Citigroup, with more than $112 billion in annual revenues this year, is a global behemoth. On any routine business day, the world’ biggest financial services giant moves a trillion dollars or more around the world. Little wonder, then, that Citigroup’s IT security executives were stunned one day in 1994 when they learned that a hacker had broken into their systems’ innards and was moving around millions of dollars. As Colin Crook, former chief technology officer of Citigroup, recalls, “It was a profoundly traumatic experience.”
Crook, now a senior fellow at Wharton’s SEI Center for Advanced Studies in Management, says that fortunately for Citigroup, the culprit – Vladimir Levin from St. Petersburg in Russia – was soon caught. He had stolen customer passwords to transfer $10 million into his accounts, and Scotland Yard and the FBI tracked him down and arrested him. By the time a U.S. judge sentenced Levin in 1998, Citibank had recovered more than $9.5 million of the missing money. Following this experience, the financial services giant installed procedures aimed not just at patching security gaps but also at recognizing signals that someone may be trying to hack into the computer system. The act of breach is not a unique event; it has precursors. “You must be able to recognize the fingerprints among the noise,” Crook says.
Crook shared these insights at a session on the risks of cyber-terrorism at a conference last month on developing a “Systems Approach to Terrorism.” The conference was sponsored jointly by the Association for Enterprise Integration and several research centers at Wharton and the University of Pennsylvania and George Washington University. Wharton sponsors included the Risk Management and Decision Processes Center, led by Paul Kleindorfer and Howard Kunreuther, and the SEI Center for Advanced Studies in Management, led by Jerry Wind.
Setting the stage for Crook’s presentation, Wind pointed out that cyber-terrorism represents just one form of vulnerability against which organizations must plan to protect themselves. In addition, companies must assess their vulnerability to bio-terrorism and other forms of threats. “Vulnerability is a function of who you are,” Wind pointed out. “Organizations need strategic plans that can help them detect and deter terrorism and take pre-emptive action against potential threats.”
Wind said that as companies try to assess how vulnerable they are to terrorist threats, they must address several concerns. “Vulnerability is a local phenomenon, and it may manifest itself differently in New York than it does in Philadelphia or Washington, D.C.,” he noted. Wind also said that companies face challenges in breaking down or bridging silos of information. While individual parts of an organization may have some information, it is often difficult for them to connect the dots and see the whole picture.
This problem is aggravated further when several organizations, such as government agencies, have partial information whose context can remain concealed unless it is more broadly shared with intelligence that resides in other organizations. When the organizations that must share knowledge are scattered around the world, the challenge becomes even more formidable – and yet it must be tackled because terrorism has an international dimension. “Facilities of companies like Coca-Cola or McDonald’s (which are closely identified with the U.S.) get attacked around the world,” Wind said. As such, a global strategy to counter global threats is essential. “Everyone’s skin is in the game,” he added.
Cyber-Terrorism and the Financial Sector
According to Crook, although the threat of cyber-terrorism against financial institutions such as Citigroup constantly exists, companies have to recognize that life must go on. “We’ll have to live this phenomenon for several generations,” he noted, adding that a dichotomy has always existed between secrecy and openness. “In business, very few things can ultimately be kept secret. You have to assume that most things will be open and known at some point in the future.” Crook added that secrecy in business differs considerably from the government’s or the military’s approach to secrecy. “The business approach should be that this is one big experiment, and you have to adapt and learn,” Crook said.
Crook pointed out that hacking into secure computer systems is on the rise, and that as many as five instances a day are reported. He identified several risk factors. Concentration of computing power engenders vulnerability, he pointed out, as does interconnectedness. “The Internet is not a linear network, and you can’t isolate yourself from the world,” he said. “There used to be so-called air gaps, but these no longer exist.” Standardization is another risk factor. Among the major providers of information technology, companies such as Microsoft, Intel and Cisco have market shares as high as 80% to 90%. “This means if you have a problem somewhere, you have it everywhere,” Crook said.
Yet another risk stems from what Crook described as the customer security paradox. “The government’s approach to security is to keep the potential adversary out, while the approach of businesses is to invite the customer in.” The contrast between those perspectives is crucial, because “inside the customer base resides the adversary.” Crook emphasized that in designing security systems, it is critical to recognize three principles of security: first, never trust a network; second, always authenticate the user but don’t trust the user; and third, the application must protect itself.
Finally, Crook offered several rules of cyber-security. Among them:
- The future is unknowable. As such, vision is more important than detailed plans.
- Everything is an experiment. Therefore, think in terms of experiments rather than safe bets.
- Formulate plans in a way that assumes long-term transparency. Ultimately, there are no secrets.
- Previous experience can be a liability. Like detailed plans, it can create what Crook called “cognitive locks” on understanding a situation and detract from the flexibility that might be necessary to deal with it.
- Technology is a force for change; embrace it, don’t avoid it.
- The world is interconnected. Engage with it, don’t isolate yourself from it.
Bio- and Other Forms of Terrorism
Robert Moore, executive director of the global security group at Merck, the pharmaceutical giant, addressed the threat that organizations face as a result of bio-terrorism. In the aftermath of the anthrax killings in the U.S. last year, this question features high on the security agenda of most companies. According to Moore, Merck recognizes the need for being prepared. “No one says that lightning will strike your house today, but it will strike somewhere sometime,” he said.
Moore points out that an effective strategy to combat bio-terrorism must be based on the recognition that the first lines of defense are health-care providers and emergency rooms, not the police and anti-terrorist squads. In addition, mutual cooperation between the private and public sectors is crucial, and partnerships must be created to achieve it. “We are risk managers,” Moore said. “If we are to evaluate risk, we must do so on the basis of the relationships of trust between institutions rather than just between individuals.” Moore added that risk factors must be jointly evaluated, emergency plans designed together, and information must be shared among partners.
Arthur Johnson, senior vice president of corporate strategic development at Lockheed Martin, advocated the importance of companies balancing the need for security with that of personal privacy. Referring to security screening at airports, he said that while the process was too cursory in the past, now it has become too intrusive. “One solution might be for passengers not to fly, but society will not be more secure, nor will terrorists be dissuaded by that solution,” Johnson said. In order to be effective, he added, any screening process must combine “thorough security with minimal personal invasiveness.”
Johnson said the tasks of security officials are daunting. In the U.S. alone, they must monitor 700 airports and 20,000 flights a day, in addition to 4,000 miles of coastline. “They must inspect 2 million railcars and 11 million trucks that come into the U.S. each year,” he noted. Given the volume involved, how can security be ensured? According to Johnson, deterrence is not an option against those who are willing to die. “We’ve got to embrace deep technology rather than labor-intensive solutions,” he said. “These systems will have to be integrated. The right hand of the government must know what the left hand is doing. Otherwise we’ll be out-strategized by Al Qaeda.”
“Destroy Your Brand”: The Wharton Approach
In a more detailed examination of strategies that can be employed to counter the threat of terrorism, Rick Lieb, president of SEI Investments and a senior fellow at the Wharton SEI Center, led a session on the challenges of the financial sector. William Doran, a partner at the law firm of Morgan Lewis and Bockius, and Colin Crook, also participated in the discussion.
Their premise was that terrorists who target financial firms for attack are very bright. (For example, the Russian hacker who attacked Citigroup was a math grad from the St. Petersburg Tekhnologichesky University.) To identify inflection points that are vulnerable to the attention of such cyber-terrorists, a group of Wharton faculty has developed a method based on the “destroy your brand” initiative that Jack Welch, former CEO of General Electric, had introduced at that company.
The technique involves bringing together one or more cross-functional teams and asking them to answer the question, “If you were a competitor or a terrorist and wanted to put this company out of business, how would you do it?” The team members proceed to brainstorm about the tactics they would employ. When this exercise was conducted with the Depository Trust Co. – which processes most securities transactions in U.S. financial markets except for those involving government bonds – as a potential target, panelists suggested devilishly simple methods of crippling its operations. For example, one suggestion was to corrupt data back-up tapes by attacking the person responsible for transporting it at the end of each workday.
The goal of the destroy-your-brand exercises is obvious. Once points of vulnerability are identified, the team members (or possibly other teams) can develop defense strategies to counter such attacks. Assuming that terrorists come up with similar or identical scenarios in their planned attacks, these exercises would ensure that the defenses would already be in place before such attacks occur.
After the Sept. 11 attack last year, several Wharton faculty members suggested to the Department of Homeland Security that the “destroy-your-brand” method be employed to identify vulnerable points in the U.S. economy and to generate counter-strategies. While the department was slow to respond, the Bush Administration’s strategy for homeland security announced last month calls for the creation of such teams.
In order to be truly effective, these exercises should be conducted in an iterative fashion, where each scenario incorporates possible defenses and new threats to those defenses. For example, if terrorists were to combine an attack on an institution that handles credit supply with a move involving contamination of cash currency – some 25% of Americans have no bank account – they could pose a formidable challenge to the economy.
“These are troubling scenarios, and they could shut the economy down,” says Lieb. Hopefully, however, being aware of such areas of vulnerability is also a step toward preventing attacks or tackling them with minimal disruption if they do occur.