Hackers Break Into Virginia Health Professions Database, Demand Ransom
Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted
records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the
return of the records.
Washington Post, May 4 2009
The financial services industry has undergone increasing consolidation in the last 30 years. An overwhelming percentage
of all business, in all products, is run by a handful of mega firms. At the same time, every aspect of business in the financial
services industry is now conducted electronically. No longer do you see elderly runners tottering down Wall Street with confirmations
and certified checks to be exchanged at the cage for corresponding settlement documents. From the submission of customer orders
on-line, through trading platforms and the clearance and settlement of securities transactions, to payments made by debit and
credit cards and automated clearinghouse (ACH) transactions such as the direct deposit of paychecks, every component of a transaction
in the financial services industry is linked through vast data and communication networks.
Electronic commerce has facilitated the burgeoning economy that we have experienced over the last 30 years, periodic crashes
notwithstanding, but the complete reliance on electronic record keeping and communications capability carries significant
risks for the individual commercial entity and for our national and global economic viability. Those risks stem from an
economy that, although composed of many and varied individual participants, is a system. While this has always, in a sense,
been true, the electronic and telecommunications connections between the participants have solidified the system, much as
links in a chain. And today the number of links in the chain is diminishing because of consolidation among the participants
and increasing automation efficiency. The interconnectedness and the small number of key players in the financial services
industry increase the risk of events that would cripple key nodes in the network. This could, as a consequence, impact the
entire system, causing economic blackouts with economic and political consequences. Fortunately, the system has spent a great
deal of time and effort on disaster recovery to avoid such events.
Our economic system is dominated by a small number of very big banks and investment firms. The disaster recovery rules
in the financial services industry (FINRA Rule Series 3500, etc.) focus on the preparedness of the individual financial entity
to respond to a variety of challenges: technology outage, communications outage, inaccessible buildings, pandemic preparedness,
etc. The next step is to elevate financial services industry disaster recovery preparedness to a more robust and systemic
level.
Disaster recovery for the financial community belongs next to national security in rigor and importance. The financial
community should continue to collectively leverage its individual disaster response capabilities to develop highly secure
message protocols, alternate data stores, and communications capabilities. Similarly, systemic end-to-end disaster recovery
testing, which exercises scenarios where key links in the chain are not functioning, should occur on a regular basis. If we
have learned anything from 9/11 from a disaster recovery perspective, it is that the piles of paper we have generated to
respond to business continuity mandates do not mean a whole lot if you have not thoroughly practiced the disaster response.
During 9/11, the firms that efficiently and effectively executed their plans did so as a result of planning and practice.
Recently, we have seen how economic events caused a cascading impact on every financial institution, not only nationally,
but also globally and in every obscure economic nook and cranny of the planet. Similarly, thorough emergency management
planning and disaster recovery planning softens the impact of continent-wide or global events.
We have only to recall the recent announcement by the Federal Government that foreign governments have planted code
moles in our electronic grid to realize that piracy is taking on a new form in the 21st century. Although the grid mole is
a very clever tactic, since the grid sits at the top of the automated food chain (no power, no data, no commerce), it is
indicative of the kinds of incursions we need to plan for broadly in the future.