Last week on May 6 Lorenzo Tan, President of the Philippines’ Rizal Commercial Banking Corp (RCBC) resigned in connection with the laundering of the funds when one of the biggest breaches of cyber security happened with funds of Bangladesh Central Bank siphoned off last February from the New York Federal Reserve. The news made headlines again on April 19 during a hearing in the Philippines Senate which led to a total $9.8 million of the stolen funds stolen from the US Fed was handed back to the Anti Money Laundering Council (AMLC) by businessman Kim Wong, involved in the cyber heist. Some of the missing funds could be traced to Eastern Hawaii Leisure Company Ltd., Midas Hotel and Casino, and Solaire Resort and Casino in the Philippines. Cyber thieves netted $81 million after executing a series of transactions via the NY Fed to accounts in Sri Lanka and Philippines. The attack was sophisticated, with the use of a “zero day”, i.e. a software vulnerability that is yet to be patched, making it easier for hackers to infect a targeted computer without the victim’s knowledge.
The reality is that connectivity is changing the way we work, socialize, create and share information, and organize ideas and things around the world. A study by McKinsey Institute in 2011 found that $8 trillion exchange hands each year through e-commerce. On an average, internet accounts 3.4 percent of GDP across the large economies that make up 70 percent of the global GDP. On the flip side, cybercrime is a big business with annual cost to global economy of more than $400 billion. The global communications network connects people and supply chains almost anywhere in the world. Criminals can access company systems from nearly any jurisdiction resulting in widespread exploitation of networks in an organized manner.
In 2013, $45 million were stolen within hours from ATMs after the perpetrators hacked into a database of prepaid debit cards. Prepaid MasterCard debit cards issued by banks in the United Arab Emirates and Oman were drained of cash in the hack. The hackers operated in cells, encoding magnetic stripe cards, such as gift cards, with the compromised debit card data. The subsequent release of PINs for hacked accounts triggered a coordinated, international cash out operation involving cash withdrawals from ATMs across the globe. Similarly, JPMorgan’s 2014 hack was tied to one of the largest cyber breaches ever. It was a vast, multi-year criminal enterprise centering on hacks of at least nine big financial and publishing firms and theft of information of 100 million of their customers that fueled a web of stock manipulation, credit-card fraud and illegal online casinos. Hackers in more than a dozen countries generated hundreds of millions of dollars on pump-and-dump stock schemes and online gambling.
Cyber security breaches are threatening not only financial data but also private data. The electoral database from the Philippines’ Commission on Elections was leaked online when their website was compromised on March 2016 putting 55 million voters at risk. In May 2014, cyber espionage led the U.S. Justice Department to issue arrest warrants for five members of the Chinese military who conducted cyber-attacks against U.S. companies. In 2014, Iranian hackers launched cyber-attack on Las Vegas Sands Casino to avenge its CEO, Sheldon Adelson for comments he made about Iran.
Anonymity and concealment that the internet provides make it difficult to prove that a certain individual indeed used a given system to break the law. Incentives in cybercrime encourage attack and discourage defense. The two most common exploitation techniques are social engineering and vulnerability exploitation. In the first case, a cybercriminal tricks a user into granting access and in the second instance, a cybercriminal takes advantage of a programming failure to gain access. Both are surprisingly cheap and the rate of return on cybercrime favors the criminal with incentive to steal more. The rate of return per victim on cybercrime can be very low, but because the costs and risks of engaging in it are even lower, cybercrime remains an irresistible criminal activity. In light of such massive breaches to cyber security, the world’s preparedness in tackling these risks is now under increased scrutiny. Careful trade-offs need to be weighed in between the value inherent in an increasingly connected world and the cyber risk of operational disruption, intellectual property loss, public embarrassment, and fraud.
An international platform needs to be developed for strengthening infrastructure and protecting information assets. Equally important is forging partnership between governments and private sectors as well as cross-country cooperation. The Federal Reserve heist was possible due to an unprotected router which provided hackers access to the network. Risk assessment and constant testing of defense systems for improvement of response to breaches are critical to address such issues. Security needs to be integrated into the technology environment, helping individuals understand the risks of the information assets that they deal with every day. Building capacity, raising awareness, and working with industries and stakeholders are the way forward as lines are getting blurred between individuals and institutions, nations and borders, connectivity and casualty. The security breach in a system as secured as the US Federal Reserve is a wake up call for the global cyber citizenry.
Syed Munir Khasru is Chairman of the international think tank, The Institute for Policy, Advocacy, and Governance (IPAG), and can be reached at firstname.lastname@example.org