Norwich University, the oldest private military academy in the country, has long been a training ground for the next generation of U.S. warriors. But, because 21st-century combatants can inflict as much damage in cyberspace as they can in the real world with bullets, rockets and explosives, Norwich’s research-and-development arm now devotes significant resources to protecting another flank of the nation’s critical infrastructure: financial markets and institutions.
In November, representatives from the Norwich University Applied Research Institutes (NUARI) were at the Chicago Mercantile Exchange to test-drive a prototype of their new cyber “war game” simulator, called DECIDE, which is specifically designed for the financial sector. A second demonstration was held last month at the New York Stock Exchange, and a third is scheduled for March with representatives from the U.S. Treasury and Federal Reserve Bank in Washington, D.C.
DECIDE — short for “Distributed Environment for Critical Infrastructure Decision-making Exercises” — simulates some of the real-world computer threats to financial markets and institutions, such as banks, credit unions, investment firms and stock exchanges. The technology is being developed using a $15 million federal contract secured in 2005 by Sen. Patrick Leahy and former Utah Sen. Bob Bennett.
Phil Susmann, president of NUARI, explains that major financial institutions are just beginning to learn how to recognize, identify and respond to “operational risks,” such as cyber attacks and unscheduled disruptions of service. He says such simulations are based on an assumption that applies to every entity in the financial industry: “You know you’re going to be attacked. You know you’re going to be hacked. You know you’re going to be broken into. Now, what do you do?”
One challenge of developing financial-sector war games, Susmann explains, is to design software that accurately replicates the thousands of business relationships a financial institution maintains via computers — with banks, global exchanges, investment firms, clearing corps, etc. — while simultaneously protecting the highly proprietary nature of those relationships.
And those simulations, like any war game, need to be as realistic as possible. In January, NUARI — working with its partners at Utah State University’s Space Dynamics Laboratory as well as a private firm called Delta Risk — ran three scenarios to show the New York Stock Exchange how to identify its vulnerabilities to cyber interruptions.
The first “war game” posited a natural-disaster scenario: A major hurricane is expected to hit lower Manhattan within six hours. NYSE officials know there will be some loss of connectivity for an unknown period. How will the world’s largest exchange, which engages in billions of transactions each day with countless financial entities worldwide, reconfigure its operations to maintain its business continuity?
Such a scenario is the easiest kind to prepare for, Susmann explains, since the event can be predicted, is relatively localized and can be expected to reach an end.
More problematic are the two other scenarios NUARI ran. One was a simple “denial of service” activity, in which the NYSE’s internal computer systems are all functioning fine but, for some unknown reason, can’t connect to the outside world. The third was an “insider-threat” scenario, in which a person or group of people deliberately tampers with the system.
To make the war games still more realistic, Susmann says a future version of DECIDE will impose time limits — and penalties — on the decisions and actions taken by the financial institutions.
Cyber attacks, which can be launched by individuals, terrorist cells, organized-crime groups and foreign countries, are now so pervasive and sophisticated that, in 2009, they caused losses of nearly $560 million in the United States alone. At any given time, more than 100 foreign countries are trying to penetrate American computer networks, according to the October 15, 2010, issue of the Lipman Report, published monthly by the global security firm Guardsmark. Most of those attacks originate in Russia and China. In 2007, Estonia suffered a national-level cyber attack so severe that it took the entire country offline for a week, snarling up government operations, telecommunications and financial networks.
Though such events cannot be predicted, Susmann emphasizes that the final version of the DECIDE software will enable financial institutions to see how their own computer systems would respond and plan contingencies accordingly. Fundamental to the exercise are simply learning how to recognize that an attack has begun and knowing which “buttons and knobs” to turn to minimize the damage.
The final, market-ready version of DECIDE will be ready by July 15, 2012. Ultimately, the goal of its creation isn’t just to “harden” the financial sector against attack, Susmann says, but to develop simulations that are also applicable to other critical infrastructures, such as communications, transportation, energy and information technology. Eventually, the researchers of NUARI hope to commercialize their efforts, possibly by setting up an “operational-risk” company in central Vermont that specializes in safeguarding U.S. infrastructure.
It made sense to start this kind of work in the financial sector because, as Susmann puts it, the operational risk is “purest” there.
“For the most part, money completely exists within the electronic realm,” he says. “What you have in your pocket is just a metaphor for a one and zero somewhere.”