Cyber Security – It's a Race for Time

Virtually everybody is exposed to cyber risk in some form," stated IMF experts in a paper last year. That sounds as banal as a police reminder about the risk of accidents. Mr. Hofmann, how do you feel about this?

Contrary to the cyber risks, I do not believe that the risk of road traffic accidents has increased tremendously in recent decades. Criminal hackers today are essentially better organized than they were a few years ago and have a wide range of resources. They act like a globally active company. This has massively changed the threat situation. Another aspect is that there’s greater exposure to cyberattack: digitalization, the opening of our networks to the Internet – that particularly pertains to the customer-bank interface. Consider the keyword, open banking, or the Internet of Things, or the regulation stipulated by PSD2, which opens the customer interface for third parties with the help of APIs.

Two years ago, as a reaction to cyber bank robbery at the Bangladesh's central bank, SWIFT announced a series of security measures and introduced them under the name, Customer Security Programme (CSP). An article about this appeared in clearit 12/2017. By the end of last year, all SWIFT customers had to prove that they have complied with the mandatory security controls. Apparently, 89% did so. What happens to those who do not cooperate?

I am pleased to say that meanwhile more than 90% of our 12,000 customers completed the self-attestation. And this number is growing as we speak. That's good news. Taking a closer look at the numbers shows that this figure covers more than 99% of all SWIFT FIN messages. We are striving for 100% by the end of 2018 and will help the remaining customers to carry out the CSP attestation. And there we are welcomed with open arms, because the SWIFT community has a steadily increasing common interest in its own security. Together with our stakeholders, we're doing everything we can to achieve this goal. This also includes reporting those who do not adhere to the requirements to the relevant supervisory authorities.

Apropos community: One would expect that a regular exchange of information and experience takes place between the individual members. According to our information, that doesn’t always seem to be the case. Only very few banks are interested in the security attestation status of counterparties. What's the reason for this?

That does not correspond with my experience. Actually, I see just the opposite: a much stronger and growing interest in the security of counterparties. And that applies not only to counterparties, that goes for all relationships with third parties – in contrast to previously when one was primarily limited to one’s own security. I have noticed in many banks that rules and processes have been set up to ensure security among partners, and requests for attestation information are also growing worldwide. Because we are in a learning process, it goes without saying that there’s still plenty of room for improvement.

How much fraud is being effectively prevented due to the CSP activities?

We have actually made tangible and measurable progress in the fight against fraud. I can, however, not provide you with figures or even individual cases. We have observed that our measures to prevent payment fraud have proven effective in numerous cases. An additional important aspect is that our customers show a significantly higher level of awareness of their own security and – as I indicated before – also that of their counterparties who also are raising their capability to recognize threats. We're getting better every day. But from what I’m able to gather, the number of fraud attempts is not really decreasing. In fact, the opposite is true. As long as hackers hope to be able to earn money, they won’t stop.

Is there any indication that hackers have meanwhile shifted their criminal activities to other channels and areas as a result of the CSP?

We know that criminal hackers make increasingly greater efforts to bypass security measures. Thus, regardless of what financial institutions have introduced, criminals attempt to find a way to get around them. Using deception technology, we simulate false servers and accounts, amongst other things, to trap them. They are meanwhile reacting to this and that will also be the case with other measures, and the CSP is no exception. What does that mean for us? It means that we cannot rest, must continually question whether our measures are appropriate and we must logically continue upping the ante.

We detect many fraud attempts very early on with our integrity check tool, which shows whether a message has been transmitted in a falsified manner.

Apropos tool: With the new Payment Controls service, SWIFT has launched a new tool for fraud protection – real-time screening of outgoing payments. Why not also for incoming payment instructions?

First of all, it’s the obligation of each individual company to check outbound messages to make sure they are not fraudulent. And that’s the reason why we started there. The future expansion to the recipient side is thereby not ruled out.

That’s one of the next steps in the race against the criminals…

Possibly, yes. The thing is though; you need to be able to ultimately bring the entire community along with you. Few things function with simply the flick of a switch, and suddenly the effect works for the entire community. Rather, a joint effort is required for most things. And that means: Together with our customers we must consider where our priorities lie and where we can achieve the best effect with a view to both the current and anticipated threat situation.

The cyber threat is the reverse side of digitalization. Politics, business and society seem to have recognized the seriousness of the situation. To name just a few examples: EU countries have come together to create rapid cyber attack troops, the Swiss Federal Council has been given a "Mr./Ms. Cyber Security", and in Germany, the world's largest research center for IT security shall be built (Cispa) with a masters study program in cyber security. How is SWIFT integrating itself in the race to create security with global initiatives?

First of all, I find the promotion of cooperation in the battle against crime to be an extremely important issue – and I mean not just banks or our customers, but also law enforcement authorities. I believe that cooperation, or at least the exchange of information about the modus operandi of cybercriminals with government organizations as well as universities will be one of the crucial capabilities for us to be able to effectively defend ourselves. Therefore, we’ve already undertaken numerous steps in this regard and are planning more. For example, we’re working with organizations such as the International Monetary Fund and the World Bank. We’re also part of the FS-ISAC, an organization for the financial sector which provides information about cyber threats to its 7,000 members around the world. The annual meeting recently took place in Miami, where the chief information security officers of the banks conferred and did some straight talking.

While this cooperation is certainly important, is it also strategic?

Definitely. And for various reasons. The most obvious one is cooperation when it comes to intelligence information. In this regard, we share so-called indicators of compromise in near real-time with the SWIFT community, which is data about threats regarding malware or perpetrator groups so that community members can also quickly adapt their defense. These indicators are also fed by experiences gathered by others. I find it extremely important that we exchange such information and that we mutually warn one another about potential threat situations. And we have actually been able to successfully defend ourselves against several attacks, in answer to your earlier question about where we have been effective against cyber fraud.

A further strategic aspect is that we seek to sharpen awareness throughout the entire SWIFT community in this context. We provide examples of how attacks function and how criminal hackers do it; how they are sometimes very, very patient, that after penetrating a company's network, they spy on the environment and user activities, unnoticed, for months or even more than a year before attacking. We have evidence that criminals very cunningly strike on national holidays or weekends in order to take advantage of the behavior of local operators. We must share this information and enhance risk awareness for concrete situations so that companies then also make targeted investments where it makes the most sense. We should not go around with a watering can and futilely attempt to equally protect ourselves from everything, but apply our efforts where they are most effective. True effectiveness is only possible when the community works together.

The SWIFT master plan for cyber security is structured according to four main criteria. The first of which is: Know your enemy. We may be familiar with the know-your-customer principle. But how does one recognize an enemy?

Creating threat assessments is a very important first step. The second aspect is the capability of the respective security operation center (SOC) to recognize intruders. That is a difficult issue because, after all, hackers inherently wish to remain unrecognized. However, technical support is available here, such as in the area of network behavior analysis. This makes it possible to detect unusual behavior in the network and to track it down. This type of behavior analysis, like the above-mentioned deception technology, is a further possibility to raise awareness in technical terms in regard to the infrastructure. And then, it goes without saying, there is the business side. The priority here is how to detect a fraudulent payment, for example. I briefly mentioned our new Payment Controls service. Our daily validation report offers another possibility to protect processes involved in the daily reconciliation of transactions from fraud. If I have a message which arrives at an unusual time or is to be forwarded to a new creditor that is unknown to me, then it’s quite clear that something may be wrong. And that is just what is meant by "know your enemy".

A new version of the CSP framework will be published this summer containing changes to many security controls. Why did the framework have be changed? Did the currently applicable one miss out on some essential aspects?

No, that’s not the case. Regardless of how cleverly we defend ourselves against cyber attacks, criminals never sleep and are growing ever more sophisticated. That means that we also must continue to move forward. That goes for the CSP too. We must continuously question and further develop the controls if we do not wish to lose the race. Because the risks and the threat situation are constantly changing, we were compelled to adapt the CSP accordingly. In this context, there will certainly be new mandatory security controls in the future, and perhaps some will also be dismantled. In any case, I expect that the framework will generally become stricter.

Is it then safe to assume that the framework will more or less undergo a release cycle?

That’s how it is. We are constantly scrutinizing the controls. We will introduce such a cycle in tandem with the community.

Hackers fed fraudulent payments between the back-office system and SWIFT Alliance Access at the Bangladesh’s central bank. The most effective control against such an attack is back-office data flow security. Why does the control point remain only ‘just recommended’ in the new framework instead of being mandatory?

We consider this to be an important issue. That’s why it is also part of the control framework. We are sure that in the course of the further development of the framework there will be shifts from advisory to mandatory controls. We regularly review the importance and appropriateness of the respective controls and then consider whether an upgrade to “mandatory control” is called for.

And this will come up in the next release...

That’s how it is.

Due to its systemic importance for the stability of the global financial system, SWIFT has been supervised by the G-10 central banks for twenty years. How does SWIFT rate its own efforts in the area of cyber security?

Naturally, the issue of cyber security is not only extremely important for the community, but also for our own security status. That means that this issue has top priority for us. At the same time, we have substantially invested in our infrastructure and in our cyber strategy, and will continue doing so. We consistently proceed according to the international standards (e.g. ISO) as well as best practice and determine where we can still go the extra mile. And beyond all that we can do here, we constantly keep the G-10 regularly up to date to facilitate them in their governance duties.

In your opinion, what are the remaining major hindrances to providing cyber security in the SWIFT community?

The reality is that whilst not the majority, many of our customers still shy away from exchanging information. Some view it as a competitive advantage to keep such information to themselves. That particularly applies to information about incidents. If there was something I could wish for, then it would be that all companies, without exception, would immediately turn to us if they suspect misuse so that we can help them. Or that we can share information through our channels to ward off damage to other companies, naturally only upon approval and in an anonymized form. In my experience, many companies are unfortunately not even in the position to be able to act along with us in a suspicious case. First, because they simply do not know who to turn to internally in matters involving legal and compliance in order to obtain approval for such an exchange of information. And even if this knowledge exists, it sometimes takes too long to obtain the approval, even days, either because those in charge are on holiday or are at least not available. The second issue is that under some circumstances some companies cannot do more in technical terms. I have been able to observe several attacks in which criminals did extensive damage to the company's infrastructure (e.g. server, including mail server) in order to erase their tracks. Either they delete database entries or act in an extremely damaging way and encrypt or simply delete everything that gets in their way. In other words, it’s not possible for customers to react quickly enough. In principle, criminal hackers set out to prevent or at least delay the reconciliation of incoming and outgoing payments. In the end, it’s a race for time. Nothing matters more than time when it comes to the recovery of funds. Hackers know this too and therefore seek to erase their tracks and to slow down the reaction times of their victims.