By Dune Lawrence and Michael Riley
Hackers are testing the financial system’s cyber defenses, and they can boast of some alarming success.
Let’s start with what we know. JPMorgan Chase & Co. (JPM) says a breach of its computer systems exposed the personal information of 76 million households and 7 million small businesses. The intrusion lasted from June until sometime in August, so hackers had more than a month to nose around. They accessed names, addresses, phone numbers and e-mail addresses, although the bank says there’s no evidence they compromised account information, passwords or Social Security numbers, Bloomberg Markets magazine will report in its December issue.
And keep in mind: JPMorgan is a giant, profitable bank with a reputation as one of the best companies in the world at cybersecurity.
Internet Security
Even more worrisome is what we don’t know — about the intrusion at JPMorgan, the hackers who did it and the potential vulnerability of the entire financial system. The bank has said little publicly about the breach beyond its description of the customer information that was and was not compromised and an assurance the company is cooperating with government investigations. U.S. intelligence agencies, federal prosecutors and attorneys general from at least two states have all launched probes.
Threats like these keep banking regulator Benjamin Lawsky, superintendent of the New York Department of Financial Services, awake at night. So he said in an interview at the Bloomberg Markets Most Influential Summit on Sept. 22. “I worry that we’re going to have some sort of major cyber event in the financial system that’s going to cause us all to shudder.”
Lucky or Good
One thing we don’t know, according to James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington, is how well big banks’ cyber defenses are working.
“Maybe JPMorgan had good defenses that separated the high-value data from the low-value data, so the hackers weren’t able to get to the high-value data,” Lewis says. “That would be a success story.” Or maybe it was just chance that the intruders didn’t manage to further exploit their access. “We don’t know if we were good or if we were lucky,” he says.
James Angel, a professor at Georgetown University who specializes in financial market structure, points out that banks’ computer networks are “highly connected” to major stock exchanges, to credit card networks and to institutions such as the Depository Trust & Clearing Corp. That means a breach in one system might allow hackers to dig deeper into networks vital to our financial system.
“What other weaknesses in bank cybersecurity are there that might allow other hacks?” Angel asks. “There’s a natural skepticism that this is the entire extent of the damage.”
Bigger Budgets
Financial institutions are among the best at handling cybersecurity, says Greg Bell, Americas services leader for information protection and cybersecurity with KPMG, the tax, audit and advisory firm, in part because they’re attacked so often. The stakes are high — a bank’s first duty, after all, is keeping customer money safe.
They spend more than most businesses on protecting data and information. JPMorgan, even before the events of this summer, had a cybersecurity budget of about a quarter billion dollars annually — and it now plans to double its spending within five years.
Still, financial companies are losing ground to the hackers, according to a report by management-consulting firm Deloitte. In 2013, 88 percent of all successful intrusions into the computer systems of financial companies were accomplished in seconds, minutes or hours, not days, Deloitte found, while 79 percent of intrusions were discovered by the targeted firms only after days, weeks or months.
State Actors
As in the JPMorgan episode, the attackers move fast while the defenders are slow.
JPMorgan, in the bare description of what happened in its case, said no unusual customer fraud related to the digital breach had been detected. Although that might sound reassuring, it raises the more disturbing question of what the hackers were up to. Was this just another incidence of cyber crime or was it an example of the growing threat of cyber espionage or terrorism?
JPMorgan has told consultants who are working with the bank that it saw signs the Russian government may have had a hand in the attack, according to three people familiar with the bank’s investigation.
Attacks by groups that have some kind of state support or direction have been on the rise for the past three years, says KPMG’s Bell. Foreign powers may be trying to show they can penetrate computer networks that are key to the financial system and send a message that they could do more, he says. In such cases, the intruders will leave just enough clues for investigators to identify who’s doing it, Bell says. “It’s a threat, posturing,” he says, “that I can get access to your critical infrastructure.”
To contact the reporters on this story: Dune Lawrence in New York at dlawrence6@bloomberg.net; Michael Riley in Washington at michaelriley@bloomberg.net