The power and ubiquity behind spyware
The US administration – along with governments of other countries – has
been using ever more sophisticated methods of data analysis, designed to
defend and protect its interests and those of its citizens against
foreign cyber attacks and other threats. At least this was the official
story, until Edward Snowden, a former US National Security Agency (NSA)
contractor, made public a significant volume of hitherto secret
intelligence files last month. Mr Snowden’s stunning exposure of US
government documents painted a rather different picture of US cyber
activity on a global scale, including clandestine surveillance, data and
software hijacking as well as aggressive attacks on other states, their
critical infrastructure and their economic competitiveness, arguably
with the potential – in extremis – to bring down large parts of the
world economy. It is likely that few in the international banking
industry are prepared for such an outcome.
Non-American IT professionals have long suspected that US government agencies had a
healthy disregard for their rights to privacy. Mr Snowden has given the
world a wake-up call in this respect. The USA’s various three-letter
agencies (FBI, CIA, NSA, DIA) and the UK’s GCHQ, as well as agencies in
Argentina, Brazil, Canada, France, Germany, Italy, Spain, even New
Zealand and Australia have all shown more than a healthy interest in
Swiss private banks. Mr Snowden confirmed that, since 1999, many US
government agencies have been able to penetrate all Microsoft operating
systems. The NSA’s ‘Prism’ surveillance project is alleged by Mr Snowden
to have been operational since 2006.
Up to now, Prism’s main interest has been to tap into data from network switches, or fibre-optic
cables, rather than to attack individual computers directly. It appears
that the agencies concerned decided it was more expedient to collect
data at the network level, taking all they could obtain from firms such
as Microsoft, Facebook, Verizon, AT&T, Google, Twitter, Apple,
Oracle, Yahoo and Skype (now owned by Microsoft). According to Mr
Snowden, the CEOs of many of these organisations have been actively
collaborating with the US administration for some time.
The US administration has set its sights on the Swiss private banking sector,
with some significant punitive action, such as the US Internal Revenue
Service (IRS) awarding Bradley Birkenfeld $104 million for outing those
American clients of UBS who were tax cheats, as well as the Department
of Justice’s legal pursuit of Wegelin & Cie, Switzerland’s oldest
bank, causing it to close its doors after more than 200 years. At least
13 other banks are in the firing line.
Mr Snowden has alleged that these initiatives were apparently just the tip of an iceberg, as
reported on 10th June 2013 in The Guardian, a UK newspaper, where he
describes the entrapment of a Swiss banker in Geneva. The value of
catching some rich tax evaders is nothing when compared to the value of
the proceeds of corporate espionage. Most of the data intercepts have
been tracked back to countries that are economic competitors to the US,
such as China, Germany and India, in high margin industries like
banking, aviation, IT, media and pharmaceuticals. It is conceivable that
any private banker working with clients even remotely connected with
these industries risks harassment, interference, eventually blackmail
(such as in Snowden's example of a certain banker in Geneva), not to
mention poaching of clients and employees by competitors.
Another problem is that over-collection of this data has led to false
positives, such as the UK case of David Mery reported in The Guardian on
22nd September 2005. Despite all charges being dropped against Mr Mery
that year, apparently he is still on file as a potential terrorist and
can no longer obtain a travel visa.
The back-doors to the various
operating systems used in the financial services sector enable the use
of key logging, programmed trade front-running, the planting of false
evidence and other nefarious acts. Other parts of government and
regulatory machinery appear to be unfit for purpose in providing the
checks and balances one would expect from an effective administration.
For example, there still has been no adequate explanation for the massive
spike in put and call options in relevant listed companies prior to
September 11th, 2001. According to 911research, a website established to
collate information about the terrorist attack on the World Trade
Center in New York on 11th September 2001, a significant number of
industry professionals were “deputized” by the US authorities to snuff
out any form of disclosure. In other words, they are unable to speak
about what they know, as they now represent the US government.
What is clear is that a certain privileged group made a proverbial killing (see
“The impact of terrorism on financial markets: An empirical study”, by
Marc Chesney, Ganna Reshetar and Mustafa Karaman, Journal of Banking
& Finance – vol. 35, no. 2, pp. 253-267, 2011). The SEC has so far
done little, despite records that show trading volumes increasing by an
unusually large margin. In the case of the NSA and the Foreign
Intelligence Surveillance Court (FISA), for the last three years, these
organisations have approved all government surveillance requests,
excluding four that were withdrawn.
Open democracies or Big Brother states? The answer seems clear
The laws passed since 2001 allow the US government to enter a US citizen’s
home with a secret warrant (FISA under the Patriot Act), imprison the
citizen indefinitely at a secret location, try the individual with
secret evidence (again FISA and the Patriot Act) and – just in case
these powers over a US citizen were not enough – revoke
US citizenship as a suspected terrorist. With this in mind, how fairly
can non-US citizens expect to be treated?
It is fair to assume that traffic analysis from the collected meta-data could expose even
judges and journalists, let alone bankers and their clients. This means
the Swiss banking industry should not assume that even a legal solution
is going to be possible. Perhaps banks in other jurisdictions need to
consider what steps they need to take to protect themselves, their
employees and clients.
Recent reports have shown that surveillance programs have regularly been abused. As well as the
much-publicised News of the World phone hacking scandal in the UK,
Rupert Murdoch’s news empire has also been accused of acting as a global
extension of the Israeli secret service programs for intelligence
gathering, propaganda and political infiltration. Evidently, Murdoch’s
news organization was not simply limited to spying on celebrities. In
the aftermath it has emerged that the initial Scotland Yard
investigators of News Corporation were also bribed, according to reports
in The Guardian.
Other alleged examples of the exploitation of
software ‘back doors’ include the listening in on the Greek prime
minister in 2005, during the preparation of the Olympic bid and the
breach of Google's Gmail by Chinese hackers to unmask political
dissidents.
Perhaps the best example of illicit corporate surveillance was Nokia,
whose mobile browser decrypted all encrypted traffic from its handsets’
browsers. Nokia diverted all traffic from its handsets through its own
servers, decrypted the encrypted traffic and re-encrypted it before
passing it on, issuing HTTPS certificates on the fly that the Nokia phone
had been instructed to trust as secure. Deliberate or not, Nokia betrayed
its financial services industry customers, amongst others, by
specifically designing its phones to enable full, unencrypted access to
users’ browsing activity without their knowledge. Nokia was forced to
push out a patch to close the vulnerability, but could just as easily
create another one if it wanted to.
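The Nokia case works because the handset was told to trust the certificate authority that minted the on-the-fly certificates, so ordinary chain validation passes. The defence a banking app can add on top of chain validation is public-key pinning: the app ships the SHA-256 hash of the bank server’s SubjectPublicKeyInfo and refuses any certificate whose key hash differs, whoever issued it. The Python below is an added example, not code from the article or from Nokia; it uses only the standard library, carries its own minimal DER walker, and builds two constructed, unsigned stand-in certificates (one "genuine", one re-issued for the same host name by a hypothetical proxy CA) so that it runs offline. Names such as `online.examplebank.test` and `Handset Vendor Proxy CA` are invented for the example.

```python
import base64
import hashlib

# --- Minimal DER helpers: just enough to build and walk an X.509 certificate ---
SEQUENCE, INTEGER, BIT_STRING, OID, UTF8STRING, UTCTIME, SET = 0x30, 0x02, 0x03, 0x06, 0x0C, 0x17, 0x31

def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (tag, length, value), using long-form length above 127 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content

def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV starting at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        nb = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def der_children(content: bytes):
    """Split a constructed element's content into (tag, body, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = der_read(content, pos)
        out.append((tag, body, der_encode(tag, body)))
        pos = end
    return out

# --- The pinning check itself ---
def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the raw DER of the certificate's SubjectPublicKeyInfo field."""
    tag, cert_body, _ = der_read(cert_der)
    assert tag == SEQUENCE, "not a DER SEQUENCE"
    tbs_body = der_children(cert_body)[0][1]          # TBSCertificate is the first child
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def spki_pin(cert_der: bytes) -> str:
    """Base64(SHA-256(SubjectPublicKeyInfo)): the value an app would ship as its pin."""
    return base64.b64encode(hashlib.sha256(subject_public_key_info(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """True only if the presented certificate carries one of the pinned public keys."""
    return spki_pin(cert_der) in pinned

# --- Constructed stand-in certificates (layout only; no real keys or signatures) ---
def _name(common_name: str) -> bytes:
    cn_oid = der_encode(OID, bytes([0x55, 0x04, 0x03]))                      # id-at-commonName 2.5.4.3
    atv = der_encode(SEQUENCE, cn_oid + der_encode(UTF8STRING, common_name.encode()))
    return der_encode(SEQUENCE, der_encode(SET, atv))

def _spki(key_bytes: bytes) -> bytes:
    alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")  # rsaEncryption
    return der_encode(SEQUENCE, alg + der_encode(BIT_STRING, b"\x00" + key_bytes))

def build_fake_cert(subject_cn: str, issuer_cn: str, key_bytes: bytes) -> bytes:
    """Constructed X.509-shaped certificate for the example; the signature is a zero placeholder."""
    sig_alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSA
    validity = der_encode(SEQUENCE, der_encode(UTCTIME, b"130101000000Z") + der_encode(UTCTIME, b"140101000000Z"))
    tbs = der_encode(SEQUENCE,
                     der_encode(0xA0, der_encode(INTEGER, b"\x02"))            # version v3
                     + der_encode(INTEGER, b"\x01")                            # serialNumber
                     + sig_alg + _name(issuer_cn) + validity + _name(subject_cn) + _spki(key_bytes))
    return der_encode(SEQUENCE, tbs + sig_alg + der_encode(BIT_STRING, b"\x00" + b"\x00" * 32))

BANK_KEY = bytes(range(1, 65))           # constructed stand-in for the bank server's public key bytes
PROXY_KEY = bytes(range(64, 0, -1))      # constructed stand-in for the interception proxy's key bytes

GENUINE_CERT = build_fake_cert("online.examplebank.test", "Example Public CA", BANK_KEY)
# The proxy re-issues a certificate for the same host name under a CA the handset was told to trust.
PROXY_CERT = build_fake_cert("online.examplebank.test", "Handset Vendor Proxy CA", PROXY_KEY)

PINNED = {spki_pin(GENUINE_CERT)}        # shipped inside the bank's app, independent of any CA store

def check_connection(cert_der: bytes) -> str:
    """Decision the app takes after normal chain validation has already passed."""
    if pin_matches(cert_der, PINNED):
        return "accept"
    return "reject: server key does not match pinned key (possible interception)"

if __name__ == "__main__":
    print("genuine:", check_connection(GENUINE_CERT))
    print("proxy:  ", check_connection(PROXY_CERT))
```

The pin is computed over the public key alone, so renewing the certificate with the same key, or changing the issuer, does not break it, whereas any on-the-fly certificate necessarily carries the interceptor’s key and fails. The DER walker here does not verify signatures or validity dates; in a real app the pin check sits alongside, not instead of, the platform’s normal certificate validation.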
Official information regarding the US-based Prism
program is dubious. In effect, James Clapper, director of US National
Intelligence appears to have perjured himself, by admitting that he gave
an ‘erroneous’ answer to the congressional committees that were
supposed to be overseeing him. This is not the first time that officials
have been caught out lying in public, nor is it likely to be the last.
What we can be fairly certain about regarding intelligence information
is that whatever is disclosed will be the strict minimum and likely to
be slanted to reflect the current administration's policies.
It appears that the current US military, led by General Keith Alexander as
head of the NSA and Cyber Command, want to do more than passive
eavesdropping. According to Mr Snowden, these agencies are penetrating
and damaging foreign networks, both for espionage purposes and to ready
them for cyber attack, if required. Apparently, the US (and possibly
governments of other countries) has already created custom-designed
Internet weapons, pre-targeted and ready to be "fired" against some
piece of another country's electronic infrastructure on a moment's
notice. These include the Flame super-virus, which was uncovered last
year (to spy on PDF files) and – allegedly – Stuxnet, which was deployed
in Iran to destroy centrifuges (see
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet for
details). This led to considerable additional collateral damage in Iran.
A similar malware called Gauss targeted Lebanese banks, including Bank
of Beirut, Byblos Bank and Fransabank, according to Kaspersky Lab, a
Moscow-based security firm. There is still some speculation as to what
Gauss’s purpose was. What is certain is that other people will take
these examples and copy them.
The sophistication and complexity
of these forms of malware is frighteningly impressive and opinion is
united in pointing to state sponsorship. The message from Mr Snowden is
that these illicit practices are set to continue, unless they can be
held in check.
Unfortunately the victims of these attacks will not just be individuals or selected targets, but also proprietary
software suppliers and, ironically, American hardware and software
suppliers perhaps most of all. The revelations make clear that all the
hard work to stabilise the various operating platforms and the software
application stacks built on top of them by most businesses over the past
25 years or so is now completely compromised, as are most of the
network devices in use.
Can existing core banking systems really be secure?
The proprietary nature of most of the current software stack means that
there is no access to, nor oversight of the underlying source code, nor
to the compiler tools used to create the final binary programs that are
installed, where all sorts of malware can be intentionally hidden. There
are just not enough software experts to comb through all the coding in
the software being used today, to check for hidden malware in a
reasonable period of time.
The biggest core banking software providers, such as Temenos, Avaloq and Olympic are based in Switzerland,
regarded by many as possibly the safest jurisdiction world-wide in
terms of personal privacy. However, none of these firms have anywhere
close to the tens of thousands of people and $billions in government
funding available to General Alexander at the NSA and US Cyber Command.
The headcount at Cyber Command alone is set to increase five-fold,
following Pentagon approval in January this year, according to The
Washington Post, a US newspaper.
Until now in Switzerland, most banks have been working on their core banking systems individually, or –
rarely – in small groups, as with some Cantonal banks. Typically, the
hope has been that a bank will have a working application after
installation of a commercial package, with some period of parallel
testing and tweaking of parameters as required. Getting the application
into operation within a given deadline has almost always taken
precedence over any other issues. This means there is a lot of
bug-filled, inefficient code sitting in banks’ server rooms. Much of the
code in the last decade has been outsourced to various low wage
economies, which have cultures less inclined to balk at bribery (China,
India, Russia, Eastern Europe). This will almost certainly catch up with
the industry and bite bankers in the tail; we just do not know when, or
where.
Banks have relied upon vendor staff to create and
maintain the packages. The development costs of the solution were shared
amongst the buyers, who hoped to pay less than the total cost to write
and maintain specific subject applications in-house.
Naturally, vendors try to address the broadest possible requirements.
Unfortunately, not only does this accentuate the homogenisation of the
industry – a competitive nightmare – but it also means that individual
requirements still require custom modifications, which often
negates the labour displacement and cost savings.
The packages are most often sold without the source code, or developer documentation,
so the customer bank has no real way to audit the software package in
any depth, or to fix any defects, without going back to the vendor. The
buyers are at the mercy of the vendor, putting them at risk should the
vendor decide to discontinue the use of a particular package, or, worse
still, go out of business.
Buyers also have to struggle with incompatibility as in-house applications are mixed with different vendor
packages that may not be fully compatible. Several products may have
redundant functionality, or not handle certain functions at all as there
is no clear line of demarcation between all of them.
The business environment is changing faster than the programs that seek to
model it, meaning that the programs are a perpetual drag on corporate
performance. Core banking systems often take years to modify, or change.
Many of these projects have ended the careers of some otherwise
competent IT professionals.
The tendency to outsource has added
additional layers to the development process, creating additional
expense and delays. Worst of all, it has created inevitable conflicts of
interest.
The above security implications mean that, if there
are no major radical changes in the software stack being used, then
sooner rather than later, someone else could be eating bankers’ lunches.
The current proprietary model is open to abuse by corrupted employees,
competitors and government agencies, even more so when the applications
are outsourced.
What the banking industry needs is software, built on a free (as in
freedom) software platform, where the users and their representatives
can review, modify and share source code in the best interests of
transparency, security and maintaining customer goodwill.
New devices such as mobile phones and tablets in various formats are also giving a strong impetus to refresh the approach
to core banking applications. Many core banking systems have severe
problems when it comes to scalability and integration with other
software systems. Open standards and free software have a lot to offer
to help build a more robust and appropriate solution for the future.
What is free software?
Free software, as defined by the Free Software Foundation (
http://www.fsf.org/ ), is not about price; it is about users' freedom to
run software, to study and change a program in source code form, to
redistribute exact copies, to distribute modified versions. Free
software also implies free documentation. The freedom to modify is also
crucial for documenting free software. When people exercise their right
to modify the software, and add or change its features, if they are
conscientious they will also change the software manual, in order to
provide accurate and usable documentation for the program they have
modified.
Free software means the users (banks, in this case)
control the program. Otherwise, the program controls the users. There
are several million developers writing software today. There is a high
likelihood that the majority of what you want to write has already been
written by someone else. Black Duck Software, a Burlington,
Massachusetts, US-based provider of consulting and software for enabling
enterprise adoption of open source software (OSS), estimates there are
some 600,000 free or open source software projects in existence, with
some 20 billion lines of code available. This represents some 10 million
man-years of work
(http://devsbuild.it/files/PRE_andevcon_innovate-more-code-less.pdf). Free
software allows organisations to save time and investment through the
re-use of code.
Where is free software being used?
Free software has been at the heart of a lot of operating systems, such as
the GNU/Linux kernel, which has been in use at the London Stock Exchange
since February 2011. After its installation, trading times went from an
average of three to four milliseconds under Microsoft and Accenture's
supplied TradElect to 126 microseconds (i.e. around 30 times faster)
using Millennium IT’s Turquoise. Other stock exchanges that use
GNU/Linux include Deutsche Börse, the Tokyo Stock Exchange, NASDAQ,
India's National Exchange and the New York Stock Exchange.
Most readers are likely to have seen free software being used in an
opportunistic fashion, but what I will be proposing in this article is a
more systematic use, for more mission critical applications. Up to now,
the banking industry has been more concerned with time to market, lower
costs and quality, but the industry is now at a technological
crossroads and is facing a major shake up. The perceived threats are
potentially so great, that the private banking industry may have to set
out a new software policy that is capable of meeting the challenges of
the future.
Why free software for core banking?
Core banking systems have cost many millions of dollars to develop and
implement. They are also typically the longest lived software
applications in a bank. There is great reluctance to change these
systems for many well-founded reasons.
The ethics of banking and
the financial services industry more generally have often been
challenged, but the revelations since 2007 have given rise to more
scrutiny of professional practices than ever before. Arguably, we have
seen the disadvantages of historic (and often still current) business
practices being thrown into sharp relief. Proprietary software impedes
most people from looking at the source code, whilst users are unable to
contribute to make it faster and more secure, or to improve its
development. The financial services industry has been one of the largest
software consumers after government for the past forty years, but has
traded off essential freedoms for very little in return. IT purchasing
agents have rarely spoken about freedom, ethical issues, or
responsibilities. It is probable that most leaders of financial services
businesses have preferred to ignore these issues up to now, but recent
observations are bringing the industry to a pivotal inflection point,
not least because corporate reputations and the businesses behind them
are at risk.
Why a Free IT Foundation?
Finding competent people to produce the core banking application stack is still
a concern. There are not that many firms that can properly pull this
off. The fastest way seems to be a takeover by a consortium of banks
through a not-for-profit foundation to buy out one or more of their
banking software suppliers, change the software licenses to a free
source code license or re-implement the software under a free license. A
foundation aligns the banks’ interests to leverage their power and regain
competitiveness against those that have received unfair advantages.
Contributors to a free software project are able to capitalize their
investment and treat it as an asset, instead of expensing all their
expenditures (http://www.free-it-foundation.org).
Perhaps it is time to close some old windows and open some new doors.
Gerold Rupprecht is an independent IT specialist, based in Geneva.
After Edward Snowden…are core banking systems secure? by Gerold Rupprecht - geroldr(at)bluewin.ch - is licensed under a
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
All reproductions shall include the words "This article originally appeared on
www.thewealthnet.com".
Commercial copyright enquiries should be made to janderson(at)paminsight.com