Troels Oerting has a problem. As the group chief security officer for Barclays, he has a squad of elite ex-government agents patrolling the company’s digital perimeter. He also has a hefty budget to acquire state-of-the-art technology to protect Britain’s second-biggest bank from cyberattacks.
However, Oerting, with no small dose of grudging admiration, says his adversaries excel at something that cannot be addressed with deep pockets or killer software: They are superb networkers.
“The organized crime groups in cyber are sharing much better than we are at the moment,” said Oerting, a Dane with a square jaw and the watchful eyes of a cop who has investigated the underworld for 35 years.
Illustration: Yusha
“They are sharing methodologies, knowledge, tools, practices — what works and what doesn’t,” he said.
Now he and his counterparts at other big banks are doing some networking of their own. Oerting, who led the European Cybercrime Centre in The Hague before joining Barclays last year, has assigned some of his people to join allies from four other big UK banks at an operations center in London’s Canary Wharf complex. They sit side by side with police officers from the UK National Cyber Crime Unit.
The idea is that this industry-government “fusion cell,” the Cyber Defense Alliance, will let the sleuths swap tips, techniques and hunches the same way the bad guys do.
“To do this right, you need to have trust,” Oerting said. “If I give information to another bank about my breaches, I don’t want to see this on the front page of the newspaper the next day.”
The effort, the first of its kind in the UK, mirrors a similar initiative in the US called the National Cyber-Forensics and Training Alliance, a nonprofit organization in Pittsburgh that brings together academics, corporate security executives, intelligence operatives and law enforcement officials. Barclays has also installed an analyst at Interpol’s cyberinvestigation unit in Singapore.
Joining forces marks a big change for institutions long reluctant to share information about their information technology (IT) systems, let alone how they are compromised. They have decided they better reboot that mindset fast if they want to counter the online onslaught assailing their walls. In the second quarter of this year, cybercriminals tried to inject more than 1 million malware programs into financial companies worldwide, a 50 percent jump from the same period last year, according to Kaspersky Lab, a global cybersecurity company.
JPMorgan Chase, HSBC and the Federal Reserve Bank of New York have all been cyberjacked in some way in the past couple of years. So has Swift, the cross-border payments messaging network that constitutes the global economy’s circulatory system. No surprise, then, that banks are throwing a lot of treasure at the problem. JPMorgan chief executive officer Jamie Dimon last month said that he expected the bank’s US$600 million annual outlay on IT security to soar to US$1 billion in the next few years.
Yet cyberthieves are getting wilier by the day. In so-called “man-in-the-middle attacks,” they pretend to be trusted organizations to trick targets into sending them money or data. That happened in February when unidentified fraudsters sent fake Swift messages to the New York Fed, directing it to wire almost US$1 billion from the accounts of Bangladesh’s central bank to accounts they controlled. The fraudsters got away with US$81 million before the authorities caught on. As many as a dozen other lenders might have been similarly targeted.
A rapidly escalating scheme is “ransomware,” where criminals use viruses to seize virtual control of a company’s computers and refuse to release them until they are paid off, invariably in bitcoin. Then there are “whaling attacks.” By using sophisticated e-mails that pretend to be from a trusted friend or institution, frauds trick top corporate executives into divulging personal details. Thieves can then impersonate the executives and direct subordinates to transfer company funds to their own accounts.
Even projects that bankers believe are top secret turn out to be far from it. A major US lender recently learned that a supposedly unknown prototype for its new online portal had become a hot topic in a chat room used by criminals. Hackers were already testing malware on the site, says Alastair Paterson, the CEO and co-founder of Digital Shadows, the cyberdefense company that uncovered the scheme.
Many of the instruments in such skulduggery are free or for sale on the Internet. Password-cracking programs with names such as Hashcat and Medusa have become staples of the digital toolkit. Thanks to bitcoin, it is easy to buy more sophisticated penetration code and ready-made hacks on the dark Web, the subterranean layer of the internet untouched by conventional search engines.
Cyberattacks are becoming even more spectacular. Last month, Yahoo disclosed that hackers had stolen the names, passwords, birth dates and other personal data of more than 500 million users. Governments, organized crime gangs and hacktivists have never been better equipped to damage a bank’s most valuable asset: its reputation.
Financial companies are responding by dispatching their personnel to learn the dark arts of the digital world and share their knowledge with colleagues. On a recent morning, about a dozen men and women were tapping on computers in a training center near Cambridge, England, as part of an “ethical hacking” course taught by 7Safe, a British cybersecurity company. The pupils, a mix of corporate IT guys in jeans and polo shirts and hoodie-clad coders from a “white hat” collective called Hacker House, were working through a series of penetration tests on a fictional entity dubbed BeSureBank.
One of the trainees, a young would-be cyberconsultant, used a tool called Metasploit to expose BeSureBank’s IT specs in a process called enumeration. In minutes she was scrolling through a catalogue of the bank’s databases, ports, operating software and, best of all, the usernames for all the accounts on the network. Next she started cracking the passwords for those accounts by employing John the Ripper, an open-source program that computes character combinations until it finds a match.
Soon enough she was logging into the system with the administrator’s password. The consultant surveilled another user’s keystrokes in real time and figured it could be a senior executive at BeSureBank accessing a sensitive database.
“I’m sniffing the keystrokes,” she said to herself. “So that’s cool.”
The lesson concluded when all the trainees launched a “payload,” or virus, into BeSureBank’s system and took it down in a simulated distributed denial-of-service (DDoS) attack. In the real world, this type of assault mobilizes networks of hijacked computers called botnets to overwhelm the target. Such operations are on the rise in finance. On the morning of Jan. 29, a payday for many employees, unidentified hackers launched a DDoS attack on HSBC’s UK site and took it offline for a few hours until the bank could repel the incursion.
During a break in the class, a couple of corporate security directors grumbled that their jobs are not getting any easier when so much data is flying out the door of their companies. It is an important point. Every day employees at any number of companies take their work home with them on laptops, smartphones and tablets. They log in to their banks’ networks from trains, conferences and airport lounges. So, too, do customers and myriad financial technology (fintech) start-ups that are increasingly augmenting banking services with innovative offerings of their own. In January 2018, an EU law, Payment Services Directive 2, will require lenders to let outside companies access their customers’ accounts and connect their applications to the banks’ own systems.
Banks, in other words, will start to look less like isolated fortresses and more like open-border platforms hosting numerous apps and services, like Google’s Android system. While digitization might be the future, it poses a major security migraine.
“Every time there is a new app or a new channel opened, that provides criminal opportunities,” said Jamie Saunders, the director of the UK National Cyber Crime Unit.
“Banks are taking enormous care to design security into their apps, but as the technology evolves, the criminal will evolve, too, and vulnerabilities will open up,” he said.
By then, Oerting plans to be drawing strength from his networking push and the next generation of cyberdefenses. He helps select and mentor promising start-ups in the accelerators that Barclays runs in Tel Aviv, London and other cities.
He has championed Post-Quantum, a start-up that recently went through the bank’s UK accelerator program. Post-Quantum’s military-grade encryption for instant messaging, which has been tested by NATO, is being eyed for deployment to top Barclays bankers. The company also protects digital documents by splitting the “master keys” needed to unlock files into pieces and distributing the code to different keepers. That way, “when a hacker comes in, there’s nothing to hack,” said Andersen Cheng, Post-Quantum’s CEO and the former chief operating officer of Carlyle Group’s European venture fund.
For all the whiz-bang technology and talent at Oerting’s disposal, he is still paranoid something terrible might happen now that we have entered the age of the spectacular attack; just look at how Russian hackers reportedly made off with e-mails from the Democratic National Committee during the US presidential primaries.
“My nightmare is to wake up one morning and realize we’ve lost data for millions of credit cards, or a huge amount of money, or inboxes of e-mails for top executives,” Oerting said. “There is no such thing as absolute security.”
At least by working together, the banks hope they will be in a better position to improve their odds.
Additional reporting by Donal Griffin
Could Asia be on the verge of a new wave of nuclear proliferation? A look back at the early history of the North Atlantic Treaty Organization (NATO), which recently celebrated its 75th anniversary, illuminates some reasons for concern in the Indo-Pacific today. US Secretary of Defense Lloyd Austin recently described NATO as “the most powerful and successful alliance in history,” but the organization’s early years were not without challenges. At its inception, the signing of the North Atlantic Treaty marked a sea change in American strategic thinking. The United States had been intent on withdrawing from Europe in the years following
My wife and I spent the week in the interior of Taiwan where Shuyuan spent her childhood. In that town there is a street that functions as an open farmer’s market. Walk along that street, as Shuyuan did yesterday, and it is next to impossible to come home empty-handed. Some mangoes that looked vaguely like others we had seen around here ended up on our table. Shuyuan told how she had bought them from a little old farmer woman from the countryside who said the mangoes were from a very old tree she had on her property. The big surprise
The issue of China’s overcapacity has drawn greater global attention recently, with US Secretary of the Treasury Janet Yellen urging Beijing to address its excess production in key industries during her visit to China last week. Meanwhile in Brussels, European Commission President Ursula von der Leyen last week said that Europe must have a tough talk with China on its perceived overcapacity and unfair trade practices. The remarks by Yellen and Von der Leyen come as China’s economy is undergoing a painful transition. Beijing is trying to steer the world’s second-largest economy out of a COVID-19 slump, the property crisis and
Ursula K. le Guin in The Ones Who Walked Away from Omelas proposed a thought experiment of a utopian city whose existence depended on one child held captive in a dungeon. When taken to extremes, Le Guin suggests, utilitarian logic violates some of our deepest moral intuitions. Even the greatest social goods — peace, harmony and prosperity — are not worth the sacrifice of an innocent person. Former president Chen Shui-bian (陳水扁), since leaving office, has lived an odyssey that has brought him to lows like Le Guin’s dungeon. From late 2008 to 2015 he was imprisoned, much of this