Less than a decade ago, the next generation of security challenges was closer to science fiction than to strategic investments (e.g., security infrastructure challenges were the stuff of Die Hard movies rather than systemic cyber-physical threats; predictive analytics was a movie plot theme, like “pre-crime”; machine learning had limited applications to the financial sector and was impractical and unaffordable to use at scale and operationally). This update highlights a big shift that is within sight. Advances in algorithm design suggest that cryptographic-based security may need re-visiting. It’s widely anticipated that we’re entering a new era of low-cost, high-power, real-time, wide-scope forms of Predictive Analytics and Machine Learning, e.g. making increasingly-routine use of GAN Global Adversarial Networks to discover and pre-harden new types of attack surfaces that don’t even exist yet, protecting against not-yet-conceived types of threats). Those trends are treated as “Black Swans” (currently-rare or inconceivable phenomena which could lead to huge, even existential, security threats. Hence the EU is funding substantial Innovation projects such as FINSEC, to anticipate and protect against high-consequence cyber-physical threats to key sectors such as banking.
FINSEC’s strategy begins with what is operational today, collaborating in real-world trials of today’s research-based innovations such as predictive analytics and machine learning. Trial ecosystems include both incumbent organisations (e.g., major retail banks) and challengers. The trial scenarios will be familiar to subscribers of Financial-Cybercrime Security Bulletins (e.g., Kaspersky’s 2019 Overview and Predictions). Such bulletins commonly focus on rapid dissemination of “after the event” news, e.g. details of recent attacks and threats, and trends in the exploits and algorithms being used by organised crime and state actors to attack larger targets such as internal banking networks (to reach PoS terminals, ATMs); crypto-exchanges; and fin-tech companies. We publicise some of our findings, but keep confidential details of specific tests, threats or defenses.
FINSEC is preparing for likely increasingly sophisticated and challenging threats to actors in the financial sector, including payment systems used by complex supply chains; mobile payment systems used by the public (e.g., targeted on mobile-banking; threats arising from new forms of biometric challenges and/or identity theft); and inside threats (e.g. bypassing cybersecurity systems of financial institutions, by using physical devices connected to internal networks). Larger one-off threats involving multiple zero-day exploits may also be discussed later, since these can affect major parts of an economy. News media warn of signs of involvement of proxies of nation state-supported actors, capable of whole system and cyber-warlike scenarios. A notable trend here, to counter state-sponsored attacks, is the prominence being given by governments to announcing their future use of new diplomatic rules of engagement for cyber-physical attacks, e.g. as set out in the EU’s “Cyber Diplomacy Toolbox” (May 2019).
By Paul Lefrere, CCA