While this cooperation is certainly important, is it also strategic?
Definitely. And for various reasons. The most obvious one is cooperation when it comes to intelligence information. In this regard, we share so-called indicators of compromise in near real-time with the SWIFT community, which is data about threats regarding malware or perpetrator groups so that community members can also quickly adapt their defense. These indicators are also fed by experiences gathered by others. I find it extremely important that we exchange such information and that we mutually warn one another about potential threat situations. And we have actually been able to successfully defend ourselves against several attacks, in answer to your earlier question about where we have been effective against cyber fraud.
A further strategic aspect is that we seek to sharpen awareness throughout the entire SWIFT community in this context. We provide examples of how attacks function and how criminal hackers do it; how they are sometimes very, very patient, that after penetrating a company's network, they spy on the environment and user activities, unnoticed, for months or even more than a year before attacking. We have evidence that criminals very cunningly strike on national holidays or weekends in order to take advantage of the behavior of local operators. We must share this information and enhance risk awareness for concrete situations so that companies then also make targeted investments where it makes the most sense. We should not go around with a watering can and futilely attempt to equally protect ourselves from everything, but apply our efforts where they are most effective. True effectiveness is only possible when the community works together.
The SWIFT master plan for cyber security is structured according to four main criteria. The first of which is: Know your enemy. We may be familiar with the know-your-customer principle. But how does one recognize an enemy?
Creating threat assessments is a very important first step. The second aspect is the capability of the respective security operation center (SOC) to recognize intruders. That is a difficult issue because, after all, hackers inherently wish to remain unrecognized. However, technical support is available here, such as in the area of network behavior analysis. This makes it possible to detect unusual behavior in the network and to track it down. This type of behavior analysis, like the above-mentioned deception technology, is a further possibility to raise awareness in technical terms in regard to the infrastructure. And then, it goes without saying, there is the business side. The priority here is how to detect a fraudulent payment, for example. I briefly mentioned our new Payment Controls service. Our daily validation report offers another possibility to protect processes involved in the daily reconciliation of transactions from fraud. If I have a message which arrives at an unusual time or is to be forwarded to a new creditor that is unknown to me, then it’s quite clear that something may be wrong. And that is just what is meant by "know your enemy".
A new version of the CSP framework will be published this summer containing changes to many security controls. Why did the framework have to be changed? Did the currently applicable one miss out on some essential aspects?
No, that’s not the case. Regardless of how cleverly we defend ourselves against cyber attacks, criminals never sleep and are growing ever more sophisticated. That means that we also must continue to move forward. That goes for the CSP too. We must continuously question and further develop the controls if we do not wish to lose the race. Because the risks and the threat situation are constantly changing, we were compelled to adapt the CSP accordingly. In this context, there will certainly be new mandatory security controls in the future, and perhaps some will also be dismantled. In any case, I expect that the framework will generally become stricter.
Is it then safe to assume that the framework will more or less undergo a release cycle?
That’s how it is. We are constantly scrutinizing the controls. We will introduce such a cycle in tandem with the community.
Hackers fed fraudulent payments in between the back-office system and SWIFT Alliance Access at Bangladesh's central bank. The most effective control against such an attack is back-office data flow security. Why does the control point remain only "just recommended" in the new framework instead of being mandatory?
We consider this to be an important issue. That’s why it is also part of the control framework. We are sure that in the course of the further development of the framework there will be shifts from advisory to mandatory controls. We regularly review the importance and appropriateness of the respective controls and then consider whether an upgrade to “mandatory control” is called for.
And this will come up in the next release...
That’s how it is.
Due to its systemic importance for the stability of the global financial system, SWIFT has been supervised by the G-10 central banks for twenty years. How does SWIFT rate its own efforts in the area of cyber security?
Naturally, the issue of cyber security is not only extremely important for the community, but also for our own security status. That means that this issue has top priority for us. At the same time, we have substantially invested in our infrastructure and in our cyber strategy, and will continue doing so. We consistently proceed according to the international standards (e.g. ISO) as well as best practice and determine where we can still go the extra mile. And beyond all that we can do here, we constantly keep the G-10 regularly up to date to facilitate them in their governance duties.