Western investors have largely shrugged off the military conflict in Ukraine, pushing global markets higher. But, deep inside some financial institutions and intelligence services, a debate is bubbling that investors should watch. This revolves not around boots and tanks but the cyber world.
A couple of weeks ago JPMorgan Chase disclosed that it had been the victim of a big cyber attack, and was now co-operating with US government agencies over this (presumed to include the Federal Bureau of Investigation, the Central Intelligence Agency and the National Security Agency).
The details of the incident are mysterious and JPMorgan has refused to elaborate in public. But it appears the attacks emanated from Russia, that they were exceptionally sophisticated and that they affected other institutions, too. And they have consequently left executives in London and New York asking: could the next phase in the Ukrainian conflict be a wave of cyber attacks on western finance – either to retaliate against sanctions or to spark fear?
In some senses, such concerns are not new. Western corporations have faced escalating cyber assaults in recent years: last year, for example, Jamie Dimon, JPMorgan chief executive, revealed the bank was experiencing “tens of thousands” of attacks each day. Though many seem to come from China, others come from criminal networks in Russia, the only country considered to have cyber capabilities equal to those of America.
Cyber experts now fear the combination of incentives and skill behind such attacks could shift. To date they have taken (modest) comfort from the fact that the truly malicious attacks against western financial groups – or those aimed at causing lasting damage or panic by sparking a market crash – seem to have come from groups without highly sophisticated capabilities. Islamic terrorist groups, for example, grab headlines but they have not yet brought down an exchange.
Meanwhile, the really sophisticated cyber attacks on western financial groups have hitherto emanated from groups or states that “only” want to steal intelligence or money, not destroy entire systems or even reveal themselves. After all, Russian oligarchs and Chinese officials have money in western banks and markets so it is presumed they want to keep them intact.
But in some financial groups and intelligence forums, the big question is what might happen if Russian hackers (or any that are similarly sophisticated) ever stop feeling they have a stake in global finance or a shared interest in maintaining market stability. “It’s a huge concern,” one New York-based chief executive says.
Right now, there is little evidence that any such shift has occurred. And the Financial Services Information Sharing and Analysis Center, an industry body recently created by the banks to discuss cyber attacks, last week pointedly told its members there was no need to panic. It sent an email insisting that, notwithstanding the JPMorgan incident, nothing significant had changed in the cyber landscape.
But some western public and private sector groups are quietly stepping up their defences. Nato announced last week that it had decided for the first time to classify a cyber attack as the type of event that could trigger a joint alliance response.
The US Securities and Exchange Commission is implementing a system to examine financial firms’ cyber defences. And the big banks and exchanges are increasingly trying to share information with each other and the government via the FS-ISAC.
In many respects, this is good news: until recently, the level of collaboration between the public and private sector in America was woefully low, compared with places such as Australia.
But these steps are still far from comprehensive, let alone foolproof. In particular, the asset management world lags well behind the banks and exchanges. This sector is “just not as involved because it is so fragmented – you have billion-dollar hedge funds that don’t even know what the FS-ISAC is”, observes Eldon Sprickerhoff, co-founder of eSentire, an advisory group.
Until recently, many experts presumed that the main focus of a malicious cyber attack would be an exchange or a bank. But if there is one thing that a decade of geopolitical turbulence has shown, it is that shocks have a nasty habit of coming from unwatched places. And if there was an attack on, say, money market funds, this could have wide repercussions.
The real message from the JPMorgan rumours, then, is that western governments need to keep up the pressure on financial companies to improve their cyber defence plans across the industry and to provide tangible assistance.
And, of course, keep hoping that geopolitical tensions do not escalate or move from the old-fashioned real world into cyber space.