The financial crisis that erupted in 2007 highlighted how important trust is for the global system and how fragile it can be. The 2016 Bangladesh central bank cyber incident exposed a new threat to financial stability and the unprecedented scale of the risk that malicious cyber actors pose to financial institutions. While financial institutions have been targeted by hackers since the early days of the modern Internet, the threat has evolved and grown. In 1995, for example, hackers stole USD 10 million from a major bank at a time when most people were just starting to connect to the Internet. Cybercrime losses have since grown to the billions. Importantly, politically motivated actors have been carrying out increasingly risky actions in recent years. It is therefore no surprise that G20 Finance Ministers and Central Bank Governors are becoming increasingly alarmed by this evolving threat.
Beyond theft, manipulating the integrity of data, in particular, poses a distinct and greater set of systemic risks than other forms of financial coercion. That is why the Carnegie proposal focuses specifically on data integrity. (The Carnegie report also recognizes that the availability of certain data and systems is critical and proposes a two-step process to explore and conceptualize the two dimensions.) The complex and interdependent character of the financial system and its transcendence of physical and national boundaries mean that manipulating the integrity of financial institutions’ data can, intentionally and/or unintentionally, threaten financial stability and the stability of the international system. Importantly, unlike the 2007–2008 global crisis, this risk exists independent of the underlying economic fundamentals and will only increase as more and more governments make cashless economies an explicit goal.
A 2017 study by the Massachusetts Institute of Technology explains in more detail why data integrity is the most severe risk to the financial sector:
“Our economy is based on a system of accounts recording who owes what to whom at any moment. Those accounts are digitized, and so are back-up systems. An attack that destroyed or corrupted the accounts of a major financial institution could wreak devastating economic havoc unless those accounts could be quickly and reliably reconstituted. The risk extends beyond banks to securities exchanges, brokerage firms, investment companies, clearing organizations, and other financial enterprises.
A sophisticated network attack could lock up this sector. A logic bomb, for example, could randomly delete system files. According to one participant, that has already occurred, and it took time to understand what had happened and to fix it. But disruption is only one risk that could arise from data loss or corruption. A subtle, more limited operation that corrupted the pricing of selected securities, for example, could be used to manipulate markets, create illegal profits and losses, and drive parties out of business.
Participants agreed that a slowly rolling attack on an institution might create more havoc than an attack that brought the institution to an immediate halt, for which the larger institutions prepare. A ‘low and slow’ corruption of accounts would be difficult to spot, and unless it were stopped quickly, it would infect back-up systems, too. The longer it lasted, the more backup accounts would also be infected.”
Major powers, notwithstanding their fundamental differences, have recognized this in principle and deed. The U.S. government reportedly refrained from using offensive cyber operations against Saddam Hussein’s financial systems. Russia’s 2011 Draft Convention on International Information Security explicitly suggests that “each State Party will take the measures necessary to ensure that the activity of international information systems for the management of the flow of . . . finance . . . continues without interference.” China also has a vested interest in the system, reflected, among other ways, by its successful effort to make the renminbi part of the IMF’s global reserve currency basket. Meanwhile, countries around the world are setting up or strengthening their CERTs specific to the financial sector, as, for example, India did in February 2017.
To help address this problem, Carnegie outlines a detailed proposal and road map for a G20 agreement on this issue. States have already demonstrated significant restraint in using cyber means against the integrity of financial institutions’ data. Such an agreement would therefore make explicit what could be considered emerging state practice. Making it explicit would
- send a clear signal that the stability of the global financial system depends on preserving the integrity of financial data in peacetime and during war and that the international community considers the latter off limits;
- build confidence among states that already practice restraint in this domain, and thereby increase their leverage to mobilize the international community in case the norm is violated;
- create political momentum for greater collaboration to tackle nonstate actors who target financial institutions with cyber-enabled means; and
- complement and enhance existing agreements and efforts, namely the 2015 G20 statement, the 2015 UNGGE report, and the 2016 cyber guidance from the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions (CPMI-IOSCO).
This figure illustrates the underlying logic and main pillars of the proposed agreement and regime:
For more details, please read the Carnegie report “Toward a Global Norm Against Manipulating the Integrity of Financial Data.” Carnegie’s work also builds on past efforts focusing on this issue listed below.