Not your father’s vault
Posted by Jim Eckenrode, executive director, Deloitte Center for Financial Services, Deloitte Services LP, on December 10, 2013
Today, we hosted a Dbriefs webcast on the topic of cybersecurity in financial services. One of the major points we made in the Dbriefs is that, perhaps even more than the increased variety of attacks on financial institutions, it is the emergence of new threat actors, with motivations beyond the simple theft of personally identifiable information or funds, that is driving the need for many financial institutions to reevaluate their cybersecurity programs. Core to this reevaluation is a greater focus on intrusion detection and recovery alongside the prevention methods that are well-established today. The potential for sustained operational disruptions and systemic damage to the financial system requires more collaboration and planning for the time when the unthinkable happens.
This caused me to wonder: how did we get here? To be sure, technology security is not a new topic, but where did it all start? Some give “credit” to a man named John Draper, who in 1971 created a device from a whistle, a “free inside” breakfast cereal giveaway, that allowed him to mimic the tones that controlled access to the long-distance telephone network; he was convicted of toll fraud in 1972. [1] At the same time, engineers working on ARPANet, the precursor to the Internet, developed as a proof-of-concept the first code designed to self-replicate across computers in a network: called “Creeper,” it’s generally recognized as the first “virus.” [2] Things progressed slowly from there, perhaps given the state of computer and network development during this period. However, in 1982, these computer “worms” moved from experimental status to maker of mischief: that year, a 15-year-old boy created another “virus” as a prank on his friends. Dubbed “Elk Cloner,” the virus was considered by its designer to be a joke; its only function was to interrupt a game to display a poem. [3] Four years later, Congress passed the Computer Fraud and Abuse Act, and by 1993, the first conference for hackers, called DefCon, was held in Las Vegas.
There is a frequently used quote whose origin is debated, but that is widely attributed to notorious gangster Willie Sutton. When Sutton was asked by a reporter why he robbed banks, his simple answer allegedly was: “Because that’s where the money is.” It is an axiom that fraudsters quickly found applied to their hacking attempts as well. Computer fraud against financial institutions began to emerge about the same time as Draper was making free long-distance calls, but these incidents were few in number and largely perpetrated by insiders. With the development of dialup banking and, later, banking on the Internet, these incidents gained speed. And it hasn’t stopped there: recently, about $1 million worth of Bitcoins were stolen from a “wallet” service provider that makes up part of the Bitcoin processing network. [4]
Today, cybersecurity is #3 on the list of corporate risks, as judged by global CEOs and board members surveyed for the Lloyd’s Risk Survey. [5] And with good reason: this brief history suggests not only that the speed of cyber-attack development in some sense mirrors the speed of development and adoption of technology by financial institutions and their clients, but also that this technology changes the nature of the “vault” that Willie Sutton and his kind targeted back in the day when value was stored on paper. The Bitcoin example is at the extreme edge of the confluence of technology and value, where the entire network, and the value of the currency itself, was developed by an anonymous individual or group and is managed by a series of algorithms.
Not only that, but in some sense, we’ve come full circle, back to the kid who developed “Elk Cloner” as a prank on his friends. Ensuring that the media of exchange (whether currency, negotiable instruments, or electronic “money”) are safe and secure is one very big challenge that the industry is struggling to deal with as those media move from metal, to paper, to electronic form. But staying ahead of the latest generation of “pranksters” (and I use that term extremely loosely), with designs on the stability of production systems and the larger financial system itself, mandates a rethink of value, the vault, and, of course, what defines “security.”
This is the message that we covered in our Dbriefs today. Further discussion of this issue will follow with the release of the accompanying report from the Deloitte Center for Financial Services, which will be available on this website shortly.
[1] John Markoff, “The Odyssey of a Hacker: From Outlaw to Consultant,” New York Times, January 29, 2001.
[2] Tom Meltzer and Sarah Phillips, “From the First Email to the First YouTube Video: a Definitive Internet History,” Guardian, October 22, 2009.
[3] Farhad Manjoo, “The Computer Virus Turns 25,” Salon, July 12, 2007.
[4] Andrea Peterson, “When Bitcoins Go Bad: 4 Stories of Fraud, Hacking and Digital Currencies,” Washington Post, November 26, 2013.
[5] Lloyd’s, Risk Index 2013, July 2013.