you know, that was invented in the days when it took between 60 and 90 days to compromise your account from when someone had your password, but this is an ISO standard, and in many cases it's a requirement for companies.
First and foremost, standards are actually struggling to keep up. By the time a standard comes into place, we've gone well beyond it. I think the first big challenge we face, particularly in the financial sector, which is heavily regulated, is that if we just depend on standards and regulation, which cannot keep up with the threat, for me they're just the table stakes to get into the game. It has to go far beyond that.
The second issue, which is certainly as pertinent in the financial sector but it cuts across everything in cybersecurity, is the issue of information sharing. If I'm company A and somebody has tried to attack me by going after a very specific piece of software and no one knows, it's a zero-day vulnerability. No one yet knows this vulnerability exists, but the rest of the financial sector, maybe 70% of it, depends on the same software. Do you know what? It's embarrassing to admit that I've been hacked, so I'm not going to tell anyone. That's the typical story we hear about cybersecurity. The information about what's happened is rarely, if ever, shared or made available. Now, this is not about embarrassing anyone. This can be made available anonymously. Some nations like Australia, for instance, are pushing for more and more disclosure when it comes to breaches or attacks. Having that intelligence and information shared actually has a crucial role to play in cybersecurity, and it's something we have not gotten right yet.
The third challenge is that whenever I say “cybersecurity”, someone brings up a smartphone and says, “Yes, it's about securing this.” Cybersecurity is not just a technology problem. In fact, if you look at the latest breach statistics from the Australian privacy commissioner and work it out in terms of the different categories they use, over 60% of it comes through humans, either malicious or non-malicious, making mistakes or being socially engineered. That's 60% or more. This is not just a technology problem; it is very much a human problem.
I would say this to you as well: If I wanted to hack your bank, I wouldn't hack your bank; I would hack you. It's far easier to engineer a person than it is to get through the protections that a financial institution or a large organization might have.
The fourth thing, which is kind of an extension of that first piece about technology, is users. I think there was a news story a few weeks ago about a user being compromised because they were taken in by a scam and they were actually paying out large amounts of money. Unfortunately, that security, as one expert once described to me, is like armoured vehicles with armed officers taking money between two cardboard boxes, and it's the cardboard box at the end that we worry about, because the user at the end may not be as well defended, or may not understand things as well as the bank or the financial institution or the provider of the services might.
My biggest nightmare was when my father got an eBay account and a PayPal account. Not everyone is familiar with the digital world, and therefore there can be attacks against them, and while you and I may look at those and laugh and say we know they are scams, not everyone will. So the user at the end of the chain is another piece that we need to think of.
Going back to the comment I made about confidence, it may not be a financial institution's fault, but if enough of those users, particularly as people age, start suffering these attacks, think about what that does for confidence. They tell their friends; their friends tell their friends, and that spreads. There's a problem with the system, but it's not the system; it's the user, at the end of the day.
The last piece, which I think is a very big challenge and certainly is pertinent in today's headlines, is the issue of supply chains. This might sound a little odd in cybersecurity, but think about it this way. We buy equipment; we buy bits and pieces from all over the world, and we integrate those into our systems. If we look at everything from the earpieces we're using today to the translation systems to the audio systems, there will probably be anywhere between three and 20 countries involved in constructing all of those. There's a direct supply chain, but it's not even in the equipment we're using directly. For those of you who remember the infamous Target breach, it was the HVAC system that they went after. They went after the HVAC company, and through that breached the system, and from there got into Target.
Supply chains have become very complex. They involve not just the bits and pieces we buy, but also the organizations that provide services to us. Again, I wouldn't attack your company; I would attack whoever services your company. When we think about cybersecurity, all of these elements add up to a very dangerous picture, which is, what does that do to confidence? If enough of these incidents keep happening, will they affect confidence, which is ultimately what underpins our financial system? That's why cybersecurity in the financial sector is a major concern and continues to be a major concern today.