As Hackers Rise, Can Banks Protect Your Money?

08.11.2016 • Tech

From Nick O’Connor – Capital & Conflict (Great Britain)

In today’s Capital & Conflict… how 20,000 hacked accounts could lead to a “modern day bank run”… can we trust the banks to be secure and solvent… behind Russia’s election day masterplan… explaining “financial misinformation”… and more…

You don’t have to have a penny in a Tesco Bank account to understand how unpleasant Sunday morning must have been. It was one of those occasions when the most “macro” of stories becomes suddenly “micro” – intrusively up close and personal.

I don’t bank with Tesco. But I got a taste of the unpleasantness. I had an electrician at my house. As he peered at our fuse box with a furrowed brow, his phone rang. It was his wife. She’d had a problem with their banking. Then she’d seen news of the cyber attack and figured out what had happened. It wasn’t a case of outright panic. But it’s not a nice experience.

On the off chance you’ve been on “election watch”, so fixated on the final days of the presidential race that you’re blind to all else that happens, here’s the story in brief. Tesco Bank has 136,000 current account holders. Over the weekend 40,000 of them saw their accounts compromised due to a cyber attack. Roughly 20,000 of them had money taken – stolen – in amounts ranging from £20 to £600.

Like I said, not nice.

It’s one thing to know that the threat of cyber attacks is real and growing. It’s another to have someone reach into your bank account and extract cash.

In my (albeit limited) experience of this kind of thing, I’ve always found the banks to be helpful and to bear the costs themselves. I would hope that’s the case here and everyone who has lost money in the attack gets it back.

But there are wider implications of a story like this.

I organise the threat of cyber attacks into three categories: attacks on the individual, on a corporation or business, and against the state itself. They’re not discrete categories, as this case proves. There’s a crossover. This was an attack on a large corporation that directly affected individuals.

It’s easy to just look at it like that – from the individual level upwards. But what does this mean on the next level up, the corporate level? Tesco Bank is part of a wider marketplace – the UK banking system. What does an attack of this sort mean for the industry as a whole?

A modern day banking run

Could an attack in cyberspace lead to a systemic panic in the “real” world of the banking system? It’s possible.

Think about it like this. If you’re familiar with the fractional reserve banking system, you’ll know that the banks do not keep enough cash in reserve to pay back all depositors at once. That means if all 136,000 current account holders at Tesco Bank asked for their money back at once… the bank would not be able to meet its obligations.

That’s how bank runs start. People know there’s enough cash on hand to pay some depositors back… just not all. It becomes a race: a study in strategic queuing. Very British.

What that means is a bank operates on faith. Or as a giant confidence trick if you prefer to think of it that way. If depositors trust the bank is safe, secure and solvent they won’t all ask for their money back at once. So long as that doesn’t happen the system is fine.

Of those three s-words – safe, secure and solvent – we’d usually concern ourselves with the last here at Capital & Conflict. In the 21st century, bank runs don’t start because people feel a bank’s vaults are unsafe. They question its solvency. That’s what starts panics.

Ultimately we trust the walls, the doors and the guards more than we trust the dodgy balance sheet.

But cyber attacks flip that equation on its head. The dodgy bit of code in the firewall is just as dangerous as the toxic loan on the balance sheet. That’s new and dangerous.

Once something destroys people’s faith in the banking system… that’s when the trouble starts. That’s never happened because of a cyber attack before. That doesn’t mean it will never happen.

You can have a solid capital reserve and sound balance sheet, but if you can’t keep people’s assets safe from theft or interference they’ll ask for them back en masse and you’ll succumb to the fundamental flaw in the fractional reserve system.

Russia’s masterplan: eroding faith in the system

This same principle applies in other systems too. It’s not the first attack that causes the problem – the damage comes if you change people’s mindsets and make people question the system itself.

Let’s take the big story of the day as an example: the US election.

Whether you consider the race to become the next president a farce or a tragedy is your call. We’ll pick the bones out of the result tomorrow. But I doubt anyone would dispute that there’s been a clear cyber subplot running parallel to the antics of both candidates.

For instance, the intelligence services in the US recently announced officially that they believe Russia is behind the series of leaks from key US public figures – mostly Democrats. A joint statement by the Office of the Director of National Intelligence and the Department of Homeland Security claimed:

The U.S. Intelligence Community is confident that the Russian Government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations… These thefts and disclosures are intended to interfere with the U.S. election process.

The news tends to focus on the contents of the emails. That’s fair enough. To a large extent they prove what many people believe: that behind closed doors at the highest levels there’s a different conversation going on… a private, less palatable one.

This all reminds me of a bit of historical precedent. When the Soviets took power in Russia in the 1917 Revolution, one of the first things they did was release secret war treaties between Russia, France and Britain concerning which country would gain which regions and strategic assets in the event of a victory. It embarrassed the Entente powers, who’d always insisted such treaties didn’t exist.

But let’s not get distracted by history. Let’s say the US intelligence services are to be believed (I’m not saying we should just assume that blindly, but for the purposes of our argument let’s do so). Why would the Russians strategically hack and leak key people’s emails? Could they really influence the election?

Perhaps. But I’d argue the bigger threat would be to foment distrust in the political system itself. You could argue politicians don’t need much help to make us distrust them. But rather than achieve a single, narrow goal, these cyber attacks erode people’s faith in the political system they live in.

I’d argue a long-term loss of faith is worse than a short-term controversy, the same as a loss of faith in the security of the banking system would be infinitely more dangerous than a single attack.

And there are numerous ways cyber attacks can achieve this. As a CNBC story earlier in the month claimed (with added emphasis from me):

U.S. intelligence officials do not expect Russia to attack critical infrastructure — which many believe would be an act of war — but they do anticipate so-called cyber mischief, including the possible release of fake documents and the proliferation of bogus social media accounts designed to spread misinformation.

Spreading misinformation. That’s the opposite of leaking genuine emails from key public figures, but it can achieve the same result.

There have been several reports into whether a cyber attack could compromise voting booths directly. But why bother? Why not simply change the way real results are perceived? Change the way the media reports the results, either through blackouts on coverage counter to your goals or by altering media output itself.

That would have far more profound consequences. Imagine if the BBC or ITV newsfeed had been subtly altered during the EU referendum. It doesn’t matter what it said or how it was corrected. It’d start to destroy people’s trust in the system itself.

Or go back to the Tesco Bank situation. Theft is intrusive and it must have been awful. But long term, what happens if cyber attacks undermine people’s faith in a more subtle way – it could be adding to some balances and subtracting others, pushing people into arrears on a mortgage payment, withholding direct debits to insurance firms. Let’s call it “financial misinformation”. Enough of that and you get to the point where you simply couldn’t trust what you were seeing.

I’d argue that’s the real threat here. These systems require our faith in them to survive. That’s as true of the banking system as it is of the democratic process or the media.

Large-scale loss of faith in these institutions would lead to chaos. And cyber attacks help achieve that.

By the way, on one level this may feel slightly depressing… but on another it leads to huge opportunity for the companies trying to protect us in cyberspace.

The value of those firms’ services is directly related to the scale of the cyber threat. It creates opportunity – a problem to be solved. And an investment opportunity for us. More on that in another issue.

