The cybersecurity panel, obligatory at every big fintech event, is usually a yawner. The topic makes for dull reporting as well, because nobody on stage says anything interesting.
Yes, we hear about the latest headline-grabbing exploit, or hear the latest multi-billion sum that this is costing the industry. But really, wouldn’t you rather just talk about A.I. or crypto or the latest financial-inclusion story?
Because, let’s face it, we’ve heard the scary warnings. We’ve sat through the same metronomic talking points and the sob stories about the lady in procurement who clicked on an innocent-looking email link. And we know big banks are spending a zillion bucks on something called “cybersecurity” or I.T. infrastructure or business recovery systems.
It’s the nature of the business, both tech and finance, to yawn at these things. They are costs. Nobody wants to deal with this crap. And while the message is – yes, absolutely, very – important, the attention and the budgets go to chasing “customer experience” and meeting dopamine-driven instant gratification. That’s what wins eyeballs and makes money.
Ringing the alarm
Someone finally produced an account of what’s actually going on in cyber, one that’s well researched, unfolds like an action movie, and is genuinely scary as hell.
This Is How They Tell Me the World Ends by New York Times reporter Nicole Perlroth is that account. (Bloomsbury Publishing, London, 2021; the book was just named the Financial Times’s business book of the year.)
Perlroth dives into the world of zero-day exploits and the governments, tech companies, and shadowy brokers that deal in them. They usually don’t talk to her either. (Her tales of journalistic humiliation, such as the conference where she was made to wear a fat green glowstick around her neck so everyone knew she was toxic, are both funny and painfully familiar to DigFin.)
But over time she learns the beat, figures out who will talk, and eventually people come to her with intel. Perlroth remains frustrated by the opacity of the trade in exploits against vital technology, but she has amassed enough of the story to lay out a clear and frightening argument.
The most valuable exploits target zero-days (often pronounced “oh-days”, she tells us). These are bugs and vulnerabilities that the vendor, a Microsoft or an Apple, doesn’t know exist, and so hasn’t patched. Anyone holding such a bug has a way in that no patch or signature yet blocks, and the vendor has had zero days to fix it, hence the name.
Some zero-days are insubstantial, and might let a low-grade hacker deface a website. Others let hostile governments lurk “at the metal”, deep in the physical microprocessors of a device, and steal or monitor data. An iOS zero-day can fetch millions of dollars, and it’s not just criminals or North Koreans in the market. The U.S. National Security Agency, Britain’s GCHQ, and others are also big buyers.
The NSA probably did more than any other agency to create this market. It wants to keep the zero-days it buys and finds to itself, rather than report them to vendors, so it can break into Gmail accounts and iPhones to spy. The NSA also developed the world’s most sophisticated zero-day exploits, and for a time was unrivalled in cyber arms.
Until the summer of 2016, when a still-unidentified group calling itself the Shadow Brokers obtained the NSA’s exploit code and began releasing it to the world. This turbocharged Chinese, Russian, Saudi, Iranian, and criminal attacks on banks, nuclear power stations, media companies, hospitals – on everything.
The lesson for finance and tech is that the more we digitalize, the greater the exposure to hackers.
The United States is the most digitized country, and therefore the most vulnerable. Its own weapons are now being used against it. The Russians and others have the ability to turn off the lights, blow up power stations, steal secrets, and destroy information.
Presumably the U.S. has infiltrated its enemies as well. Perlroth recounts how the NSA broke into Huawei. American complaints against the Chinese tech company, however valid, tend to ignore this fact.
The U.S. (as far as we know) hasn’t gone on mass corporate stealing campaigns. Perlroth also details the U.S.’s attempt at internal controls and limits, scruples that rival states don’t exhibit. But there’s no “good guys versus bad guys” narrative here. We’re too far past that.
Stretching the surface area
DigFin writes about the rise of the internet economy in Asia and the vast opportunities this opens up for fintechs and for those banks nimble enough to cater to this growth. COVID and remote working – remote everything – is speeding this up.
But the more Asia digitizes, the more vulnerable its companies, governments, and individuals are to cyber attack.
One area she does not touch is blockchain, and whether decentralization offers meaningful protection. But cryptonados should be careful. It’s true that the base protocol of a widely distributed network like Bitcoin or Ethereum hasn’t been broken. But the exchanges, wallets and smart contracts built on top of them have been robbed repeatedly; stealing crypto has proven all too easy. Ransomware attackers, meanwhile, have been big fans of bitcoin.
The lesson is evergreen. Any business that rushes for growth – the “move fast and break things” ethos of Silicon Valley – is unlikely to pay attention to protecting infrastructure. The same is true of financial services, in which operations are a cost center.
Silicon Valley’s Big Tech companies were the same, until attacks forced the likes of Microsoft and Google to focus heavily on security. Microsoft, once a joke, has now earned the grudging respect of zero-day brokers.
While Perlroth is convinced we’re on the cusp of experiencing The Big One, the hack that brings down civilization, she doesn’t suggest people just give up.
On the contrary, she ends with a very short list of things companies and individuals can do: build security into code from the start rather than bolting it on, pay the developers and bug hunters who find and fix flaws in open-source software, require multifactor authentication on every device and service, and keep some critical processes (like elections) off the network altogether.
The best thing about Perlroth’s book is that it’s so damn readable. We’re not on airplanes much these days but this reads like an airport novel. For anyone who follows the news, a lot of her account will be familiar, like the 2017 NotPetya attack that shut down Maersk, among many other organizations. Perlroth connects the dots.