An obvious case of a targeted attack, using vulnerability exploit tactics, the 100 million dollar Bangladesh Bank heist will remain one of the most profiled cyber crime case studies throughout 2016. It has all the ingredients of a bestseller. A star victim, none less than the central bank of a country, a sizeable value of crime in terms of money, and a media coverage following the story of how the money moved across countries and banks and casinos and chips -- a classic cyber crime thriller material.
However, the incident is real. The hacking has happened. Our central bank reserves have been robbed of millions. Whether we can recover the amount (as Bangladesh bank officials are claiming) or not, the fact remains that our central bank is vulnerable. It also means the entire financial and banking sector of Bangladesh is vulnerable.
These could have been remote hack exploiting vulnerabilities in the system, or an intrusion based hack in collaboration with insiders (which some are trying to call a malware attack) or even a state or organisation sponsored attack. The “sponsored” attack part may seem like a conspiracy theory, but only to be written off after a full professional and certified cyber intelligence investigation. I repeat the word investigation, which is not to be mixed up with the concept of incidence response management. Unless we have a professional level investigation the facts of the incidence and the vulnerability loops and identification of involvements will never be discovered. From what is coming out in the media it seems that the central bank focus is on incidence response. It is a step towards speculated cure but not diagnosis and a way to future preventions.
The hacking of the Bangladesh Bank system is not a real life bank robbery. The crime scene is not at the bank premises. It is on cyber space -- on computer servers across the globe, in devices the hackers have used, across the internet traffic used in the operation starting from the Bangladesh Bank servers, in logs and files and activity of the systems linked.
The hackers are talented and they would have masked their paths. It is important to first investigate, come to a finding and then start planning and implementing a security system for the infrastructure with proper solutions and practices in place. Without a diagnosis there will be no prescription.
Nevertheless, the Bangladesh Bank incidence is just the tip of an iceberg. Not a caution beep but a mega horn. The cyber threats everyone loves to talk about in seminars and symposiums are now real right on our tables. And it is ugly. The concern is not just about the incidence at hand, but at what it has brought out to light.
1. Our central bank does not have a chief security officer in IT. Is there anyone and a team responsible for cyber security? Cyber threats and security are standard issues. It cannot be that the central bank does not have responsible and dedicated personnel for cyber security. If there is, question is why the CSO is not answering the questions to the queries or why the personnel commenting and answering are not identifying themselves as cyber security personnel. Again what are the opinions of the central bank's IT team and findings on the incidence?
2. Media reports suggest that the corresponding Bangladesh Bank servers are not firewall protected. That again cannot be. It is a standard procedure particularly in a crucial infrastructure. What are the access policies? Who controls the policies? How are the policies implemented? What measures were taken to filter web based attacks? Who is answerable to the questions related to this?
3. The central bank's IT head (or maybe joint heads) has not identified himself or themselves and accounted for the incidence.
4. Clearly enough the central bank is not prepared for an incidence like this. No reason why they should not have been. The nation is moving through a digital revolution. The central bank itself has comments and statements on digital developments of the Bangladesh banking sector. They must have been going through various cyber security reports and alerts. Did they not subscribe to professional cyber threat intelligence services and reports? This is the central bank of a country. This is all standard in the IT world. Seems they had no plan or policy on reporting or responding to a cyber incidence at all. Answering to the press has been a PR failure also as nothing has been clearly stated or denied even.
5. Neither the central bank nor the government has an emergency response policy, plan or team for cyber incidences. Nor do they have a plan to contact the right agencies and establishments in a crisis situation like this. No authorised contracts. No advance threat intelligence service subscriptions. No specific point to consult with. It's all being done now in the midst of a commotion in bits and patches. How are the security experts involved at the moment being vetted? Are we giving access to any form of investigation on a central bank transaction system? What about national security?
6. Does the central bank have regular certified cyber security related trainings for dedicated team members? If they have, what are that team's findings and opinions? Security training is a standard process in a mission critical IT setup.
7. There are stories about involving the US Secret Service and FBI in the investigation process. As far as it is concerned it should be the Interpol's cyber intelligence team. The crime has been carried out across the borders beyond the US and Bangladesh. The Interpol carries out investigations in collaboration with all the countries across borders.
8. Imparting speculative comments on the incidence before a concluded investigation harms the image of the country and hampers the investigation process. The concerned and the media should take that into serious consideration. Everyone seems to be having a say on the incidence without responsibility.
Questions and observations can continue. But the base line is that we were not ready for a cyber threat. We are not ready even now. If the central bank is not secure, the other banks in Bangladesh are not also. That brings to questions on our national power grid systems, crucial government infrastructures or even the national ID database. How secure are we? What security measures are maintained? Why don't we have a national IT chief security officer with an expert and trained team at disposal?
The time is past already. The incident of hacking has been an expensive eye opener for us and our lacking is great news for the cyber criminal community. We can expect more threats now. And this is just one area. We haven't spoken yet about our children being bullied online, our women being harassed on the net, random access to pornographic contents having serious impact on the social aspects, or terrorist targeting propaganda across the circuit. Establishing a cyber security platform is not a one day run. It takes a long time covering various aspects. And there is no magic formula for an instant cure.
We live in a connected world and will remain to live so. And in this world, cyber threats are real. It's time to take the right steps and implement the right solutions and practices in cyber security.
The writer is CEO of Officextracts.