Hackers Break Into Virginia Health Professions Database, Demand Ransom

 

Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records.

 

Washington Post, May 4 2009

 

 

The financial services industry has undergone increasing consolidation in the last 30 years. An overwhelming percentage of all business, in all products, is run by handful of mega firms. At the same time, every aspect of business in the financial services industry is now conducted electronically. No longer do you see elderly runners tottering down Wall Street with confirmations and certified checks to be exchanged at the cage for corresponding settlement documents. From the submission of customer orders on-line, trading platforms, clearance and settlement of securities transactions, in addition to payments made by debit and credit cards and automated clearinghouse (ACH) transactions, such as the direct deposit of paychecks, every component of transactions in the financial services industry is linked through vast data and communication networks.

 

Electronic commerce has facilitated the burgeoning economy that we have experienced over the last 30 years  -- periodic crashes, not withstanding --- the complete reliance on electronic record keeping and communications capability has significant risks to the individual commercial entity and to our national and global economic viability. Those risks stem from an economy that, although composed of many and varied individual participants, is a system. While this has always, in a sense, been true, the electronic and telecommunications connections between the participants have solidified the system, much as links in a chain. And today the number of links in the chain is diminishing because of consolidation among the participants and increasing automation efficiency. The interconnectedness and the small number of key players in the financial services industry increase the risk of events, which would cripple key nodes in the network. This could, as a consequence, impact the entire system causing economic blackouts, which would have economic and political consequences. Fortunately, the system has spent a great deal of time on effort on disaster recovery to avoid such events.

  

Our economic system is dominated by a small number of very big banks and investment firms. The disaster recovery rules in the financial services industry (FINRA Rule Series 3500 etc) focus on the preparedness of the individual financial entity to respond to a variety of challenges: technology outage, communications outage, building inaccessible, pandemic preparedness etc. The next step is to elevate financial services industry disaster recovery preparedness to a more robust and systemic level.

 

Disaster Recovery for the financial community belongs next to national security in rigor and importance. The financial community should continue to collectively leverage their individual disaster response capabilities to develop highly secure message protocols, alternate data stores, and communications capabilities. Similarly, systemic end-to-end disaster recovery testing, which exercises scenarios where key links in the chain are not functioning, should occur on a regular basis.  If we have learned anything from 9/11 from a disaster recovery perspective, it is that the piles of paper that we have generated to respond to business continuity mandates do not mean a whole lot if you have not thoroughly practiced the disaster response.  During 9/11, the firms that efficiently and effectively executed their plans did so as a result of planning and practice.

 

Recently, we have seen how economic events caused a cascading impact on every financial institution, not only nationally, but also globally and in every obscure economic nook and cranny of the planet.  Similarly, thorough emergency management planning and disaster recovery planning softens the impact of continent or global-wide events.

 

We have only to recall the recent announcement by the Federal Government that foreign governments have planted code moles in our electronic grid to realize that piracy is taking in a new form in the 21^st century. Although, the grid mole is a very clever tactic, as this is the top of the automated food chain i.e. no power, no data, no commerce, it is indicative of the kinds of incursions we need to broadly plan for in the future.