[Cryptography] North Korea and Sony

Jerry Leichter leichter at lrw.com
Wed Dec 10 14:12:44 EST 2014

[Same thing as plain text]

On Dec 10, 2014, at 10:49 AM, John Ioannidis <ji at tla.org> wrote:
> "Banks Dreading Computer Hacks Call for Cyber War Council"
> Bloomberg, July 8, 2014
> www.bloomberg.com/news/print/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html
> Are these people that clueless (which makes me even more worried about the vulnerability of our financial systems), or are they trying to accomplish something else? 
Mainly the former.

I'm most of the way through Timothy Geithner's Stress Test, his personal history of the 2008 financial crisis.  One of the things that becomes crystal clear is the bizarre way in which value in the financial system is created as a result of participant's faith in the value of other participants.  So Citibank (to pick an arbitrary example) is willing to lend some manufacturer money to build a plant because it believes the plant will produce goods that will make the manufacturer enough money to buy it back; Goldman is willing to buy Citibank's bonds because it believes in the value of the loans on Citibank's books; the stock market is willing to buy shares in Goldman because of the value of its loans to Citibank; and so on.  This is a simple linear chain, but in fact the interconnections these days are extremely complex - so complex that no one can really know what they are, and have to go on faith.

You'd think that the values are ultimately grounded in the loans backed by land or machines in a factory, but they get decoupled because of different time constants:  Loan periods can be as long as a hundred years and as short as overnight, and banks live off of lending four long periods while borrowing (repeatedly) for short ones.  The short loans have to be repeated, so their values within the system are re-established all the time, but the long ones have a value that can only be guessed at if they aren't re-sold.  The net result is that there are many fixed points to the system - some in which the value is high, some in which it's low.  The only thing that keeps the markets stable at a high point is faith in everyone's ability ... to keep playing as if the values are high.

Any interruption can cause the whole thing to collapse quickly.  Traditionally, anything that reveals that some of the long-term estimates are wrong - e.g., that the holders of many mortgages won't actually be able to repay them, or that companies that borrowed money to buy equipment won't be able to sell what they make because there's no demand - can rapidly ripple through the system and cause the whole thing to fall apart.

The concern here is that a new source of instability has been introduced into the system.  It's always been a (justifiable) article of faith that as long as a bank, say, actually has enough assets to pay off its creditors on an ongoing basis, it will be able to do so.  But now people look at Sony and realize:  What would happen if a similar attack were mounted against Citibank?  It would have plenty of assets - but with its computer systems crippled, it would be unable to pay debts it owes (or, really, roll them over by incurring new debts while retiring old ones) or collect on debts owed to it.

The time constants here are very short: A bank could probably survive - with significant damage - if unable to effectively manipulate its (all virtual - it's not like Citibank has a vault full of gold somewhere) assets for a day.  But it would be severely damaged in a week, and dead within two weeks - probably less.

We've never seen a collapse of this sort.  Back when ATM's were first being introduced, I recall seeing an article speculating about the effects of a collapse in the ATM networks.  But they were looking at the "Main Street" effects:  What happens to individuals and local businesses when no one can get cash.  The time constants here are much longer.

We've had bigger disasters (e.g., Sandy) where not only were all the ATM's knocked out (because power and telecom were down) but all kinds of other infrastructure was damaged, and people adjusted in various ways until the systems could be brought back up.

But the evidence of past financial crises is that there is little adaptability to large shocks in the financial system ("Wall Street").  It's Perrow's risky system:  Very highly interconnected, with very short time constants.  While "Main Street"'s coupling to the system isn't as close, it ultimately *is* there:  When the big banks can't borrow, they can't lend, and ultimately that leads to a general decline in the economy (as we saw in 2008).

So, yes, there is something very real and very scary here.  The danger has been there for a while, but no one thought about it - and since no one thought about it, it had no effect in how financial players viewed each others' riskiness.  Now we have an example, in Sony, of what could happen. 

No one believes the security of the financial institutions is significantly better than Sony's - everyone buys from the same vendors and follows the same "industry standards" which have now been shown to be hollow.  Not only does no one know how to do better - no one has a clue about how to respond if a Sony-like attack hit someone "systemically important" like Citibank.  The traditional backstops - sufficient capitalization, for example - don't help if the capital is there but can't be accessed because all the computers are frozen.

My guess is we're going to see the equivalent of capital requirements in backup systems:  The development of isolated mechanisms that allow access to enough functionality to see a bank through any reasonable foreseeable damage to its main systems.  Manual systems?  Isolated computer systems with no network connections at all?  How can these help to interact with counter-parties who rely on all their day-to-day systems?  It's really not clear.

Do the banks *also* have some ulterior motives?  Always - though those motives are hardly secret:  They want maximum profit for themselves.  Banks are the ultimate capitalists:  They work with nothing but money, and interact with their customers solely through exchanges of money.

Banks will want to emphasize the "cyberdefense" side rather than the "system capital" side because (a) it's cheaper - banks hate to have their capital requirements increased because that costs them money every day; (b) it's easier to fake, and since in their heart of hearts, they all know it's about faith, not about reality - why not go with a fake everyone believes in?  (Which would actually work - up to the moment someone mounts a real attack.  But, hey, the bank guys already invested their bonuses in things like real estate.)
                                                        -- Jerry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141210/37c7b506/attachment.bin>

More information about the cryptography mailing list