'White Hat' Hackers Expose Flaws of U.S. Stock Market

Ethical "white hat" hackers, intentionally looking to expose the cyber vulnerabilities of U.S. equity markets, were able to directly impact market performance in a test last month--forcing a mock market close.

Details of the exercise, dubbed Quantum Dawn 2, were unveiled in a new report earlier this week and highlight the steps the financial industry has taken to tackle ongoing digital threats.

More importantly, they underscore the work that still needs to be done.

“You don’t know what you don’t know until you do exercises like this,” said Cedric Leighton, a former U.S. intelligence officer with the National Security Agency (NSA).

More than 50 entities and 500 people in the financial services sector participated in the wide-scale mock cyber attack hosted by the Securities Industry and Financial Markets Association (SIFMA) on July 18. Ethical hackers were told to give everything they had to try and cripple the U.S. stock market.

The six-hour exercise, which simulated multiple trading days, was designed to be realistic and intense, underscoring the growing sophistication of malicious hackers in an effort to improve the industry's coordinated response in the event of a systemic attack.

“Quantum Dawn 2 demonstrated the industry’s resiliency when faced with serious cyber attacks that aimed to steal money, crash systems and disrupt equity market trading,” SIFMA CEO Judd Gregg said in a statement.

While the industry has made strides on this front, the test showed how much work still lies ahead in protecting critical U.S. assets, including the highly liquid equity markets.

“The more realistic the exercise the better prepared they’ll be if and when attacks from a cyber standpoint occur."

- Cedric Leighton, former U.S. intelligence officer

“Complacency is not an option in the fight against cyber crime,” said Gregg, a former senator.

It Could Happen

Using multiple attack vectors, including those originating from external sources and malicious insiders, individuals from the private and public sector participating in the SIFMA exercise gained experience reacting to realistic attempts by hackers to crash the technical systems that serve as the lifeblood of U.S. equity markets.

With motives varying from a desire to steal billions of dollars, disrupt equities markets or degrade a firm’s post-trade processing capability, participants fought off attempted phishing schemes, corruption in widely-used source code, distributed denial of service attacks, fraud designed to falsely move the market as well as stolen administrator accounts that triggered automatic selloffs in target stocks.

To top it all off, malicious code and equipment was introduced that in a real-world scenario, would serve to divert authorities in their investigation and slow down response time.

“The more realistic the exercise, and the more involved the traders and the hierarchy of the exchanges and the whole financial community are in these exercises, the better prepared they’ll be if and when attacks from a cyber standpoint occur,” Leighton said.

SIFMA said cooperation between the private and public sector was crucial in dealing with the attacks and re-ignited the call to Congress to pass legislation that would make it easier for the private/public sectors to share information in an effort to prevent an attack.

At an unrelated cyber security industry event in Midtown Manhattan on Monday, acting Department of Homeland Security Secretary Rand Beers also encouraged Congress to pass comprehensive cyber legislation, calling security a "shared responsibility."

Ed Powers, national managing partner of Deloitte’s Security & Privacy practice, who helped audit the SIFMA exercise, says it's unrealistic to expect defenses to prevent all cyber incidents, though he says understanding the need to not just be secure, but also "vigilant and resilient" is key to thwarting them.

The SIFMA rehearsal also tackled the market’s open and close decision process in the event of an attack, including understanding how the market would react and function once reopened following the loss of critical infrastructure and assets.

“It’s much easier to respond if you’ve practiced responding to it,” Leighton notes.

Bullseye on America's Markets

Ongoing analysis of intelligence is crucial in the fight against cyber crime, terrorism, hacking and espionage, especially as crime continues to evolve and the hackers themselves consistently update methods designed to throw off authorities.

Western financial institutions have long been a target of cyber evildoers, particularly those operating out of anti-capitalist groups and nations overseas.

While no known cyber attacks have taken The New York Stock Exchange and Nasdaq Stock Market offline (though their systems have succumbed to tech glitches), the threat is unwavering and has seeped into other aspects of the financial industry.

For example, last September and earlier this year, major U.S. and European banks, including Bank of America (NYSE:BAC), JPMorgan (NYSE:JPM) and HSBC (NYSE:HBC) suffered from DDoS attacks that temporarily downed their consumer sites. In 2011, the Nasdaq OMX Group (NASDAQ:NDAQ) disclosed that its confidential document-sharing service was infiltrated.

Spokespeople from the Nasdaq and NYSE exchanges couldn’t immediately be reached to discuss the Quantum exercise specifically.

However, at Monday's cyber security event in Manhattan, Mark Graff, CISO at Nasdaq OMX, said the exchange remains “a big target” of those who want to “hurt the financial industry.”

Beers agreed, saying, "cyber networks and systems are increasingly being targeted."