Going forward - Balance between convenience and security
The country and the rest of the world are eagerly waiting for the recommendations from the investigating committee led by Dr. Farashuddin. In a recent press conference, Dr. Farashuddin laid the blame for Bangladesh Bank's (BB) vulnerability squarely on the Society for Worldwide Interbank Financial Telecommunication (SWIFT), and on their technicians who purportedly introduced loopholes while connecting the real-time gross settlement (RTGS) system to SWIFT. I am not going to question the validity or the motive behind this accusation. However, the US Federal Bureau of Investigation (FBI) has raised the possibility of internal foul play, and Dr. Farashuddin has acknowledged the same when he said that "BB staff had contributed to the situation through their carelessness, callousness, irresponsibility and ignorance". His commission's final report must bring some closure to this issue.
Now that the various investigations have revealed weaknesses that can be exploited, and we know that systems, protocols, and software exist to protect against future "intrusions", it is crucial that the nation gear up for action to minimise the risk of attacks in the coming days. Fortunately for Bangladesh, and for the consultants lending us a helping hand in strengthening our cyber security "Iron Dome", we can use tools that have already been tried and tested in other parts of the world. Bangladesh must stay in constant touch with international experts and banking regulators to learn from their proactive initiatives. We must undertake the following steps:
* Conduct regular IT security assessments; review access control, validation, and record-maintenance procedures;
* Instruct employees on the proper protocol to follow when using equipment;
* Review employee clearance levels and audit controls, and ensure accountability;
* Use software to ensure encryption of all stored data and of all transmissions;
* Deploy a well-tested "contingency plan" that covers data backup, disaster recovery and emergency-mode operation.
The above is just a sprinkling of the many "best practices" followed by IT security professionals who work to the International Organisation for Standardisation (ISO) 27000 family of standards (organisations are certified against ISO/IEC 27001). ISO and the International Electrotechnical Commission (IEC) jointly develop this specialised series for worldwide standardisation of information security practices. Let me quote from ISO/IEC 27039, amended in 2016: "Organisations should not only know when, if, and how an intrusion of their network, system, or application occurs. They also should know what vulnerability was exploited and what safeguards or appropriate risk treatment options (i.e. risk modification, risk retention, risk avoidance, risk sharing) should be implemented to prevent similar intrusions in the future."
A familiar term in the profession is intrusion detection and prevention systems (IDPS), which address threats posed by malware, hackers, and other breaches. IDPS came into use in the 1990s, and Bangladesh Bank appears to have been at least two decades behind in its readiness to use IDPS effectively. ISO recommends that, for an organisation to derive the maximum benefit from IDPS, the selection, deployment, and operation of IDPS be carefully planned and carried out by properly trained and experienced personnel. Within the ISO/IEC 27000 series, it is ISO/IEC 27039 that provides guidelines for effective IDPS selection, deployment, and operation, as well as fundamental knowledge about IDPS.
Bangladesh Bank, as it attempts to catch up with best practices around the world, could adopt guidelines already tried in the EU financial sector, such as: developing and maintaining a set of security standards for product development; performing security evaluations and tests on devices, applications and systems; providing guidance to help end-users configure ICT systems to comply with ISO standards; performing in-house and independent third-party security testing of vendor solutions; and evaluating and developing responses to vulnerabilities that could affect installed systems as they are discovered.
If we stay attuned to the experts and practitioners working in the financial and banking sectors worldwide, new threats and the methods used by the crooks can be neutralised before any damage is done to our own emerging system. New products are being marketed by "fintech" players, from online marketplaces such as eBay and mobile-money services such as bKash to cryptocurrencies such as Bitcoin, which compete against traditional banks. To quote an expert, Boston Fed's Eric Rosengren, "Customers are looking for convenience; so not surprisingly, new applications and devices continue to evolve in unexpected ways." Our regulators and supervisory bodies need to craft an infrastructure that carefully balances the need for convenience against the need for security.
In this new environment, Steve Hill, Director of External Engagement at The Open University, advises that "Businesses need to recognise that investing in IT infrastructure and retraining staff must go hand in hand. As the techniques used by hackers to breach networks and servers become more sophisticated, companies need to do more than simply update their IT systems. Instead, they must ensure that their employees have the knowledge and skills to maintain best practice and future-proof the company's defenses. … Cyber security measures cannot simply rely on the expertise of a skilled IT team. Knowledge about best practice must be widespread across an organisation."
At the 2016 Cybersecurity Conference organised by the Federal Reserve Bank of Boston in April, Boston Fed President Eric Rosengren offered the following warning: "Rapid evolution generates risks… The risks in the cyber realm are, unfortunately, not abating".
Given our recent interactions with the US Federal Reserve System following the February heist, BB can seek ways to collaborate with the Fed and proceed to take proactive measures to meet the challenges brought about by electronic business.
The writer is an economist and has been working in ICT for three decades.