Maurer, Tim; Levite, Ariel; Perkovich, George
Working Paper
Toward a global norm against manipulating the integrity
of financial data
Economics Discussion Papers, No. 2017-38
Provided in Cooperation with:
Kiel Institute for the World Economy – Leibniz Center for Research on Global Economic Challenges
Suggested Citation: Maurer, Tim; Levite, Ariel; Perkovich, George (2017) : Toward a global norm
against manipulating the integrity of financial data, Economics Discussion Papers, No. 2017-38, Kiel
Institute for the World Economy (IfW), Kiel
This Version is available at:
https://hdl.handle.net/10419/162579
Terms of use:
Documents in EconStor may be saved and copied for your personal
and scholarly purposes.
You are not to copy documents for public or commercial purposes, to
exhibit the documents publicly, to make them publicly available on the
internet, or to distribute or otherwise use the documents in public.
If the documents have been made available under an Open Content
Licence (especially Creative Commons Licences), you may exercise
further usage rights as specified in the indicated licence.
http://creativecommons.org/licenses/by/4.0/
Received May 18, 2017 Accepted as Economics Discussion Paper June 20, 2017
Published June 23, 2017
© Author(s) 2017. Licensed under the Creative Commons License - Attribution 4.0 International (CC BY 4.0)
Discussion Paper
No. 2017-38 | June 23, 2017 | http://www.economics-ejournal.org/economics/discussionpapers/2017-38
Toward a global norm against manipulating the
integrity of financial data
Tim Maurer, Ariel Levite, and George Perkovich
Abstract
The financial crisis that erupted in 2007 highlighted how important trust is for the global
system and how fragile it can be. The 2016 Bangladesh central bank cyber incident
exposed a new threat to financial stability and the unprecedented scale of the risk that
malicious cyber actors pose to financial institutions. Beyond theft, using cyber operations
to manipulate the integrity of data, in particular, poses a distinct and greater set of
systemic risks than other forms of financial coercion. The complex and interdependent
character of the financial system and its transcendence of physical and national boundaries
mean that manipulating the integrity of financial institutions’ data can, intentionally
and/or unintentionally, threaten financial stability and the stability of the international
system. Importantly, unlike the 2007–2008 global crisis, this risk exists independent of the
underlying economic fundamentals and will only increase as more and more governments
make cashless economies an explicit goal. The G20 finance ministers and central bank
governors should be commended for urging improvements in the resilience of the global
financial system in their March 2017 communique. In a next step, the G20 member
states could commit their countries explicitly to refrain from using offensive cyber tools
to corrupt the integrity of data in the financial system and to cooperate when such attacks
do occur.
(Submitted as G20 Policy Paper)
JEL F50 F55 G15 H87 K24 K33
Keywords G20; cybersecurity; financial stability; data integrity; financial institutions
Authors
Tim Maurer, Carnegie Endowment for International Peace
Ariel Levite, Carnegie Endowment for International Peace
George Perkovich, Carnegie Endowment for International Peace
The authors would like to recognize Taylor Brooks, Steven Nyikos, and Elizabeth Whitfield for their
assistance on this publication as well as over four dozen officials and experts in more than ten countries for
sharing their feedback and insights.
Citation Tim Maurer, Ariel Levite, and George Perkovich (2017). Toward a global
norm against manipulating the integrity of financial data. Economics Discussion Papers,
No 2017-38, Kiel Institute for the World Economy.
http://www.economics-ejournal.org/economics/discussionpapers/2017-38
Economics Discussion Paper (2017–38)—submitted to G20 Policy Papers
Introduction
On March 18, 2017, the finance ministers and central bank governors of the world’s twenty leading
economies—the G20—issued a communiqué highlighting that
The malicious use of Information and Communication Technologies (ICT) could disrupt
financial services crucial to both national and international financial systems, undermine
security and confidence and endanger financial stability. We will promote the resilience of
financial services and institutions in G20 jurisdictions against the malicious use of ICT,
including from countries outside the G20. With the aim of enhancing our cross-border
cooperation, we ask the FSB [Financial Stability Board], as a first step, to perform a
stock-taking of existing relevant released regulations and supervisory practices in our
jurisdictions, as well as of existing international guidance, including to identify effective
practices. The FSB should inform about the progress of this work by the Leaders Summit in
July 2017 and deliver a stock-take report by October 2017.1
The G20 finance ministers and central bank governors should be commended for urging
improvements in the resilience of the global financial system. But governments should not only ask
the private sector to do more; governments themselves can help reduce the risk to the financial
sector. The G20 heads of state could commit their countries explicitly to refrain from using
offensive cyber tools to corrupt the integrity of data in the financial system and to cooperate when
such attacks do occur.
The financial crisis that erupted in 2007 highlighted how important trust is for the global system and
how fragile it can be. The 2016 Bangladesh central bank cyber incident exposed a new threat to
financial stability and the unprecedented scale of the risk that malicious cyber actors pose to financial
_________________________
1 G20 Finance Ministers and Central Bank Governors, “Communiqué,” University of Toronto, March 18,
2017, http://www.g20.utoronto.ca/2017/170318-finance-en.html.
institutions.2 Beyond theft, using cyber operations to manipulate the integrity of data, in particular,
poses a distinct and greater set of systemic risks than other forms of financial coercion. The complex
and interdependent character of the financial system and its transcendence of physical and national
boundaries mean that manipulating the integrity of financial institutions’ data can, intentionally and/or
unintentionally, threaten financial stability and the stability of the international system. Importantly,
unlike the 2007–2008 global crisis, this risk exists independent of the underlying economic
fundamentals and will only increase as more and more governments make cashless economies an
explicit goal.3
In 2015, the UN Group of Governmental Experts (UNGGE) and the G20 had already suggested broad
norms against attacks on critical civilian infrastructure in peacetime. The G20 finance ministers and
central bank governors have now highlighted particularly the risk to financial stability. In this text, we
therefore propose that states build on these existing agreements and go further, explicitly committing
not to undermine the integrity of data and algorithms of financial institutions in peacetime or during
war,4 nor to allow their nationals to do so.5
_________________________
2 For an extensive review of this and other past cyber incidents involving financial institutions, please see the
appendix. Krishna N. Das and Jonathan Spicer, “The SWIFT Hack—How the New York Fed Fumbled Over
the Bangladesh Bank Cyber-Heist,” Reuters, July 21, 2016,
http://www.reuters.com/investigates/special-report/cyber-heist-federal/.
3 States’ reliance on financial data and the system’s interdependence is likely to increase. For example, in
December 2015, the New York Times ran a story about the Swedish government’s effort to move the country
to an entirely cashless economy, and the UN is supporting countries’ efforts toward cashless economies
through its Better Than Cash Alliance. The Indian government is also pursuing a cashless economy. See Liz
Alderman, “In Sweden, a Cash-Free Future Nears,” New York Times, April 26, 2015,
http://www.nytimes.com/2015/12/27/business/international/in-sweden-a-cash-free-future-nears.html?_r=0;
Better Than Cash Alliance, accessed April 21, 2016, https://www.betterthancash.org/; “From Eradicating
Black Money to Cashless Economy: PM Modi’s Changing Narrative Since Demonetisation,” Indian Express,
December 22, 2016,
http://indianexpress.com/article/india/demonetisation-modi-cashless-economy-black-money-narratives-4439843/.
4 Disk-wiping malware can be included here. Meanwhile, efforts to break cryptography as part of intelligence
data collection would not be covered by such an agreement. We also propose that states study the potential
inclusion of data availability of certain critical systems as part of such an agreement but recommend exploring
this in a follow-up process given the definitional challenges involved.
We propose the following language for such an agreement, of course inviting debate and refinement:
A State must not conduct or knowingly support any activity that intentionally manipulates the
integrity of financial institutions’ data and algorithms wherever they are stored or when in
transit.
To the extent permitted by law, a State must respond promptly to appropriate requests by
another State to mitigate activities manipulating the integrity of financial institutions’ data
and algorithms when such activities are passing through or emanating from its territory or
perpetrated by its citizens.
States have already demonstrated significant restraint from using cyber means against the integrity of
financial institutions’ data. Such an agreement would therefore be making explicit what could be
considered emerging state practice. Making it explicit would
• send a clear signal that the stability of the global financial system depends on preserving the
integrity of financial data in peacetime and during war and that the international community
considers the latter off limits;
• build confidence among states that already practice restraint in this domain, and thereby
increase their leverage to mobilize the international community in case the norm is violated;
• create political momentum for greater collaboration to tackle nonstate actors who target
financial institutions with cyber-enabled means; and
• complement and enhance existing agreements and efforts, namely the 2015 G20 statement,
the 2015 UNGGE report, and the 2016 cyber guidance from the Committee on Payments and
_________________________
5 We are not the first to propose such an agreement but believe that this publication presents the most detailed
and comprehensive analysis and proposal to date. For example, Richard Clarke and Robert Knake proposed a
similar norm in their 2011 publication; see, Richard A. Clarke and Robert K. Knake, Cyber War: The Next
Threat to National Security and What to Do About It (New York: HarperCollins, 2011), 269. Greg Austin and
Eric Cappon at the EastWest Institute also wrote a short paper on this issue, making the analogy to the 1997
Convention on Crimes against Internationally Protected Persons; see, Greg Austin and Eric Cappon,
“Internationally Protected Facilities in Cyberspace: The Examples of Stock Exchanges and Clearing Houses,”
EastWest Institute, December 2014.
Market Infrastructures and the International Organization of Securities Commissions (CPMI-
IOSCO).
While the March 18 G20 finance ministers and central bank governors communiqué does not define
“malicious use of ICT,” it is reasonable to think that it particularly focuses on the integrity and
availability of financial data. For, it is inevitable and not necessarily malicious that law enforcement
and intelligence agencies will breach the confidentiality of data in banks and other financial
institutions in order to counter terrorism, weapons proliferation, and criminality. This paper therefore
describes why it is vital to the stability of the international system to prohibit the corruption of data in
the global financial system, and to strengthen a comprehensive norm to this effect.
States would be expected to fulfill these commitments in accordance with the limits and requirements
of national and international laws, both of which may ultimately need to be adjusted to reflect the
commitments suggested here. They would also be expected to implement existing guidance and best
practices, such as those outlined in the 2016 CPMI-IOSCO cyber guidance.6
There is now an opportunity for the G20 heads of state to promulgate such a commitment and to ask
the Financial Stability Board to implement it in detail, together with the relevant standard-setting
bodies, the private sector, law enforcement, and Computer Emergency Response Team (CERT)
communities. It would build on the precedent set in 2015 when the G20 decided to include
cybersecurity in its head of state communiqué and the precedent with the actions taken by the G20
after the 2007 financial crisis as well as the G20 finance ministers and central bank governors
communiqué.
Background
In 2015, the UNGGE, which included representatives from the five permanent members of the UN
Security Council, agreed in their consensus report that: “A State should not conduct or knowingly
_________________________
6 A moral hazard problem through such an international agreement is theoretically possible but unlikely given
the significant threat from nonstate actors. Moreover, pressure to improve resilience through stronger due
diligence already exists and an international agreement restraining state behavior would therefore follow and
complement such existing efforts.
support ICT activity contrary to its obligations under international law that intentionally damages
critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide
services to the public.”7
This declaration was later endorsed by heads of state at the 2015 G20 summit.8 Such general political
commitments are laudable. Yet, history suggests that states often overpromise and underdeliver in
upholding such broad normative declarations. One problem is ambiguity: states may differ in how
they define critical infrastructure. There is also a growing number of experts expressing skepticism
that the UNGGE process will be effective.9 Moreover, the language developed by the UNGGE
focuses on the effects of cyber operations leaving a gap in the specific context of the highly
interdependent global financial system. There is value, then, in seeking a more detailed agreement
building on and clarifying this language in the context of specific operations that could be especially
damaging to the international system.
The financial system is a particularly promising area given existing common interests among most
states. It differs from most other types of critical infrastructure, such as transportation or the electrical
grid, because it is globally interdependent. Major powers, notwithstanding their fundamental
differences, have recognized this in principle and deed. The U.S. government reportedly refrained
from using offensive cyber operations against Saddam Hussein’s financial systems as well as in
hypothetical exercises simulating a conflict with China.10 Russia’s 2011 Draft Convention on
International Information Security explicitly suggests that “each State Party will take the measures
_________________________
7 United Nations General Assembly, A/70/174, “Group of Governmental Experts on Developments in the
Field of Information and Telecommunications in the Context of International Security,” July 22, 2015,
https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/228/35/PDF/N1522835.pdf?OpenElement.
8 “G20 Leaders’ Communiqué Antalya Summit, 15-16 November 2015,” press release, European Council,
November 16, 2015,
http://www.consilium.europa.eu/en/press/press-releases/2015/11/16-g20-summit-antalya-communique/.
9 Joe Uchill, “Israel Cyber Head: US-Backed Cyber Norms Too Broad,” Hill, September 13, 2016,
http://thehill.com/policy/cybersecurity/295651-israel-cyber-head-us-supported-cyber-norms-too-broad.
10 John Markoff and Thom Shanker, “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk,” New York
Times, August 1, 2009, http://www.nytimes.com/2009/08/02/us/politics/02cyber.html; Clarke and Knake,
Cyber War, 202–3.
necessary to ensure that the activity of international information systems for the management of the
flow of . . . finance . . . continues without interference.”11 China also has a vested interest in the
system, reflected, among other ways, by its successful effort to make the renminbi part of the IMF’s
global reserve currency basket.12 Meanwhile, countries around the world are setting up or
strengthening their CERTs specific to the financial sector, as, for example, India did in February
2017.13
Global interdependence makes the financial sector at once more vulnerable than other critical
infrastructure and more likely to be in the common interest of states to protect. The damaging effects
of an intrusion targeting the electrical grid or the oil and gas sector will be mostly limited to a single
country’s territory or immediate neighbors. The effects of an incident targeting the data integrity of a
financial institution, however, are not necessarily bound by geography. Such effects would be very
difficult to understand, and therefore hard to tailor and to predict. An operation targeting a payment
processing system could directly corrupt the transactions running through it. Indirectly, a
manipulation of the integrity of an institution’s data could lead to a bankruptcy that in turn could send
shock waves throughout the international system. For example, the 2008 collapse of Lehman Brothers
highlighted the unanticipated contagion effect the bankruptcy of even a single institution can have.
The 1997 Asian financial crisis was similarly triggered by the collapse of the Thai currency and the
unanticipated contagion effect across the region. Such second-order effects are difficult to anticipate.
Moreover, they may not be factored in the attacker’s battle damage assessments.
International experience in outlawing counterfeiting currencies may be instructive here. States have
adhered to and helped enforce the prohibition against counterfeiting because there is widespread
_________________________
11 Russian Ministry of Foreign Affairs, “Convention on International Information Security,” September 22,
2011. http://www.mid.ru/en/foreign_policy/official_documents/-/asset_publisher/CptICkB6BZ29/content/id/191666.
12 Mark Fahey and Nick Wells, “Charts: Who Loses When the Renminbi Joins the IMF Basket?,” CNBC,
December 2, 2015,
http://www.cnbc.com/2015/12/02/who-loses-when-the-renminbi-joins-the-imf-basket.html.
13 Sandhya Dangwal, “Budget 2017: Computer Emergency Response Team to Be Set Up to Check Cyber
Frauds,” India, February 1, 2017,
http://www.india.com/news/india/budget-2017-computer-emergency-response-team-to-be-set-up-to-check-cyber-frauds-1802854/.
mutual vulnerability to its effects. And because this restraint is widely accepted, states violating it are
highly likely to face punishment. Nonstate actors, of course, persist in counterfeiting, as do North
Korea and a few other states, but the practice is contained enough that it does not threaten the stability
of the international financial system.14
Another historical analogy conveys why major economic powers such as the G20, at least, would
have interests in endorsing and upholding a specific norm against manipulating financial data in
peacetime and in wartime: in 1914, the British government, using its dominant position in the global
trade and financial system, conducted economic warfare against Germany. The strategy succeeded at
deranging the global economy but after only three months, the British government abandoned it. The
backlash occurred far more intensely and faster than anticipated, including protests from UK
businesses, laborers, and political figures and pressure from allies.15 The then-highly integrated nature
of the global economy made it impossible to contain the blowback from an economic attack.
Of course, in the twenty-first century, a few states that are relatively detached from the global
economy, and nonstate actors who may or may not be affiliated with them, have capabilities to
conduct cyber attacks against financial institutions. Such hostile actors would not be expected to
adhere to the proposed commitment. Yet, the states that did endorse such a norm explicitly would be
more united and would have a clearer interest and basis for demanding and conducting retaliatory
_________________________
14 With regard to counterfeiting currency in wartime, the general counsel of the International Monetary Fund,
Francois Gianviti, wrote in a 2004 article, “Does the prohibition against counterfeit currency apply in times of
war? There have been instances of such practices.” For example, Germany’s Operation Bernhard targeted the
British economy in World War II. The U.S. government reportedly counterfeited Vietnamese and Iraqi
currency during its wars with those countries. F. A. Mann, The Legal Aspect of Money, 5th ed. (Oxford:
Oxford University Press, 1992); “Nazi Fake Banknote ‘Part of Plan to Ruin British Economy,’” Telegraph,
September 29, 2010,
http://www.telegraph.co.uk/history/world-war-two/8029844/Nazi-fake-banknote-part-of-plan-to-ruin-British-economy.html;
Lizzie Suiter, Jennifer Hucke, and Courtney Schultz, “The War at
Home: A Look at Media Propaganda in WWII, Vietnam, and the War in Iraq” (final paper, Stanford EDGE
program, December 2004); Youssef M. Ibrahim, “Fake-Money Flood Is Aimed at Crippling Iraq’s Economy,”
New York Times, May 27, 1992,
http://www.nytimes.com/1992/05/27/world/fake-money-flood-is-aimed-at-crippling-iraq-s-economy.html?pagewanted=all.
15 Nicholas A. Lambert, “The Strategy of Economic Warfare: A Historical Case Study and Possible Analogy
to Contemporary Cyber Warfare,” in Cyber Analogies, eds. Emily O. Goldman and John Arquilla (Monterey,
CA: Naval Postgraduate School, 2014),
http://calhoun.nps.edu/bitstream/handle/10945/40037/NPS-DA-14-001.pdf?sequence=1.
Figure 1. Three Pillars of an Effective, Self-Reinforcing Regime
Process: Possible Next Steps for Anchoring the Norm
If the proposed agreement is desirable from the standpoint of national and global interests of key
states, the question arises where to anchor it, how best to refine the details of its implementation, and
where to seek adherents. The G20 has emerged as the most promising forum in which states could
address the issues discussed here. One or more such states could champion the idea and invite others
to improve upon and support it. Beyond that, the proposal could be raised for consideration in several
international forums and multilateral organizations.
If the G20 were to find the proposed agreement compelling, it could:
• Include the language proposed here (or otherwise improved) in the communiqué of the G20
heads of state meeting
• Task the Financial Stability Board to
o implement and promulgate the agreement with the relevant standard-setting bodies
and private sector institutions including CPMI, IOSCO, and the Basel Committee
(this would include exploring some of the questions listed below, namely whether the
availability of certain data and systems ought to be included and whether all types of
data or specific types of data would fall under the agreement, such as transaction-
based data, operations data, and ledger/ownership data); and
o develop a report to be submitted to the next G20 meeting outlining the progress made
and a road map for further implementation.
Unlike the actions taken after the 2007–2008 financial crisis, adoption and implementation of an
agreement like the one proposed here would require engagement with countries’ national security
communities and CERTs. No international forum to date exists that allows for such interactions.
However, the Financial Stability Board can act as the convener for such a process, potentially
working with and supported by other nongovernmental organizations.
The Committee on Payments and Market Infrastructures and the International Organization of
Securities Commissions are relevant institutions, especially considering their recent work. The
International Monetary Fund is another relevant institution as it is one of the few fora convening both
representatives from ministries of finance and from central banks, two important stakeholder groups
relevant for this proposal. The World Economic Forum’s interest and past engagement with
cybersecurity presents an opportunity to raise attention about this issue among top executives from the
private sector. These executives would need to be engaged to properly address technical details to
enhance the verifiability and robustness of the norm. The Institute of International Finance is another
institution that could engage with the global financial industry on these issues.
Finally, there are clearly limits to the extent to which officials in the national security communities of
each country can engage with foreign governments and experts in the financial sector. Given that, we
can envision a scenario where an international agreement through the G20 would be complemented
by a series of unilateral declarations by each government or its military to bolster the G20’s statement
and contributing to the agreement’s effectiveness. Unilateral declarations would also be an easy way
for states that are not part of the G20 to express that they join the G20 member states in their
commitment.
Questions to Be Addressed
We have developed this proposal with feedback from officials in government, relevant international
organizations, and financial institutions in a select number of states, including the United States,
Russia, China, the United Kingdom, Singapore, and Israel, to assess its propositions. The feedback
has been generally positive; the foundational assumptions outlined in this memo were confirmed or
adjusted in subsequent iterations. In order for the norm to be widely accepted and practiced, the
following questions would need to be clarified and more fully addressed in its negotiation and
implementation. We invite readers to consider them and offer responses to the authors and/or to other
interested parties.
1. What should be the scope of financial institutions? Are the definitions and scope listed below
sufficient, or would they need to be narrowed or broadened?27 The following terminology
lists already agreed-upon definitions in international trade, especially the final definitions
negotiated as part of the Trans-Pacific Partnership (TPP), and the international finance
community:
• “any financial intermediary or other enterprise that is authorised to do business and
regulated or supervised as a financial institution under the law of the Party in whose
territory it is located” (this is the definition of a “financial institution” in the TPP’s
final text for financial services);
• “a financial institution, including a branch, located in the territory of a Party that is
controlled by persons of another Party” (this is the definition of a “financial
institution of another party” in the TPP’s final text for financial services);
• “any non-governmental body, including any securities or futures exchange or market,
clearing agency, or other organisation or association, that exercises regulatory or
supervisory authority over financial service suppliers or financial institutions by
_________________________
27 “Policy Measures to Address Systemically Important Financial Institutions,” Financial Stability Board,
November 4, 2011, http://www.fsb.org/wp-content/uploads/r_111104bb.pdf?page_moved=1.
statute or delegation from central or regional government” (this is the definition of a
“self-regulatory organisation” in the TPP’s final text for financial services);28 and
• “a multilateral system among participating institutions, including the operator of the
system, used for the purposes of clearing, settling, or recording payments, securities,
derivatives, or other financial transactions” (this is the definition of “financial market
infrastructure” in BIS/IOSCO 2012 Principles for Financial Market
Infrastructures).29
2. Given the potential significant effect on the system at large if certain data and systems are
unavailable, how can availability be added and combined with the focus on the integrity of
data in a meaningful framing and description? Also, is there malicious activity targeting
availability that affects the integrity of transactions, and, if so, how should this be addressed?
3. In the context of an armed conflict and international humanitarian war, can a distinction be
made between targeting financial institutions in their physical form versus targeting their
data? In other words, if it is permissible to target a bank with conventional means to destroy
currency it physically stores, should it not be permissible to target a bank with cyber means
because of the latter’s potential collateral damage and blowback potential through offensive
cyber operations, in particular?
4. With financial institutions taking advantage of cloud services to outsource part of their data
management to other companies, is the proposed language “wherever they are stored” an
effective way to capture this trend? Is it necessary?
_________________________
28 “Chapter 11: Financial Services,” in “Trans-Pacific Partnership,” Office of the United States Trade
Representative, https://ustr.gov/sites/default/files/TPP-Final-Text-Financial-Services.pdf.
29 Committee on Payment and Settlement Systems, Technical Committee of the International Organization of
Securities Commissions, “Principles for Financial Market Infrastructures,” Bank for International Settlements
and IOSCO, April 2012, http://www.bis.org/cpmi/publ/d101a.pdf, 176.
5. Would the agreement apply only to those states that agree to accept it, or would those that
accept the norm be expected to apply its requirements and limitations vis-à-vis states that did
not make a reciprocal commitment?
6. More broadly, in the case of any norm that forswears a very specific activity, how do states
avoid seeming to signal tolerance of other activities that may also be harmful? Or conversely,
isn’t a modest norm better than leaving the domain entirely unaffected?
7. When an incident occurs involving the manipulation of the integrity of a financial
institution’s data, what cooperation are states expected to provide?
a. What are current gaps in cooperation among computer security incident response
teams and among law enforcement agencies?
b. What information are states expected to share?
c. Should states be expected to accept joint investigative teams?
d. Should states be expected to pass new or to amend existing laws criminalizing such
activity on their territory and for all their citizens independent of where the activity
occurs, if they do not already exist?
e. Should states be expected to support punitive action through the UN Security Council
in case of violations by a state? Does the state need to be a member of the agreement
or should the agreement be complemented by a UN Security Council resolution to
apply to the entire UN membership?
f. What best practices among members of the Convention on Cybercrime can be
adopted for this narrower type of incident?
g. What measures beyond existing cooperative mechanisms among members of the
Convention on Cybercrime ought to be included?
h. What could a template incorporating these details look like?
8. Can techniques be developed to detect intrusions that undermine the integrity of financial
institutions’ data? And can techniques be developed to distinguish between intrusions for
intelligence-gathering and those that would also be able to corrupt data?
9. What notification requirements and regime should be in place for states to become aware of
such incidents? What protections must exist?
Finally, we acknowledge that other sectors, such as telecommunications and energy, and the integrity
of data of other systems are critical to the financial system. However, any agreements covering these
sectors are even more complicated to negotiate and to implement effectively. We therefore offer this
proposal as the start of what is likely going to be a prolonged process until an effective
comprehensive security regime can be put in place.
Table 1: Overview of Some Relevant Entities for Outreach and Engagement
Permanent UN Security Council Members
Members of the G20
Members of the 2014–2015 UNGGE
Members of the 2016–2017 UNGGE
Basel Committee on Banking Supervision
Countries with Global Systemically Important Banks
Countries with Global Systemically Important Insurers
Members of the G7
China China China China China China China
France France France France France France France France
Russia Russia Russia Russia Russia
United Kingdom United Kingdom United Kingdom United Kingdom United Kingdom United Kingdom United Kingdom United Kingdom
United States United States United States United States United States United States United States United States
Argentina Argentina
Australia Australia Australia
Brazil Brazil Brazil Brazil
Canada Canada Canada Canada
Germany Germany Germany Germany Germany Germany Germany
India India India
Indonesia Indonesia Indonesia
Italy Italy Italy Italy Italy
Japan Japan Japan Japan Japan Japan
Mexico Mexico Mexico Mexico
Saudi Arabia Saudi Arabia
South Africa South Africa
South Korea South Korea South Korea South Korea
Turkey Turkey
Belarus
Colombia
Egypt Egypt
Estonia Estonia
Ghana
Israel
Kenya Kenya
Malaysia
Pakistan
Spain Spain Spain
Netherlands Netherlands Netherlands Netherlands
Switzerland Switzerland Switzerland
Belgium Belgium
Sweden Sweden
+ Botswana, Cuba, Finland, Kazakhstan, Serbia, Senegal
+ Hong Kong*, Luxembourg, Singapore
Appendix: A Review of Past Cyber Incidents Involving Financial Institutions
This section outlines significant cyber incidents targeting financial institutions around the world from 2011 until December 2016, with the addition of a few selected important incidents between 2007 and 2011. It is noteworthy that there is no public data that any of the incidents involving the manipulation of the integrity of financial institutions’ data appear to involve states; this suggests states are exercising restraint so far, except for the disk-wiping attack against South Korean financial institutions allegedly carried out by North Korea, and perhaps the low-level, distributed denial of service (DDoS) attacks targeting Russian financial institutions in December 2016.
The cyber incidents listed in the table below include defacement of websites, DDoS attacks, and intrusions using more sophisticated malware. The targets of the incidents were mainly banks but also one stock exchange and one payment system, and the countries whose financial sectors were hit include Belgium, Brazil, Estonia, Georgia, Lebanon, Russia, South Korea, Ukraine, and the United States. In many cases, it is difficult to know with certainty who perpetrated the attack, but the suspected attackers range from criminals and hacking groups acting independently, to hackers acting under state sponsorship and states themselves. This review was part of the authors’ preliminary research and supported the assumption that states already exercise significant restraint in this area compared to what is technically possible.
Table 2: Shorthand for Cyberattacks and Dates
Shorthand | Date
Russian banks DDoS attacks | Late 2016
Bangladesh central bank heist | Early 2016
Belgian National Bank incident | Early 2016
Shanghai Composite Index manipulation (uncertain) | 2015–2016
Russian banks theft | Late 2015
Russian currency manipulation | Early 2015
Metel malware attack on Russian banks | 2015
Ukrainian Ministry of Finance data breach | Mid 2015
Warsaw Stock Exchange breach | Late 2014
Ukrainian bank data breach | Mid 2014
Carbanak malware attack | 2013–2015
Dark Seoul South Korean attacks | Early 2013
JPMorgan data breach | 2012–2015
Brazilian banks DDoS attacks | 2012, 2014
Brazilian payment system attack | 2012–2014
U.S. banks DDoS attacks | 2012–2013
Shanghai Composite Index manipulation (uncertain) | Mid 2012
Lebanese Gauss virus infections | 2011–2012
South Korean banks attack | Mid 2011
Nasdaq intrusion | Late 2010
Georgian website defacements | Mid 2008
Estonian DDoS attacks | Mid 2007
2014 Ukrainian Bank Data Breach
In July, the pro-Russian group called Cyber Berkut hacked into Privat Bank, one of Ukraine’s largest commercial banks, and published stolen customer data on VKontakte, a Russian social media website.52 The means by which they gained access to the data is unknown. It is believed that they targeted Privat Bank because the bank’s co-owner, Igor Kolomoisky, had offered a $10,000 bounty for the capture of Russian-backed militants in Ukraine.53 Cyber Berkut warned Privat Bank customers to transfer their money to state-owned banks. Cyber Berkut may have connections to the Russian government, but the relative lack of sophistication of their attacks has led some experts to conclude that official links are unlikely.54
2013–2015 Carbanak Malware Attack on Various Banks
A group of criminals used Carbanak malware to attack financial institutions including banks and electronic payment systems in nearly thirty countries. The malware installed a RAT (remote access tool) that allowed the criminals to surveil the banks’ daily operations using video feeds and photos over a period of months.55 The group was then able to order ATMs to dispense cash at terminals and impersonate bank officials to order fraudulent transfers. However, the largest amounts of money were stolen when criminals impersonating bank officers hacked into the banks’ accounting systems and manipulated account balances so as to inflate the amount of money available and then transfer the additional money, so that the balance then returned to the original amount. The targeted countries included Australia, Brazil, Bulgaria, Canada, China, the Czech Republic, France, Germany, Hong Kong, Iceland, India, Ireland, Morocco, Nepal, Norway, Pakistan, Poland, Romania, Russia, Spain, Switzerland, Taiwan, Ukraine, the United Kingdom, and the United States.56
_________________________
52 “‘Cyber Berkut’ Hackers Target Major Ukrainian Bank,” Moscow Times, July 4, 2014, http://www.themoscowtimes.com/business/article/cyber-berkut-hackers-target-major-ukrainian-bank/502992.html.
53 “Pro-Russian Hackers Mug Key Ukrainian Bank,” ThreatWatch (blog), Nextgov, July 4, 2014, http://www.nextgov.com/cybersecurity/threatwatch/2014/07/stolen-credentials-network-intrusion-data-dump-pro/1225/.
54 Bill Gertz, “Russian Cyber Warfare Suspected in Bank Attacks,” Flash//CRITIC Cyber Threat News, August 30, 2014, http://flashcritic.com/russian-cyber-warfare-suspected-bank-attacks-sophisticated-hackers/.
55 David E. Sanger and Nicole Perlroth, “Bank Hackers Steal Millions via Malware,” New York Times, February 14, 2015, http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0.
2013 Malware Attack on South Korean Banks
This was an attack on March 20 that used what’s known as Dark Seoul malware against the computer networks of three South Korean banks—Shinhan, Nonghyup, and Jeju—resulting in data deletion and disruptions to ATMs and mobile payment systems.57 Shinhan Bank’s internet banking servers were temporarily blocked for part of the day, leaving customers unable to perform online transactions, while operations at some branches of Nonghyup and Jeju were paralyzed for two hours after the virus erased files on the infected computers. A fourth bank, Woori, reported hacking but suffered no damage. Several Korean media organizations were also hit by the attacks: their computers were frozen but they were able to maintain normal broadcasts.58 South Korea attributed the attack to North Korea.59
2012–2015 Crime Ring Responsible for JPMorgan Data Breach
In August 2014, JPMorgan reported a massive data breach in which hackers had gained access to contact information for over 80 million account holders, representing the biggest data breach of a U.S. financial institution in history.60 Although there was initial speculation that the Russian government had been involved,61 federal authorities indicted four men in November 2015 for the data breach, which they said was part of a huge operation that involved hacking into other financial institutions, a stock-pumping scheme, and online gambling operations that in total had netted them $100 million.62 The criminals used the email addresses they gained through the JPMorgan hack to run a stock price manipulation scheme and also hoped to set up their own brokerage firm using the stolen data to contact potential customers.63 Although the JPMorgan hack was their biggest, the crime ring had also hacked six other financial institutions, Scottrade, E-Trade, Dow Jones (the parent company that owns the Wall Street Journal), another financial news organization, and several online stock brokerages.64
_________________________
56 Kaspersky Lab’s Global Research and Analysis Team, “The Great Bank Robbery: The Carbanak APT,” Securelist (blog), Kaspersky Lab, February 16, 2015, https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/.
57 Choe Hang-Sun, “Computer Networks in South Korea Are Paralyzed in Cyberattacks,” New York Times, March 20, 2013, http://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html; Juan C. Zarate, “The Cyber Financial Wars on the Horizon,” Foundation for Defense of Democracies, July 2015, 1.2–13, http://www.defenddemocracy.org/content/uploads/publications/Cyber_Financial_Wars.pdf.
58 Hang-Sun, “Computer Networks in South Korea,” New York Times; Zarate, “Cyber Financial Wars,” Foundation for Defense of Democracies.
59 K.J. Kwon, “Smoking Gun: South Korea Uncovers Northern Rival's Hacking Codes,” CNN, April 22, 2015, http://www.cnn.com/2015/04/22/asia/koreas-cyber-hacking/.
2012 and 2014 DDoS Attacks Against Brazilian Banks
In January 2012, the hacker group Anonymous used DDoS attacks to take down the websites of some of the country’s biggest banks, which they said was intended to protest corruption and inequality in Brazil.65 The attacks, which they dubbed #OpWeeksPayment, shut down the websites of Banco do Brasil, Itaú Unibanco, and Bradesco, among others, for hours at a time.66
In June 2014, Anonymous launched another series of DDoS attacks, this time to protest the World Cup.67 The attacks, called #OpHackingCup, took down several Brazilian websites including the Bank of Brazil. Other websites that were targeted included Brazilian government websites, Hyundai Brazil, and the official World Cup site.68
_________________________
60 James O’Toole, “JPMorgan: 76 Million Customers Hacked,” CNN, October 3, 2014, http://money.cnn.com/2014/10/02/technology/security/jpmorgan-hack/?iid=EL; Jose Pagliery, “JPMorgan's Accused Hackers Had Vast $100 Million Operation,” CNN, November 10, 2015, http://money.cnn.com/2015/11/10/technology/jpmorgan-hack-charges/.
61 Michael Riley and Jordan Robertson, “FBI Said to Examine Whether Russia Tied to JPMorgan Hacking,” Bloomberg, August 27, 2014, http://www.bloomberg.com/news/articles/2014-08-27/fbi-said-to-be-probing-whether-russia-tied-to-jpmorgan-hacking.
62 Kim Zetter, “Four Indicted in Massive JP Morgan Chase Hack,” Wired, November 10, 2015, http://www.wired.com/2015/11/four-indicted-in-massive-jp-morgan-chase-hack/.
63 Ibid.
64 Ibid.; Pagliery, “JPMorgan’s Accused Hackers,” CNN.
65 Matthew Cowley, “Brazilian Banks' Websites Face Hacker Attacks,” Wall Street Journal, January 31, 2012, http://www.wsj.com/articles/SB10001424052970204740904577194930748478316?cb=logged0.12500478560104966.
66 Esteban Israel, “Hackers Target Brazil's World Cup for Cyber Attacks,” Reuters, February 26, 2014, http://www.reuters.com/article/us-worldcup-brazil-hackers-idUSBREA1P1DE20140226.
2012–2014 Malware Attack on Brazilian Payment System
Cybercriminals used “man-in-the-browser” malware to target Boleto Bancario, a popular Brazilian payment system. The payment system allows businesses to issue paper or online boletos (tickets) with a barcode that customers can use to remit money at a bank.69 The malware injected itself into browsers on nearly 200,000 infected computers, where it was able to intercept and alter legitimate boletos so as to route payments into the hackers’ own accounts.70 The attack compromised $3.75 billion in transactions, although it is unclear how much of that money the criminals were able to successfully deposit into their own accounts.71
2012–2013 DDoS Attacks on U.S. Financial Institutions
These were two coordinated waves of DDoS attacks against U.S. financial institutions’ websites, the first in September–October 2012 and the second in December 2012–January 2013.72 An Islamic hacktivist group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for the attacks, which they dubbed Operation Ababil,73 but U.S. government officials have privately indicated to media that they believe Iran is actually responsible.74 The scale of the attacks was unprecedented in the number of financial institutions hit and the amount of traffic flooding the sites, with one security researcher commenting that “there have never been this many financial institutions under this much duress.”75 Although the group announced the attacks and the targets in advance both times, the banks were unable to defend themselves and access to the websites of many U.S. financial institutions was disrupted, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T, and HSBC.76 Defensive and remedial measures have cost the banks millions of dollars to date.77 Izz ad-Din al-Qassam Cyber Fighters announced two more waves of cyberattacks in 2013, but they appear to have been less effective.78
_________________________
67 “#OpWorldCup: Anonymous wages cyber attacks against Brazil govt,” RT, June 12, 2014, https://www.rt.com/news/165444-anonymous-brazil-world-cup/.
68 Paul Cooper, “Anonymous Lives Up to Threats: FIFA World Cup Hacks Get Underway,” IT Pro Portal, June 13, 2014, http://www.itproportal.com/2014/06/13/anonymous-lives-up-to-threats-fifa-world-cup-hacks-get-underway/#ixzz41DPxOwdR.
69 Robert Lemos, “Cyber-Attacks Seen Defrauding Brazilian Payment System of Billions,” eWeek, July 6, 2014, http://www.eweek.com/security/cyber-attacks-seen-defrauding-brazilian-payment-system-of-billions.html.
70 Eli Marcus, “RSA Uncovers Boleto Fraud Ring in Brazil,” RSA, July 2, 2014, https://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil/.
71 “Boleto Malware May Lose Brazil $3.75bn,” BBC, July 3, 2014, http://www.bbc.com/news/technology-28145401.
72 Emilio Iasiello, “Cyber Attack: A Dull Tool to Shape Foreign Policy” (paper presented at the 2013 5th International Conference on Cyber Conflict), 11, https://ccdcoe.org/cycon/2013/proceedings/d3r1s3_Iasiello.pdf.
2012 Possible Manipulation of the Shanghai Stock Exchange (uncertain incident)
On June 4, the Shanghai Composite Index opened at a figure of 2,346.98, and fell exactly 64.89 points by close.79 June 4 is the anniversary of Beijing’s infamous 1989 crackdown on student-led protests in Tiananmen Square, prompting many in China to speculate that both figures may have been intended to represent the anniversary of the tragedy.80 The number 2,346.98 can be read backwards as the year, month, and date, followed by 23 to represent that 2012 marked the twenty-third anniversary of the protests. Similarly, many observers in China speculated that the 64.89 points that the stock market fell that day also represented 6/4/89. The apparent coincidence led to widespread, but unproven, speculation that the index may have been hacked and manipulated in order to produce those numbers. Numerology is very significant in Chinese culture, and Chinese citizens have been known to use numbers as a subtle form of protest in the past.
_________________________
73 David Goldman, “Major Banks Hit With Biggest Cyberattacks in History,” CNN, September 28, 2012, http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/.
74 Barbara Slavin, “US Withholds Evidence for Iran Cyberattacks,” Al-Monitor, January 17, 2013, http://www.al-monitor.com/pulse/originals/2013/01/cyber-attacks-us-iran-ddos.html.
75 Nicole Perlroth and Quentin Hardy, “Bank Hacking Was the Work of Iranians, Officials Say,” New York Times, January 8, 2013, http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html.
76 Nicole Perlroth and Quentin Hardy, “Bank Hacking Was the Work of Iranians, Officials Say,” January 8, 2013, http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html.
77 Slavin, “US Withholds Evidence,” Al-Monitor.
78 Mathew J. Schwartz, “Bank Attackers Restart Operation Ababil DDoS Disruptions,” Dark Reading, March 6, 2013, http://www.darkreading.com/attacks-and-breaches/bank-attackers-restart-operation-ababil-ddos-disruptions/d/d-id/1108955.
79 Pete Sweeney and John Ruwitch, “June 4 Crackdown Remembered in China Stock Index, or Chance?,” Reuters, June 4, 2012, http://www.reuters.com/article/us-china-stocks-tiananmen-idUSBRE8530F720120604.
2011–2012 Gauss Virus Infecting Lebanese Banks
On August 9, 2012, the Russian security firm Kaspersky Lab announced the discovery of the Gauss virus, which is designed to steal data from Lebanese banks—including the Bank of Beirut, EBLF, BLOM Bank, ByblosBank, Fransabank, and Credit Libanais—as well as from users of Citibank and PayPal.81 Kaspersky’s experts concluded that the virus is state-sponsored malware designed by the creators of Stuxnet, Flame, and the Duqu collection of espionage Trojans.82 More than 2,500 computers belonging to Kaspersky customers have been infected in twenty-five different countries—1,660 of those in Lebanon—although the security firm cautions that the total number of infected machines may number in the tens of thousands.83
Once a PC has been infected, the Trojan steals detailed information, including browser history, passwords, cookies, system configurations, and online banking account credentials, and also installs a special font called Palida Narrow, the purpose of which is unknown.84 Most interestingly, Gauss contains an encrypted payload that security researchers have been unable to decipher, indicating the presence of a significant exploit that the virus’s creators clearly considered important to protect.85 Given that Lebanon serves as a banking hub for the entire Middle East and that the opacity of the country’s banks has often been a concern for financial regulators seeking to disrupt terror financing and money laundering, it seems likely that the virus may be designed to monitor and/or disrupt money flows deemed threatening to the sponsor state’s national security.86
_________________________
80 Keith Bradsher, “Market’s Echo of Tiananmen Date Sets Off Censors,” New York Times, June 4, 2012, http://www.nytimes.com/2012/06/05/world/asia/anniversary-of-tiananmen-crackdown-echos-through-shanghai-market.html.
81 “Kaspersky Lab Discovers ‘Gauss’ – A New Complex Cyber-Threat Designed to Monitor Online Banking Accounts,” press release, Kaspersky Lab, August 9, 2012, http://usa.kaspersky.com/about-us/press-center/press-releases/2012/kaspersky-lab-discovers-gauss-new-complex-cyber-threat-desi.
82 Dan Goodin, “Puzzle Box: The Quest to Crack the World’s Most Mysterious Malware Warhead,” Ars Technica, March 14, 2013, http://arstechnica.com/security/2013/03/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet/.
83 Kim Zetter, “Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload,” Wired, August 9, 2012, http://www.wired.com/2012/08/gauss-espionage-tool/all/.
2011 Malware Targeting a South Korean Bank
This incident targeting the banking operations of Nonghyup, a South Korean agricultural cooperative, began on April 12. The malware initially infected Nonghyup’s systems in September 2010 when a subcontractor inadvertently downloaded it onto a laptop, which the attackers used to spread the malware throughout the bank’s networks.87 The attack destroyed the records of some credit card customers and caused a three-day service outage affecting ATMs, online and mobile banking, and credit card usage. South Korea attributed the attack to North Korea.88
_________________________
84 “Kaspersky Lab Discovers ‘Gauss,’” Kaspersky Lab.
85 Dan Goodin, “Puzzle Box,” Ars Technica; Kim Zetter, “Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet,” Wired, February 16, 2015, http://www.wired.com/2015/02/kapersky-discovers-equation-group/.
86 Zarate, “Cyber Financial Wars,” Foundation for Defense of Democracies; Kim Zetter, “Flame and Stuxnet Cousin,” Wired.
87 Chico Harlan and Ellen Nakashima, “Suspected North Korean Cyber Attack on a Bank Raises Fears for S. Korea, Allies,” Washington Post, August 29, 2011, https://www.washingtonpost.com/world/national-security/suspected-north-korean-cyber-attack-on-a-bank-raises-fears-for-s-korea-allies/2011/08/07/gIQA WwIoJ_story.html; “North Korea ‘Behind South Korean Bank Cyber Hack,’” BBC, May 3, 2011, http://www.bbc.com/news/world-asia-pacific-13263888.
88 “Prosecution Says N. Korea Behind Nonghyup's Network Breakdown,” Yonhap, May 3, 2011, http://english.yonhapnews.co.kr/national/2011/05/03/23/0302000000AEN20110503007100315F.HTML?1a7c6120.
2010 Nasdaq Intrusion
The intrusion of Nasdaq’s networks was first reported in an exclusive Bloomberg Business exposé in 2014.89 In October 2010, the FBI detected an intrusion into Nasdaq’s computer servers. The intrusion utilized two zero-day vulnerabilities and resembled malware previously designed by Russia’s main intelligence agency, the Federal Security Service. The malware first entered through Nasdaq’s Directors Desk, a system that hundreds of companies use to share confidential financial information among board members. Nasdaq’s own statement at the time reported that the incursion was limited to that system alone, although Bloomberg’s reporting indicated that, in fact, the incursion may have spread more widely through the stock exchange’s networks while never accessing the trading platform itself.
The NSA initially believed the malware was capable of causing widespread disruption to Nasdaq’s computer networks and of possibly wiping the entire exchange. There were also indications that a large cache of data had been stolen, although investigators had little proof of what exactly had been taken. The CIA later argued that the malware was less destructive than originally believed, and that while it couldn’t completely wipe a computer system it could take over certain functions and use them to disrupt the network. The investigators ultimately concluded that the intrusion was primarily designed to steal critical proprietary technology for Russia to imitate or incorporate into its own stock exchanges as part of a push to turn Moscow into a global financial hub. The malware has not been publicly analyzed and Bloomberg’s reporting included few details, so further technical information about the malware and its capabilities is unavailable in open-source literature.
_________________________
89 Michael Riley, “How Russian Hackers Stole the Nasdaq,” Bloomberg, July 21, 2014, http://www.bloomberg.com/bw/articles/2014-07-17/how-russian-hackers-stole-the-nasdaq.
2008 Website Defacement During the Russo-Georgian War
Offensive cyber operations against targets in Georgia began on July 20, prior to the outbreak of the war itself, and continued until mid-August when the conflict ceased.90 This was the first ever combination of offensive cyber operations with kinetic war and was allegedly carried out by the Russian government or Russian hacktivists with ties to the government.91 On the day that the kinetic war began, websites sprang up with lists of websites to attack, precise instructions, and survey forms for hackers to report their actions after the fact, demonstrating a telling degree of advance preparation and foreknowledge of the beginning of the conflict.92 The operations consisted of website defacements and DDoS attacks, with targets including the Georgian president’s website and other government sites. The only impact on the financial sector was the defacement of the National Bank of Georgia’s website.93
2007 DDoS Attacks Against Estonia, Including Estonian Banks
A series of coordinated DDoS attacks against Estonian government, bank, university, and newspaper websites began on April 26, lasting for three weeks.94 During the first week, the DDoS attacks targeted only government and political parties’ email servers and websites, while in the second week the target list expanded to include Estonian news websites.95 In order to bring their websites back online, network administrators had to shut them off to foreign traffic, ironically limiting the ability of Estonia’s media to tell the rest of the world what was happening.
_________________________
90 John Markoff, “Before the Gunfire, Cyberattacks,” New York Times, August 12, 2008, http://www.nytimes.com/2008/08/13/technology/13cyber.html.
91 David J. Smith, “Russian Cyber Capabilities, Policy and Practice,” inFOCUS Quarterly 5, no. 1 (Winter 2014): http://www.jewishpolicycenter.org/4924/russian-cyber-capabilities?utm_content=bufferbb5cd&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer; Markoff, “Before the Gunfire, Cyberattacks,” New York Times.
92 Smith, “Russian Cyber Capabilities, Policy and Practice,” inFocus Quarterly.
93 Markoff, “Before the Gunfire, Cyberattacks,” New York Times.
94 Jason Richards, “Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security,” International Affairs Review 18, no. 2 (2009): http://www.iar-gwu.org/node/65.
95 “Cyberwarfare 101: Case Study of a Textbook Attack,” Stratfor, April 18, 2008, https://www.stratfor.com/analysis/cyberwarfare-101-case-study-textbook-attack; Jason Richards, “Denial-of-Service,” International Affairs Review.
The third wave of the attack, which began on May 9, was the heaviest yet and focused on the Estonian banking sector.96 These attacks forced two major Estonian banks—including Hansabank, the country’s largest—to suspend online banking operations while also severing the banks’ connection to ATMs and preventing customers from using Estonian debit cards outside the country.97 This wave of attacks was heaviest on May 9–10, and then slowly decreased thereafter until ending on May 19, when the hackers’ botnet contracts appear to have expired.98
The attacks were carried out by Russian hacktivists communicating openly on Russian-language chatrooms, where users shared precise instructions on how to conduct the attacks. Estonia accused the Russian government of being responsible for ordering the attacks but couldn’t produce definitive proof.99
_________________________
96 “Cyberwarfare 101,” Stratfor; Richards, “Denial-of-Service,” International Affairs Review.
97 “Cyberwarfare 101,” Stratfor; Richards, “Denial-of-Service,” International Affairs Review.
98 “Cyberwarfare 101,” Stratfor; Joshua Davis, “Hackers Take Down the Most Wired Country in Europe,” Wired, August 21, 2007, http://www.wired.com/2007/08/ff-estonia/.
99 “Cyberwarfare 101,” Stratfor; Davis, “Hackers Take Down,” Wired.