Cybersecurity Risks and Organized Cybercrime on Sovereign Fund and Financial Institutions
Introduction
Organizations, regardless of their nature are leveraging the use of information technology for their operations, making information systems’ implementation at the core of the productivity and competitive advantage. Business organizations are not the only ones that use information technology in their operations. Federal and other government agencies have also adopted the trend of application of information technology (Tabansky 117). In fact, there is evidence of an increase in the move of operations to the cyberspace. It is worth noting that those agencies that have adopted the aspects of financial information continue to augment their operations through information technology, some as critical as Sovereign fund and financial institutions. In fact, the financial institutions are the major target of cyber-attacks as showed in figure 1 below.
Figure 1: IBM, 2014
The security of the information is at the core of the operations because any risk can amount to serious costs for the involved organization and those affected by the information. The critical information infrastructure should be well secured, highlighting the criticality of cyber security. However, the security measures have not completely averted cyber-attacks from being perpetrated by skilled hackers and cyber criminals. Figure 1 below shows the incidents that took place in 2013.
Figure 2: IBM, 2014
Definition of Cyber Security
Development in technology has been beneficial for organizations, including the Sovereign fund and financial institutions, but at the same time causing serious threats. The stern advancements in technology have been accompanied by the surfacing of novel kinds of cyber actions which have been characterized as cybercrime and threat to cyber security (Spalević 687). The cyber security or cybercrime phenomenon has emerged as a new threat, which has resulted in diversity in the definitions given to the term. Cyber security is a critical area of focus within the discourse of information technology based on the myriad of potential attacks on any part of the information infrastructure. According to Spalević, cybercrime is the collective term applied to the types of criminal activities that can be perpetrated with, or against the information systems. The author adds that the crime takes place within the electronic environment forming the basis for the criticality of cyber security (687). The concept of cybercrime emerged alongside the concept of cyber security, highlighting the need to negate the effect of the crimes perpetrated within the environment.
Hewes assumes a similar perspective that the concept of cyber security can only be understood within the context of cybercrime (4). The author underscores the importance of the managers to have an understanding of critical issues to watch out for in the efforts to ensure the security of information in the cyberspace (Hewes 4). The author defines cybercrime as criminal activities involving the information systems, computers, and the internet. To understand the criticality of cyber security, the context within which it occurs is critical. Cyber security highlights the means for ensuring that the cyber environment of an organization is safe from various threats that are associated with cybercrime (Schell 20). Hewes goes further to mention some of the threats that amount to cybercrime, including “1) identity theft, 2) phishing schemes’, 3) theft of corporate funds, assets, and computer resources, 4) disclosure, modification, or destruction of personally identifiable information (PII) or proprietary information, 5) abuse of computer resources for unauthorized purposes or to launch attacks on other systems, and 6) causing damage to networks and equipment” (Hewes 4). Any efforts to counter these attacks fall under the cyber security paradigm. Viruses are commonly used where they are installed into a computer and keep replicating allowing access to information (see figure 3).
Figure 3: Elnaim & Elamin 15
Cyber security’s formal models highlight the descriptive standards that can be adopted in the efforts to guarantee that the information systems of an organization are safe from cyber-attacks. The models are critical and can be easily implemented due to their standardization and the ease of implementation. With the increase in the use of information systems, organizations cannot risk operating in an environment without cyber security mechanisms (Tabansky 117). The market is awash standardized measures for ensuring cyber security founded on a solid basis applying formal cyber security models. Within the modern environment, the approaches to cyber security are coming up, which are more targeted because of the sophisticated nature of the mechanisms used by the hackers in perpetrating the attacks (Schell 21). Regardless of the efforts, the attackers have not been deterred from their continued efforts to penetrate the most concerted attacks. In fact, the more the technology develops, the more the attackers define more sophisticated methods to penetrate the information infrastructures of their target organizations.
Current Strategies in Dealing with Cyber Security
From the reality of the cyber threats, organizations cannot risk operating in an environment without strategies for protecting their information systems and the information therein. Hence, diverse strategies have been developed for use in protecting the information infrastructure. Among the commonly used strategies today fall under the categories of access control, protection against subversion, and verifiability, the cyber security defense triad (See figure 4) which in turn, have various particular measures (Schell 20).
Figure 4: Schell 21
Organizations have invested in the efforts to make their computing and information services safer by implementing one or a blend of measures devised towards that end. The most commonly used strategies are those founded on restricted access to the system to ensure that the attackers do not gain access to the system or the information therein (Schell 20). For government information infrastructure, there is investment of billions in adopting cyber security measures. However, the effectiveness of the strategies remains a subject marred by controversy, especially in the face of continued attacks.
Research has focused on the complexity in addressing the problem of cybercrime, the indicator of the continued perpetration of the acts regardless of concerted strategies and approaches to tackle it. The contemporary government organizations have implemented surveillance and monitoring as strategies to identify the threats of vulnerability in the information systems with the goal of adopting countermeasures (Schell 21). The strategy to identify risks is the basis for success in implementing measures to protect the system, given the reality that the crimes are perpetrated by the attackers’ use vulnerabilities. Therefore, the strategy has been used with the aim of addressing the vulnerabilities by fixing the problems that could allow the attackers to penetrate the system. For instance, whenever a gap is identified, it is fixed early before the attackers take note of it and use it to commit a crime. However, the efforts to make the system safer using this approach have suffered a lot of criticism for being ineffective in dealing with the problem of cybercrime. The source of concern is that it is not possible to identify all the flaws and fix them to make the system completely foolproof.
Regardless of the criticism, surveillance, and monitoring remain in use for the purpose of identifying the loopholes, after which the team involved in IT management implements more proactive strategies to seal them. However, “as new classes of vulnerabilities are revealed, the process must be updated.” The reality is that the hackers appear to be steps ahead in developing the means for hacking into the systems and access critical financial information. The paradigm of “penetrate and patch” has worked in the past but might not work with the emerging threats. Using the model, the person responsible for cyber security finds and patches the holes to prevent their use by the attackers (Schell 21). The model is different from the control of access. In this case, the defender implements strategies to prevent access, whether vulnerability is identified or not. Strategies such as the use of firewalls have been used by the financial institutions to bar entry and access to the information within the information systems of the organization.
Current Operation Issues
Research indicates the challenging task ahead of the efforts to prepare the managers of Sovereign fund and financial institutions to leverage the use of information technology amid the quandary of cybercrime. Cybercrime has legal implications which start before the initial attack and culminates at the eventual determination of a lawsuit relating to an attack (Hewes 4). The organizations and the staff responsible for the managerial roles have the challenge of ensuring that their information systems are not vulnerable to cyber-attacks based on the criticality of the information therein. However, the attacks are perpetrated in such a deceitful way, making it a challenge for the managers, even within the IT department to realize. In most cases where an organization has suffered an attack, the management becomes aware in the aftermath of the act, leaving it to deal with the ramifications. Therefore, even where surveillance is in place, some loopholes might remain, which could be used in perpetrating an attack.
The nature of the Sovereign fund and financial institutions pose another challenge in the efforts to implement strategies to counter cybercrime. Given the reality that the organizations deal with financial information, there is a lack of transparency of operations making surveillance and monitoring challenging. Within a financial sector, the undertakings in one department can be concealed from other actors in the network, including those engaged in monitoring and surveillance. Such makes the already complex network even more complicated. In that environment, it becomes challenging to spot vulnerabilities and threats to information security (Spalević 688). Interestingly, the very organizations that have cyber security as a major security concern have their nature hindering the effectiveness of the efforts to ensure the security. Additionally, the main focus of security in financial institution entails confidentiality of information, which emerges as a loophole for identification and use by cyber criminals. Hence, the efforts to address the problem have remained highly counter-productive.
Regardless of the reality that in cyber security there is engagement of multiplicity of subjects, private, public, global as well as non-state actors, there remains a lack of adequate follow-up of cyber security efforts, making the environment quite ineffective in addressing the problem. The size and complexity of the region have created major challenges for the implantation of the policies to counter cybercrime. The complexity of management of networks entails a vulnerability that the attackers can easily use to attack the information infrastructure of the institutions. Also, due to the technical character of the challenges associated with cybersecurity, the defenders have failed to keep at par with the knowledge and skills developed by the attackers (Spalević 688). Evidently, the means used by the perpetrating attackers such as phishing and denial of service among others, are always evolving, creating a challenge for the defenders of the systems and networks to also develop the skills to counter them. In fact, research has indicated inadequacy in developing the skills.
It is worth noting that research has revealed that cyber security is a new and fast evolving field in research and practice (Tabansky 117). As a result, there is a challenge in developing the legal framework for dealing with the predicaments associated with this field. Spalević elucidates that there is complexity in the legal issues affecting cyber security, hindering any efforts to address the problem effectively (688). Within the government institutions and even the private ones, the primary challenge relates to the reality that the legal issues impacting on cyber security are somewhat in conflict with legal rights, such as the freedom of expression and right to expression. From another perspective, there are legal issues associated with the responsibility and control connected with the working of the institutions. The problem is made worse by the fact that the legal framework has failed to evolve at the same rate as the cyber security issues, leaving a vacuum that creates the management challenge of protecting the information infrastructure of the institutions.
In an oversight, the cyber security issues also face implementation challenges. Cybersecurity within complex agencies such as the Sovereign fund and financial institutions cannot be effectively managed by individuals. Hence, it is an area that witnesses the coming together of teams responsible for defending the information infrastructure from cyber-attacks. Working together as a team poses major challenges in the implementation of the strategies devised to ensure the protection of the information systems. The problem is primarily due to the reality that there is a lack of clearly defined locus of control over the system protection and also a lack of clearly defined roles of the participants (Schell 21). The participants’ heterogeneity in the oversight operations also poses challenges for the policymakers in implementing the approaches to ensuring security of the systems (Spalević 688). The operations of the institutions do not allow for well-defined approaches to addressing the problems, as their primary focus is on the measures of protecting the integrity of the financial information.
The global nature of cyber security poses a challenge for the Sovereign fund and financial institutions in implementing measures to defend and protect their information systems. The networks involved in the perpetration of cybercrimes are not localized as would be the case in the conventional crime against the infrastructure such as the stealing of physical storage devices. Instead, the perpetrators do not have to be physically present to be successful in perpetrating an attack. Compared to traditional criminal activities, cyber-attacks have proven to be distributed in scope with networks that are global in reach. In some of the occurrences, the attacker is in a different country from where the crime is committed (Spalević 688). Given the importance of the financial institutions, they have become major targets for the targeted attacks. In addition, the attackers operate within an environment with adequate legal mechanisms, from a global level, to deal with the attacks (Schell 21). In fact, networking and the lack of adequate legal framework has exacerbated the problem.
Organized Attack and Cyber Security Examples
Swift India
Regardless of the concerted efforts to implement cybersecurity standards to protect the financial systems, networking has allowed for the perpetration of most daring cyber-attacks in the modern age. Among the most recent attack is the Swift attack perpetrated in 2016. The attack was carried out on the three government-owned financial institutions where the hackers successfully infiltrated the financial systems, creating counterfeit business documents and using them in raising finances internationally or facilitating business deals items that have been banned (MitKat 1). The banks, whose headquarters are in Mumbai and Kolkata, have been the most recent victims of concerted cyber-attacks perpetrated on a global scale. The attackers penetrated the systems using the SWIFT systems of the banks. The interconnectedness of the operations has allowed room for the attacks to take place. The financial messaging service which operates globally has opened up a vulnerability that can be easily targeted by the attackers. The service is also used in moving documents and millions of dollars internationally. Such networked systems have proven to be critical hubs for the activities of the hackers.
The hacking action was perpetrated using the mechanisms where the attackers launch programs within the systems that appear genuine and through which they are able to collect the information they require from the system. The banks realized that the attacks had already taken place when they realized that the had attackers compromised their SWIFT systems. The nature of the attack is such that the management of the institutions remains clueless for an extended period of time that allows the attackers to get away with a vast damage and with serious ramifications for the institution. Also, given the reality that it is not possible to correctly identify the exact vulnerability that they might use to perpetrate the attack, the remediation measures can only be implemented after the attack. It has been estimated that the attack, which might have started somewhere around June 2016, went on without notice for months, leading to a loss of millions of dollars in global operations (MitKat 1-2). Financial information is proving the most effective way for the attackers to wreak havoc on a global scale.
The daring heist on the information systems of the banks seems to be akin a scene from a cyber-spy movie. Such attacks tend to be very simple in terms of their perpetration, but at the same time, complex in terms of the potential damage they have. The attacks are also highly ambitious in that the attackers tend to target high scale operations with major damage to the institution and an impact on a global scale. The SWIFT attack might have targeted the Indian banks but the effects were felt globally because of the interconnection of operations. The SWIFT system has been characterized as the backbone of the global finance. The use of extremely sophisticated methods would allow the cybercrime to shake the very core of the financial operations. It would be expected for such a critical system to have adequate safeguards to protect the financial and other information from such attacks (MitKat 2-3). However, regardless of the efforts, the attackers always appear to be miles ahead, and prepared to attack the global system at the very core, the financial system.
Aramco Attack
The attackers have also targeted the global oil business by pursuing one of the main institutions in Saudi Arabia dealing with the global business. The attack was targeted on the computer systems of the company. The attack, unlike that on SWIFT, did not take place for an extended period. It was, rather, perpetrated in a manner of hours that saw 35,000 computer systems totally destroyed or partly wiped. The financial and other operations of the company were completely hampered because it would not be possible to continue without the information infrastructure. The attackers tend to carry out targeted operations and understand where to hit and at what time to create unprecedented damage (Bronk 5). The entire automated system of the institution was hit taking it back to the manual systems in use in the 1970s. Evidently, the cost of the attack on the institution, the country, and the global business was vast. The reverberations of the attacks were witnessed globally, making the name common even to people who had not heard of Aramco in the past. Clearly, the attack was a deliberate effort to cripple the oil business in the country and affect the global business in the process.
The attack was carried out during a period when the attackers would be free to infiltrate the systems because of a vacuum left by the employees who had left for the holidays during the holy month of Ramadan. The programs aimed at perpetrating the attacks were installed into the system and the available employees would notice that their systems were not operating optimally. The attack was perpetrated such that the files from the systems were completely wiped out, making it impossible for the operations to continue (Bronk 6). Attacks that target the information system have various motivations, including the intention to access the financial information for use in fraudulent activities or simply hindering the smooth running of the operations of the organization. The attack on Aramco was not financially, but politically motivated, as a warning to the management of the organization against supporting the dictatorial government of the Al Saud royal family. Given the effectiveness in attacking the systems, it was more convenient for the attacker to compromise the company’s operations by targeting the area that would have the greatest impact.
The attack involved was based on virus that was installed into the computer systems such that when executed they could interfere with the working of the computer systems and damage the applications running on them. The environment would make it challenging for the institution to continue operating optimally. Aramco was able to continue with other steady and constant production of oil. However, other functions within the supply chain were greatly hampered by the attack. For instance, the management of shipping, supplies, government contracts, and deals with business partners, which were completely automated, could not be performed optimally. In fact, the organization was forced to avert back to the use of paper in managing the supply chain, greatly hampering its effectiveness (Bronk 5-6). Another area that was mainly affected was the communications between the organization and its stakeholders because of the cutting off the internet. Generally, business between the institution and Saudi Arabia, in general, was negatively affected with serious ramifications.
Latest Attack on Saudi Arabia
The evidence is clear about the reality that Aramco might not be an isolated case of cyber-attack in Saudi Arabia as the government and private entities in the country are becoming soft spots for cyber attackers. There are various victims of the latest attacks perpetrated in the country, including those targeting Hadaf human resources development fund among other institutions. State-run agencies suffer the risk of concerted attacks mostly by attackers who are politically motivated. Data and information, both client information and that relating to financial operations are at a continued risk of being accessed by the hackers and used for malicious ends. The recent past has witnessed an increase in the attacks perpetrated in the country begging the question of what should be done to successfully prevent the attacks from happening rather than waiting to deal with the repercussions (Elnaim and Elamin 16). There are also reports of possible attacks being carried out in the near future.
The case of Saudi Arabia is a clear indication of the statement that the information systems are the most target of choice for adversaries. It is generally agreed that a target on the information systems hurts the backbone of economic operations of an organization or a country because all operations have moved to the online environment. Any efforts to disrupt the working of the economic realm of a country can be easily carried out by attacking the information infrastructure. The cyber criminals carrying out the attacks in Saudi Arabia have a clear knowledge of the fact and appear to have identified the vulnerabilities that can be used in carrying out the attack. Just like attackers successfully targeted Aramco, so has been some of the organizations it is affiliated to in the country, such as Sadara Chemical Co. In fact, Chemical Company is among those that have gone through disruptions through the work of the hackers.
Top of FormBottom of FormThe Relationship Between Cyber Security and Organized Crime
The internet offers major benefits, but the possibilities it offers have changed the lens through which organized crime is viewed in the modern environment characterized by great interconnectedness. The paradigm shift is founded on the ways the Internet can be utilized in perpetrating crimes against individuals, organizations, and countries. The role of organized crimes has completely changed because of the ease of operation capability provided by the internet. The perpetrators of organized crime, with the global rich, are currently targeting vulnerabilities offered by the internet. In fact, the new media has completely transformed the face of organized crime, transitioning to the “global shadow economy,” accounting from about 15% to 20% of the global GDP (Glenny 145). Organized crime has a global reach, which has allowed for more sophisticated mechanisms for use in carrying out the attacks.
The association between the two concepts is clear in an interview with the author of “McMafia: Journey through the Global Criminal Underworld,” Misha Glenny. The author exposes that the greatest risk in the perpetration of cyber-attack is the elevated risk of possible effect on the world that attains a value from the interdependence. The very nature of the internet has allowed for the ease with which organized crime is being perpetrated in the modern days. While cybercrime came up outside the confides of the conventional organized crime because of the precondition of a new skill set, the fact that it occurred in areas prone to crime and by groups of young computer savvy highlight the connection. In addition, the regions in the world that was prone to organized crime before the advent of cybercrime remain the areas prone to the new type of crime (Glenny 145). Ideally, cybercrime has a strong connection to organized crime.
Effects of the Relationship
Organizational Reputation
Cybercrime, suggesting the infiltration of information systems of organization and access to important personal and financial information, has major implications on the affected institution or organization. Among the negative effects is damage to the reputation of the affected organization because of the access to personal information some of which can create harm to the owners of the information. With a successful cybercrime, it becomes difficult for the affected stakeholders to entrust the security of their information to the affected agency. For instance, in an instance where personal information such as names, social security number, and other identifiers are stolen and used to access the account of a client, it would be impossible for the client to remain using the services of the affected agency (Vermeiren and Lips 4). The information in the hands of the hackers will also reach potential clients who will not risk having any deals with the institution.
Panama Papers
Damage to the reputation creates serious ramifications, including loss of revenue and profitability because of compromised reputation as well as the lost business. A case in point of an institution that has suffered damage to its reputation because of a cyber-attack is the Panama Papers. The attack resulted in leaking of 11.5m files from the databases of the offshore law company, the fourth largest globally. It was proven that the loss of the files amounted to a loss of information of the clients (Vermeiren and Lips 1). In such a situation, the clients would not trust the institution with their information because of the safety of their systems. The attack would end up negatively affecting the relationship between the institution and its clients. It would take time to remedy the image of such a company, and also to regain the trust of their clients.
Ongoing Deals and Negotiation on Tenders
The business between an affected institution and the clients is normally damaged in an event of a leak or infiltration of the information system, leading to the information getting into the hands of a malicious person or a criminal. The deals that have gone through are not the only ones affected in the process, but also the deals that are in the pipeline. It is difficult for the potential clients of the company to trust the deals made following a leak. The lost deals are associated with the damage on the reputation of the company in case of such an event (Vermeiren and Lips 4). The ongoing negotiations are most likely to be affected because of the attack since the management cannot convince the potential clients about the safety of their information after the leak.
In the world of media and social media, information about such an attack reaches far and wide with widespread ramifications. The media reports the attack while the social media goes viral with the information. Hence, it becomes impossible for the affected organization to remain in secret with such attacks. With the conventional media and the social media, the information is received globally which means that the effects are also global in reach. The information reaching the clients of the company will affect the relationship and initiate loss of business. Reputation is not the only reason for the loss of business because the organization will also take time on the efforts to remediate the effects of the attack. In addition, the affected systems cannot be used for more business before they are checked and corrected, which might take time and in the process create more tension that will affect any business transaction (Vermeiren and Lips 4). The information is also lost in the process, including the one relating to the ongoing deals. Simply, the affected institution suffers huge losses in the event of a cyber-attack.
Employee Social Life and Social Media
The organization is not the only one that is affected in the event of a cyber-attack leading to the leaking of private information. Employees are a very important part of the organization and are at serious risk when an attack takes place. Basically, a cyber-attack is perpetrated using the same information systems that the employees have to work with, opening them up to vast scrutiny in the process. Once the systems are hacked, the first point of contact with the information contained in the systems is the employees of the affected organization. It is plausible to note that the employees have their personal information contained within the hacked systems and runs the risk of the information falling into the hands of the hackers causing them huge damage (IBM 3). The attackers could mimic their attacks to an event where the employees appear responsible.
The social lives of the employees of that particular institution can be affected in the wake of a cyber-attack. In the world of the social media, personal lives have become open to scrutiny. A leak can make the situation worse for the employees of the affected organization where their private information is obtained and made accessible through the social media. In addition, in case of such an event, the investors can hold the employees responsible, a situation that can bring more damage to their reputation. Any information available on the social media can be used to castigate them. The damage on the image can have serious psychological effects on the affected individuals (IBM 3). Also, such an attack can damage their chances of securing employment, particularly where they are held responsible for the leak even if in most cases they are not aware that the attack is taking place.
Human Error of Employee Activity
A recent study by IBM, one of the leading technology companies in the world, indicated that cyber-attacks do not occur in isolation. In the “2014 Cyber Security Intelligence Index”, the company indicated that “95 percent of all the incidences of security are connected to the human error” (See figure 1 below of IBM Cyber Security and intelligent box). The idea behind this realization is that the attacks are perpetrated following identification of a loophole that they can easily be used to gain access into the system (IBM 2). The study indicated that the attackers, even those operating from the outside, take advantage of on human weakness to perform the attack. In fact, some attacks are carried out on a system whose vulnerability is based on human error in operations. The resulting loophole allows for ease in penetrating the system and gaining access to information.
Figure 5: IBM
Besides, some of the outside attacks are normally inside jobs, where the insiders provide access to important information relating to the institution of the clients. In some cases, the employees are lured by the attackers to provide the key for entry into the premise or to hack into the systems, making the attack easy to perpetrate. The human errors tend to bring a huge loss to the institution, especially if they are used by the hackers to enhance an inside job. In fact, hacking might be devastating and have far-reaching effects, especially when employees are engaged in the operation since, in many agencies, employees have access to the most sensitive and confidential information. Successful attacks that use the information provided by the insiders have been detrimental because of the access to sensitive information, including IP information (IBM 3). They also provide a leeway for the perpetration of serious malware that continue to cause more damage to the institution. Abuse of privileges and deliberate actions of the employees can have serious damage to institutions.
Conclusion
Cyber security issues are on the increase due to the augmented reliance on information technology for business operations. Cybercrime involving infiltration of important computer systems and accessing information has become a common occurrence in the world today. In fact, it is the modern means of organized crime to be perpetrated on a global scale. There are various cases of successful attacks that have taken place in the recent past, with some being underway, including the threats that are taking place in Saudi Arabia. The cost of the attacks is wide-ranging, including on individuals, organizations, and the states in general. It is unfortunate that 95% of the attacks are due to human error and taking advantage of connections with the organization, especially with the employees, to gain access. Therefore, important measures should be put in place to make the information environment safe from cyber-attacks.
Recommendations
Employees are the key to entry into the information systems of an organization either by providing deliberate access or through errors that cause loopholes for use by the attackers. Therefore, the best place to begin in making the information systems of an organization safe is to create awareness to the employees on the reality of cyber security and the effects of cyber-attacks. All institutions, including those engaged in financial operations, should engage in concerted efforts to ensure that their employees have adequate understanding of cyber security to avoid being used by the attackers to compromise any their organization’s information. Awareness creation campaigns should be part of the general strategy adopted by the management within the cyber security policy. With the knowledge, the employees can understand the measures to put in place to avoid and prevent future attacks.
Collaborative efforts are key to coming up with effective measures for the security of information systems of an organization. Therefore, information technology and human resource departments should work together in the efforts to inform and educate the employees on issues relating to cyber security. They can engage in arranging training sessions by inviting keynote speakers and selecting best session providers to educate their employees. With the knowledge, the employees can become a part of effective measures towards achieving a safe environment. Protection of the information systems of a company cannot be adequately achieved where departments are working in isolation since the hackers can take advantage of any point in the information lifecycle to carry out an attack. Therefore, organizations should not shy away from investing in training and creating awareness among their current and new employees.