TL;DR: Central banks may become the juicy cyber theft targets of the future, so they need to step up their info sec game.
Last month, the Bangladesh central bank became the target of cyber thieves. It is striking how easily the criminals penetrated the servers of Bangladesh Bank (BB). Using the most common of attack tools, ordinary malware, the thieves made off with some $100 million, and would have ended up with close to $1 billion had the remaining transfers not been stopped, reportedly thanks in part to a printer error at the BB. The fraudulent transfers went through the Federal Reserve Bank of New York, where BB keeps an account for international payments, which made the US central bank the conduit for laundering the stolen money.
By stealing from the Bangladesh central bank, the thieves effectively stole from one of the world’s poorest countries, with a GDP per capita of $1,086 (compared to $54,629.5 for the US, to put it in context). Like all forms of robbery, someone loses and someone gains. In this case, the Bangladeshi people lost $100 million, which goes a long way in that country, while an organized criminal syndicate with apparent ties to the Philippines and Sri Lanka gained. The central bank is the guarantor of the private banks, but when someone steals from the guarantor there is no one to fall back on: the central bank has to dip into the country’s foreign reserves to replace the stolen money and meet its foreign payments.
Central banks have certainly seen their share of cyber attacks, usually in the form of DDoS or theft of personal information. The Bank of Lithuania, the European Central Bank and the Reserve Bank of Australia have all been targets. But the BB heist, which went straight for the money, is a step up for cyber criminals. The FBI is helping Bangladeshi authorities investigate the attack, but who is to say that this feat won’t be replicated sooner rather than later at another central bank?
Are Central Banks Secure?
In addition to setting monetary policy, central banks set virtually all standards imposed on a country’s banking system. The Fed, for instance, has published supervisory policy and guidance on information security covering risk assessments, identity theft, online banking authentication and the safeguarding of customer information, among others. The Fed likewise has guidance on anti-money laundering, which is relevant here because the Fed was not the victim of the theft but the channel through which the stolen money was funnelled to a bank in the Philippines. Looking through the Fed’s info sec guidance, however, there appears to be no specific policy on the actual theft of money from the central bank’s own accounts. The Bangladesh central bank similarly publishes guidelines for domestic banks, including on integrated risk management and money laundering. Yet neither of the two central banks joined at the hip by this heist has disclosed how it manages its own info sec.
I checked the website of the Bangko Sentral ng Pilipinas (BSP), the Philippine central bank, which is indirectly implicated in the heist. Info sec is clearly on its radar, but as with the Fed and BB, the BSP’s management of its own info sec is not publicly disclosed. It is worth noting that both the BB and BSP websites are so antiquated that it is almost physically painful to search them for information. An old-looking site is not by itself proof of weak security, but it hardly inspires confidence that the systems behind it are any better maintained.
Practice What You Preach
The inadequate disclosure of info sec management by the three central banks loosely sampled here is probably indicative of central banks worldwide. Perhaps this is so because of the belief that nobody would steal from a central bank. The Bangladesh cyber heist should change that mindset.
Central banks should, therefore, be held to the same standard of info sec management as the private banks they supervise. How? Through the following:
- Treat information security as a management issue. Information security is not just an IT problem, it is a management problem. Hold senior management accountable for info sec failures.
- Publicly commit to implementing info sec measures. The bank does not have to disclose what those measures are, since that could tip off attackers, but a public commitment signals the importance of info sec to constituents.
- Implement a robust info sec program that includes regular training of personnel, regular risk assessments and independent security audits, covering the bank’s own payment systems and not only those of the banks it supervises.
- Transparency. Taxpayers are entitled to know if government funds have been stolen, don’t you think?