When asked why he always went after banks, the famed Depression-era robber
Willie Sutton once explained that he picked them because "that's where the
money is."
Nowadays, with more banking transactions performed over electronic networks
than teller windows, a federal agency believes the same logic might appeal
to cyberterrorists.
In a report released this week on "Efforts of the Financial Services Sector
to Assess Cyber Threats," the U.S. General Accounting Office concluded that
entities handling monetary transactions face a particularly high risk of
attack by criminals or terrorist organizations.
The GAO, the investigative arm of Congress, included financial services in
a list of industries that provide so-called "critical infrastructure," such
as telecommunications or electrical power.
In the case of financial services, the GAO found that "the potential for
monetary gains and economic disruptions may increase its attractiveness as
a target."
In the online context, however, Sutton's logic plays out on a bigger scale.
As of mid-2002, the report estimates, financial services providers in the
United States, including commercial banks, insurance companies, mutual
funds, pension funds and securities brokers, among others, held more than
$23.5 trillion in assets.
Increasingly, assets are changing hands over computer networks, for
purposes ranging from Internet banking to electronic stock trading to the
backend operations required for settling transactions. But the growth of
these services, the GAO found, "has also increased the degree of access to
the systems used to support these services." As access grows, so does the
risk of criminal intrusions.
The GAO's concerns dovetail with findings in a biannual report on Internet
security threats published by Symantec in February. The security firm found
that the overall volume of cyberattacks in the second half of 2002 declined
by about 6 percent from the first half of the year. Symantec said it was
the first time it had recorded such a decline.
But while overall cyberattacks were down, the financial services industry
was not spared. According to Symantec, the financial services industry
"experienced a sharp rise in attack volume and relative attack severity."
Vincent Weafer, director of Symantec Security Response, said some of the
rise in reported attacks can be attributed to the usual suspects:
cybercriminals on the prowl for credit card numbers and bank account
records. Weafer said that banks are better at detecting intrusion attempts,
so more attacks are being counted.
Like the GAO, however, Weafer sees online banking and other applications in
which customers access financial institutions from their personal computers
as particularly risky.
"Where we really need to focus attention is on the home users," he said.
"They're being used by criminals as launch pads to attack critical
infrastructure."
But while cyberattack risks remain high for financial services firms, the
GAO acknowledged that a number of industry groups and regulatory agencies
are actively working to boost security.
Private-sector efforts include a plan by the Securities Industry
Association for a virtual command center that will be activated when a
significant disaster occurs. Another group, the Financial Services
Technology Consortium, developed a database through which financial
institutions could find space to get their operations back up and running
in the event of a disaster.
Meanwhile, federal regulators, such as the Federal Reserve and the
Securities and Exchange Commission, are increasing scrutiny of information
security risks among the financial institutions they oversee.
http://www.wired.com/news/print/0,1294,57911,00.html