Via Scotiabank's Guy Haselmann,
The Invisible Enemy
Earlier this month President Obama declared foreign cyber-threats a “national emergency”. During the State of the Union address, he said that “if the US government does not improve cyber defenses, we leave our nation and our economy vulnerable”. This past weekend the TV program 60 Minutes ran a special on cyber security, particularly pertaining to the importance of our nation’s satellite systems.
In the April issue of CIO Magazine, the President and CEO of IDG Communications wrote an article about cybersecurity, stating “significant data breaches at Anthem, Sony, Home Depot, eBay, JPMorgan Chase, Target and many more have caused headline-grabbing business upheavals that worry customers, affect profit margins, and derail corporate careers”. It seems there are now daily news articles about sinister cyber-activity.
Cyber-threats or crimes can be orchestrated in various ways. Targets can be aimed at critical infrastructure, manufacturing, power grids, or water supplies. They could be aimed at disrupting the availability of websites and networks, or at stealing trade secrets and financial information. Others could be driven by espionage, vandalism, terrorism, sabotage, or any form of criminality. Activities of the US and British governments have focused on surveillance and hacking of telecommunications.
It is difficult to fight cyber-activity, because the enemy is often invisible and their home address typically unclear. Building defenses are challenging while continuous ‘patchwork’ is a deficient solution. Threats morph and change quickly. For corporations many threats are internal and could come from rogue employees or from senior managers with weak passwords who have access to sensitive files. Some companies are now even looking into having retaliatory capabilities.
Warfare today (and in the future) is (and will be) fought differently. In the 1950’s with the creation of more destructive bombs and weaponry, the idea was ‘Mutually Assured Destruction’ (MAD). The movie War Games helped us learn that there are no winners. The warfare ideology today is ‘Multilateral Unconstrained Disruption’ (MUD). This unrestrictive warfare is meant to disrupt societal functioning; to ‘poison’ information to elevate distrust of all computer information.
Cyber-activity is the new ‘cold war’. Here are some random facts.
- 95% of all computers are non-governmental.
- It is estimated that 40% of all computers are run by pirated copies, and 17% run no antivirus protection.
- There are over 6 million known unique Malware viruses.
- According to a Mandiant report, attackers had free range in a breached system for a median of 205 days in 2014 and 69% of breaches where learned from an outside entity.
The scariest fact I learned in reading up on this topic is that 100% of all microprocessors and chips are produced overseas. In other words, it is hard to be certain what is really on them. Like the Stuxnet virus, computers can have a ‘zero-day’ where they are taught to do the wrong thing.
KCS Group, one of the world’s leading strategic intelligence and risk companies, reports a significant increase in cyber-attacks from Iran directed against Saudi Arabia and the US. The combination of Saudi policies (Yemen), the general rise in Middle East tensions, and the Stuxnet attack on Iran nuclear facilities are all likely motivations. The virus that infected Saudi state oil company Aramco’s IT system in 2012, for example, erased data on three-quarters of their PC’s, and replaced emails and documents with an image of the US flag in flames.
There is a positive correlation between cyber-attacks and the rise of geopolitical tensions. Pricing these heightened risks into markets however is impossible. ‘Event risk’ always exists, but handicapping it appropriately is a futile exercise. Markets participants do not try, because of improvements in data mining and due to the speed of news when there is something concrete to react to.
- In a similar manner, markets are not reacting to the threats or rumors of a Greece default or a Fed rate hike, because those threats have been delayed time and time again. Markets have learned to react only to concrete news.
At this point, you might be wondering why I bothered writing this note and how can these factors can help in terms of financial risk management. Well, I believe good traders, portfolio managers, and business managers should try to think through every conceivable contingency. In doing so ahead of time, managers should have a better handle on how to proceed should one of these events occur. They will be two steps ahead.
It might be helpful to analyze what happened to the stock prices of the companies mentioned above when they were hacked. How deeply were the firms impacted? How long did the impacts last? Some may have ultimately been left stronger as weaknesses were exposed and then stronger processes implemented. Oil traders should know if oil prices were affected by the Aramco attack?
Game plans are not just applicable to portfolio exposures, but directly to individuals personally. Corporate managers should have a plan B, contingency plans, and a disaster recovery site. I heard Jamie Dimon of JPM say at a conference that his firm is doubling the amount they spend on computer security in 2015 to $1.2 billion.
On June 5 in New York City, I am attending the Information Security Summit to hear more from industry experts in this area. Simply waiting for an event to react to may be too costly. I hope to obtain some suggestions for being proactive. The experts may even have some good suggestions for preventative medicine. At a minimum, I recommend that you encourage your firm’s Chief Security Officer to attend. Welcome to 2015.
“Never trust a computer you can’t throw out a window.” – Steve Wozniak