Chapter 13. Global Dialogues On Security At The World Bank
At a Glance
The following international examples of IT security breaches, solutions, and current policy initiatives are drawn from two events held by The World Bank. The first Global Dialogue, “E-Security: Risk Mitigation in the Financial Sector,” took place on September 25, 2002. The second Global Dialogue, “Electronic Safety and Soundness,” took place on September 10, 2003. Videos for both sessions are available online.102 This chapter contains the highlights of each session, including the comments of representatives from participating countries.
Global Dialogue 2002 “E-Security: Risk Mitigation in the Financial Sector”103
The session opened with an introduction to e-risk. Themes included the shift from closed to open networks within the past ten years. On open networks, the dependence on silver bullets, such as SSL, which has been cracked, has become problematic because they perpetuate vulnerabilities. For banks, there are dangers not only from blended threats, such as Code Red, but also from organized hacking crime rings. Many of these crime rings use online casinos as money laundering tools. The International Data Corporation (IDC) estimates that 57% of hacks have been against the financial industry. Furthermore, as the level of sophistication in hacks increases, the skill level required decreases, because downloadable malicious code is so ubiquitous that anyone with even limited knowledge can launch large-scale attacks.
Methods of e-fraud include identity theft and extortion— both highly profitable—especially in attacks originating in Eastern Europe against the United States. Other methods include salami slicing, funds transfers, and stock manipulation. Attacks in Asia specifically targeted the financial sector for obvious purposes, as well as the technology sector for intellectual capital.
The introduction to e-risk also addressed the topic of wireless vulnerabilities, specifically in GSM (Global Standard Mobile). Two key points were made with regard to wireless risks: the gateway vulnerability and the “man in the middle” attack. The latter can occur because cellular towers fail to authenticate themselves to cellular phones.
Legal and Regulatory Issues
While five years ago e-commerce laws were relatively uncommon, today there are forty countries with e-commerce laws, and the number is growing. Of particular importance, consumer electronic transaction law and the rights and responsibilities it defines are vibrant areas of legal development. Key issues include:
- the validity of electronic signatures and transactions,
- individual data protection (see Privacy and the Fair Information Practice Guidelines),
- payment systems between banks, particularly e-banks,
- money laundering and the level of international cooperation required to prevent it,
- advances in cyber crime law that address the use of computers in criminal acts.
Enforcement requires compliance, cease and desist orders, and the ability of regulators to remove malicious data from systems. While there has been inter-industry cooperation on some levels, the security of e-payments, for example, has led to a collision between telecom and banking. The banking industry defined safety and soundness as “non-discriminatory access to safe and sound financial systems.” The telecom industry paradigm, on the other hand, was “universal access for the public interest and welfare.” These slightly different definitions of “safe service” create difficulty when organizations attempt to secure networks and meet commercial needs simultaneously.
102 Please note, the full streaming video for the 2002 proceeding can be obtained on The World Bank website, at: http://www.worldbank.org/wbi/B-SPAN/sub_e-security.htm. The video for the 2003 proceeding may be obtained at http://www1.worldbank.org/finance (Click on E-security, within the Conference section.)
103 This session was conducted by The World Bank, Integrator Group Members: Thomas Glaessner, Tom Kellermann, and Valerie McNevin, with Global Dialogue Participants from a range of countries including Brazil, Chile, Mexico, Ukraine, Bulgaria, Slovakia, Singapore, South Korea, Philippines, Hong Kong, Sri Lanka, and P.R. China.
Supervision and Prevention
In spite of the difficulty with meeting the dual needs of safety and soundness, electronic security is a critical need of most organizations and there must be a concerted effort to reduce operational, legal, and reputational risk in the IT environment. Plans to increase the security of systems must include:
- Education, awareness, and skills training. The World Bank study shows that 50% of e-security intrusions are by insider threats. This figure is larger when misuse of, or failure to follow, safe computing techniques is included.
- Auditing and examination processes. There must be cross-border coordination in order to effect change in the speed at which issues are addressed. For example, EU banks have servers in Antigua; this illustrates the ease with which banks can fail, if servers are shut down, and immediate action is hindered by cross-border coordination problems.
- Public-Private Cooperation. Reputational risk leads to a lack of reporting. Thus, it is critical to hold roundtables to discuss both legal issues and emerging threats. One example of a functional public-private partnership is the NIPC’s InfraGard, a partnership between private industry and the U.S. government, represented by the FBI. The Forum of Incident Response and Security Teams (FIRST) is another form of partnership, bringing together a variety of computer security incident response teams from government, commercial, and academic organizations. FIRST aims to foster cooperation and coordination in incident prevention, prompt rapid reaction to incidents, and promote information sharing among members and the community at large. Other collaborations include the Internet Security Alliance (www.isalliance.org) and the Computer Emergency Response Team (CERT). This is a collaborative effort between Carnegie Mellon University’s CERT Coordination Center and a cross-section of private international companies.
- Layered Security. The most effective approach to IT security is a layered approach that is covered not just by technology, but also by people and processes. Over-reliance on silver bullet solutions such as encryption will not protect organizations against every possible threat. Twelve core layers of proper security are essential for maintaining the integrity of data and mitigating the risks associated with open architecture environments, and in many instances the actual implementation of a specific layer need not entail large capital investments or outlays. The 12-layer checklist is presented in Chapter 11, Part 3.
Country Contributions
Hong Kong
Representatives from the Hong Kong Monetary Authority opened with an overview of three recent fraud cases:
1) A hacker used Trojan horses to obtain passwords and IDs, with which (s)he conducted an unauthorized transfer of over US$35,000;
2) A case of e-payment fraud in Australia occurred as a result of poor customer awareness of password security; this enabled hackers to crack the payment system and, because institutional limits were not imposed, it is estimated that over US $3 million were stolen;
3) In a case of online dealing fraud, hackers broke into a system in order to sell 5 million shares (equivalent to US $21.7 million), and effectively manipulated the stock prices.
The lessons learned from these incidents were as follows:
1) Pre-register all third party accounts - this entails controlling all unauthorized accesses and transfers.
2) Monitor e-bank transactions and control suspicious accounts and transactions (over SMS or e-mail, or to unregistered third party accounts).
3) Use multiple factors for customer authorization, such as customer-specific information (something that only the individual customer knows or has, like a smart card). Passwords may only be valid once.
4) Build security awareness among customers (the weakest link) - because multiple channels or methods can be used for transfers, communications should be secured, including by installing personal firewalls and updating intrusion detection systems.
5) Incidents must be handled and reported quickly, in order to ensure effective responses from the security team.
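The first three lessons above (pre-registered payees, institutional transfer limits, and one-time passwords) can be combined into a single authorization check. The following is an added illustration, not code from the World Bank or any bank discussed here; the HMAC-derived one-time code scheme, the account and payee names, and the amounts are all constructed for the example.

```python
"""
Transfer authorization modelled on the Hong Kong lessons learned:
  - transfers only go through to pre-registered third-party accounts,
  - a per-account daily limit caps the damage from stolen credentials,
  - every transfer needs a code that is valid exactly once,
  - transfers to unregistered payees are held and logged for review.
All data below is constructed sample data (hypothetical scheme).
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str
    balance: float
    daily_limit: float                      # institutional cap on outgoing transfers
    registered_payees: set = field(default_factory=set)
    spent_today: float = 0.0
    issued_otps: set = field(default_factory=set)   # one-time codes not yet used


def issue_otp(account: Account, secret: bytes, counter: int) -> str:
    """Derive a one-time code from a shared secret and a counter (hypothetical
    HMAC-based scheme) and record it as issued-but-unused."""
    digest = hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()
    code = digest[:8]
    account.issued_otps.add(code)
    return code


def authorize_transfer(account: Account, payee: str, amount: float,
                       otp: str, review_log: list) -> str:
    """Apply the controls in order and return 'APPROVED', a 'REVIEW' hold,
    or a 'REJECTED' reason. Only an approved transfer moves money."""
    # Something the customer has: a code that is consumed on first use,
    # so a replayed session or a harvested password alone is not enough.
    if otp not in account.issued_otps:
        return "REJECTED: invalid or reused one-time password"
    account.issued_otps.discard(otp)       # consumed even if the transfer fails

    if amount > account.balance:
        return "REJECTED: insufficient funds"

    # Institutional limit: the Australian case had none, so losses ran to millions.
    if account.spent_today + amount > account.daily_limit:
        return "REJECTED: daily transfer limit exceeded"

    # Unregistered third party: hold for confirmation and record for monitoring.
    if payee not in account.registered_payees:
        review_log.append(
            {"owner": account.owner, "payee": payee, "amount": amount,
             "reason": "transfer to unregistered third-party account"})
        return "REVIEW: transfer to unregistered third party held for confirmation"

    account.balance -= amount
    account.spent_today += amount
    return "APPROVED"


def run_scenario() -> dict:
    """Walk through a legitimate transfer, a replayed code, an attempt to move
    funds to an unregistered account, and a limit breach. Returns the outcomes."""
    secret = b"constructed-shared-secret"
    acct = Account("alice", balance=10000.0, daily_limit=5000.0,
                   registered_payees={"payroll-001"})
    log: list = []

    code1 = issue_otp(acct, secret, 1)
    legit = authorize_transfer(acct, "payroll-001", 1000.0, code1, log)
    replay = authorize_transfer(acct, "payroll-001", 1000.0, code1, log)

    code2 = issue_otp(acct, secret, 2)
    unregistered = authorize_transfer(acct, "mule-777", 500.0, code2, log)

    code3 = issue_otp(acct, secret, 3)
    over_limit = authorize_transfer(acct, "payroll-001", 4500.0, code3, log)

    return {"legit": legit, "replay": replay, "unregistered": unregistered,
            "over_limit": over_limit, "balance": acct.balance,
            "held_for_review": len(log)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```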
In Hong Kong, the government is collaborating with banks and police on handling incidents, ensuring responsiveness, reporting incidents, controlling damage, and ensuring public confidence through effective PR management. Hong Kong also noted that, with regard to ISPs, the variety of existing standards makes it difficult to control, secure, and create awareness of security issues.
Singapore
Singapore’s discussion revolved around four key areas: the Korean connection, the state of e-finance, the national PKI (Public Key Infrastructure), and recent incidents and government actions. Beginning with the topic of connectivity, Singapore juxtaposed the following figures from 1998 and 2001 to illustrate the rapid technological diffusion:
- in 1998 revenues from e-commerce totaled US $40 million; in 2001, the total was US $91 billion;
- in 1998 there were about 14,000 households with high speed access; in 2001 there were 7.8 million, or 64% of the total population;
- in 1998 Internet usage was at 3 million; this figure was up to 24 million in 2001 (half the population in Korea);
- mobile penetration is greater than 50% of the total population.
E-banking has proven to be both popular and pervasive in Singapore. Despite a small population of 4 million people, approximately 25% of the population engages in online banking. In addition, the industry is experiencing rapid growth. Online trading began in 1997 and now accounts for about 50% of all trades. As a counterpoint, the insurance industry is not growing as quickly, though this may be attributed to the nature of the product; insurance products tend to be customized and allow for little standardization.
Looking at the criminal side, the statistics for cybercrime incidents show that there were approximately 100 hacking incidents between the years 1996-1997. In the year 2000, there were 5,000 reported cases. This figure is increasing exponentially. Although e-banking is popular, two recent security incidents have underscored the importance of security policies and procedures in the e-finance environment:
1) In one incident, customers of the biggest bank in Singapore had their PCs penetrated by Trojan horses. These Trojans illicitly acquired confidential user information in order to extract large sums of money. This particular Trojan was so sophisticated that it escaped the notice of both anti-virus software and intrusion detection systems, highlighting that these tools should not be the only forms of defense employed by a commercial entity.
2) An earlier incident involved the second largest bank in Singapore and did not attract as much international attention. In this case, the bank’s systems were attacked through unpatched vulnerabilities. The incident specifics were not shared for reasons of confidentiality. However, this incident illustrates the need for cooperation among regulatory agencies.
In Singapore, the government has been actively involved in endorsing Public Key Infrastructure. The Digital Signature Act of 1999 governs the national PKI, with the Ministry of Information Communications holding responsibility. The National PKI designates licensed certificate authorities (CAs). There is mutual recognition of certificates. The Korean Information Security Agency (KISA) handles more technical issues, including overseeing CAs, licensing CAs, and conducting research and development for both wired and wireless PKI.
There are currently six licensed CAs. Because of this variety, certificates are mutually recognized so that customers can engage in diverse financial services with a single signature. Thus, the user of a digital signature is protected legally. There are challenges, however: in the banking industry, licensed CAs are in widespread use, but this is not the case in brokerage firms, where only 4 of 36 securities firms use licensed CAs. There are two reasons for this:
1) Online trading started in 1997, 2 years prior to the enactment of the Digital Signature Act. Thus, users are comfortable trading online in the absence of a licensed CA.
2) The use of CA delays the securities transaction and customers do not want the inconvenience and potential loss associated with delayed trades.
However, a recent incident in Korea has altered the e-security landscape in the context of online trading. In August, several brokerage firms found dormant brokerage accounts. They placed buy-orders for US $20 million, buying stocks from institutional investors that were also part of the scheme. In reaction, security measures have been augmented. Licensed CAs will become mandatory at a faster rate than originally conceived. On December 1, 2002, private certificates will no longer be allowed. As of September 1, 2002, only licensed certificate authorities (LCAs) can be used. By May 2003, all certificates must be licensed. In online trading, it will be mandatory for all large brokerage firms to use licensed CAs by November 2002, and all small firms by January 2003.
In the spring of 2003, Singapore will publish Technology Risk Management Guidelines. Their efforts are guided by international efforts and best practices in industry, based on a series of informational meetings between banks, industry participants, and government officials. One of the key questions for Singapore, which has a single regulator to enforce compliance to standards, is how a larger nation, like the U.S., deals with standards enforcement when faced with a much larger number of regulatory agencies.
Philippines
The Philippines discussion focused on the ramifications of three possible trends as an indication of the growing threat of cyber crime. These are the dissemination of viruses (e.g. “I Love You”), the continuing battle against credit card company fraud, and 9/11. Though 9/11 occurred in the U.S., the Philippines used this example to demonstrate their government’s measures to protect national financial institutions.
In the Philippines, the spread of the “I Love You” virus prompted immediate regulatory actions. This incident was important because it exposed weaknesses in both the public and private sectors. The government responded by passing e-commerce laws and cyber-strategy laws. Furthermore, it revealed the limits of law enforcement’s capacity to understand and respond effectively to technology-driven incidents. A program on computer security training was launched for law enforcement personnel.
Credit card fraud has proven to be a challenging area for the Philippines (and elsewhere). The country is home to 2-3 million credit card holders, approximately 17 issuing banks, and supports many millions of business transactions a year. It is estimated that approximately 400 million pesos (roughly equivalent to US $8 million) of lost revenue are attributable to credit card fraud. ATM cards are also in widespread use, with approximately 10 million cardholders.
Third, 9/11 pushed banks to reach out to other countries in order to seek international cooperation on the topic of e-security.
As with other locations around the world, in the Philippines e-finance is still in the early stages of development. Of the 8 recommended pillars in E-Security: Risk Mitigation, the Philippines has incorporated the legal framework and enforcement, public private cooperation, and improving law enforcement capabilities. The Philippines still needs law enforcement experts, including special courts comprised of expert panels. Other areas of need include information databases and education to all stakeholders, including consumers, corporations, and vendors.
The Philippines had two main questions:
1) To what extent has the United States addressed trade-offs between reporting and protecting reputations? and
2) What is the state of international enforcement on cyber crime laws?
Sri Lanka
Sri Lanka began by providing a background on e-finance, discussing its limitations on account of low Internet penetration and limited awareness of e-security among users. Sri Lanka believes telecom expansion issues will be resolved in the near term. The problem with awareness is that it does not exist at the Board level. Thus, it is difficult to gather support for issues such as expansion of connectivity. Among customers, there is an additional lack of awareness of how secure online transactions can be. As a result, trust is low among customers and they are reluctant to engage in online transactions. Instituting guidelines and frameworks for service providers can help generate confidence in the customer base.
Sri Lanka’s question concerned Internet Service Providers. They asked whether there were policy guidelines or frameworks for e-security regulation of ISPs. They also requested information about the Korean security agency, whether it was private or national, and what role(s) it supports.
Bulgaria
Bulgaria’s bank services were established in 1989, with a culture similar to that in the United States and Europe. Recent developments include the establishment of a payment system and software packages specifically for the commercial banking industry. One such example is BANKNET. Bulgaria approaches e-security by asking fundamental questions about what must be protected. They identify the critical elements as the physical network, internal information systems, applications, and data protection, specifically data exchanges between banks and clients.
From an organizational standpoint, Bulgaria has an Internal Commission that is responsible for analysis and recommendations. The establishment of e-security policies requires monitoring and supervision of networks and applications, including up-to-date software and hardware, and lists of concrete, specific actions. Bulgaria identifies the e-security of payment systems as extremely critical. Supervision and prevention changes include education, which is a critical component of their security planning. They note that they need work on legal frameworks and enforcement, including legal and technological conventions between the various network participants.
In Bulgaria, there is a legal framework on e-signatures, which also includes an e-document law, regulation of certificate authority activities, and requirements for advanced e-signatures. Currently, the bank would like to establish a common PKI. Banks may become the CA within the common PKI for specific applications, though there is a need for flexibility in their layers and uniform technologies for interbank systems. Bulgaria also has an issue with security policies - they must define reliability as well as business requirements. E-signatures are not simple to implement in many applications. The key facets in Bulgaria’s payment systems are vendors, reliability, and price. There is a demilitarized zone for bank services, which includes the gateway for all Internet-facing applications, and firewalls. Through BANKNET, Bulgaria strictly controls access from the Internet to the network. Most attacks occur on websites and e-mail servers because they face the Internet. Behind the firewall, there is much scrutiny over bank services and interbank applications.
In Bulgaria and elsewhere, central banks are building legal frameworks for electronic payment systems, which consist of new regulation on payments and national payment systems. This establishes a legal basis for the numerous national payment systems, which include central depository payment systems and bankcard payment systems, among others. Bulgaria finds that currency policy presents a challenge, as the conditions are difficult for attaining a legal balance. They ask about the role that payment systems oversight must play in communicating the e-security of payment systems. They ask whether laws should be flexible and soft on cooperation, or whether there should be more stringent oversight of the system. Brazil and South Africa have a stringent approach to surveillance and oversight of payment systems; they are aiming to design an efficient and competitive system. In some areas, regulation can become a de facto monopoly in the provision of retail systems, and careful consideration of regulations and third party operators must include an assessment of how the technology will affect the retail system.
Conclusion
In conclusion, all participating nations identified the need for further cross-border educational and training efforts in the area of e-security. At The World Bank, the Integrator Unit is recognized for its dedication to providing best practices reports and seminars on electronic risk mitigation.
Global Dialogue 2003 “Electronic Safety and Soundness”104
This session stressed the importance of addressing e-security issues in a global context, particularly since the risks in emerging markets are growing at a dramatic rate. Security issues are exacerbated by the irregularity in press reporting; between hype and conjecture, much of the information regarding electronic safety is inaccurate. Meanwhile, worms, viruses, and other types of electronic threats are taking a toll on critical infrastructures around the world.
The problem of e-security is compounded by a shortage of trained information security teams, a lack of sound governance procedures, and emerging technologies including mobile communications. The information technology (IT) backbone is growing at a rapid rate, and as cyber threats and vulnerabilities rise with equal rapidity, trillions of dollars are put at risk. The purpose of the Global Dialogue is not to ask why security breaches occur, but to ask what can be done to curb the problems.
E-Security Risk Mitigation: Soft and Hard Infrastructure Combined
E-security may be defined as “any tool, technique or process that protects a system’s information assets from threats to confidentiality, integrity, or availability.” E-security is composed of two infrastructures: a soft infrastructure that includes policies, procedures, processes, and protocols, and a hard infrastructure that includes hardware and software. An increased reliance on technology escalates the potential for e-security threats. As we have seen previously, attacks are taking place more frequently and are often launched as blended threats, which are difficult to disarm. The speed and tenacity of the hacking community is growing quickly, due in part to the activities of organized crime and terrorists.
The task of deploying effective e-security programs is a significant challenge for several reasons:
First, e-security efforts tend to be reactive rather than proactive; this approach should be changed to a continuously proactive effort to combat present and future threats.
Second, cooperation on international issues is critically important, particularly for supervisors and law enforcement agencies. However, even in a single country, intra-agency cooperation can become a complex endeavor.
Third, incident reporting is a serious obstacle to understanding the scope of the threats facing us today, as there is still considerable reluctance to expose security breaches.
Fourth, in tandem with reluctance to report security incidents, response times to breaches lag in many e-security efforts.
Finally, personnel issues remain central: it only takes one naive user to compromise the integrity of an entire network. Increased awareness of the threats is necessary. Ultimately, e-threats will create a loss of public confidence in communication technologies if they are not handled correctly. Bearing that in mind, several steps should be taken to further progress e-security efforts:
First, regulators, financial institutions, and other market participants should determine and contribute to the dissemination of best practices in IT security.
Second, collaboration should become commonplace, particularly with respect to resolving the key security threats facing organizations and the consumer-public.
Third, security personnel and auditor training should be a top priority in commercial and government practice. The definition and containment of operational risk should include the various forms of cyber-risk, in addition to the traditional forms of physical and information risk.
104 This session was conducted by The World Bank, Integrator Group Members: Thomas Glaessner, Tom Kellermann, Valerie McNevin, Yumi Nishiyama and Shane Miller, with commentary from Global Dialogue Participants including Brazil, Chile, Colombia, Mexico, Saudi Arabia, Ukraine, Australia, Beijing China, Hong Kong China, Malaysia, Philippines, Singapore, and Sri Lanka.
See http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Presentations for original documentation of these sessions.
Supervision of Information Security and Technology Risk
While the IT sector grows beyond the bounds of local talent capacity, outsourcing has become a major trend. International outsourcing, in particular, has taken off, a situation that creates both problems and opportunities for organizations worldwide. Recent efforts to mitigate e-threats include a proposed guidance requiring banks to develop a response program for protecting against threats to customer information that is maintained by the bank or its service providers. The components of such a program would include procedures for notifying customers about any incidents of unauthorized customer information disclosure that could result in substantial harm or inconvenience to the customer.
In spite of fairly complex policy and procedure initiatives, security continues to take a backseat to ease of use. Therefore, continued education, training, and vigilance are crucial for augmenting contemporary security efforts. Some emerging security areas that warrant additional attention include: vulnerability assessment, penetration testing, intrusion detection systems (IDS), and forensics.
Mobile Technologies: New Rewards and New Risks
In 2002, Global System Mobiles (GSM) had approximately 787 million users worldwide. Wireless is growing at a rate three times faster than that of landlines. GSM is just as susceptible as other transmission technologies to malicious code, such as Trojan horses, e-mail viruses, and denial of service (DoS) attacks. In the hostile environment of the Internet, wireless is the “Achilles heel of security.” Often, the wireless connections are the weakest link in the security chain. The GSM vulnerabilities include SIM-card vulnerability, SMS bombs, WAP vulnerabilities, and what is commonly referred to as the “man in the middle” attack.105
Although it is not possible to secure GSM technologies completely, there are several easy steps users are encouraged to take to strengthen their resistance to attack: 1) enable a power-on password, 2) install anti-virus software, 3) install a personal firewall along with robust encryption (e.g. S/MIME), 4) ensure that devices are stored securely and that the desktop mirroring software is password protected, and 5) install virtual private network (VPN) software. In the smart card context, third parties should not handle PIN numbers.
Country Presentations
In the course of the global dialogue, each of the participating countries was asked to answer the following three questions:
1. What trends do you see with regard to e-security incidents? What are the largest challenges/ vulnerabilities (e.g., identity theft, denial of service/ systems access, money laundering over the Internet, other forms of electronic fraud, etc)?
2. At present, what processes are your financial institutions following to mitigate electronic security risks and what changes in supervision process are you considering?
3. How could the multilateral institutions, in coordination with other supervision agencies and the EBG, best assist you?
Brazil
The representative from Brazil noted that competition drives companies to implement high technology, but these technologies tend to be vulnerable. There is a trade-off between the cost of services and fraud. With respect to supervision, examination techniques in Brazil are increasing in effectiveness.
In answer to how multilateral institutions can best assist Brazil, they respond that they would like assistance with: training examiners, creating security methodologies and standards, and creating security models and minimum bank regulations.
Questions:
Brazil asked how they can create a legal framework to deal with crime, especially considering that the dynamic nature and the rapid pace of technology make legislating problematic.
Responses:
In response, a representative from Singapore suggested instituting tough penalties, as well as updating laws on a regular basis. To take Singapore’s example, laws such as the Computer Misuse Act have proven to be beneficial in clarifying what computer crime is and reducing its appeal for casual hackers.
A representative from Infragard, FBI, stated that this is a social phenomenon across all boundaries. In some cases, perpetrators do not realize the severity of the crimes they are committing, and in fact, some people may not consider computer crimes “crimes” at all. Moreover, banks tend to perpetuate a “myth of safety.” More public recognition of the risks in e-finance and e-commerce is necessary, as shielding the data on security incidents only exacerbates the problem. In particular, there is a tremendous problem with the cross-border nature of e-crime, including cyber hacks and bank site alterations. As a result, international collaboration is necessary.
105 In this type of attack, a modified cellular phone acts as a rogue base station for other cellular phones, thereby gaining the ability to steal information over the air. Information is unprotected at the gateway, leaving a massive vulnerability for users and their information.
Mexico
In response to the question concerning trends in e-security incidents, Mexico noted that PIN numbers are increasingly accessible via the web, making this a large risk. However, they are making a substantial effort to mitigate e-risk; financial institutions have strong monitoring capabilities, and there are many security and monitoring companies with expertise in IT security. In addition, Mexico has adopted the Basel recommendations for technology risk management.
On the question of how multilateral institutions can assist Mexico, they recommend a global information exchange among multiple agencies in order to share incidents, assessments, and risk mitigation needs.
Question:
Mexico inquired about the depth of Singapore’s guidelines.
Response:
The general security practices of Singapore can be accessed online.106 The Guidelines include 26 practices that range from the operating system (OS) level, patches, roles and responsibilities, anti-virus software, firewalls, and so on.
Colombia
The representative from Colombia stated that the security challenges they face are the same as those faced by all countries, yet Colombia feels ill-prepared. At the present time, Colombia has no standard for incident response. There is no Computer Emergency Response Team (CERT). Colombian clients are liable for cyber incidents. Identity theft is rising. Bank cards are being cloned. There is no privacy regulation. Risk mitigation is an auditor problem. PKI and smart cards are used, but e-security for banks seems to be an abstraction. Unfortunately, employees do not generally care about security practices, and security is not ingrained into the banking culture in Colombia. Keeping up to date is a huge problem.
In this context, there is clearly a role for multilateral organizations. For example, UNCITRAL is a model law for computer crime, vandalism, privacy, denial-of-service, and transnational issues. Model laws should be based upon civil law rather than common law.
Question:
Colombia inquired how one raises the integrity of security within financial institutions, especially with cost-benefit considerations. Liability and risk management are fundamental concerns, especially with respect to customers.
Responses:
Collaboration is necessary because of jurisdictional issues, even in identifying the location of the loss associated with a cybercrime incident. To begin with, cross border standards should be adopted so that a common language can be used to describe the problems and set up a plan for their mitigation. As an example, there has been difficulty with defining “fraud” within the EU. One example of a cross-border organization working in this area is the Financial Action Task Force (FATF), which deals with anti-terrorism and money laundering.
106http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/(attachmentweb)/Singpore_TRMguidelines28Feb03/$FILE/ Singpore_TRMguidelines28Feb0
107 All banks are a part of the National Bank system.
Ukraine
Following Ukraine’s independence, there was a re-organization of the banking system that included new technology practices, such as electronic transfers. Security technologies such as e-signatures and cryptography are headed by the National Bank.107
Since independence, e-signature and e-transfer laws have been adopted. While there have been several attempts at cyber intrusions into banks, there have been no reported financial losses.
On the regulatory front, Ukraine signed the cyber crime convention in 2001 and the country does prosecute for computer misuse. In addition, Parliament has been considering a draft law on personal data protection. There are cyber crime provisions in the criminal code; however, the laws are limited in their effectiveness because they require proof that the offense was intentional. In this regard, the lack of forensics becomes a key issue, as preserving evidence of intentionality is highly problematic. There must be training for security staff and law enforcement personnel on handling evidence.
Question:
Ukraine’s primary question concerned responsibility and liability, especially with internal monitoring and reporting efforts. Incident reporting by bank employees, for example, is critical to creating a more secure banking environment. To support incident response capabilities, there is a CERT in Ukraine.
Response:
On the issue of evidence, it was noted that electronic data perishes quickly and there is no standardization for handling forensic evidence in cases of computer crime. Though there is a clear need for digital forensics guidelines, there are currently no standardized methods accepted by the courts.
Australia
Australia adopted and implemented Basel II to categorize the loss of information. However, they have found that increased use of intrusion detection systems has been difficult to justify given so many false positives and misconfigured systems. New technologies are built upon old technologies, thereby increasing the complexity and interdependent nature of the system. At the same time, the system may not be well documented. Learning about system interdependencies is critical, but resources remain limited. Australia points out that free educational downloads on this particular topic are available to the public.
Australia makes three key points.
First, cyber-crime legislation will exist in all APEC economies by October 2003. This cyber crime legislation includes e-fraud and cross-border electronic law enforcement.
Second, law enforcement education and cooperation is needed across all borders. There will be a compendium of IT development standards. APEC cyber-security will address wireless, and will conduct a study on the risks of technologies such as Wi-Fi.
Third, Computer Emergency Response Teams will exist in all APEC economies by October 2003.
China, Beijing
The representative from China explained that there is an overall need to raise public awareness about the e-security situation and more external assessments are required. Some of the challenges faced by China in e-security include a lack of risk awareness and risk management ability, especially considering the complex nature of technological practices in e-security. This problem is exacerbated by the lack of cooperation among regulatory and supervisory bodies.
While the security front is uneven, Internet banking is growing rapidly in China; between 1999 and 2003, the number of Internet banks grew from 1 to 27, and the volume of banking transactions increased over a hundred-fold. It was noted that during the recent SARS epidemic, Internet banking surged in popularity. China makes the following suggestions:
1) Encourage information sharing on a domestic and international level;
2) Establish international e-security standards;
3) Enhance transparency in e-banking.
China, Hong Kong
In Hong Kong, spoofed e-mails are very common, as are viruses and worms. Concurrently, there is a change in the behavior of criminal syndicates. Instead of directly targeting banks, they are now targeting the weakest link, the customer. In this regard, customer education is critical.
A recent incident of a fraudulent bank website illustrates the security problem. One bank website generated particular concern, as the URL was an incomplete Hong Kong address and no digital certificate existed for the website. The fraudulent website claimed the bank had offices in New York and elsewhere, but upon investigation, it was determined that the bank website, as well as the bank itself, were fraudulent. The website was hosted in China. This incident illustrates the critical need for cross-border cooperation and is especially true as criminal syndicates conduct cross-border crimes. The HKMA is taking initiatives to enhance the supervisory framework, including customer education, and disseminating leaflets to inform the public on critical e-security issues and tips for combating crime.
To further enhance e-security supervision, the HKMA works closely with domain registrars. Hong Kong employs an automated process to screen local domain names (.hk). If the word “bank”, “banque”, or any other form of the word is used in a domain name, it is immediately referred to the HKMA. Additional intra-country cooperation exists with the Hong Kong Police Force, CERT, and the government to set up industry-wide incident responses. The Supervisory Control Self-Assessment (CSA) covers 70-80 banks; since a yearly review is difficult, it is an automated assessment.
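An added illustration of the kind of automated domain-name screen described above (example code written for this chapter, not the HKMA's or any registrar's own process). It assumes a registrar feed of newly registered names; the page names only “bank” and “banque”, so the other word forms, the digit-for-letter folding, and the sample names are constructed assumptions.

```python
import re
import unicodedata
from typing import List, Optional, Tuple

# Word forms to screen for. "bank" and "banque" come from the text; the
# remaining forms are assumed for illustration.
BANK_FORMS = ("bank", "banque", "banco", "banca", "banka")

# Digit/symbol substitutions that would hide the word from a naive
# substring match (constructed mapping, an assumption of this example).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def normalise_label(label: str) -> str:
    """Fold one DNS label to lowercase ASCII letters only, so accents,
    punycode, digit-for-letter tricks and separators cannot defeat the screen."""
    if label.startswith("xn--"):
        try:  # decode an internationalised label to its Unicode form
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", folded)  # drop '-', '_' and leftover digits


def labels_under_tld(domain: str, tld: str = "hk") -> List[str]:
    """Return the labels below the screened TLD, or [] if the name is not
    under that TLD (the process in the text covers .hk registrations only)."""
    parts = domain.strip().rstrip(".").lower().split(".")
    if len(parts) < 2 or parts[-1] != tld:
        return []
    return parts[:-1]


def matched_form(domain: str, tld: str = "hk") -> Optional[str]:
    """Return the bank word form found anywhere in the domain, else None."""
    for label in labels_under_tld(domain, tld):
        norm = normalise_label(label)
        for form in BANK_FORMS:
            if form in norm:
                return form
    return None


def screen(domains: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split a registration batch into (referrals, passed). Each referral
    carries the word form that triggered it, for the reviewer's benefit."""
    referrals, passed = [], []
    for d in domains:
        form = matched_form(d)
        if form:
            referrals.append((d, form))
        else:
            passed.append(d)
    return referrals, passed
```

Referrals still need a human decision: legitimate banks register such names too, and the screen flags only names whose labels contain a listed form, so a lookalike spelled entirely with a brand name passes through.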
Republic of Korea
While the Republic of Korea was unable to participate in the Global Dialogue, they submitted their response to the questions posed by the World Bank. They note that while Korea possesses highly advanced information networks, their security level could be improved. In Korea, 65% of total stock transactions occur online and approximately 25 million people use the Internet. Recent incidents, such as the January 2003 Slammer worm, have had serious effects in Korea and illustrate the fragile nature of the networks.
Korea provided statistics to convey the existing low level of awareness of systems security. According to the Ministry of Information and Communication, only 12.9% of e-commerce companies, 16.7% of academic institutions, and 9.2% of corporations had information security teams. Korea noted that e-security tends to be considered a cost, which may only be addressed given sufficient resources and time. As an example, a relatively small fraction (12.9%) of e-commerce companies, and 6.1% of all companies, have installed intrusion detection systems (IDS).
Sri Lanka
The representative from Sri Lanka explained that threats such as worms and wireless vulnerabilities exist, but Sri Lankan authorities have not heard of any attacks on their banks. There have been no publicized or reported threats to the banking systems. Sri Lanka has had ATMs for 20 years. While e-banking is still in its infancy, its popularity is growing rapidly. The public may purchase stocks online, but again, such capabilities are in their early stages. In Sri Lanka, leapfrogging is proving to be the biggest issue at the present time. For financial institutions, awareness is the key and examiners must assess risks accurately.
Cyber Security in the Singapore Financial Sector
Tony Chew, Director of Technology Risk Supervision at the Monetary Authority of Singapore (MAS) provided a glimpse of Cyber Security initiatives in Singapore. He opened by saying that the Monetary Authority exists to “Inform, control and pressure institutions.” Singapore is trying to be a financial hub, and therefore IT is an extremely important issue.
Two of Singapore’s largest banks were attacked by hackers in 2001 and 2002, illustrating the urgent need for electronic risk mitigation practices. In 2001, the largest bank in Singapore, the United Overseas Bank Ltd. (UOB), discovered an intrusion into its Internet banking system. While much of the information concerning the incident remains confidential, it is known that hackers from Eastern Europe attacked the bank’s online system. Bank records were probed and penetrated, and the bank’s system was manipulated in order to update customer accounts. Not only did it take several months for the bank to detect the problem, but it proved labor-intensive and costly to find out who/what caused the problem.
In 2002, another attack took place on Singapore’s second largest bank, DBS Bank. In this incident, network sharing capabilities and inadequately configured systems enabled hackers to target customer systems. The hackers planted Trojan horses and keystroke loggers on the systems of 21 DBS customers, allowing them to capture personal identification numbers (PINs) and user identification numbers. While this incident resulted in a relatively low monetary loss of USD $62,000 from customer accounts, it is important to note that the greater loss occurred in the negative publicity resulting from the breach. Newspapers ran stories concerning the attack for an entire month; ultimately, such incidents could lead to a crisis of confidence in online banking.
One critical point of weakness that may have contributed to these incidents is the common use of single-factor authentication. As an example, most ATM machines use very basic authentication measures, though it will likely take only one or two more large break-ins to make banks reconsider their overly simple authentication processes. There is also an over-reliance on Secure Sockets Layer (SSL) technology; SSL is very limited because it only protects the channel during transmission, not end-to-end. Databases and other storage must be encrypted at all times to ensure security. Strong cryptography is required end-to-end; PINs, for example, are processed in a crypto box so that they are never in the clear. However, even then, PINs are not protected enough, because they are short and can easily be captured by hackers.
The MAS created the “Technology Risk Management Guidelines for Financial Institutions.” These Guidelines contain 26 recommendations for layered security. Three core themes in the Guidelines include: 1) establishing a robust risk management process; 2) strengthening system availability, security, and recoverability; and 3) deploying strong cryptography to protect data.
In addition to technological policies, the MAS requires banks to conduct on-site evaluations and penetration tests at least once per year. The MAS has a Technology Risk Assessment Team, as well as its own rating system for banks within the Singaporean system. The rating is based upon six criteria established by the MAS. It consists of a scale ranging from 1 to 5, with 1 being the most secure and 5 the least secure. Banks are required to maintain at least a level 2 grade of satisfactory. They are also expected to have a rapid recovery plan for their systems. The ratings information is published to banks as an incentive for improving their security initiatives and promoting a sense of standards. Additionally, banks are required to report any security incidents.
With the increased use of mobile payments, wireless vulnerabilities must be addressed; security practices in wireless banking are monitored in Singapore currently.
Concluding Questions and Comments
The final comments and questions outlined key themes dominating the Global Dialogue.
First, information and awareness play a critical role in educating the public on existing e-security needs. Government mandates such as suspicious activity reports are only useful when they are put into practice.
Second, information disclosure and transparency are important for improving the systems of the future. It was noted that incident cover-up is damaging because customers will go to the press. Instead, companies should rectify the situation immediately – addressing the problem directly with a plan of action is a better response to a security breach. Clearly there is a question of how much to disclose and when to disclose it; some guidelines for handling security incidents are offered in other parts of this Handbook.
Third, most participating countries stressed the need for cross-border cooperation. One area of potentially fruitful collaboration lies in the use of certification programs. In this area, agencies should work with the software community in order to define the security needs of each sector. The EBG is one example of a network of communications and outward dissemination and InfraGard, a public-private cooperative organization in the Federal Bureau of Investigation (FBI), is another. InfraGard includes all critical infrastructures, and approximately 10,000 members. The purpose of this organization is to generate trust, and to encourage information sharing among members. It is an example of how bridges must be created in the field of IT security.
Fourth, roles and responsibilities in the matter of e-security liability must be established; fulfillment of fiduciary duty and maintaining a standard of care are very important for e-finance entities. The issues involved are deposits, public trust, and confidence in the financial system.
Finally, outsourcing was a major concern among participants. One example of the problems associated with outsourcing took place in 2001 where a hosting company in the United States was hacked, resulting in a security compromise of over 300 banks. In closing, it is critical for regulators and supervisors to re-evaluate their regulatory umbrella, particularly in the case of third party money transmitters, such as hosting companies; further details on outsourcing may be found in this Handbook and other references cited in the Bibliography.