In their March 2017 communique, the G20 Finance Ministers and Central Bank Governors warned that “The malicious use of Information and Communication Technologies could …undermine security and confidence and endanger financial stability.” That is why, the Carnegie Endowment has proposed that the G20 explicitly commit not to engage in offensive cyber operations that could undermine financial stability, namely manipulating the integrity of data of financial institutions, and to cooperate when such incidents occur. Such an agreement by the world’s leading economies would send a clear signal condemning such activity and enable future cooperation. The G20 is now discussing such a commitment by its member states.
This website is meant to serve as a hub providing more details about the G20 discussions, the related Carnegie report and proposal, reactions following its publications, as well as additional resources. The team at Carnegie’s Cyber Policy Initiative also continues to work with government officials, including national security officials, financial institutions, and other experts in the next phase of this project. Feedback is welcomed and stakeholders interested in engaging with Carnegie on this issue are encouraged to contact us here.
Tim Maurer, Ariel (Eli) Levite, and George Perkovich explain why it is vital to the stability of the international system to prohibit the corruption of data in the global financial system, and to strengthen a comprehensive norm to this effect.
The financial crisis that erupted in 2007 highlighted how important trust is for the global system and how fragile it can be. The 2016 Bangladesh central bank cyber incident exposed a new threat to financial stability and the unprecedented scale of the risk that malicious cyber actors pose to financial institutions. While financial institutions have been targeted by hackers since the early days of the modern Internet, the threat has evolved and grown. In 1995, for example, hackers stole USD 10 million from a major bank at a time when most people were just starting to connect to the Internet. Cybercrime has since increased to the billions. Importantly, politically motivated actors have been carrying out increasingly risky actions in recent years. It is therefore no surprise that G20 Finance Ministers and Central Bank Governors are becoming increasingly alarmed by this evolving threat. (For a list of recent cyber incidents targeting financial institutions click here.)
Beyond theft, manipulating the integrity of data, in particular, poses a distinct and greater set of systemic risks than other forms of financial coercion. That is why the Carnegie proposal focuses specifically on data integrity. (The Carnegie report also recognizes that the availability of certain data and systems is critical and proposes a two-step process to explore and conceptualize the two dimensions.) The complex and interdependent character of the financial system and its transcendence of physical and national boundaries mean that manipulating the integrity of financial institutions’ data can, intentionally and/or unintentionally, threaten financial stability and the stability of the international system. Importantly, unlike the 2007–2008 global crisis, this risk exists independent of the underlying economic fundamentals and will only increase as more and more governments make cashless economies an explicit goal.
A 2017 study by the Massachusetts Institute of Technology explains in more detail why data integrity is the most severe risk to the financial sector::
“Our economy is based on a system of accounts recording who owes what to whom at any moment. Those accounts are digitized, and so are back-up systems. An attack that destroyed or corrupted the accounts of a major financial institution could wreak devastating economic havoc unless those accounts could be quickly and reliably reconstituted. The risk extends beyond banks to securities exchanges, brokerage firms, investment companies, clearing organizations, and other financial enterprises.
A sophisticated network attack could lock-up this sector. A logic bomb, for example, could randomly delete system files. According to one participant, that has already occurred, and it took time to understand what had happened and to fix it. But disruption is only one risk that could arise form from data loss or corruption. A subtle, more limited operation that corrupted the pricing of selected securities, for example, could be used to manipulate markets, create illegal profits and losses, and drive parties out of business.
Participants agreed that a slowly rolling attack on an institution might create more havoc than an attack that brought the institution to an immediate halt, for which the larger institutions prepare. A ‘low and slow’ corruption of accounts would be difficult to spot, and unless it were stopped quickly, it would infect back-up systems, too. The longer it lasted, the more backup accounts would also be infected.”
Major powers, notwithstanding their fundamental differences, have recognized this in principle and deed. The U.S. government reportedly refrained from using offensive cyber operations against Saddam Hussein’s financial systems. Russia’s 2011 Draft Convention on International Information Security explicitly suggests that “each State Party will take the measures necessary to ensure that the activity of international information systems for the management of the flow of . . . finance . . . continues without interference.” China also has a vested interest in the system, reflected, among other ways, by its successful effort to make the renminbi part of the IMF’s global reserve currency basket. Meanwhile, countries around the world are setting up or strengthening their CERTs specific to the financial sector, as, for example, India did in February 2017.
To help address this problem, Carnegie outlines a detailed proposal and road map for a G20 agreement on this issue. States have already demonstrated significant restraint from using cyber means against the integrity of financial institutions’ data. Such an agreement would therefore be making explicit what could be considered emerging state practice. Making it explicit would
This figure illustrates the underlying logic and main pillars of the proposed agreement and regime:
For more details, please read the Carnegie report “Toward a Global Norm Against Manipulating the Integrity of Financial Data.” Carnegie’s work also builds on past efforts focusing on this issue listed below.
Estonia was part of the 2014/2015 UN Group of Governmental Experts, which released its consensus report in 2015. As part of the group’s deliberations, the Estonian government shared an input paper specifically focusing on financial infrastructure with the group in September 20014. The relevant section states:
“2.1 Protection of critical financial infrastructure
Potentially the most harmful cyber attacks are those targeted against a nation’s critical infrastructure and associated information systems. Failures of, or disruptions to, critical information systems may impact extensively upon the normal functioning of society with potentially disastrous consequences. Therefore it is vital to enhance international co-operation and mutual assistance for the purpose of critical information infrastructure protection.
In our view, the protection of ICT-based or ICT-dependent critical infrastructure subject to State’s jurisdiction constitutes responsible State behavior. In the spirit of UN Resolution 58/199 States are encouraged to define their nationally critical infrastructure, assign responsible institutions and develop protection measures, including comprehensive national crisis preparedness and response procedures. In addition, States should facilitate cross-border cooperation to address vulnerabilities of critical information infrastructure transcending national borders.
While we consider it necessary to continue developing practices on the protection of all types of critical infrastructure, we would like to focus particularly on the issue of stability and security of the financial system, which we consider to be in the interest of all States due to its centrality for the functioning of individual economies as well as the global economy as a whole. Due to interdependencies, attacks against individual financial institutions as well as financial services can cause extensive damage and reduce public trust toward the digital economy.
Therefore, Estonia considers it essential for States to take steps to reduce potential damage resulting from cyber attacks against the financial system as an essential enabler of economic and social stability.”
For the full version of Estonia’s input paper, click here.
In 2010, Richard Clarke and Robert Knake propose in their book Cyber War an international agreement that would “prohibit altering data or damaging networks of financial institutions at any time, including the preparation to do so by the emplacement of logic bombs” (p. 267).
In 2013, Clarke’s company Good Harbor published a report titled “Securing Cyberspace Through International Norms” expanding on this proposal stating that:
“The Financial Sector
In most major nations, the financial sector has become inherently international and interconnected. The international financial system is based to a large degree on trust, a belief that assets recorded in data bases do in fact exist in the types, amounts, and ownership recorded. Altering and falsifying those databases, or engaging in unauthorized ownership transfer, would significantly undermine the international financial system.
Thus, nation-states have a major incentive to refrain from altering data in or disrupting the communications system of the international financial system. The United States reportedly considered and rejected a cyber attack on the Iraqi banking system in 2003 precisely because of a fear that such an attack would be a precedent that would be used by others to justify similar attacks, which would undermine the essential trust in the international financial system. Arms control often beings with nations promising not to do things that they never had any intentions of doing anyway. Thus, a first step to a cyber war norm might be a series of unilateral declarations that financial sector targets will be avoided.
The international financial system is based to a large degree on trust, a belief that assets recorded in data bases do in fact exist in the types, amounts, and ownership recorded. Altering and falsifying those databases, or engaging in unauthorized ownership transfer, would significantly undermine the international financial system… A first step to a cyber war norm might be a series of unilateral declarations that financial targets will be avoided.”
For the full version of the Good Harbor paper, click here.