The Taiwan Banker

US regulators turn their cybersecurity attention to cloud service providers

2023.08 The Taiwan Banker NO.164 / By David Stinson

The fundamental aspect of cybersecurity distinguishing it from other forms of security is the power it gives to entities able to challenge domestic governments and to expand the reach of globalization as never before. Those entities may be working for good or evil. Among the latter, international criminal groups and state-sponsored attackers are able to cause unprecedented damage. In response, meanwhile, new types of platforms have arisen, with global ramifications. One example which has inspired much discussion over the past decade is social media. To a large extent, the concept of “cognitive warfare” which has received much attention in Taiwan, China, and elsewhere reflects the ways it challenges national sovereignty. Taiwan, for instance, complains that its Facebook content moderation decisions are made in China. The concept of cognitive warfare has received decidedly less recognition in the US, which may be related to its emphasis on catastrophic military scenarios regarding Taiwan over more ordinary “gray zone” attacks. Nevertheless, in a broader sense, the US is also thinking about many of the same challenges, except emphasizing Amazon over Facebook. Cloud service providers (CSPs) hold underappreciated importance as geopolitical actors: states depend upon CSPs much more than the reverse. Furthermore, internal management decisions by CSPs can also affect the security of smaller countries in similar ways to social media.

Concentrated risk is managed risk

The US has started devoting increased attention to CSPs and their regulatory implications for the financial sector. In February, the Department of the Treasury released its first interagency report on the implications of public cloud usage for the financial sector, entitled The Financial Services Sector’s Adoption of Cloud Services. Although the industry broadly recognizes the value of the cloud, there are definite tradeoffs involved, and even new classes of problems created.
Furthermore, CSPs hope to capture some portion of the value of banking business, forming a competitive challenge. “While cloud services can increase access and reliability for local communities as well as empower community banks to compete with financial technology firms…financial service firms ramping up their reliance on cloud-based technologies need more visibility, staff support, and cybersecurity incident response engagement from CSPs,” wrote the Department of the Treasury.

The cloud inherently creates a so-called “Fort Knox problem.” In the 1964 James Bond film Goldfinger, critical assets were all stored together in Fort Knox – a scheme which worked well until the fort itself was compromised. A 2020 report by the Carnegie Endowment for International Peace pointed to high risks to availability resulting from several types of environmental factors, which could rise to systemic importance in various industries. So far, however, the situation has been the opposite. Microsoft has been one of the most active players in the Ukraine cyber-conflict, for instance, becoming an unexpected source of American power projection.

Bigger is better

One consistent theme throughout the Treasury report is that smaller financial institutions tend to have less bargaining power against CSPs. Smaller and mid-sized financial institutions have had greater problems securing rights to audit their cloud providers, as well as other benefits such as backup capacity and contractual obligations against sudden termination. For smaller, more complex deployments, the economic rationale for cloud migration in the first place is less convincing. Ideally, CSPs would prefer to leave industry regulatory requirements up to clients, focusing instead on the cross-sector technical expertise which forms their competitive advantage. In short, they prefer clients who bring volume with minimal complications.
The report points to “pooling” among smaller clients as one way to manage the costs of audits, which allows the CSP to notionally deal with one larger client.

In addition to systemic risk, meanwhile, an additional type of security risk newly created by cloud deployment involves the interface between the CSP and the client. Cloud configuration is becoming an increasingly pressing topic, yet it comes with its own human resource constraints. In many cases, older IT skills have become completely obsolete, even to the point that new staff are required. This new type of work is not just a staffing problem, however, and it has already altered the commercial landscape. Various types of consultants and intermediaries have arisen to manage cloud deployments, which economist Rasha Makhlof has called “meta services” – adding to cost while potentially diluting accountability. Unsurprisingly, the Department of the Treasury finds that smaller institutions are disproportionately afflicted by all these burdens. The complexity of service-level agreements (SLAs) naturally favors the vendor due to their experience in such regulations.

The interface between CSPs and their clients is an area that might benefit from regulation. The report even notes that US financial institutions have benefitted from some regulations by the European Banking Authority in that regard, considering that CSPs frequently port their most highly-regulated products over to other markets.

Locked in

Security arrangements determine the work scope of cooperation by CSPs with their clients, but the other aspect of such negotiations is of course money. Traditionally, the most convincing justification for cloud deployment was scalability, saving costs when utilization was low. These cost savings are real, but such a relationship also ties clients to their provider as volume increases.
One way clients can retain their leverage is to duplicate capabilities across multiple CSPs, although once again, the Department of the Treasury notes that this is more feasible for larger institutions. In any case, it is generally an inefficient use of resources, undermining some of the advantages of the cloud in the first place. Thus, CSPs will inevitably be able to capture some portion of the value from banking services. In response, financial institutions must find new sources of value. Fortunately, the cloud offers them the opportunity to do just that, helping enable innovations that customers and other stakeholders are increasingly coming to expect, such as AI-powered personalization, API services, and work-from-home employment. While legacy on-premises systems may still function for daily operations, the temptation to save on upgrade costs can cause further problems down the road. The economics of the cloud help determine its uptake, which in turn determines how much a country may be able to benefit from its security advantages.

Two guys

Economics has always been a nebulous aspect of cybersecurity. In the past, because revenue models were so unclear, related work was often done on a volunteer basis. As an example, OpenSSL is a free and open-source cryptographic library for the HTTPS secure protocol. A flaw in OpenSSL known as Heartbleed was estimated to cause $500 million in damages in 2014, yet the OpenSSL Software Foundation was (and is still) a small nonprofit organization that could not afford market salaries. “The internet is being protected by two guys named Steve,” wrote Buzzfeed in a writeup of the incident at the time. The workload had led to a disorganized base of some half a million lines of code. This was not a sustainable model. Nowadays, as cybersecurity has moved closer to the core of national security, and state attackers have developed advanced persistent threats, true accountability by profitable entities is required.
The cloud even has implications for cognitive warfare (although Western countries are more likely to use the term “psychological warfare”). In Ukraine, for instance, the military has reportedly been calling the mothers of Russian troops and referencing personal information about their sons, which would have been acquired through data breaches. Some aspects of psychological warfare undoubtedly involve the open media, and Ukraine has also been busy hacking traditional media, among a broad variety of other strategies. Nevertheless, the plumbing of the modern internet, which may not be immediately visible to outsiders, is a much broader area of concern as it relates to national security, property rights, and business models in the financial sector.