The Immediate Tasks at Hand
MORE than three months have passed since the Bangladesh Bank (BB) heist, and in the interim much water has flowed down the Padma, Meghna, and Brahmaputra. The internal commission chaired by Dr. Farashuddin has submitted its interim report. He has held SWIFT responsible for making the payment system vulnerable to cyber attacks. Other accounts, including the CID report, have revealed many of the shortcomings of the security environment and practices followed by BB before the heist. The country is eagerly waiting to know whether the more egregious of the weaknesses or "vulnerabilities" in BB's cyber network have been addressed, so that we can enjoy our weekends knowing that some other miscreants and hackers have not been roaming undetected in the infamous SWIFT room or in BB's cyberspace.
It is laudable that the government is directing its efforts to limit the damage done by the "weekend caper" of February 4 in many directions, most notably to recoup the lost money, identify the culprits and their modus operandi, and strengthen BB's electronic infrastructure. I do not intend to harp on the same tune, listing the many failures or existing vulnerabilities of the apex financial institution of Bangladesh, but if we do not learn from our mistakes, we are bound to repeat them in future. Therefore, from the intense investigation, review, and overhaul of BB's cyber security setup, the public would like answers to the following questions: what happened and how; what are the various commissions' and investigative bodies' recommendations; and finally, what changes have been implemented and are being planned.
As ICT professionals working with sensitive data that is often compromised across the USA, we are constantly reminded of the administrative, physical, and technical safeguards necessary to protect our electronic data and transactions. In this light, I can list a few lapses at BB that stand out for me. Lack of a firewall and use of obsolete routers are examples of weak technical safeguards. Other instances of weak technical safeguards include the lack of procedures on virus monitoring, emergency access (e.g., the inability of weekend staff to access the transfer advice on February 5 because of non-functioning equipment), audit control (to record and analyse the activities within BB's information system), and transmission security. Adequate policies and procedures pertaining to transmission security would have ensured that technical controls were in place to verify that SWIFT transmissions are authentic and have not been tampered with, and that the encryption protocols are secure.
There are also many evident loopholes in the "policy and procedures" followed by BB's administrative departments, including the Forex Reserve and Treasury Department, and the Budget and Account Department. In a rare pronouncement last week, SWIFT reported that "The attackers clearly exhibit a deep and sophisticated knowledge of specific operation controls within the targeted banks - knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both." The report also mentioned that the criminals attacked the banks' connections to the SWIFT network and obtained login credentials and dispatched fraudulent SWIFT messages.
This indictment from SWIFT raises the following questions (and answers to these will serve as stark reminders of the work that lies ahead of us):
Who was responsible for maintaining the hardware, for example, the printer connected to the SWIFT financial messaging company which was not functioning?
What is the protocol for escalating the problems that the weekend staff came across on February 5? To remind the reader, BB staff "visited again the following day, also a holiday, and attempted to fix the issue but the software connected to the terminal did not respond, instead displaying a message saying 'a file is missing or changed'"!
What do the existing rules and regulations stipulate when critical equipment and the software that supports them have such catastrophic failures?
Where are these activities logged/documented in real-time during the weekend, and what procedures were followed to review them?
Were the backup procedures for the task followed?
Has the lack of oversight audit reporting been addressed?
I hope that one of the administrative safeguards now in place will remedy the negligence evident in the failure to secure the SWIFT communication room, which, "considering the importance of the room, the bank should have deployed staff to monitor activity round the clock, including weekends and holidays."
If all the above sounds like I am beating a dead horse, allow me to mention that Bangladesh Bank can take some comfort from the fact that the central banks of India, USA, and other advanced countries are currently undertaking a "detailed examination of the status of the information technology (IT) that's currently being used by banks." The Governor of Reserve Bank of India (RBI), Raghuram Rajan, recently said, "Across the world, we understand too little IT and there are various ways of getting through cyber defenses, including through people rather than through processes or networks." RBI will be issuing IT examination reports to judge the security preparedness of banks, as well as assess the effectiveness of the technology adoption of banks, Mr. Rajan said. Similarly, in the US, where cyber security is now apparently religiously followed, the Federal Deposit Insurance Corp (FDIC) reported to Congress that five major incidents of data breaches have occurred since October 30.
To sum up, with regard to cyber-security, Bangladesh Bank and other financial institutions need to devise a "Great Leap Forward" strategy to catch up with the modus operandi of cyber criminals and take advantage of the latest tools available to protect the system and detect such crimes. Therefore, news headlines which pronounce that the BB heist is just a wake-up call cause ICT professionals some dismay. Like the Red Queen in Lewis Carroll's story, BB needs to run faster to stay in the same place. In the next op-ed on this topic, I will weigh in with some best practices from the international community. In the meantime, allow me to leave the readers with the following to chew on. In a presentation on April 3, 2016, the Boston Federal Reserve president warned of cyber risks, and of how, with the growth of electronic transactions, the onslaught on the banking and financial systems is only likely to increase. The Fed president warned that the industry must be proactive.
The writer is an economist and has been working in ICT for three decades.