Toward a Global Norm Against the Manipulation of the Integrity of Financial Data

{
  "authors": [
    "Tim Maurer",
    "Steven Nyikos"
  ],
  "type": "legacyinthemedia",
  "centerAffiliationAll": "dc",
  "centers": [
    "Carnegie Endowment for International Peace"
  ],
  "collections": [
    "Cyber and Digital Policy"
  ],
  "englishNewsletterAll": "ctw",
  "nonEnglishNewsletterAll": "",
  "primaryCenter": "Carnegie Endowment for International Peace",
  "programAffiliation": "TIA",
  "programs": [
    "Technology and International Affairs"
  ],
  "projects": [
    "Protecting Financial Stability"
  ],
  "regions": [
    "Iran"
  ],
  "topics": [
    "Economy",
    "Security",
    "Technology"
  ]
}

In The Media

Toward a Global Norm Against the Manipulation of the Integrity of Financial Data

Cyberattacks to manipulate the integrity of financial data pose a distinct set of systemic risks.

By Tim Maurer and Steven Nyikos

Published on Apr 6, 2017

Program

Technology and International Affairs

The Technology and International Affairs Program develops insights to address the governance challenges and large-scale risks of new technologies. Our experts identify actionable best practices and incentives for industry and government leaders on artificial intelligence, cyber threats, cloud security, countering influence operations, reducing the risk of biotechnologies, and ensuring global digital inclusion.

Learn More

Project

Protecting Financial Stability

The Carnegie Endowment has proposed that the G20 explicitly commit not to engage in offensive cyber operations that could undermine financial stability, namely manipulating the integrity of data of financial institutions, and to cooperate when such incidents occur. Such an agreement by the world’s leading economies would send a clear signal condemning such activity and enable future cooperation.

Learn More

Source: R Street

The February 2016 theft of $81 million from Bangladesh’s central bank, which recent reports suggest may have been perpetrated by agents of North Korea, demonstrated the scale of risk that malicious hackers pose to financial institutions.

Cyberattacks to manipulate the integrity of financial data pose a distinct set of systemic risks. While a cyberattack on an electrical grid, for example, will be mostly limited to a single country’s territory or its immediate neighbors, the effects of an attack on the financial system are not bound by geography. Such attacks could lead to bankruptcies that, in turn, send shock waves throughout the global system.

The G-20 finance ministers and central bank governors recognized the threat in a March 18 communiqué:

The malicious use of Information and Communication Technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence and endanger financial stability.

Now the G20 heads of state have an opportunity to take further action. A new white paper by the Carnegie Endowment for International Peace proposes the G-20 heads of state explicitly commit not to undermine the integrity of financial institutions’ data—whether in peacetime or during war—or allow their nationals to do so, and to cooperate with the international community when such attacks do occur.

Most states already demonstrate restraint when it comes to cyberattacks that could compromise the integrity of financial institutions’ data. By making such restraint explicit, they could:

Send a clear signal that global financial stability depends on preserving the integrity of financial data and that the international community considers attacks on that integrity off limits;
Build confidence among states that restraint in this domain is already the norm and thereby make it easier to mobilize the international community when that norm is violated;
Foster greater international collaboration to tackle nonstate actors who target financial institutions with cyber-enabled means; and
Complement and enhance existing agreements and efforts, namely the 2015 G-20 communiqué, the 2015 UNGGE report and the 2016 cyber guidance from the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions (CPMI-IOSCO).

The agreement proposed in the Carnegie white paper would commit states not to conduct or knowingly support any activity that intentionally manipulates the integrity of financial institutions’ data and algorithms, wherever they are stored or when in transit. It also binds states, to the extent permitted by law, to respond to requests by other states to assist in halting cyberattacks that target financial institutions’ data and algorithms and that either pass through or emanate from the state in question.

Elements of the proposed agreement are mutually reinforcing. The commitment by states to provide assistance and information, upon request, shifts the burden of attribution from the victim of attack to states that have professed interest in helping to respond to and ultimately prevent such attacks. Linking an agreement on state restraint with expectations for the private sector to implement due-diligence standards addresses potential moral-hazard problems.

The agreement would build on existing international law and on recent international efforts to develop rules for cyberspace. These include the 2015 report of the U.N. Group of Governmental Experts, which proclaimed:

States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts.

The G-20 heads of state could advance this norm powerfully, building on the finance ministers’ statement, by articulating it formally when they meet in July.

Of course, in the 21st century, a few states that are relatively cut off from the global economy, and nonstate actors who may or may not be affiliated with them, could conduct cyberattacks against financial institutions. But states that endorse the norm explicitly would be more united and would have a clear basis to demand potential retaliatory action against violators—be they states, terrorists or cybercriminals.

This piece was originally published on R Street.

About the Authors

Tim Maurer

Former Senior Fellow, Technology and International Affairs Program

Dr. Tim Maurer was a senior fellow in Carnegie’s Technology and International Affairs program.

Steven Nyikos

Former Nonresident Research Analyst, Cyber Initiative

Economy Security Technology Iran

Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.

More Work from Carnegie Endowment for International Peace

Commentary
Diwan
The Gulf Conflict and the South Caucasus
In an interview, Sergei Melkonian discusses Armenia’s and Azerbaijan’s careful balancing act among the United States, Israel, and Iran.
Armenak Tokmajyan
Collection
Conflict, Security, and Peacemaking
Domestic and international conflicts present myriad challenges for leaders, militaries, and civilians, including the effects of new technological capabilities on the conduct of war, the effectiveness of security strategies, and the intricacies of post-conflict peacemaking. Carnegie scholars provide timely analyses to address these and other related questions.
Commentary
Strategic Europe
Europe and the Arab Gulf Must Come Together
The war in Iran proves the United States is now a destabilizing actor for Europe and the Arab Gulf. From protect their economies and energy supplies to safeguarding their territorial integrity, both regions have much to gain from forming a new kind of partnership together.
Rym Momtaz
Commentary
Carnegie Politika
Why Has Kazakhstan Started Deporting Political Activists?
The current U.S. indifference to human rights means Astana no longer has any incentive to refuse extradition requests from its authoritarian neighbors—including Russia.
Temur Umarov
Commentary
Emissary
Iran’s Northern Neighbors Are Facing Fallout From the War, Too
The conflict is threatening stability in Armenia and Azerbaijan.
Zaur Shiriyev

More Work from Carnegie Endowment for International Peace

Commentary

Diwan

The Gulf Conflict and the South Caucasus

In an interview, Sergei Melkonian discusses Armenia’s and Azerbaijan’s careful balancing act among the United States, Israel, and Iran.

Armenak Tokmajyan

Soldier looking at a drone on the ground

Collection

Conflict, Security, and Peacemaking

Domestic and international conflicts present myriad challenges for leaders, militaries, and civilians, including the effects of new technological capabilities on the conduct of war, the effectiveness of security strategies, and the intricacies of post-conflict peacemaking. Carnegie scholars provide timely analyses to address these and other related questions.

Commentary

Strategic Europe

Europe and the Arab Gulf Must Come Together

The war in Iran proves the United States is now a destabilizing actor for Europe and the Arab Gulf. From protect their economies and energy supplies to safeguarding their territorial integrity, both regions have much to gain from forming a new kind of partnership together.

Rym Momtaz

Commentary

Carnegie Politika

Why Has Kazakhstan Started Deporting Political Activists?

The current U.S. indifference to human rights means Astana no longer has any incentive to refuse extradition requests from its authoritarian neighbors—including Russia.

Temur Umarov

Commentary

Emissary

Iran’s Northern Neighbors Are Facing Fallout From the War, Too

The conflict is threatening stability in Armenia and Azerbaijan.

Zaur Shiriyev