The Washington Post report on the suspected North Korean cyberattack is troubling in a number of ways. If true, the attack signals that commercial institutions are – as many have suspected – the targets of weapons-grade, state-sponsored cyberattacks and exploits. Such attacks and exploits mean that commercial institutions need to consider, and probably to employ, the same level of cybersecurity protection and the same level of sophistication in their defense as is becoming the norm in the national security community. In the past, financial institutions had considered cyberattacks as a “cost of doing business” and had mitigated the effects of these attacks on an “actuarial” basis, i.e., building a financial position that took into account the losses these attacks represent. Such an approach is less viable every day. More sophisticated attacks and exploits can do more than draw funds from a bank; it can hinder its very operations; it can jeopardize the interests of numerous customers, and it can compromise a bank’s intellectual property and competitive position. In can even destabilize a financial institution, assuming sufficiently clever and malicious manipulation of a bank’s data. The story from the Washington Post points to South Korea’s Internet connectivity as a characteristic of that country’s financial industry. In the future, this level of connectivity will be the global norm, and banks will have to find more ways to use global connectivity to their advantage, and to the advantage of their customers. Banking products and services will depend on global connectivity. Indeed, mobile banking will require this connectivity at a level that significantly surpasses today’s online banking activity. As a result, banks throughout the world will face the same situation as those in South Korea. The risks and threats of an online environment will be unavoidable.
Though not necessarily good news, this kind of report is useful in that it can help catalyze disciplined thinking and effective action to safeguard our financial institutions. Banks can build information architectures that are more intrinsically secure. Banks can “bake in” designs that impose stronger rules for data exiting their systems. They can move beyond an actuarial approach to hardening their systems, and to investing in tools to find anomalous system behavior. Indeed, there will be little choice but to engage in these approaches. Banks can and should work with government authorities to understand cyber threats, both in terms of the activities of criminal organizations and in terms of the technologies they must master on behalf of their customers and themselves. Banks and government authorities must work together to improve the level and quality of information available about global cyber criminal activity. Indeed, overcoming, this “data crisis” in which cyber threats are both under-played and over-hyped, is an urgent priority.
For better or worse, global banking will encounter global cyber threats. Overcoming and managing these threats is an unavoidable responsibility. The best institutions will accept these responsibilities and turn that acceptance into a competitive advantage.