Don't think of big banks solely as overseers of money flowing from account to account, bank to bank, but as the keepers of an array of secret information about business deals and economic intelligence.
An attack on a big bank by a nation-state could be conducted to amass intelligence to help that country protect or boost its economy, help its businesses to compete against the target bank and others institutions and/or economically wound its adversaries.
George Washington University's Allan Friedman on political motivation.
"The top financial firms all have quite of bit of intelligence because they need to know what their risk exposure is and how it is changing in very real terms," says Allan Friedman, co-author of Cybersecurity and Cyberwar: What Everyone Needs to Know, published earlier this year by Oxford Press.
Some initial news reports suggested that Russian hackers are behind an attack against JPMorgan Chase and perhaps other U.S. banks (see FBI Probes JPMorgan, Other Bank Attacks). But cybersecurity experts warn against jumping to conclusions about the culprits in the apparent attacks, based on the scant evidence available so far.
No one knows (or is publicly saying) who attacked JPMorgan Chase, and neither the bank nor federal investigators, including the FBI and Secret Service have disclosed what information was pilfere (see: New JPMorgan Chase Breach Details Emerge). But experts say that if a nation-state breached the banks' computers, it was highly unlikely done to steal money or to poach account and personally identifiable information that could be used to conduct fraud.
"A government-sponsored actor doesn't have the same goals as a crime organization - the objective is much bigger than that," says Philip Casesa, director of IT service operations at (ISC)2, an IT security education and certification organization. "It isn't stealing dollars - it's manipulating world politics by shifting the economic balance of power."
(None of the experts quoted in this blog have direct knowledge of the suspected breach or any alleged Russian government involvement. They base their observations on their understanding of past acts of Russia and other nation-states and on how American banks defend themselves against cyber-assaults.)
But one line of speculation - and it's only conjecture at this point - is that the Russian government might be behind the apparent attacks, in part, as payback to the United States for imposing sanctions on the Russian government, its officials and businesses, including several banks, for Moscow's invasion of Ukraine.
"Our sanctions of Russia back in July identified key individuals who play a role in the Russian economy and had holdings in Russian banks," Casesa says. "Clearly, the U.S. government had information on them and this may be an attempt to even the playing field."
Steve Hultquist, chief evangelist at RedSeal Networks, a provider of network visibility and analytics products, picks up on that same theme. "Specialized knowledge of the mechanics of the finance industry could potentially be combined with information they found to help them determine financial strategies, risks taken, potential options for causing financial loss and related actions to take against either JPMorgan or against those who have funds held by JPMorgan."
If the Russian government was behind the intrusions, it might have used confederates to carry out the attacks. "There is a tradition by several nation-states of loosely directing groups of private individual actors to conduct attacks," says Bob Stratton, general partner of MACH37, a business that helps entrepreneurs launch cyber startups. "This allows for deniability of anything occurring within the context of a chain of command. It also allows those independent attackers to use whatever intermediaries they wish as stepping stones along the networks that connect to their targets."
Still, such a large, advance attack as the one apparently staged against JPMorgan Chase would require an adversary with significant resources, such as a nation-state or a highly sophisticated criminal gang. And with sufficient resources, assailants can successfully breach even the most secure networks.
To boost security, banks use different types of safeguards to protect their financial systems than they use to protect their corporate secrets.
"It is very likely that the defenses will be different for different types of information. In fact, that is a best practice," RedSeal Network's Hultquist says. "By segmenting the network and information, breaches in one area do not directly provide access to others, rather like buoyancy systems in watercraft: you don't want the failure of one to cause the ship to sink. It is likely, then, that the information will be defended in different ways. What this means in terms of what information may have been accessed we cannot tell from outside."
Another possible reason that a nation-state would breach banks is to send the United States a message that the foreign government isn't to be messed with. To the outsider, the United States could seem like a weak, willing target because of the U.S. government's focus on protecting the nation's critical infrastructure.
Is America Scared?
Immunity CEO Dave Aitel on possible reason behind breach.
The U.S. government frequently pronounces the need to protect its critical infrastructure, including banking, and that could make financial services companies tempting targets for the Russian military or other nation-states. "They know we're scared of it because we keep telling them we're scared of it," says Dave Aitel, chief executive of Immunity, a penetration testing company.
But would Russia or another nation-state be setting the stage to bring down the banks' IT systems? The experts say that's unlikely. But unlike the Cold War, when neither the U.S. nor Soviet Union would initiate a nuclear attack because of the fear of mutual destruction, that line of thinking has yet to develop among adversaries in cyberspace.
"Neither side has made it clear how they would respond to different actions," says Friedman, visiting scholar at George Washington University's Cybersecurity Policy Research Group. "We don't know where the red lines are to provoke a response."