Security Is About More Than Who Has the Keys
Very often in computer security, too much trust is put in access controls -- passwords, identification cards, biometrics, and so on -- and not enough thought is given to limiting the consequences if those controls are defeated and unauthorized access occurs. I was reminded of this when reading Bill Snyder's reporting on new work from cPacket Networks.
Modern financial markets, powered by automated and high-frequency trading, operate on the microsecond scale. cPacket has developed a proof-of-concept attack that could create tiny delays in trades that an attacker could turn into a trading advantage. In cPacket's attack, the attacker would be profiting by exploiting the system underlying our financial markets (at the expense of other traders). It is very interesting, but as far as bad acts go, it is unlikely to keep anyone up at night, other than traders.
However, the "flash crash" from last May -- where the Dow dropped nearly 1000 points over the course of a couple of minutes -- was probably responsible for more than a few sleepless nights. The ultimate cause of the crash varies depending on who you talk to, but the dynamics of automated and high-frequency trading is always part of the picture and it is widely agreed that the crash was unintentional, set into motion by accident.
So what if an attacker was not interested in making easy money, but in causing harm? At the time of the flash crash, protection from attacks was generally limited to the access controls on the electronic exchanges. And while those controls are undoubtedly significant, that was it. Anything an attacker could set into motion, using real or forged orders, would play out. Now, could an attacker, with some form of unauthorized access, deliberately cause the kind of crash we saw on May 6? I cannot say.
Fortunately, regulators and financial institutions are taking action, and while their efforts to build sanity checks into automated trading -- including volatility interruptions or so called "circuit breakers" -- are being implemented to counter the uncertain dynamics of automated trading, those checks are also an improvement to the security of our financial system, and ones that arguably should have been in place from the beginning.