Financial Cyber Risk Is Not Systemic Risk

This interesting essay argues that financial cyber risks are generally not systemic risks, and are instead generally much smaller. That's certainly been our experience to date:

While systemic risk is frequently invoked as a key reason to be on guard for cyber risk, such a connection is quite tenuous. A cyber event might in extreme cases result in a systemic crisis, but to do so needs highly fortuitous timing.

From the point of view of policymaking, rather than simply asserting systemic consequences for cyber risks, it would be better if the cyber discussion were better integrated into the existing macroprudential dialogue. To us, the overall discussion of cyber and systemic risk seems to be too focused on IT considerations and not enough on economic consequences.

After all, if there are systemic consequences from cyber risk, the chain of causality will be found in the macroprudential domain.

Posted on June 10, 2016 at 12:56 PM • 10 Comments

Comments

Clive Robinson • June 10, 2016 3:44 PM

Hmm,

    A cyber event might in extreme cases result in a systemic crisis, but to do so needs highly fortuitous timing.

Such timing is what APT can give you.

The reason "fortuitous timing" is comparatively rare is that cyber-criminals tend to be very short-term, almost "snatch and run" in nature. And because of that MO their activities tend to come onto the radar fairly quickly. Thus we only see "fortuitous timing" when one State is making a point to another State. Even though it was a rush job, we saw that not so long ago when an ex-Soviet republic had problems with its electrical grid.

Clive Robinson • June 10, 2016 4:51 PM

@ Bruce,

Whilst you and Ross are likely to be fairly well up on "economics jargon", a lot of your readers are not.

Whilst people can "google" terms, a lot of the subtleties that carry significant meaning can pass people by.

Perhaps a pointer to a suitable "cheat sheet" or primer would help the majority of readers get to grips with what will become a more important aspect of security.

Some Guy • June 10, 2016 6:02 PM

The viewpoint is strictly financial, which is too narrow. The authors have it right when they say that systemic risk is about loss of confidence. Excessive risk-taking behavior is one cause. Loss of confidence in the country's (or global) infrastructure also will result in this loss of confidence.

What do people need for confidence in a high-threat situation? I am sure many have researched it and I haven't. But I would suspect that confidence in safety, family, and money all come into play. A coordinated attack that hits safety (infrastructure attack), family (communications attack), and money (financial system attack) at appropriate intervals would lead to mass loss of confidence. All three can be hit using cyber techniques in multiple ways.

In essence, this coordinated attack is a manufactured systemic failure that far exceeds the financial markets.

Some Other Guy • June 11, 2016 12:04 AM

Sounds to me like treating computers and the internet (aka CYBER) as tools instead of a magical place is the gist of it. Of course the 'systemic' risks are things like 9/11, the 2008 economic too-big-to-fail meltdown, etc. Sounds as though they are suggesting not to be too overfocused on the blockbuster-movie-level risks, and to realize that outside of those, it's a big complicated world. Same as it ever was.

Nile • June 11, 2016 8:36 AM

In layman's terms, the cyber risk they're modelling is the internal, 'local' risk within a system operating under dangerous external instabilities: to offer an analogy, it's just another kind of 'bang' or cough or unwise footstep that can trigger avalanches.

I'm going to unpack that, using avalanches by analogy, because their conclusion's quite a mouthful:

    After all, if there are systemic consequences from cyber risk, the chain of causality will be found in the macroprudential domain.

If I can make that comprehensible, I'd better start at the microeconomic scale: local risk, and precautionary rather than prudential regulation.

So let's set off into the mountains, where we see a 'Danger! Avalanches!' sign, and ponder the role of the authorities...

It is wise to heed the warnings, and posting them is an essential service: there is a role for regulation in preventing certain kinds of 'bang' where there is heavy snowfall.

This is, however, 'micro' scale, in terms of economics and analogies.

The 'macroprudential' approach is all about the fact that there is too much snow.

That, in itself, can be managed: economic policy is all about analogies and governments have more control than you might think, over the 'geography' and 'weather' - 'climate', even - leading up to economic avalanches.

That's macroeconomic policy.

Prudential regulation is about ensuring that we don't build our essential infrastructure under likely avalanches; and that anything significant we build, up in the mountains, should be individually resilient.

This prudence ventures into 'macro' when we regulate against excessive interdependence - it's not enough to build for individual resilience, we have to regulate against a tendency to an excessive interdependence that brings down the other buildings when there is an 'isolated' (or a not-so-isolated) failure.

And, above that, we must consider macroeconomic policy: we don't have 'Weather Gods' but we do have some command over the climate, if we choose to wield it.

So here, at last, I have a point to this extended ramble: 'cyber' isn't just a source of 'bangs' and triggers for an economic avalanche. It's fragile technology, shovelling millions of tons of 'snow' onto existing piles of risk through the sheer volume of transactions.

It is also, if you wish to delve into analogy, the widespread use of fragile technology making snowbanks frictionless and faster when they start to move, and chaining all the houses in the valley onto one another, so that their individual resilience is meaningless if one or two of them are overwhelmed.

I will confine myself to the analogy that our technology is more than just triggers and bangs and buildings: it's millions of idiots with mechanical shovels, piling snow onto the sloping surfaces of our financial markets.

It is external and it's macro scale, not just an internal 'local' risk within an institution.

This is where the 'cyber' part moves over from the local regulation - no loud bangs, don't construct a dam there, check the building codes before you build a house up in the mountains - into macroeconomics: there is much more snow and it moves faster and it's on such a scale that we must model it as 'climate' rather than the weather of the day.

...And the code and infrastructure are ridiculously fragile.

Note, also, that I don't pick out 'security', in the narrow definition of our mitigating a malicious act: I refer to the general fragility of our source code and our electronic infrastructure. I saw some of that, up close and personal, when we recoded all the dates in banking systems in the nineties, and I can assure you that the comms and network code we're using now is even flakier.

Snow, and flaky, and the risk of avalanches work all too well as the analogy of choice here: and just as some technologists can only think of better snowshoes and a chalet built on stilts when they consider risk and mountaineering, so too do some economists and authors of reports on 'cyber risk'.

fajensen • June 13, 2016 4:57 AM

Meh - "Systemic Risk" in finance is something that triggers a bailout; OK, so they think that "financial cyber risk" will not do it, they need some leverage ;-).

Now, what if some neo-liberal activist hackers manage to take down the "SNAP EBT System"?

It's not a "systemic risk" in the strictly financialized sense, but the food riots nevertheless might leave a lasting impression on our cities, and the taxpayers will have to pick up the bill for that mess too.

blake • June 13, 2016 11:32 AM

> financial risks are generally not systemic risks
> almost all cyber risk is microprudential

You only need one systemic risk to make it a systemic risk.

"It's never been a problem before, so why should it be considered a problem now?" This didn't work out so well as a data security policy for Ashley Madison, nor for the subprime mortgage market just prior to 2008.

Serious question: would the "financial system" be considered a harder or softer target than, say, an Iranian nuclear centrifuge?

Clive Robinson • June 13, 2016 1:43 PM

@ Blake,

    Serious question: would the "financial system" be considered a harder or softer target than, say, an Iranian nuclear centrifuge?

We already know the answer to that and the "financial system" is by far the juiciest of the lower hanging fruit. It was just blind luck that stopped a $billion taking a walk on the wild side the other day, not that a $billion getting stolen is likely to cause much of a raised eyebrow and certainly not any panic etc.

The centrifuges were, amongst other protections, not just isolated but "air-gapped"; a large part of the financial system is not even effectively isolated.

paul • June 13, 2016 5:05 PM

I think the point is well taken that most cybercriminals are after the money and not particularly well funded. They're parasites, and if the host gets sick or dies, so do they.

It would take a better-funded actor with a different agenda to do things like stealing publicly from multiple targets within a short time frame, so as to destroy confidence in key financial infrastructure (think what happens if transfer systems get shut down or stop being used). Or to start trading against revelation of large thefts or other threats. But as long as the gains from cybercrime are denominated in money, criminals are going to want to keep things stable.

blake • June 13, 2016 5:46 PM

@Clive

In agreement.

> .. not that a $billion getting stolen is likely to cause much of a raised eyebrow

Does anyone even know how big the dark pools are now? In total, I mean. Oh, "dark", right.

@paul

While I agree with your main sentiment, what if the total destruction of the financial system isn't deliberate? Malice vs incompetence again.

I don't think we've seen an Enron-size f*ckup with HFT yet, and I sure hope we don't; I just hope the people running it are doing enough to mitigate the risks. Ermm ... not that it worked out that way at Enron though ...


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.