Core Pillar #2: Reinforce international norms at the United Nations and through other relevant processes to clarify what is considered inappropriate behavior—that is, when malicious activity has crossed a line—and hold actors accountable for violations to avoid norms being eroded by impunity.
Problem Statement: Weak International Norms in Need of Implementation
International norms make clear what behavior is considered appropriate and when a line has been crossed.1 They provide the legitimacy for actions to hold those who violate such norms accountable. If every country unilaterally did what it wanted, the world would be even more of a Wild West. That is why the international community has clarified norms of shared interest around issues ranging from biological and chemical weapons, to human rights, international trade, and cyberspace. The past few years have also highlighted what happens when these norms erode and weaken over time.
Operationalizing and implementing the still nascent norms for cyberspace must be a top priority in the coming years. The financial sector provides an opportunity to advance this effort and to cement words and diplomatic consensus into action and state behavior.
The international community shares a strong common interest in financial stability. Great powers share an interest in preserving the integrity of the financial system. In the United States, “it’s the economy, stupid” wins elections.2 In China, the Communist Party has no interest in seeing a run on banks that could fuel further social unrest. The Russian elite wants to safeguard its money and has an interest in setting certain limits on cyber criminals like the Carbanak group that become too aggressive.3 And most of the world is tiring of attacks by North Korean hackers that continue to steal millions from countries all around the globe.4 Amounts that may seem like peanuts for rich countries matter greatly to countries that need every penny for the effort to lift people out of poverty.
States can help protect the integrity of the financial system by committing to advance certain norms governing their behavior. Currently, the process for establishing international norms for cyberspace comes from two directions. The first is the top-down process driven by UN diplomats who have agreed on a catalogue of aspirational, voluntary norms that they hope will ultimately reflect how states actually behave. The second is the bottom-up process of emerging state practice that is beginning to shed light on areas of state restraint that could eventually be explicitly codified as norms.
The bad news is that neither of these two driving forces currently provides clarity on how international norms apply to the financial system specifically. The good news is that both offer useful starting points for clarifying and strengthening norms to protect the financial system. In addition, the work carried out by financial supervisory authorities on systemic risk can help operationalize and implement the diplomatic norms agenda. For example, the European Systemic Risk Board released a report in February 2020 identifying key economic functions of the financial system that, if disrupted, could pose a systemic risk.5 Table 3 details these functions.
Industry also has an important role to play in strengthening international norms. The value to industry in pursuing cyber norms for the financial system is twofold. Most obviously, norms that increase the stability and security of cyberspace will reduce operational and systemic risk. In addition, public advocacy for norms allows financial institutions to enhance their brand and improve customer trust in their products. There are five main approaches that the financial industry can use to support the construction of cyber norms protecting the global financial system: (1) political signaling and agenda setting, (2) coalition building, (3) partnerships and financial support, (4) public commitments, and (5) monitoring compliance and collective response.
Mapping the Status Quo: A Shaky Foundation in Need of Reinforcement
Emerging State Practice
In addition to the diplomat-led, top-down processes, a growing number of experts with ties to the national security community are focusing on how states actually behave in cyberspace and what their use of offensive tools reveals about emerging norms.6
A comprehensive review of significant cyber incidents targeting financial institutions between 2011 and 2020 reveals that states have already demonstrated significant restraint in using cyber means against the integrity of the financial system. For example, it is noteworthy that there are no public data implicating states in any of the incidents involving the manipulation of the integrity of financial data; this suggests states have been exercising restraint so far. (The only exceptions over the past two decades have been North Korea’s disk-wiping attacks against financial institutions in South Korea and Chile.)7
Upon reflection, such restraint makes sense. Global interdependence makes the financial sector more vulnerable than other critical infrastructure, but states share a common interest in refraining from putting financial stability at risk.8 The damaging effects of an intrusion targeting the electrical grid or the oil and gas sector will mostly be limited to a single country’s territory or its immediate neighbors. The effects of an incident targeting the integrity of financial data, however, are not necessarily bound by geography—they would be very difficult to understand and, therefore, hard to tailor and to predict.9 An operation targeting a payment processing system could have the direct impact of corrupting the transactions running through it. Indirectly, however, it could lead to an institution’s bankruptcy that sends shock waves throughout the international system. The 2008 collapse of Lehman Brothers highlighted the unanticipated contagion effect caused by the bankruptcy of even a single institution. The 1997 Asian financial crisis was similarly triggered by the collapse of the Thai currency and the unanticipated cascading effects that occurred throughout the region. Such second-order effects are difficult to anticipate, and they may not be factored into the attacker’s battle damage assessments.10
Major powers, notwithstanding their fundamental differences, have recognized this in principle and in practice. The U.S. government reportedly refrained from using offensive cyber operations against Saddam Hussein’s financial system.11 Russia’s 2011 “Draft Convention on International Information Security” explicitly suggests that “each State Party will take the measures necessary to ensure that the activity of international information systems for the management of the flow of . . . finance . . . continues without interference.”12 China also has a vested interest in the system, reflected, in part, by its successful effort to make the renminbi part of the IMF’s global reserve currency basket.13
- Recommendation 2.1: Heads of state should ensure that their state organs (continue to) exercise restraint when using offensive cyber capabilities to target financial institutions. This will strengthen the nascent state practice that has emerged over the past few decades.
Existing International Law
The international community has clarified through the UN that existing international law applies in cyberspace.14 However, at present, there is so much uncertainty about how international law applies during both times of peace and war, at least with respect to data, that international law is simply not up to the task of safeguarding interdependent domestic, regional, and global financial systems. Because cyber attacks against the financial sector do not result in deaths or physical damage, it is difficult to analogize their effects, particularly those of attacks against the integrity of financial data. The following discussion is based on an analysis that Michael Schmitt, one of the world’s leading international lawyers on cyber operations, co-authored with Tim Maurer, one of the authors of this strategy document.15
International law has instituted a set of prohibitions that can be used to determine what sorts of operations are acceptable and unacceptable. During peacetime, the three prohibitions most likely to be implicated by cyber operations are those involving sovereignty, coercive intervention, and the use of force:
- It is unclear whether cyber operations against data that do not cause damage to another state’s cyber infrastructure qualify as violations of sovereignty. Efforts to manipulate the integrity of financial data are unlikely to result in physical damage or loss of functionality of cyber infrastructure (although they could cause a loss of confidence in financial institutions and be highly destabilizing); thus, they exist in a legal gray zone. Similarly, the line between financial activities that amount to inherently governmental acts and those that do not is indistinct. Financial data associated with a state’s taxation system, for instance, would be clearly encompassed in the protection; however, data residing in the servers of state-owned banks might not be.
- The second prohibition forbids a state’s unlawful intervention in the internal or external affairs of another state. . . . The paradigmatic case of a prohibited cyber intervention is manipulation of election returns. In the context of financial data, an operation targeting the integrity of financial data upon which the state pension or welfare system relied in order to compel the target to adopt a particular domestic policy would exemplify prohibited cyber intervention.
- The debate continues over whether non-physically destructive cyber operations can nevertheless qualify as prohibited uses of force. In particular, there is a strong argument to be made that the nature of the consequences (destructive or not) matters far less than their severity. From this perspective, a cyber operation targeting financial data that results in severe financial instability and widespread economic disruption might amount to a prohibited use of force. But the approach is far from universally embraced, and the threshold above which a cyber operation would be considered sufficiently severe remains unsettled even among this perspective’s proponents.
There are three factors that obscure how international law applies to cyber operations during wartime:
- First, it is not clear that a cyber operation undermining the integrity of financial data, but not affecting the associated cyber infrastructure, would qualify as an attack and therefore be subject to the prohibition on attacking civilian objects.
- There is also lack of agreement as to whether data constitute an “object,” such that the prohibition on attacking civilian objects applies at all. . . . The interpretive distinction is critical, for if civilian financial and other data do not qualify as an object, they may be targeted, subject to some narrow exceptions, without violating international humanitarian law.
- Finally, assuming solely for the sake of analysis that data are an “object” that is capable of being “attacked” as a matter of law, the question arises as to which data qualify as a “military objective” legally susceptible to attack. However, a long-standing debate surrounds so-called “war-sustaining” objects and how far the definition of a legitimate target can be stretched. The issue has direct relevance in the data context because cyber operations against an enemy’s financial system could directly impede its ability to sustain the conflict.
Since this article was published in 2017, only three governments have publicly clarified aspects of how they interpret international law with respect to cyber operations involving financial institutions:
- In 2018, the UK attorney general stated in a speech that:
The precise boundaries of [the international law prohibition on intervention in the internal affairs of other states] are the subject of ongoing debate between states, and not just in the context of cyberspace. But the practical application of the principle in this context would be the use by a hostile state of cyber operations to [sic] . . . intervention . . . in the stability of our financial system. Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states.16 (Emphasis added.)
- In 2019, the Australian government stated in a letter to the UN that:
Harmful conduct in cyberspace that does not constitute a use of force may still constitute a breach of the duty not to intervene in the internal or external affairs of another state. . . . Accordingly, as former UK Attorney-General Jeremy Wright outlined in 2018, the use by a hostile State of cyber operations to [sic] . . . intervention . . . in the stability of States’ financial systems would constitute a violation of the principle of non-intervention.17 (Emphasis added.)
- In 2019, the Dutch minister of foreign affairs outlined in a letter on the international legal order in cyberspace to the House of Representatives of the Netherlands that:
International law does not provide a clear definition of “use of force.” The government endorses the generally accepted position that each case must be examined individually to establish whether the “scale and effects” are such that an operation may be deemed a violation of the prohibition of use of force. . . . In the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force.
. . .
Necessity is a ground justifying an act which, under certain strict conditions, offers justification for an act that would otherwise be deemed internationally wrongful, such as deploying offensive cyber capabilities against another state. . . . [T]he damage does not already have to have taken place, but must be imminent and objectively verifiable. . . . The damage caused or threatened does not necessarily have to be physical: situations in which virtually the entire internet is rendered inaccessible or where there are severe shocks to the financial markets could be classified as circumstances in which invoking necessity may be justified.18 (Emphasis added.)
- Recommendation 2.2: Individual governments should clarify how they interpret existing international law to apply to cyberspace, specifically with respect to malicious cyber activity involving financial institutions. Governments could do this through ministerial statements or speeches, letters to parliament/legislatures, submissions to the United Nations (UN) emulating existing examples, or other appropriate mechanisms. (Such clarification should follow and ideally go beyond the Australian, British, and Dutch examples and focus on the set of questions highlighted in the complementary report to this strategy.)
- Supporting Action 2.2.1: The North Atlantic Treaty Organization (NATO), the Shanghai Cooperation Organisation (SCO), and other relevant security organizations should clarify how they interpret existing international law to apply to cyberspace, specifically with respect to malicious cyber activity involving financial institutions; at a minimum, they should initiate processes for member states to discuss this question.
- Supporting Action 2.2.2: The International Committee of the Red Cross, through its mission to build respect for international legal obligations, should build on and clarify its existing publications to provide a recommendation to the international community for how existing international humanitarian law should apply to cyberspace specifically with respect to malicious cyber activity involving financial institutions.
As international lawyers debate how existing international law and its provisions apply to cyberspace, diplomats have been busy developing a set of complementary, voluntary norms for peacetime. Outlined in a set of consensus reports agreed to by the UN GGE and endorsed by the UN General Assembly and the G20, these norms are aspirational in nature and outline how states will ideally behave in the future.
The most relevant norm with respect to the financial system is the following paragraph from the 2015 UN GGE report:
A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.19
This statement articulates a laudable goal, but effective operationalization faces several challenges. First, states have different definitions of what constitutes critical infrastructure. Second, the limitation to “intentional” damage does not take into account potential unintended effects like those witnessed in the WannaCry and NotPetya incidents. This was part of the reason several governments issued statements specifically condemning such attacks.20
To address this shortcoming, the discussion among UN member states in 2019 and 2020 led to a “pre-draft” report from the UN OEWG, which noted that:
While States observed that critical infrastructure is defined differently in accordance with national prerogatives and priorities, they emphasized the severity of threats to particular categories of infrastructure, including for instance the health and financial sectors and electoral infrastructure. Transborder and transnational critical infrastructure was highlighted as at risk as was supranational critical information infrastructure, notably those global systems upon which public or financial services rely. In this regard, States underscored that attacks on critical infrastructure pose not only a threat to security, but also to economic development and people’s livelihoods.21 (Emphasis added.)
As part of this discussion, some states suggested “an ‘upgrading’ as well as further elaboration of norms,” such as “highlight[ing] that supranational critical information infrastructure could be considered a special category of critical infrastructure, and that its protection was the shared responsibility of all States.”22 Singapore, one of the world’s four largest global financial hubs,23 specifically argued that:
More cooperation is necessary to protect and deal with threats to supranational critical information infrastructure (CII), which are owned by private companies, operate across national borders, and are not under any particular State’s jurisdiction. . . . Singapore also supports the further elaboration of norms where needed, for example, in respect of supranational CIIs which could be considered a special category of critical infrastructure, whose protection is the shared responsibility of all Member States.24
And the French government recommended that “More space could be dedicated to fields of vital importance such as healthcare, finance, transport, and electoral infrastructures.”25 (Emphasis added.)
In the United States, the congressionally mandated Cyberspace Solarium Commission issued a similar recommendation to “take a sector-by-sector approach to norms implementation: Prioritize norms against malicious cyber activity targeting elements of critical infrastructure that underpin shared global stability, such as the financial services sector, building on the existing norm against attacking critical infrastructure (CI).”26 (Emphasis added.)
The U.S. government has already started taking action in line with this recommendation, issuing specific statements focusing on election infrastructure and the health sector (see Appendix C for more details). With respect to the financial sector, it is worth mentioning the bipartisan joint letter sent by the chairman of the U.S. House Committee on Foreign Affairs, then congressman Edward Royce, and the co-chair of the Congressional Cybersecurity Caucus, Congressman Jim Langevin, to Treasury Secretary Steven Mnuchin and State Secretary Mike Pompeo on November 5, 2018.27 (See Appendix D for the text of the letters.) The representatives proposed that the two secretaries work with their counterparts in other countries to issue a statement at an upcoming G20 Finance Ministers and Central Bank Governors’ meeting that would declare a commitment to protecting the financial system in the face of growing cyber threats. They recommended that such a statement condemn malicious cyber activity targeting financial institutions and call for partner governments and private sector institutions to facilitate better international cooperation on this issue. Two weeks later, on November 19, 2018, private industry speaking through the FSSCC also sent a letter to Mnuchin with the same request to pursue a statement through G20 and G7 channels.28
Why focus on the G20 for such a statement? The G20 is uniquely positioned to serve as the anchor for such a declaratory statement for several reasons:
- Impact: The G20 convenes the world’s major economies, all of which have a shared interest in protecting the integrity of the global financial system, despite other existing political differences and tensions.
- Mandate: The G20 was established specifically in the wake of the global financial crisis to focus on financial stability and is primarily focused on economic issues and the financial system.
- Type of agreement: The G20 adopts not legally binding agreements but political ones. These are nonetheless effective because it is senior officials—either heads of state or top ministers—that agree to them. This important characteristic of the G20 has allowed its members to elegantly circumvent the contentious debate between Russia and China on the one hand, which have been promoting the idea of a legally binding information security treaty, and Western nations on the other, which have been focusing instead on existing international law and voluntary norms.
- Process: The G20’s most established track is the G20 Finance Track, which precedes even the G20 heads of state convenings, thereby providing a well-established and well-oiled mechanism.
- Recommendation 2.3: UN member states should strengthen and support the operationalization and implementation of the voluntary norms they agreed to through the UN, namely the norm focused on protecting critical infrastructure.
- Supporting Action 2.3.1: The G20 Finance Ministers and Central Bank Governors should adopt a communiqué, building on previous communiqués, urging restraint per recommendation 2.1, and adding specific declaratory language. The G20 heads of state should then endorse the language adopted by the G20 Finance Ministers and Central Bank Governors.
- Supporting Action 2.3.2: In a future process convened through the UN General Assembly and succeeding the UN Open-Ended Working Group (OEWG) and the UN Group of Governmental Experts (GGE), UN member states should:
- Make explicit reference to the financial services sector as critical infrastructure for all UN member states for the purposes of norms (f) and (g) of the 2015 UN GGE report, which focus on critical infrastructure.
- Highlight that financial institutions have been a primary target for malicious actors and face growing criminal and state-sponsored threats that require stronger cooperation among states to protect the global financial system.
- Call on states to adhere to the positive norms of cooperating in the investigation of transnational cyber crimes and denying the use of their territories for malicious activity.
- Supporting Action 2.3.3: Financial authorities and industry should use the systems developed for resilience purposes (for example, to identify and detect potential incidents in order to defend against and recover from them) for the detection and attribution of norm violations. Sharing such information is necessary to more effectively hold malicious actors accountable.
- Supporting Action 2.3.4: The UN Security Council should continue to monitor North Korea’s activities, considering that North Korea’s actions have impacted at least thirty-eight UN member states from 2015 to 2020 alone. The UN Security Council should use all its instruments, ranging from monitoring the latest developments through regular reports (such as the 2019 “Report of the Panel of Experts Established Pursuant to Resolution 1874”) to the imposition of sanctions, to deter future malicious activity.
North Korea is one of the most threatening actors targeting financial institutions. Over the past decade, North Korea has used cyber attacks to steal some $2 billion, more than three times the amount of money it was able to generate through counterfeit activity over the four decades prior.29
A More Ambitious Proposal
States could also be more ambitious and consider establishing a specific regime designed to protect the integrity of the financial system as outlined below. Such a regime would have three connected and mutually reinforcing elements.30
- First, a state must not conduct or knowingly support any activity that intentionally manipulates the integrity of financial institutions’ data and algorithms where they are stored or when they are in transit (for example, by sharing information about a vulnerability with other actors who then conduct the malicious action or by turning a blind eye to a nonstate actor’s activity).
- Second, to the extent permitted by law, a state must respond promptly to appropriate requests from another state to mitigate activities manipulating the integrity of financial institutions’ data and algorithms when such activities are passing through or emanating from its territory or perpetrated by its citizens. (This element is analogous to Core Pillar #3 on collective response in this strategy document.)
- Third, states would also be expected to implement existing due diligence standards and best practices. (This element is analogous to Core Pillar #1 on operational resilience.)
Linking these three elements would augment the overall effectiveness of this normative regime, as illustrated in Figure 8. The important characteristic of this proposal is that it combines a negative normative commitment (states commit not to do something) with a positive normative commitment (states commit to do something).31 Linking the agreement governing state behavior with expectations that states will implement due diligence standards addresses the problem of moral hazard. And states’ commitment to provide assistance and information when requested circumvents the attribution problem: rather than the victim of an attack having to prove its source, other states would have to live up to their commitment to respond to and help mitigate that attack, or explain why they do not. States would be expected to comply with these obligations in accordance with the requirements of national and international laws, both of which may require adjustment to reflect the principles described here.32
In order to achieve effective reciprocal adherence and be widely accepted among UN member states, this regime should not be limited to only a subset of financial institutions like the Global Systemically Important Banks (as enumerated by the FSB). From the standpoint of international stability—and of winning the support of a large number of states—it may be worth extending protections to all states’ financial institutions. Cyber operations that threaten the integrity of any financial institution would create precedents and sow fears that could threaten all states and the financial system writ large.
If G20 member states or a group of states were to find the proposed agreement compelling, they could include the language proposed here (or otherwise improved) in a communiqué and implement and promulgate the agreement with the relevant standard-setting bodies and private sector institutions including CPMI, IOSCO, and the BCBS.33
Unlike the actions taken after the 2007–2008 financial crisis, adoption and implementation of an agreement like the one proposed here would require engagement with countries’ national security communities and CERTs. No international forum to date exists that allows for such interactions. However, the FSB can act as the convener for such a process, possibly with the support and cooperation of other nongovernmental organizations.
There are clearly limits to the extent to which officials in the national security communities of each country can engage with foreign governments and experts in the financial sector. Given those limits, another approach would be an international agreement through the G20 complemented by a series of unilateral declarations by each government or its military to bolster the G20’s statement and contribute to the agreement’s effectiveness.34 Unilateral declarations would also be a simple way for states that are not part of the G20 to state that they join the G20 member states in their commitment.
The existing regime against counterfeiting currencies is instructive here. For nearly a century, states have adhered to and helped enforce the 1929 International Convention for the Suppression of Counterfeiting Currency, because of widespread mutual vulnerability to the effects of counterfeiting. And because this restraint is widely accepted, states violating it are highly likely to face punishment. Nonstate actors, of course, persist in counterfeiting, as do North Korea and a few other states, but the practice is contained enough that it does not threaten the stability of the international financial system.
The Role of the Private Sector: Activating the Financial Industry as a Norm Entrepreneur
To date, the financial industry as a whole has not been very active in discussions of international cyber norms, apart from a few individual firms such as JPMorgan Chase, Bank of America, and Mastercard that have publicly supported international cyber norms.35 Although multiple major financial institutions have considered becoming more actively involved (for example, when they were asked to join the Paris Call for Trust and Security in Cyberspace), there has not been the right window of opportunity for the sector to throw its full weight behind an initiative. Implementing a more coherent strategic approach such as the one outlined in this report may present such a window for industry to take some of the following actions.
- Political Signaling and Agenda Setting: Financial institutions can signal to their customers, the broader public, and their governments that there is a need for norms to constrain malicious cyber activity against the financial system. The impact of such signaling depends on the number of institutions sending a signal, and how loud and public those signals are. Options range from a series of letters sent to relevant government institutions, to public statements or op-eds published by a group of institutions, to public testimony before legislative bodies. Through political signaling, financial institutions can elevate the issue of cyber norms, particularly those to protect the financial system, on the agenda of political and industry leaders. For example, Microsoft’s president, Brad Smith, has advocated for his idea of a Digital Geneva Convention at the Munich Security Conference, the WEF Annual Meeting in Davos, and many other high-profile events, and the company is actively engaged in intergovernmental fora.36
- Coalition Building: The financial industry has a global architecture in place to build and channel coalitions; trade associations at the national, regional, and global levels are potential vehicles for building consensus and advocating for norms. The work of consensus building and advocacy includes building consensus within the financial industry and developing greater consensus and momentum among the stakeholders in the international community to focus on norms for the global financial system.
For example, at the global level, the financial industry could leverage global trade associations like the IIF and GFMA. Financial industry efforts could also be synchronized with current regional norms processes in organizations like the OAS, the Association of Southeast Asian Nations (ASEAN) Regional Forum (ARF), and the OSCE.
It is worth highlighting that in 2018, the OAS issued a detailed 181-page report, “State of Cybersecurity in the Banking Sector in Latin America and the Caribbean,” demonstrating how a regional organization could be leveraged effectively and in partnership with industry.37
- Partnerships and Financial Support: The financial industry can join others’ public commitments in support of international cyber norms such as Microsoft’s Cybersecurity Tech Accord, Siemens’ Charter of Trust, or the Paris Call. Financial support, particularly for resource-constrained nongovernmental organizations involved in advancing the public interest and strong cyber norms, provides another important opportunity for financial institutions to support ongoing norms processes. For example, Mastercard supports the CyberPeace Institute.38
- Public Commitments: The financial services industry could follow the logic of the Charter of Trust by making and implementing certain public commitments (although the lack of implementation has become a growing criticism of the Charter of Trust). A good illustration of such a corporate action is SWIFT’s Customer Security Program. Following the 2016 Bangladesh incident, SWIFT updated its Customer Security Program to include cybersecurity standards for its clients in its contractual relationships. The program’s terms and conditions remind clients that:
To conduct business over the SWIFT network, users need to have a commercial relationship with other SWIFT users. Users must establish such relationships taking into account multiple criteria. In addition to obvious commercial considerations, these criteria typically relate to KYC and sanctions/AML compliance, operational risk, cyber security, and fraud.
Cyber-attacks are growing in number, their modus operandi are increasing in sophistication and attackers are focusing more deeply inside banks. Cybersecurity is therefore an important consideration in establishing commercial relationships between SWIFT users. . . . [As] part of the SWIFT Customer Security Programme, SWIFT is acting as a facilitator of standards and transparency regarding the cybersecurity compliance status of the users. Pursuant to the [SWIFT Customer Security Controls Policy], users must self-attest against the security controls set out in the CSCF. While SWIFT reserves the right to report failures to comply therewith, each user remains solely and exclusively responsible for any reliance thereupon and, more generally, any decision to exchange (or stop or suspend exchanging) messages or files with another user, and defining and implementing appropriate supporting controls and other arrangements.39 (Emphasis added.)
These are now de facto mandatory requirements that SWIFT expects its clients to meet in order to retain access to the global network. This is one example of how private financial institutions can leverage their contractual relationships to strengthen cybersecurity and impose consequences on those who do not meet such requirements.
A related option is for financial services firms to use the power of the purse to nudge other industry actors into changing their behavior. In 2002, for example, Microsoft launched its Trustworthy Computing Initiative after Wall Street joined its growing chorus of critics.
On January 15, 2002, Bill Gates sent a now famous, one-paragraph memo to Microsoft employees, announcing that henceforth security would be Microsoft’s number one priority:
Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don’t do this, people simply won’t be willing—or able—to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.40
After this memo, Microsoft launched its Trustworthy Computing Initiative and developed its security lifecycle model for Microsoft products.
Microsoft took this action because several of its largest customers, including major financial firms, told the company to improve the security of its software or risk losing some of their business.41 At the time, the financial industry was undergoing the transformative shift to internet banking services—such as the 2001 strategic alliance between Citigroup and Microsoft to offer internet banking services. Reliable infrastructure was essential.42 Microsoft executives made specific overtures to the financial industry during the roll-out of the Trustworthy Computing Initiative.43 In an Economist op-ed about Microsoft’s focus on security, Craig Mundie, the champion of the Trustworthy Computing Initiative, noted that “in online banking, for example, the bank wants robust authentication.” In other words, Wall Street used the power of the purse to nudge others to change.
- Monitoring Compliance and Collective Response: Industry owns and operates most of the financial system’s infrastructure. Without industry, governments would have difficulty assessing when an international norm has been violated. Information sharing between industry and government is therefore required to monitor states’ compliance with international norms. If states commit and generally adhere to strong international norms and mechanisms to hold actors accountable, industry will have an incentive to work with government when incidents occur.
The financial industry is uniquely positioned to work with governments to hold norm violators accountable. States already use the financial sector to implement sanctions for a wide variety of reasons. Usually, financial services firms are reluctant instruments of statecraft. However, there is likely significantly greater appetite among financial services firms for implementing sanctions if these firms were themselves the target of malicious activity. One could also imagine a scenario where a firm could leverage its corporate relationships through contractual provisions, like those of SWIFT’s Customer Security Program, to hold its clients accountable for actions enabling or contributing to norm violations.
- Recommendation 2.4: Financial services firms and related trade associations, such as the Institute of International Finance (IIF), the Global Financial Markets Association (GFMA), the Bank Policy Institute (BPI), the Geneva Association, the American Bankers Association (ABA), the European Banking Federation (EBF), the Pan-European Insurance Forum, the Association of Banks in Singapore (ABS), and others, should call for stronger international norms to protect the financial system and should prioritize this as a talking point in their engagement with governments.
- Supporting Action 2.4.1: CEOs of financial services firms should collectively call on governments, for example via a joint letter, to strengthen international norms to protect the global financial system and for the G7 and the G20 to issue such a commitment.
- Supporting Action 2.4.2: Financial services firms should commit to sharing information about threat actors’ behavior and potential norm violations to assist in the monitoring of compliance. Not sharing this information could embolden malicious actors to continue their activity with impunity.
- Supporting Action 2.4.3: If governments publicly commit to protecting the integrity of the financial system, financial services firms should provide financial support to advance the implementation and strengthening of international norms, for example, to expand capacity-building activities.
1 This section includes text from the previously published, short article by Tim Maurer and Michael Schmitt, “Protecting Financial Data in Cyberspace: Precedent for Further Progress on Cyber Norms?,” Just Security (blog), August 24, 2017, and the Carnegie white paper “Toward a Global Norm Against Manipulating the Integrity of Financial Data” co-authored by Tim Maurer, Ariel Levite, and George Perkovich released on March 27, 2017.
2 “It’s the Economy, Stupid,” Wikipedia, https://en.wikipedia.org/wiki/It%27s_the_economy,_stupid.
3 Group-IB, “Group-IB: Cobalt’s Latest Attacks on Banks Confirm Connection to Anunak,” www.group-ib.com, May 2018, https://www.group-ib.com/media/group-ib-cobalts-latest-attacks-on-banks-confirms-connection-to-anunak/.
4 Nish and Naumaan, “The Cyber Threat Landscape: Confronting Challenges to the Financial System.”
5 European Systemic Risk Board, “Systemic Cyber Risk,” February 2020, https://www.esrb.europa.eu/pub/pdf/reports/esrb.report200219_systemiccyberrisk~101a09685e.en.pdf.
6 Michael P. Fischerkeller and Richard J. Harknett, “Persistent Engagement and Tacit Bargaining: A Path Toward Constructing Norms in Cyberspace,” Lawfare (blog), November 9, 2018, https://www.lawfareblog.com/persistent-engagement-and-tacit-bargaining-path-toward-constructing-norms-cyberspace.
7 For more details, see Carnegie’s “Timeline of Cyber Incidents Involving Financial Institutions,” developed in association with BAE Systems: https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline.
8 Tim Maurer et al., “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, March 2017, https://carnegieendowment.org/2017/03/27/toward-global-norm-against-manipulating-integrity-of-financial-data-pub-68403.
9 Tim Maurer et al., “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, March 2017, https://carnegieendowment.org/2017/03/27/toward-global-norm-against-manipulating-integrity-of-financial-data-pub-68403.
10 Tim Maurer et al., “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, March 2017, https://carnegieendowment.org/2017/03/27/toward-global-norm-against-manipulating-integrity-of-financial-data-pub-68403.
11 Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do About It, 1st Ecco pbk. ed. (New York: Ecco, 2012), 202–3; John Markoff and Thom Shanker, “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk,” New York Times, August 1, 2009, https://www.nytimes.com/2009/08/02/us/politics/02cyber.html.
12 The Ministry of Foreign Affairs of the Russian Federation, “Convention on International Information Security,” September 2011, https://www.mid.ru/foreign_policy/official_documents/-/asset_publisher/CptICkB6BZ29/content/id/191666.
13 Mark Wells and Nick Fahey, “Charts: Who Loses When the Renminbi Joins the IMF Basket?,” CNBC, December 2, 2015, https://www.cnbc.com/2015/12/02/who-loses-when-the-renminbi-joins-the-imf-basket.html.
14 United Nations General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security,” Pub. L. No. A/68/98, A/68/98 (2013), https://www.unidir.org/files/medias/pdfs/developments-in-the-field-of-information-and-telecommunications-in-the-context-of-international-security-2012-2013-a-68-98-eng-0-518.pdf.
15 Michael Schmitt and Tim Maurer, “Protecting Financial Data in Cyberspace: Precedent for Further Progress on Cyber Norms?,” Just Security (blog), August 24, 2017, https://www.justsecurity.org/44411/protecting-financial-data-cyberspace-precedent-progress-cyber-norms/.
16 Attorney General Jeremy Wright QC MP, “Cyber and International Law in the 21st Century” (Speech, Chatham House, London, May 23, 2018), https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century.
17 Australian Mission to the United Nations, “Australian Paper - Open Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security,” Open Ended Working Group, September 2019, https://unoda-web.s3.amazonaws.com/wp-content/uploads/2019/09/fin-australian-oewg-national-paper-Sept-2019.pdf.
18 Stef Blok, “Letter to the Parliament on the International Legal Order in Cyberspace From the Government of the Kingdom of the Netherlands to Parliament,” July 5, 2019, https://www.government.nl/documents/parliamentary-documents/2019/09/26/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace.
19 United Nations General Assembly, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security,” A/70/174 § (2015), https://undocs.org/A/70/174.
20 Catalin Cimpanu, “All Five Eyes Countries Formally Accuse Russia of Orchestrating NotPetya Attack,” BleepingComputer, February 18, 2018, https://www.bleepingcomputer.com/news/security/all-five-eyes-countries-formally-accuse-russia-of-orchestrating-notpetya-attack/; Dustin Volz, “U.S. Blames North Korea for ‘WannaCry’ Cyber Attack,” Reuters, December 19, 2017, https://www.reuters.com/article/us-usa-cyber-northkorea-idUSKBN1ED00Q.
21 Open Ended Working Group, “Initial ‘Pre-Draft’ of the Report of the OEWG on Developments in the Field of Information and Telecommunications in the Context of International Security,” 2020, https://www.un.org/disarmament/open-ended-working-group/.
22 Permanent Mission of the Republic of Singapore to the United Nations, “Singapore’s Written Comment on the Chair’s Pre-Draft of the OEWG Report,” Open Ended Working Group, 2020, https://front.un-arm.org/wp-content/uploads/2020/04/singapore-written-comment-on-pre-draft-oewg-report.pdf.
23 David Reid, “New York Stretches Lead over London as the World’s Top Financial Center, Survey Shows,” CNBC, September 19, 2019, https://www.cnbc.com/2019/09/19/new-york-beats-london-again-as-the-worlds-top-financial-center.html.
24 Permanent Mission of the Republic of Singapore to the United Nations, “Singapore’s Written Comment on the Chair’s Pre-Draft of the OEWG Report.”
25 Permanent Mission of France to the United Nations, “France’s Response to the Pre-Draft Report from the OEWG Chair,” Open Ended Working Group, 2020, https://front.un-arm.org/wp-content/uploads/2020/04/contribution-fr-oewg-eng-vf.pdf.
26 U.S. Cyberspace Solarium Commission, “Cyberspace Solarium Commission Final Report,” March 2020, https://www.solarium.gov/.
27 Letter by Congressmen Royce and Langevin to Secretary Mnuchin, November 5, 2018; Letter by Congressmen Royce and Langevin to Secretary Pompeo, November 5, 2018.
28 Letter by the FSSCC to Secretary Mnuchin dated November 19, 2018.
29 Tim Maurer and Arthur Nelson, “COVID-19’s Other Virus: Targeting the Financial System,” Strategic Europe (blog), Carnegie Europe, April 21, 2020, 1, https://carnegieeurope.eu/strategiceurope/81599.
30 Tim Maurer et al., “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, March 2017, https://carnegieendowment.org/2017/03/27/toward-global-norm-against-manipulating-integrity-of-financial-data-pub-68403.
31 Tim Maurer et al., “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, March 2017, https://carnegieendowment.org/2017/03/27/toward-global-norm-against-manipulating-integrity-of-financial-data-pub-68403.
32 Tim Maurer et al., “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, March 2017, https://carnegieendowment.org/2017/03/27/toward-global-norm-against-manipulating-integrity-of-financial-data-pub-68403.
33 Tim Maurer et al., “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, March 2017, https://carnegieendowment.org/2017/03/27/toward-global-norm-against-manipulating-integrity-of-financial-data-pub-68403.
34 Tim Maurer et al., “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace, March 2017, https://carnegieendowment.org/2017/03/27/toward-global-norm-against-manipulating-integrity-of-financial-data-pub-68403.
35 Carnegie Endowment for International Peace, “Launch Event: Toward a Global Norm Against Manipulating the Integrity of Financial Data,” June 19, 2017, accessed October 30, 2020, https://carnegieendowment.org/2017/06/19/launch-toward-global-norm-against-manipulating-integrity-of-financial-data-event-5617.
36 Brad Smith, “The Need for a Digital Geneva Convention,” https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.
37 Cyber Security Program of the Inter-American Committee against Terrorism, “State of Cybersecurity in the Banking Sector in Latin America and the Caribbean,” Organization of American States, 2018, https://www.oas.org/es/sms/cicte/sectorbancarioeng.pdf.
38 “CyberPeace Institute - Home,” CyberPeace Institute, accessed February 28, 2020, https://cyberpeaceinstitute.org/.
39 SWIFT, “Customer Security Programme Terms and Conditions,” June 30, 2017, https://www2.swift.com/uhbonline/books/public/en_uk/cst_sec_prog_trm_cond/index.htm.
40 Bill Gates, “Bill Gates: Trustworthy Computing,” Wired, January 17, 2002, https://www.wired.com/2002/01/bill-gates-trustworthy-computing/.
41 Dennis Fisher, “Era Ends With Break Up of Trustworthy Computing Group at Microsoft,” ThreatPost, accessed January 14, 2020, https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404/.
42 Paul Beckett and Rebecca Buckman, “Citigroup, Microsoft Will Allow Users to Send Money Transfers,” Wall Street Journal, accessed January 16, 2020, https://www.wsj.com/articles/SB988669484896586123.
43 Craig Mundie et al., “Trustworthy Computing, Microsoft White Paper,” Microsoft Corporation, revised version 2002, http://download.microsoft.com/documents/australia/about/trustworthy_comp.doc. Emphasis added by author.