Protecting Bank Networks from Acts of Computer Terrorism
Boris I. Skorodumov*
Institute of Banking Affairs of the Association of Russian Banks
The rapid adoption of information technologies by various Russian banks and the development of trends toward distributed data processing using modern computer hardware are accompanied by the appearance of new or modified problems that represent the negative side effects of technological progress. Much attention is being paid to issues of information security in the developing e-business sector. This is an important issue for Russia as we move toward joining the World Trade Organization (WTO), which is highly likely after our country’s banks introduce international financial accounting standards and comply with certain additional conditions in 2003. Russian banks are highly automated and are developing their networks and their presence on the Internet (www.cbr.ru). This progress, however, is accompanied by the exacerbation of security problems and specifically by the phenomena of cyberterrorism and cybercrime.
The targeted city program “Electronic Moscow,” announced on December 24, 2002, indicates that the introduction of modern information technologies has led to the appearance of new types of crimes such as computer crime and computer terrorism—unlawful interference with the operation of computers, systems, and networks or the theft, acquisition, or extortion of computer information (www.iis.ru). Cyberterrorism and cybercrime are new forms of criminal activity using computers and telecommunications. According to data from experts from the Council of Europe, credit card cases alone result in annual losses of about $400 million. Losses from viruses total about $12 billion, while violation of property rights causes $250 billion in damages.
The number of crimes in the information technology (IT) sphere committed against governmental information systems is constantly on the increase. According to data from the Central Intelligence Agency, Internet sites of central U.S. government agencies were attacked 750,000 times in the past three years. Other sources indicate that the number of such attacks could be 1 million. In 2001 the networks of the U.S. Space Command alone were attacked 30,000 times. From 1998 through 2001, the number of such attacks increased fivefold.
According to data for 2002 published in the quarterly report of the U.S. Computer Security Institute (CSI), 223 of 503 organizations surveyed suffered financial losses totaling $455,848,000 as a result of various types of information threats being carried out against them. For example, while in 1997, 21 organizations suffered losses of $20,048,000 from theft of proprietary information, in 2002 these losses amounted to $170,827,000. The annual CSI/FBI Computer Crime and Security Survey is conducted as a public service by the CSI with the participation of the Computer Intrusion Squad of the FBI’s San Francisco office. Its purpose is to increase the level of security awareness and help in determining the scope of computer crime in the United States (www.gocsi.com).
According to data on high-tech crimes from the Moscow Main Administration for Internal Affairs, its personnel discovered about 3,000 pornographic websites in the period from March through December 2002 alone, with the profits from each site averaging $30,000. Some of this money was going to support the activities of extremist and terrorist groups. The number of cyberattacks against enterprises, organizations, and citizens is growing at a stable pace. According to information from the Main Administration for Special Technical Measures of the Russian Ministry of Internal Affairs, in 2001 the number of computer-related crimes committed in Russia increased by almost 150 percent compared with 2000 (www.mvdinform.ru).
It should be noted that in our country today the overwhelming majority of banks are commercial or nonstate owned, and their automated systems contain almost no information involving state secrets. In addition, the limited-access information that circulates in such automated bank systems in most cases includes no state secrets whatsoever. Russia currently has no general official information security recommendations or requirements for such systems, for example, in the form of any established standards. Only the old requirements for organizing physical security remain in effect. Bank security is primarily provided with the help of technical means of protection. If such means prove inadequate to ensure the absolute security of cash, valuables, and important papers, armed guards are posted at main offices and major branches.
Technical means of protection include reinforced buildings, vaults, and safes; fire and security alarm systems; sprinkler systems; and the use of firearms and communications systems. Newly constructed banks may open only after they have telephone service, the appropriate technical reinforcements and structures (vaults) for storing cash and other valuables, and the necessary fire, security, and panic alert systems. In Russia, information security problems were studied and addressed in a timely fashion only for the protection of state secrets in military, governmental, or other state-related automated systems. Thus, over time, a situation developed in which the very specific problems of the commercial sector went unresolved, because for a long time no such sector existed. At present, this presents a substantial obstacle to the development of secure information technologies in the Russian commercial market, for instance, in banks, which are being formed and integrated into the world trade system.
A response might be to recommend that the information security requirements for state-automated systems continue to be used in order to address the problems of protecting commercial information in banks. For example, we could take advantage of the latest technical advances of authoritative state organizations, which recently issued materials on the protection of confidential information not involving state secrets.
To deal with this problem objectively, it would be appropriate to look at the commonalities or differences in processes involved in defining parameters for and ensuring the security of information in automated systems. I propose analyzing this problem using the example of automated banking systems, which involve the storage of huge amounts of valuable information and entail a corresponding number of security problems. There are also other reasons for doing so. In particular, the Doctrine for the Information Security of the Russian Federation, which was affirmed by Russian President Vladimir V. Putin, emphasizes that “computer crimes associated with the penetration of the computer systems and networks of banks and other lending organizations represent a serious threat to the normal functioning of the economy as a whole.” It should be noted that information security requirements have been formulated and are being applied in the Russian Central Bank system. For instance, these requirements are covered in Order No. 02-144, dated April 3, 1997, and titled “On the Institution of Temporary Requirements for Ensuring the Security of Electronic Payment Processing Technologies within the Russian Central Bank System.”
These regulations do not apply to Russian commercial banks, which handle such problems at their own discretion and according to their own capabilities. These issues are dealt with differently abroad. For instance, in Germany and France, commercial banks have specially developed methodological materials for use as guidance in handling information security matters.
Russian commercial banks could use publicly accessible Russian Central Bank documents on information protection. However, it is not that simple. It should be kept in mind that the fundamental goals of government-run and private banks are diametrically opposed, as clearly stated in the relevant legislation. Article 1 of the Federal Law on Banks and Banking Activities states: “A lending organization is a legal entity that, having profit as the main goal of its activities and operating on the basis of a special permit (license) from the Central Bank of the Russian Federation (the Bank of Russia), has the right to carry out banking operations as stipulated under this Federal Law.” Article 3 of the Federal Law on the Central Bank of Russia states: “Earning a profit is not the goal of the activities of the Bank of Russia.” These different goals give rise to different ways of achieving them, although the components and means used could be similar. Let me clarify this thesis: A commercial bank, like any other market organization, is essentially a highly risky enterprise. Therefore, Western markets have highly developed theories and practical mechanisms for the management of risks, including those that are computer related. Risks are constantly monitored and analyzed. In accordance with the recently adopted Russian Law on Technical Regulations, “risk is the likelihood by which some harm will occur…,” that is, the collective characterization of whether some security threat might be realized. Such characterizations may be found in various Western sources of statistical data, for example, in the annual CSI/FBI survey. Besides risk characterizations, it also includes examples of financial losses suffered, including by banks. Our country currently lacks adequate information of this sort (www.mvdinform.ru).
Materials from the Global Association of Risk Professionals (GARP) focus on the following requirements for risk identification and assessment:
Risk assessment must take into account internal and external risk factors and must be made at all levels of an organization.
An organization must identify risks both within its control (manageable risks) and those beyond its control.
All materially significant risks that could have a negative effect on the achievement of the organization’s goals must be identified and assessed on a continuous basis.
GARP was founded in 1996 and has more than 15,000 members. Its Russian branch was established in 1998.
The new Russian Law on Technical Regulation also gives rise to a new formulation of the concept of security, which the law does not limit to the diffuse synonym protectedness as it appeared in older government documents. This law states that “security is a condition in which intolerable risk of harm is absent….” Furthermore, its Article 7 states that “technical regulations taking into account the degree of risk of harm establish minimum necessary requirements for ensuring
nuclear and radiological security
electromagnetic compatibility with regard to ensuring the secure operation of equipment
consistency of measurements”
Before 2003, documents issued by Russian state organizations on information security did not include the word risk.
Denial of service (DoS) attacks could serve as a prime example of the new threats presented by cyberterrorism. Three years ago, six U.S. Internet companies suffered losses totaling $624 million as a result of DoS attacks lasting only two hours. Following this incident, widespread calls for change were made:
Establish firewalls (inter-network screens) that record spoofing attempts.
Work out a plan with your Internet provider in advance for tracing the source of a DoS attack.
Create your own rapid response (incident response) group.
Develop your own comprehensive plan for preventing attacks and dealing with their consequences.
Russian Internet banks have begun to suffer similar attacks, although they have been carefully concealed from public knowledge.
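The first two recommendations above can be expressed as concrete detection logic. The following is an added example, not code from the original article or from any bank or vendor it mentions: it runs an anti-spoofing (ingress and egress) check and a simple per-source SYN-rate check over a constructed sample of flow records. The address plan, bogon list, window length, threshold, and all sample records are assumptions made for the illustration.

```python
"""Added example: two DoS countermeasures as detection logic over flow records.

1. Anti-spoofing screen: a packet arriving on the external interface whose
   source address lies inside one of our own prefixes, or inside a range that
   never appears on the public Internet (bogons), cannot be legitimate and is
   recorded as a spoofing attempt. The mirror rule on the internal interface
   (egress filtering) stops our network from being used to spoof others.
2. Per-source SYN rate over a sliding window, as a first flooding indicator
   that the response group can hand to the Internet provider for tracing.

Prefixes, thresholds and sample flows are hypothetical values for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress

# Assumed address plan of the bank (hypothetical): two private ranges and one public /24.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]
# Source ranges that should never be seen from the Internet (RFC 1918, loopback, link-local, ...).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                   "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

RATE_WINDOW_SEC = 1.0   # sliding window length (assumed)
RATE_THRESHOLD = 5      # SYNs per source per window before the source is flagged (assumed)


@dataclass
class Flow:
    ts: float    # seconds since start of capture
    iface: str   # "ext" = Internet-facing interface, "int" = inside interface
    src: str
    dst: str
    flags: str   # TCP flags, e.g. "S" for SYN, "A" for ACK


def _in_any(addr: str, prefixes) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def spoof_reason(flow: Flow):
    """Return why the flow's source address is impossible on its interface, or None if it is plausible."""
    if flow.iface == "ext":
        if _in_any(flow.src, INTERNAL_PREFIXES):
            return "internal source on external interface"
        if _in_any(flow.src, BOGON_PREFIXES):
            return "bogon source on external interface"
    elif flow.iface == "int":
        if not _in_any(flow.src, INTERNAL_PREFIXES):
            return "non-internal source leaving from inside (egress filter)"
    return None


def analyze(flows):
    """Screen flows in time order; spoofed ones are recorded and dropped, the rest feed the rate check."""
    spoofed = []                 # (source, reason) pairs, in arrival order
    flooders = set()
    windows = defaultdict(deque)  # per-source timestamps of SYNs inside the window
    for f in sorted(flows, key=lambda x: x.ts):
        reason = spoof_reason(f)
        if reason:
            spoofed.append((f.src, reason))
            continue             # dropped at the screen, so it never counts toward a rate
        if f.iface == "ext" and "S" in f.flags:
            q = windows[f.src]
            q.append(f.ts)
            while q and f.ts - q[0] > RATE_WINDOW_SEC:
                q.popleft()
            if len(q) > RATE_THRESHOLD:
                flooders.add(f.src)
    return {"spoofed": spoofed, "flooders": sorted(flooders)}


# Constructed sample: one legitimate client, three spoofing attempts, one SYN flooder.
SAMPLE_FLOWS = [
    Flow(0.0, "ext", "198.51.100.7", "203.0.113.10", "S"),   # legitimate connection attempt
    Flow(0.1, "ext", "10.1.2.3", "203.0.113.10", "S"),       # our own private range from outside
    Flow(0.2, "ext", "172.16.5.5", "203.0.113.10", "S"),     # bogon source from outside
    Flow(0.3, "int", "198.51.100.9", "198.51.100.1", "S"),   # foreign source leaving our network
    Flow(2.0, "ext", "198.51.100.7", "203.0.113.10", "A"),   # legitimate follow-up, not a SYN
] + [Flow(1.0 + i / 10, "ext", "192.0.2.50", "203.0.113.10", "S") for i in range(7)]  # 7 SYNs in 0.6 s


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FLOWS).items():
        print(key, value)
```

Note that the screen decides by interface and source address only; a flooder that uses its real address (as in the sample) passes the anti-spoofing check and is caught only by the rate check, which is why both measures appear in the list above.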
All of this calls for the adoption of a common (market economy-wide) approach to resolving the information security problems of commercial organizations, especially banks—in other words, a risk management approach. Because economic and market factors are of top priority for commercial banks, it is very important for automated banking systems that everything be done to reduce or eliminate risks of financial losses and to ensure that profits are made for the owner and users given the existing real (assessed) threat conditions. In particular, this would include minimization of the typical banking risks, such as losses incurred by mistakenly sent payments, falsification of payment documents, and so forth.
We must also address the concept of ownership of information resources. Ownership entails rights to control, use, and dispose of a given piece of property as well as the opportunity to exercise these rights effectively in real life. Information systems resources and the information itself are someone’s property. Therefore, the security of a commercial automated banking system should be regarded as a matter of ensuring the exercise of the owner’s rights with regard to the resources included in the system. The exercise of the owner’s rights is associated with the ability to manage the resources effectively and, as part of this management, to ensure that their use is limited to only authorized individuals.
The protection of information in automated banking systems involves a number of special points that must be taken into account, as they have a great impact on information security technology. In addition, other characteristics of commercial automated banking systems explain the need for creating specialized information security requirements (standards) for commercial bank networks.
The adoption of information technologies by banks, the development of trends favoring distributed data processing using modern computer hardware, the creation of information and telecommunications systems for various purposes, and the need for information exchanges among these systems have shaped the efforts of the world community in categorizing and prioritizing the fundamental requirements and characteristics of such systems, including in the area of information security. This matter is particularly urgent for so-called open general-use systems that handle confidential information not involving state secrecy, which are experiencing very rapid growth in our country. The term open means that all devices and processes in the system (computer network) work together in accord with a certain range of standards and are therefore open to interaction with other systems (computer networks). This sort of approach entails the need to link into a unified system a wide variety of hardware and software used in computer systems or networks by all sorts of commercial organizations with no single manager or owner. In particular, this also has an effect on mechanisms for cryptographic protection of information or protection against unauthorized access to information. During 2003, Russia is implementing the basic international standard ISO 15408 for information security criteria. The use of the ISO 15408 standard will make it possible to initiate work to improve domestic information security standards and bring them into line with existing international practices in this field of knowledge and technology. The new criteria have been adapted to the needs of mutual recognition of the results of information security assessments on an international scale and are intended for use as a basis for such assessments. The criteria were approved as a standard by the International Organization for Standardization in May 1999.
The common criteria make it possible to compare the results of independent information security assessments. This is done by defining a common catalog of functional security requirements and assurance requirements for information technology products and systems, against which a product’s security is evaluated together with the risks considered tolerable for its intended environment.
The main advantages of the common criteria include the comprehensive nature of its information security requirements, flexibility of application, and openness to subsequent development in line with the latest scientific and technical achievements. The common criteria were developed so as to meet the demands of all three user groups (consumers, developers, and evaluators) for studies of the security properties of information technology hardware or systems, called targets of evaluation (evaluated products) in common criteria terminology. This standard can provide useful guidance in developing hardware and systems with information security functions as well as in procuring commercial products and systems with such functions. The common criteria may be applied to other aspects of information technology security besides those mentioned above. This standard is mainly focused on threats resulting from human actions, malicious or otherwise, but it may also be applied to threats not caused by human actions. Specialized requirements for the credit and financial sphere are likely to be formulated in the future.
The traditional concept of security with regard to information involving state secrets entails an assessment of three characteristics: availability, integrity, and confidentiality. However, this is a somewhat narrow view of the problem. For commercial banks, the legal standing of banking information is a pressing matter that has become increasingly important in recent years, along with the creation of a legal and regulatory base governing property security in our country, especially when it involves the interactions of automated systems owned by various legal entities. The legal standing of information may be defined as a characteristic of information security that makes it possible to ensure the legal force of documents or information processes in accordance with the legal regime for information resources established under Russian law.
This last point is particularly important given the need to ensure strict accounting of all information services, which is the economic basis for the operation of any information system and serves to facilitate tight regulation and control of access to information using system resources. It is often necessary to ensure strict notarization (legal accountability) of information, which is essential in resolving conflicts between clients and providers of information services.
Among the other features of commercial automated banking systems, the following could be noted:
specific threat and intruder model
possibility of insuring against information risks
wide variety of commercial organizations
need to determine the value of information
expediency of dynamic protection and monitoring systems
application of openly created means of protection
On February 20, 2003, the Association of Russian Banks (ARB) and the National Association of Funds Market Participants (NAUFOR) signed a memorandum creating the Association of Participants in Confidential (Secure) Electronic Document Exchange in Russia. This association is open to organizations adhering to the fundamental principles of confidential electronic document exchange as set forth in the memorandum, the main goal of which is the creation of a collective-use center for financial authentication. This authentication center will be created taking into account foreign experience and the characteristics particular to Russia.
Now, during the year when the ISO 15408 standard is being introduced, it would be convenient to establish requirements for commercial or banking sector security, focusing on the special aspects involved in ensuring the security of commercial information not involving state secrecy.