Keeping SWIFT safe
Protecting against cyber-threats requires increased collaboration between IT and Operations functions, both within SWIFT and across the SWIFT community
Craig Young, SWIFT’s CTO, has been tackling threats to the integrity of both hardware and software for most of his working life. “I’ve dealt with threats throughout my career,” he says. “Working for a retail company like Verizon, I’ve seen cyber criminals very active in account-level takeovers and fraud, even going back to the early days of cellular number cloning.”
The magnitude of the threat to a market infrastructure like SWIFT is, however, amplified. “If you look at the amount of money banks have put into their own security, much of it has been on the customer-facing side, not necessarily in the back-office,” says Young. “Yet once inside a bank’s back office, it becomes much easier for a perpetrator to access significant amounts of money very quickly, as opposed to nibbling away at the edge with typical ATM fraud.”
I’ve seen cyber criminals very active in account level takeovers and fraud, even going back to the early days of cellular number cloning.
Craig Young, CTO, SWIFT
A global recognition that criminals have realised the potential gains from more ambitious targets has led to a joint effort by Young and Marcel Bronmans, SWIFT’s COO, both to reinforce SWIFT’s own defences and to strengthen community engagement in identifying potential vulnerabilities elsewhere in the SWIFT ecosystem.
How SWIFT works with its customers on cyber issues has changed, most notably since the much reported fraudulent transactions suffered by Bank of Bangladesh earlier this year. “That event has led to us working much more intensely with our community to support them in their efforts to become more secure, to gain a clearer picture of the types of cyber issues they are facing and assist them build their defences,” says Bronmans.
You need some capability at the centre of the process – a function we are now fulfilling – to translate alerts into useful and actionable information.
Marcel Bronmans, COO, SWIFT
While each bank has its own IT infrastructure with its own challenges, the centrality of SWIFT in connecting individual customer institutions means it is inevitably drawn into the picture. “We have no indication that the SWIFT network or core messaging services have been compromised, but we continue to see cases in which our customers’ environments have been compromised and subsequent attempts made to send fraudulent payment instructions,” says Young. “The threat to our community is real and requires industry-wide cooperation and a long-term response.”
SWIFT’s new Customer Security Programme (CSP) leverages SWIFT’s infrastructural role to work with its community on cyber threats. “Very concretely, it has led to a customer intelligence sharing function,” says Bronmans. What happens at one bank can, in an anonymous way, be translated into information that is useful for all the other banks to check for signs of similar activity in their environment.
SWIFT’s terms and conditions require that all users must promptly inform SWIFT of any security related incident related to the provision or use of SWIFT services and products. One of the streams of the CSP is to reinforce the responsibility to share cyber intelligence. “Of course,” says Bronmans, “you need some capability at the centre of the process – a function we are now fulfilling – to translate those alerts into useful and actionable information.”
First, he explains, cyber experts inside and outside SWIFT need to understand what has happened. “It begins with a very technical investigation; we then look at the signature of the attack and describe it in a way that we can usefully share with our community, and only our community. It is actionable security information, which, although based on specific incidents, is provided on a totally anonymised basis.”
As part of the CSP, SWIFT has created a dedicated Customer Security Intelligence team, bringing together a strong group of IT and cyber experts from within SWIFT, supported by leading IT security firms, BAE Systems and Fox-IT. The team investigates customer security incidents and supports customers’ own investigations. It has already published customer-anonymised findings about modus operandi, developed multiple Indicators of Compromise (IoCs), and provided details on how to protect against such attacks. “We will continue to share security updates and develop new IoCs, informing users through our Security Notification service when new IoCs become available,” says Bronmans.
He stresses that while the CSP is already delivering tangible results, each organisation’s role in this effort is critical. “Any customer that fails to ensure the physical and logical security of its environment is potentially at risk,” he says.
In recent years, SWIFT has maintained a cyber-roadmap, keeping track of evolving threats. “Today we face a much more sophisticated landscape with advanced and persistent threats, so we look at our roadmap yearly and adjust our implementation priorities in terms of new cyber defences and cyber techniques,” says Bronmans.”
An essential part of this process within SWIFT itself is a constant interplay between IT and Operations teams to expose vulnerabilities. “I explain to my team that we’re 20% friends and 80% enemies,” Young explains. “My team plays the bad guys and acts as criminals trying to get into the SWIFT network, essentially acting like a group of ethical hackers.”
The ‘blue’ team on the Operations side are meanwhile tasked with detection and response readiness. “When the red team attacks, my team is not aware of whether it is real or not; we are not forewarned,” says Bronmans.
“It’s an active game of cat and mouse that our teams are engaged in; it’s equivalent to doing wargames,” says Young. This approach reflects a mind-set that Young has encouraged since joining SWIFT as CTO: “Assume breach; don’t assume you’re secure,” he says. “Inspect what you expect – test often, and make sure you’re putting the right level of control at each stage of the software development lifecycle so that you have the ability to identify, understand, and close an issue as fast as possible. It’s an ongoing evolution of our security footprint that we all need to keep working on.”
* This article originally appeared in Monday edition of SWIFT at Sibos magazine. Download your copy of the complete Monday edition to read the latest news from the conference!