By Massimo Ortolani

    A financial economist's thinking on how to counter cyber-crime inevitably focuses on how to reconcile institutional factors with the peculiarities of financial markets, with a view to outlining a new paradigm for countering and preventing the uneven impacts of this crime.


    This is because recent findings, largely supported by academic research and reliable investigative work (N1), broadly support the idea that efforts to counter cyber-crime will still have to rely on technology-driven toolkits and on the implementation of compliance requirements.

    As I remarked at a recent roundtable discussion on cybersecurity organized by "The Information Security Institute," a global skills hub created in 2015 by a network of partners from Ukraine, the United States, Italy, Germany and Belgium, at this early stage of analysis and discussion it seems highly advisable to stick to a few indisputable basic criteria:

    - Avoid imagining a "closed" system of regulatory guidance and risk assessment where human vulnerabilities are concerned, because the influences to which human behavior is now exposed are evolving rapidly, dominated as they are by the hard-to-predict effects of cyber influence operations in the many forms that media and infoware make available. In this regard, the results of the important Clusit survey (N1) on the cyber threat to the European financial sector affirm the need for solutions that can adapt quickly and automatically to an extremely changeable threat. Operationally, this means directing any action toward a convergence of solutions that already exist and have long been known, i.e., the adoption of threat intelligence feeds that allow defenses to be updated and adapted to changing threats hour by hour.

    - Looking more closely at the new, sophisticated applications of artificial intelligence, it should be emphasized that they can give those engaged in cyber defense only a temporary advantage: since they are almost always built on openly available AI systems, the same tools can be freely used for attack. How, then, to assess the role of cloud computing and artificial intelligence? Machine learning, for example, can be genuinely useful in catching anomalies with respect to each user's "characteristic" behavior or network traffic, taking on the burden of learning what is characteristic user by user. It is now possible to track these patterns on a user-by-user basis precisely because each user in an organization has a distinctive way of working that machine learning is able to delineate. Conversely, machine learning also allows attackers to gather information about targets and to train models that cause increasingly impactful consequences.
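    As an added example (not code from the article or from any product it mentions), here is a minimal version of the per-user baseline idea described above: each user's history yields a median and a median absolute deviation for two features, hour of day and bytes moved, and every new event is scored against that user's own profile rather than against the population. The log format, the user names and all events are constructed for illustration.

```python
"""Per-user behavioural baselines for anomaly detection (added example).

Not code from the article's author or from any named product. The log
format ("ISO-timestamp user action bytes") and all events are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed training history: eight events per user. alice works office
# hours and moves little data; bob runs evening batch exports and moves a lot.
BASELINE_LOG = """
2024-03-04T08:05:00 alice download 1200
2024-03-05T09:10:00 alice download 1500
2024-03-06T08:45:00 alice download 1100
2024-03-07T10:20:00 alice download 1800
2024-03-08T09:30:00 alice download 1400
2024-03-11T09:15:00 alice download 1600
2024-03-12T08:50:00 alice download 1300
2024-03-13T10:05:00 alice download 1700
2024-03-04T21:00:00 bob download 60000
2024-03-05T22:10:00 bob download 75000
2024-03-06T20:30:00 bob download 55000
2024-03-07T23:05:00 bob download 80000
2024-03-08T22:40:00 bob download 70000
2024-03-11T21:20:00 bob download 65000
2024-03-12T22:15:00 bob download 72000
2024-03-13T20:50:00 bob download 58000
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Smallest spread assumed per feature, so a perfectly regular user (MAD == 0)
# does not turn a one-hour shift into an infinite score.
SCALE_FLOOR = {"hour": 1.0, "bytes": 100.0}


def parse_events(log):
    """Parse log lines into feature dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, nbytes = m.groups()
        # Hour of day is treated linearly (no wrap at midnight). Fine for the
        # daytime/evening profiles here; production code needs a circular distance.
        hour = datetime.fromisoformat(ts).hour
        events.append({"user": user, "action": action,
                       "hour": float(hour), "bytes": float(nbytes)})
    return events


def mad(values):
    """Median absolute deviation: a spread estimate a few outliers barely move."""
    med = statistics.median(values)
    return statistics.median(abs(v - med) for v in values)


def build_baselines(events):
    """One (median, scale) pair per feature, per user, plus the history size."""
    per_user = defaultdict(lambda: defaultdict(list))
    for e in events:
        for feat in SCALE_FLOOR:
            per_user[e["user"]][feat].append(e[feat])
    baselines = {}
    for user, feats in per_user.items():
        baselines[user] = {"n": len(feats["hour"])}
        for feat, vals in feats.items():
            baselines[user][f"{feat}_median"] = statistics.median(vals)
            baselines[user][f"{feat}_scale"] = max(mad(vals), SCALE_FLOOR[feat])
    return baselines


def robust_z(value, median, scale):
    """Modified z-score; 0.6745 puts MAD on the footing of a standard deviation."""
    return 0.6745 * (value - median) / scale


def score_event(event, baselines, threshold=3.5, min_history=5):
    """Score one event against its own user's baseline.

    A user with too little history is reported as such, not flagged: an empty
    baseline must never be mistaken for a clean one.
    """
    b = baselines.get(event["user"])
    if b is None or b["n"] < min_history:
        return {"user": event["user"], "flagged": False,
                "insufficient_history": True, "scores": {}, "reasons": []}
    scores = {feat: robust_z(event[feat], b[f"{feat}_median"], b[f"{feat}_scale"])
              for feat in SCALE_FLOOR}
    reasons = [feat for feat, z in scores.items() if abs(z) > threshold]
    return {"user": event["user"], "flagged": bool(reasons),
            "insufficient_history": False, "scores": scores, "reasons": reasons}


if __name__ == "__main__":
    baselines = build_baselines(parse_events(BASELINE_LOG))
    # Constructed new events: the first is routine for bob but not for alice.
    for e in parse_events("""
        2024-03-14T23:00:00 alice download 65000
        2024-03-14T23:00:00 bob download 65000
        2024-03-14T12:00:00 carol download 2000
    """):
        r = score_event(e, baselines)
        print(f"{e['user']:6} flagged={r['flagged']} reasons={r['reasons']} "
              f"insufficient_history={r['insufficient_history']}")
```

    The point of the example is the first new event: 65,000 bytes at 23:00 is routine for bob and far outside alice's profile, so the very same event is flagged or not depending on whose baseline it is scored against, which is what "characteristic user by user" means in practice. The two caveats the code states in comments matter for deployment: a user with too little history is reported rather than treated as clean, and hour of day is handled linearly, so a real model needs a circular distance around midnight.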

    That said, in outlining the potential and capabilities of a new paradigm for a cyber-defense system, two coexisting but operationally distinct objectives must be considered and kept apart: prevention, focused fundamentally on human vulnerabilities, and resilience, focused predominantly on the sophistication of technological tools.

    From the perspective of risk analysis, a holistic approach seems appropriate: one that considers reputational risks on the one hand and legal and operational risks on the other. This includes the current and future legal implications of information theft for all stakeholders of a financial entity (customers, shareholders, suppliers, etc.). On the prevention of data theft, it should be noted, for example, that some Italian public administrations have not yet decided whether or not to move their data to the cloud. Finally, there remains the delicate question of assessing under what conditions damaging word of mouth on social media, concentrated over time through the use of bots, can be considered a reputational threat to banking entities with undisclosed weaknesses.

    At the microeconomic level, and from the perspective of how cyber defenses must grow more sophisticated over time, it is also necessary to analyze the very different characteristics (i.e., business models) of a bank operating in traditional retail and a challenger bank that offers exclusively digital services. This sectoral and microeconomic aspect becomes particularly relevant for financial entities operating in the cryptocurrency sector, or when considering the differing institutional missions of an investment bank, a financial holding company, and so on.

    A final important point concerns how to optimize threat prevention over time, because, as the experience of recent years shows, threats are increasingly shaped by geopolitical or geo-economic tensions. In this regard we consider the four well-known categories: traditional cyber-crime, hacktivism, espionage, and sabotage. Especially today, with a war between two nations that also involves geopolitically and geo-economically large groups of other countries, a defense against the cyber threat should be vigilant and immediately responsive to the fact that the historical probability of each of these four forms of attack can change very rapidly, in relation to a war that is clearly also a hybrid war.

    With regard to institutional factors, it must be considered that the EU NIS Directive (Directive (EU) 2016/1148 on security of network and information systems) made mandatory the measures needed to raise, across the European Union, the level of security of the networks and systems of Essential Service Operators and Digital Service Providers. Under this "first NIS" directive, transposed by member states in 2018, seven strategic sectors were identified for Essential Service Operators (ESOs): energy, transport, banking, financial market infrastructure, healthcare, drinking water supply and distribution, and digital infrastructure.

    The NIS 2 Directive (Directive (EU) 2022/2555) stipulates that it is the "management bodies" of the entities concerned that approve the cybersecurity risk-management measures and oversee their implementation. In addition, these entities are obliged to notify the competent authority without undue delay of any incident that significantly impacts the provision of their services. From this it can be deduced that an inadequate cyber-defense apparatus in a country could be the source of impacts of macroeconomic significance, which could in turn negatively affect the country's financial risk rating.

    Needless to say, the banking sector is also closely supervised by regulators with regard to the security of IT systems. As an example of the broad economic implications that a well-structured IT system would have to meet if required by regulators, consider that the U.S. SEC, citing the increased frequency and sophistication of cyber attacks, is about to propose enhanced cybersecurity risk management to protect "both markets and investors." (N2) For the same reasons, a closely related sector such as shadow banking must be considered an even more difficult area in which cyber threats can originate.

    Author: Massimo Ortolani, lecturer, economist and international consultant; advises on risks and opportunities arising from cross-border investment and exports, assesses geo-economic risks, and trains coaches on appropriate techniques and tools to mitigate these risks.
