After Edward Snowden… are core banking systems secure?

The power and ubiquity behind spyware

The US administration – along with governments of other countries – has been using ever more sophisticated methods of data analysis, designed to defend and protect its interests and those of its citizens against foreign cyber attacks and other threats. At least this was the official story, until Edward Snowden, a former US National Security Agency (NSA) contractor, made public a significant volume of hitherto secret intelligence files last month. Mr Snowden’s stunning exposure of US government documents painted a rather different picture of US cyber activity on a global scale, including clandestine surveillance, data and software hijacking as well as aggressive attacks on other states, their critical infrastructure and their economic competitiveness, arguably with the potential – in extremis – to bring down large parts of the world economy. It is likely that few in the international banking industry are prepared for such an outcome.

Non-American IT professionals have long suspected that US government agencies had a healthy disregard for their right to privacy; Mr Snowden has given the world a wake-up call in this respect. The USA’s various three-letter agencies (FBI, CIA, NSA, DIA) and the UK’s GCHQ, as well as agencies in Argentina, Brazil, Canada, France, Germany, Italy, Spain, even New Zealand and Australia, have all shown more than a healthy interest in Swiss private banks. According to Mr Snowden, US government agencies have been able to penetrate all Microsoft operating systems since 1999, and the NSA’s ‘Prism’ surveillance programme has been operational since 2006.

Up to now, the main interest has been to tap data in bulk from network switches and fibre-optic cables, and to obtain it directly from service providers, rather than to attack individual computers. It appears that the agencies concerned decided it was more expedient to collect at the network and provider level, taking all they could obtain from firms such as Microsoft, Facebook, Verizon, AT&T, Google, Twitter, Apple, Oracle, Yahoo and Skype (now owned by Microsoft). According to Mr Snowden, the CEOs of many of these organisations have been actively collaborating with the US administration for some time.

The US administration has set its sights on the Swiss private banking sector, with some significant punitive action, such as the US Internal Revenue Service (IRS) awarding Bradley Birkenfeld $104 million for outing those American clients of UBS who were tax cheats, as well as the Department of Justice’s legal pursuit of Wegelin & Cie, Switzerland’s oldest bank, causing it to close its doors after more than 200 years. At least 13 other banks are in the firing line.

Mr Snowden has alleged that these initiatives are just the tip of an iceberg: as reported on 10th June 2013 in The Guardian, a UK newspaper, he describes the entrapment of a Swiss banker in Geneva. The value of catching some rich tax evaders is nothing compared with the proceeds of corporate espionage. Most of the data intercepts have been traced back to countries that are economic competitors of the US, such as China, Germany and India, in high-margin industries like banking, aviation, IT, media and pharmaceuticals. It is conceivable that any private banker working with clients even remotely connected with these industries risks harassment, interference and eventually blackmail (as in Mr Snowden’s example of the banker in Geneva), not to mention the poaching of clients and employees by competitors.

Another problem is that over-collection of this data leads to false positives, such as the UK case of David Mery, reported in The Guardian on 22nd September 2005. Although all charges against Mr Mery were dropped that year, he apparently remains on file as a potential terrorist and can no longer obtain a travel visa.

Back doors in the operating systems used in the financial services sector enable key logging, front running of programmed trades, the planting of false evidence and other nefarious acts. Other parts of the government and regulatory machinery appear unfit for purpose in providing the checks and balances one would expect of an effective administration.

For example, there has still been no adequate explanation for the massive spike in put and call options on relevant listed companies prior to 11th September 2001. According to 911research, a website established to collate information about the terrorist attack on the World Trade Center in New York on that date, a significant number of industry professionals were “deputized” by the US authorities to snuff out any form of disclosure. In other words, they cannot speak about what they know, because they now represent the US government.

What is clear is that a certain privileged group made a proverbial killing (see “The impact of terrorism on financial markets: An empirical study”, by Marc Chesney, Ganna Reshetar and Mustafa Karaman, Journal of Banking & Finance, vol. 35, no. 2, pp. 253-267, 2011). The SEC has so far done little, despite records showing trading volumes increasing by an unusually large margin. As for the NSA and the Foreign Intelligence Surveillance Court (FISC, the court established under FISA), over the last three years the court has approved every government surveillance request, apart from four that were withdrawn.

Open democracies or Big Brother states? The answer seems clear

The laws passed since 2001 allow the US government to enter a US citizen’s home with a secret warrant (FISA under the Patriot Act), to imprison the citizen indefinitely at a secret location, to try the individual with secret evidence (again FISA and the Patriot Act) and, just in case these powers over a US citizen were not enough, to revoke US citizenship on suspicion of terrorism. With this in mind, how fairly can non-US citizens expect to be treated?

It is fair to assume that traffic analysis of the collected metadata could expose even judges and journalists, let alone bankers and their clients. This means the Swiss banking industry should not assume that even a legal solution will be possible. Perhaps banks in other jurisdictions also need to consider what steps to take to protect themselves, their employees and their clients.

Recent reports have shown that surveillance programmes are regularly abused. As well as the much-publicised News of the World phone-hacking scandal in the UK, Rupert Murdoch’s news empire has been accused of acting as a global extension of Israeli secret-service programmes for intelligence gathering, propaganda and political infiltration. Evidently, Murdoch’s news organisation did not limit itself to spying on celebrities. In the aftermath it emerged that the initial Scotland Yard investigators of News Corporation had also been bribed, according to reports in The Guardian.

Other alleged examples of the exploitation of software ‘back doors’ include the tapping of the Greek prime minister’s mobile phone, discovered in 2005, in the period around the Athens Olympics, and the breach of Google’s Gmail by Chinese hackers to unmask political dissidents.

Perhaps the best example of illicit corporate surveillance was Nokia, whose mobile browser routed all of its handsets’ web traffic, including HTTPS traffic, through Nokia’s own proxy servers. There the encrypted traffic was decrypted and then re-encrypted before being passed on; the handsets had been configured to trust certificates the proxy issued on the fly, so the browser still reported the connection as secure. Deliberate or not, Nokia betrayed its financial services industry customers, among others, by designing its phones to give itself full, unencrypted access to users’ browsing activity without their knowledge. Nokia pushed out a patch to close the hole, but could just as easily create another one if it wished.
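As an added illustration (not part of the original article, and not Nokia’s code), the check a banking app can make against exactly this kind of interception is public-key pinning: rather than trusting whatever certificate the handset’s store accepts, the app compares the SHA-256 of the server’s SubjectPublicKeyInfo with a pin compiled into the app, so a proxy certificate issued on the fly fails even though the device trusts its issuer. The Python below builds two constructed, unsigned certificate skeletons, one carrying the bank’s key and one carrying a substitute key, extracts the SubjectPublicKeyInfo with a minimal DER walker, and checks the pin; the certificate contents, key bytes and pin set are all assumptions made for the demonstration.

```python
import base64
import hashlib

# --- Minimal DER helpers (enough for an X.509 skeleton) ---------------------

SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (tag, definite length, content)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content_start, end, tlv_start)."""
    start = pos
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, start

# --- SPKI extraction and pin check -------------------------------------------

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
        issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _, _ = read_tlv(cert_der, 0)           # Certificate
    if tag != SEQUENCE:
        raise ValueError("not a DER certificate")
    tag, pos, _, _ = read_tlv(cert_der, pos)         # TBSCertificate
    if tag != SEQUENCE:
        raise ValueError("malformed TBSCertificate")
    tag, _, end, _ = read_tlv(cert_der, pos)
    if tag == CTX0:                                   # skip optional [0] version
        pos = end
    for _ in range(5):                                # serial .. subject
        _, _, pos, _ = read_tlv(cert_der, pos)
    tag, _, end, start = read_tlv(cert_der, pos)      # subjectPublicKeyInfo
    if tag != SEQUENCE:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[start:end]

def spki_pin(cert_der: bytes) -> str:
    """RFC 7469-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def is_pinned(cert_der: bytes, trusted_pins: set) -> bool:
    """True only if the presented leaf certificate carries a pinned public key."""
    return spki_pin(cert_der) in trusted_pins

# --- Constructed test data (assumed values, not real certificates) ------------

RSA_OID = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption

def fake_cert(subject: str, public_key: bytes) -> bytes:
    """Build a structurally valid, unsigned X.509 skeleton around public_key."""
    alg = der(SEQUENCE, der(OID, SHA256_RSA_OID) + der(NULL, b""))
    name = der(SEQUENCE, der(SET, der(SEQUENCE,
               der(OID, bytes.fromhex("550403")) + der(UTF8, subject.encode()))))
    validity = der(SEQUENCE, der(UTCTIME, b"130101000000Z") + der(UTCTIME, b"140101000000Z"))
    spki = der(SEQUENCE, der(SEQUENCE, der(OID, RSA_OID) + der(NULL, b""))
               + der(BIT_STRING, b"\x00" + public_key))
    tbs = der(SEQUENCE, der(CTX0, der(INTEGER, b"\x02")) + der(INTEGER, b"\x01")
              + alg + name + validity + name + spki)
    return der(SEQUENCE, tbs + alg + der(BIT_STRING, b"\x00" + bytes(32)))

# The bank's genuine key and a proxy's substitute key (both constructed).
BANK_CERT = fake_cert("bank.example", bytes(range(1, 33)))
PROXY_CERT = fake_cert("bank.example", bytes(range(101, 133)))
TRUSTED_PINS = {spki_pin(BANK_CERT)}    # shipped inside the app, never fetched

if __name__ == "__main__":
    # In a real client: cert_der = sock.getpeercert(binary_form=True)
    print("genuine:", is_pinned(BANK_CERT, TRUSTED_PINS))    # True
    print("proxied:", is_pinned(PROXY_CERT, TRUSTED_PINS))   # False
```

With a live connection the DER certificate comes from `ssl.SSLSocket.getpeercert(binary_form=True)`, and the pin check runs after normal chain validation, not instead of it. The caveat from the Nokia case still applies: pinning inside the app defeats a network proxy, but not a vendor that controls the operating system the app runs on, and a pin set needs a backup key and a rotation plan or a routine key change will lock users out.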

Official information regarding the Prism programme is dubious. In effect, James Clapper, the US Director of National Intelligence, appears to have perjured himself before the congressional committees that were supposed to oversee him, later admitting that he had given an ‘erroneous’ answer. This is not the first time officials have been caught lying in public, nor is it likely to be the last. What we can be fairly certain of is that whatever intelligence information is disclosed will be the strict minimum, and likely slanted to reflect the current administration’s policies.

It appears that the current US military, led by General Keith Alexander as head of both the NSA and Cyber Command, wants to do more than passive eavesdropping. According to Mr Snowden, these agencies are penetrating and damaging foreign networks, both for espionage and to prepare them for cyber attack if required. Apparently, the US (and possibly other governments) has already created custom-designed Internet weapons, pre-targeted and ready to be “fired” at some piece of another country’s electronic infrastructure at a moment’s notice. These include Flame, the large espionage toolkit uncovered last year that, among other things, harvested documents such as PDF files, and, allegedly, Stuxnet, which was deployed in Iran to destroy uranium-enrichment centrifuges (see http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet for details) and which also spread well beyond its target, causing considerable collateral damage. Similar malware called Gauss targeted Lebanese banks, including Bank of Beirut, Byblos Bank and Fransabank, according to Kaspersky Lab, a Moscow-based security firm. There is still speculation as to Gauss’s purpose. What is certain is that others will take these examples and copy them.

The sophistication and complexity of these forms of malware is frighteningly impressive, and opinion is united in pointing to state sponsorship. The message from Mr Snowden is that these illicit practices are set to continue unless they can be held in check.

Unfortunately the victims of these attacks will not just be individuals or selected targets, but also proprietary software suppliers and, ironically, American hardware and software suppliers perhaps most of all. The revelations make clear that all the hard work done over the past 25 years or so to stabilise the various operating platforms, and the application stacks most businesses have built on top of them, is now completely compromised, as are most of the network devices in use.

Can existing core banking systems really be secure?

The proprietary nature of most of the current software stack means that there is no access to, nor oversight of, the underlying source code, nor of the compiler tools used to create the final binary programs that are installed, and malware can be deliberately hidden at any of these stages. There are simply not enough software experts to comb through all the code in use today and check it for hidden malware in a reasonable period of time.

The biggest core banking software providers, such as Temenos, Avaloq and Olympic, are based in Switzerland, regarded by many as possibly the safest jurisdiction in the world in terms of personal privacy. However, none of these firms has anywhere near the tens of thousands of people and billions of dollars in government funding available to General Alexander at the NSA and US Cyber Command. The headcount at Cyber Command alone is set to increase five-fold, following Pentagon approval in January this year, according to The Washington Post, a US newspaper.

Until now, most banks in Switzerland have worked on their core banking systems individually or, rarely, in small groups, as with some cantonal banks. Typically, the hope has been that a bank will have a working application after installing a commercial package, with some period of parallel testing and tweaking of parameters as required. Getting the application into operation by a given deadline has almost always taken precedence over all other issues. This means there is a lot of bug-filled, inefficient code sitting in banks’ server rooms. Much of the code written in the last decade has been outsourced to various low-wage economies, whose cultures are less inclined to balk at bribery (China, India, Russia, Eastern Europe). This will almost certainly catch up with the industry and bite bankers in the tail; we just do not know when, or where.

Banks have relied upon vendor staff to create and maintain the packages. The development costs of the solution were shared amongst the buyers, who hoped to pay less than the total cost to write and maintain specific subject applications in-house.

Naturally, vendors try to address the broadest possible requirements. Unfortunately, not only does this accentuate the homogenisation of the industry, a competitive nightmare, but it also means that individual requirements still call for custom modifications, which often negates the labour displacement and cost savings.

The packages are most often sold without the source code or developer documentation, so the customer bank has no real way to audit the software package in any depth, or to fix any defects, without going back to the vendor. The buyers are at the mercy of the vendor, and at risk should the vendor decide to discontinue a particular package or, worse still, go out of business.

Buyers also have to struggle with incompatibility, as in-house applications are mixed with vendor packages that may not be fully compatible with each other. Several products may have redundant functionality, or not handle certain functions at all, as there is no clear line of demarcation between them.

The business environment is changing faster than the programs that seek to model it, meaning that the programs are a perpetual drag on corporate performance. Core banking systems often take years to modify, or change. Many of these projects have ended the careers of some otherwise competent IT professionals.

The tendency to outsource has added additional layers to the development process, creating additional expense and delays. Worst of all, it has created inevitable conflicts of interest.

The above security implications mean that, without radical changes to the software stack in use, sooner rather than later someone else could be eating bankers’ lunches. The current proprietary model is open to abuse by corrupt employees, competitors and government agencies, even more so when the applications are outsourced.

What the banking industry needs is software whose users, and their representatives, can review, modify and share the source code, built on a free (as in freedom) software platform, in the interests of transparency, security and maintaining customer goodwill.

New devices such as mobile phones and tablets in various formats are also giving a strong impetus to refresh the approach to core banking applications. Many core banking systems have severe problems when it comes to scalability and integration with other software systems. Open standards and free software have a lot to offer to help build a more robust and appropriate solution for the future.

What is free software?

Free software, as defined by the Free Software Foundation ( http://www.fsf.org/ ), is not about price; it is about users’ freedom to run software, to study and change a program in source code form, to redistribute exact copies and to distribute modified versions. Free software also implies free documentation, and the freedom to modify is crucial here too: when people exercise their right to modify the software and add or change its features, if they are conscientious they will also update the manual, to provide accurate and usable documentation for the program they have modified.

Free software means that the users (banks, in this case) control the program; otherwise, the program controls the users. There are several million developers writing software today, and there is a high likelihood that most of what you want to write has already been written by someone else. Black Duck Software, a Burlington, Massachusetts, US-based provider of consulting and software for enterprise adoption of open source software (OSS), estimates that there are some 600,000 free or open source software projects in existence, with some 20 billion lines of code available, representing some 10 million man-years of work (http://devsbuild.it/files/PRE_andevcon_innovate-more-code-less.pdf). Free software allows organisations to save time and investment through the re-use of code.

Where is free software being used?

Free software is at the heart of many operating systems, such as GNU/Linux, which has been in use at the London Stock Exchange since February 2011. After its introduction, trade latency went from an average of three to four milliseconds under TradElect, the Microsoft-based system supplied by Accenture, to around 126 microseconds (roughly 30 times faster) under MillenniumIT’s Linux-based Millennium Exchange, first deployed on the LSE’s Turquoise platform. Other stock exchanges that use GNU/Linux include Deutsche Börse, the Tokyo Stock Exchange, NASDAQ, India’s National Stock Exchange and the New York Stock Exchange.

Most readers are likely to have seen free software used opportunistically, but what I am proposing in this article is a more systematic use, for more mission-critical applications. Up to now, the banking industry has been more concerned with time to market, lower costs and quality, but it is now at a technological crossroads and facing a major shake-up. The perceived threats are potentially so great that the private banking industry may have to set out a new software policy capable of meeting the challenges of the future.

Why free software for core banking?

Core banking systems have cost many millions of dollars to develop and implement. They are also typically the longest lived software applications in a bank. There is great reluctance to change these systems for many well-founded reasons.

The ethics of banking, and of the financial services industry more generally, have often been challenged, but the revelations since 2007 have given rise to more scrutiny of professional practices than ever before. Arguably, we have seen the disadvantages of historic (and often still current) business practices thrown into sharp relief. Proprietary software prevents most people from looking at the source code, and users are unable to contribute to making it faster and more secure, or to improving its development. The financial services industry has been one of the largest software consumers after government for the past forty years, but has traded away essential freedoms for very little in return. IT purchasing agents have rarely spoken about freedom, ethical issues or responsibilities. It is probable that most leaders of financial services businesses have preferred to ignore these issues up to now, but recent events are bringing the industry to a pivotal inflection point, not least because corporate reputations, and the businesses behind them, are at risk.

Why a Free IT Foundation?

Finding competent people to produce the core banking application stack is still a concern; there are not many firms that can properly pull this off. The fastest route seems to be for a consortium of banks, acting through a not-for-profit foundation, to buy out one or more of their banking software suppliers and change the software licences to a free source-code licence, or to re-implement the software under a free licence. A foundation aligns the banks’ interests, letting them leverage their collective power and regain competitiveness against those that have received unfair advantages. Contributors to a free software project can capitalise their investment and treat it as an asset, instead of expensing all their expenditure (http://www.free-it-foundation.org).

Perhaps it is time to close some old windows and open some new doors.

Gerold Rupprecht is an independent IT specialist, based in Geneva.
After Edward Snowden…are core banking systems secure?
by Gerold Rupprecht - geroldr(at)bluewin.ch - is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
All reproductions shall include the words "This article originally appeared on www.thewealthnet.com".
Commercial copyright enquiries should be made to janderson(at)paminsight.com