Stock Exchanges at Center of Cyber Bull’s Eye

In tandem with the increasingly anti-capitalistic ideology of cyber evildoers, the digital target on the New York Stock Exchange and Nasdaq Stock Market appears to have grown in recent months.

While there hasn’t been a known successful attack on a U.S. trading exchange, that doesn’t mean hacktivist groups like Anonymous or other nefarious organizations aren’t trying to make a very loud and very troubling statement that could cripple the markets.

The U.S. market operators themselves are heavily fortified, but some worry cyber criminals may be able to infiltrate the system through other cogs in the intricate, interconnected system.

“If you’re a stock exchange, this needs to be something you focus very dearly on,” said Carl Herberger, vice president of security solutions at Radware.

Of course, threats against the stock exchanges are nothing new. Due to the huge amount of potential financial gain, hackers have long targeted these crucial pieces of the U.S. financial infrastructure.

For example, last year many security experts were alarmed after Nasdaq OMX Group (NASDAQ:NDAQ) disclosed an infiltration into a confidential document-sharing service it runs.

Symbolic Targets

But the threat does seem to be increasing due to the rise of so-called hacktivism, which has shifted the motive behind cyber strikes from strictly financial gain to ideology. That ideological motive often carries an anti-capitalistic message, so it stands to reason that the stock exchanges -- the very embodiment of modern-day capitalism -- would be prime targets.

“It’s like the digital equivalent to the World Trade Center,” said Herberger. “They think the financial system is corrupt and it’s against the little guy. If you can keep an exchange down for a decent amount of time, you can exact a ransom and require them to commit to change behavior. It really transfers power from the victim to the perpetrator.”

At the same time, the tools needed to carry out a sophisticated cyber attack are much more easily attainable than just a few years ago.

This was on full display earlier this month as pro-Palestinian hackers disrupted the websites of the Tel Aviv Stock Exchange, the Israeli central bank and scores of other related financial institutions.

“You can transit these tools very easily and you can amass an army very, very quickly,” said Herberger. “The attacks in Israel are happening from every continent around the world, including from within Israel itself.”

Are They Ready?

There’s little doubt the NYSE, which is owned by NYSE Euronext (NYSE:NYX), and Nasdaq employ some of the most sophisticated cyber defenses found anywhere. Understandably, those companies as well as cyber-security experts were reluctant to talk specifically about what tools they use to defend against this growing threat.

“These days, cyber attacks against corporations and governments occur constantly. At Nasdaq we’re aware of the role we play within the national infrastructure. We take that role very seriously,” said Joe Christinat, vice president of media relations at Nasdaq OMX. “We devote extensive resources and work with some of the best security consultants in the world.”

Richard Adamonis, an NYSE spokesman, said, "We don’t discuss security matters or discuss our preparedness."

Last month security officials from all over Wall Street, including from the NYSE, descended upon a downtown restaurant to learn about the growing threat during a security panel hosted by Radware.

“I think there are people in both those companies that are struggling to elevate the risk within their organizations and the problem within the organization so they get adequate resources and attention,” Herberger, who led the panel discussion, said, referring to NYSE and Nasdaq.

Pre-9/11 Mindset?

One advantage the stock-market operators have is that the exchanges themselves are not believed to be directly connected to the Internet, meaning cyber criminals would need to find another way to infiltrate them. Additionally, these sensitive areas of the financial system are constantly watched over to ensure an attack is quickly recognized.

“I don’t want to invite a competition, but it certainly would be more difficult to penetrate the exchanges than it would be some other sectors at this point,” said Phyllis Schneck, chief technology officer for the public sector at Intel’s (NASDAQ:INTC) McAfee.

Yet Herberger said he’s concerned that the threat, particularly the chance of an attack targeting the availability of an exchange, may be underestimated by the government and some in the industry. He likened it to the security world’s attitude toward an attack on the American homeland by terrorists before 9/11.

“Al Qaeda declared war on the U.S. years before they took down the Twin Towers,” said Herberger. “We have a very analogous situation. There is a growing set of people that are planning very strong capabilities to take down the financial institutions around the world.”

While Herberger said he knows his warning “sounds ridiculous,” he added, “I don’t feel like people are taking this threat very seriously, to be honest.”

Others believe the stock exchanges are more than ready.

“I think they’re definitely up to the threat,” said Ron Plesco, CEO of the non-profit National Cyber Forensics and Training Alliance, which helps law enforcement prosecute cyber criminals.

The Weakest Link

While a successful attack on one of the U.S. exchanges may be difficult to pull off, some are worried cyber criminals will infiltrate the network by finding a chink in the armor of the vast financial ecosystem, which includes a slew of lesser-known organizations that provide support functions.

“When you think about the different cogs in the system, they do just have to find the weakest link,” said Schneck.

Herberger said one likely target, among many others, is the Depository Trust Clearing Corp., a gigantic securities clearinghouse. The DTCC settled more than $1.66 quadrillion in securities transactions in 2010, including $217.5 trillion worth of equity, bond and ETF transactions.

“DTCC places the utmost priority in protecting our systems as well as our data and that of our customers,” a DTCC spokesperson said in a statement. “We have in place rigorous and robust security procedures to identify and prevent potential threats to our organization and we work closely with our members, regulators and the industry to help preserve the safety and integrity of the capital market’s infrastructure and operation as a whole.”

Confidence at Stake

Security experts differed on whether or not a single infiltration into a weaker link would be enough to bring down the whole network.

Schneck said she believes the financial system is too compartmentalized for that to happen.

“You can’t take them all out with just one button,” said Schneck. “It would be difficult to take down an exchange because an exchange really encompasses several different components that are highly protected due in large part to Herculean efforts by the financial sector.”

The stakes are clearly very high. A successful disruption in the markets caused by a cyber attack would be likely to severely hurt investor psyche and could trickle down to the broader economy.

Many investors appeared to lose confidence in the system in the aftermath of the May 2010 Flash Crash, the mysterious meltdown that caused the Dow to plummet 1,000 points in just minutes before quickly recovering.

“We all need to be increasingly vigilant because the adversary has to be right only once and we have to be always right,” said Schneck.