The financial industry has done such a good job of bringing itself to its knees over the past four years that it is easy to overlook the threats it faces from outside. High among them is electronic attack.
In 2010, Symantec, a cybersecurity firm, estimated that three-quarters of all "phishing" attacks, in which people are deceived into surrendering private details such as account numbers, are aimed at the finance sector. Bob Greifeld, the boss of Nasdaq, has described his exchange as being under "literally constant attack."
Many of these assaults are carried out by hackers bent on mischief. Some are the work of organized criminal groups in pursuit of loot. But plenty of people fret that some attackers are aiming to cause more serious damage.
Leon Panetta, the U.S. defense secretary, has suggested that a cyberattack on financial markets, the power grid and government systems could be "the next Pearl Harbor." In a move that received surprisingly little attention, President Obama signed an unprecedented executive order in July declaring the infiltration of financial and commercial markets by transnational criminal groups to be a national emergency. It also pointed to "evidence of growing ties between [these groups] and terrorists." In a sign that Congress, too, is twitchy, its latest appropriations bill calls for a report into the risks posed by financial terrorism.
Officials' anxiety has grown amid circumstantial evidence that malefactors helped to exacerbate the market turmoil in late 2008. A report on the risks of economic warfare by Cross Consulting -- which was written in 2009 for the Pentagon's Irregular Warfare Support Program, or IWSP, but which surfaced only in 2011 -- cites a paper prepared for law-enforcement officials by a group of anonymous moneymen who were alarmed by trading patterns around the time that Lehman Brothers failed.
The paper analyzes trading data from U.S. exchanges. It shows that a handful of small and midsized regional brokers saw their market share in equities trading skyrocket in 2008 to the point where some were, for a while, doing more business than giants such as Goldman Sachs and J.P. Morgan Chase. The brokers' business was conducted under multiple trading symbols, the market making identities used in electronic trading so that counterparties know whom they are dealing with.
The bulk of the trading appears to have been "sponsored access" agreements, under which established brokers can in effect rent their identities to other traders so that the latter do not have to jump through the usual regulatory hoops. There is no suggestion that the brokers in question were doing anything wrong. They say they were doing business with regulated entities, including other brokers, but the report raises questions about the trades these sponsored entities were conducting.
These trades were heavily concentrated in big, troubled stocks such as Citigroup and Wachovia, the survival of which were seen as critical to the stability of the financial system. They were mostly short-selling, the paper concludes, and a good deal of the shorting may have been of the illegal "naked" kind, where the short-seller does not bother to locate and borrow the shares first.
Trading data alone are insufficient to draw firm conclusions about motives, but the anonymous paper raises red flags. If the brokers were inadvertently greasing the wheels for bear raiders, then who was doing the raiding? The obvious suspects are hedge funds looking to make a killing. But rumors persist of involvement by those with non-economic motives.
Regulators have been tightening the rules. In November, the Securities and Exchange Commission voted through various restrictions on sponsored access, which Mary Schapiro, the SEC chairman, had previously likened to handing car keys to an unlicensed driver. In private, SEC staffers worry that some of the driving might be deliberately dangerous.
Sponsored access is not the only way that a determined assailant could create havoc. The "flash crash" of May 6, 2010, in which U.S. equities spectacularly nosedived, showed the damage that can be done by high-speed algorithmic trading. It is much easier to drag markets down when they are already reeling, by the use of such things as short-selling, options and swaps, points out James Rickards of Tangent Capital, an expert on financial threats. This is what the military would call a "force multilier."
Just how much danger America's financial system is in from deliberate attack is hard to judge from the outside. What is clear is that politicians, regulators and the industry have struggled to forge a coherent response. The Financial Services Sector Coordinating Council, an industry group that works under the auspices of the U.S. Treasury, has developed a "threat matrix" in consultation with a group of financial regulators with an equally snappy name, the Financial and Banking Information Infrastructure Committee. But information is not always shared promptly. Banks were miffed that regulators did not tell them about a big attack on Nasdaq in 2010 until more than three months later.
Within government, responsibility is fragmented. In America, the Treasury, other financial regulators, the Department of Homeland Security, the Pentagon, the FBI, the National Security Agency and others all have a hand in financial cybersecurity.
But the dots are not always connected, even within departments. The Treasury has been keenly focused on combating the financing of terrorists, for example, but appears to have given less thought to how terrorists might use that money to undermine banks and markets.
That is unfortunate. As policymakers wrestle to protect finance from its own instability, they shouldn't neglect the potential for threats from outside.