Monday, February 27, 2006

Frontiers in systemic risk - computer security

Over the years, the materiality of computer security problems appears to have escalated. The game now seems to be that a person X writes a virus which infects a large number of Windows machines with software that listens for his instructions and carries out the commands X sends to all the machines he controls. This "large number of Windows machines" is called a "botnet". On 19 February, the Washington Post has a fascinating story where the reporter has managed to locate and photograph one young man who builds and controls botnets for a living. I have read of botnets which are as big as a million machines. Botnets are a whole new development, compared with the benign old days when viruses merely formatted your hard disk. Imagine the power of having a million machines standing ready and willing to do your bidding.

The two classes of uses of botnets appear to be advertising and blackmail. Advertising is where a captured machine is used to emit email promising to improve the sex life of everyone on the address book of users of that machine. Blackmail is where a `distributed denial of service' attack is mounted against a website, and then money is demanded from the owner of the website in order to desist.

These days, there are job advertisements for programmers in the classifieds of the "underground" portions of the Internet. The employers are large organised crime syndicates, often with bases in East Europe. They are offering up to $100,000 a year for talented programmers to stay in Russia and work for them, developing spyware and keyloggers. Expressed as purchasing power parity wages, this is probably equivalent to $250,000 paid in the US.

An "off-the-shelf" program to exploit a Windows or IE vulnerability and install a piece of spyware is available typically for $60-$100. There are many programmers who sell such programs on the underground Websites of the Internet. These sites are also referred to as "hacker Websites" or "cracker sites". A more customised version of these programs is available for as little as $200.

As Shuvam Misra of Starcom Software says, I frankly think the entry of organised crime syndicates into this arena has made the picture far more alarming than we tend to believe. And there's a general consensus among such gangs that this is cleaner, easier money than drugs.

I think these developments have important ramifications for finance. At a policy level, I think it's time to start exploring the consequences of such vulnerabilities for systemic risk.

If you control a botnet within a stock exchange trading system, you could wreak havoc and profit from it. A dreadful recent story is about a Windows virus that brought down the Russian Stock Exchange. If a problem can bring down a stock exchange, I call it `systemic risk'.

I read recently about a freshly-discovered Windows vulnerability that may have been sold on the black market for a measly $4,000. At some point, a criminal could put the pieces together. Someone could buy a freshly pressed Windows vulnerability, adopt a long vol position, and bring down the exchange at 2 PM on futures expiration date. He will surely make much more than $4,000 out of this. (Full design details are left as an exercise for the reader).

One kind of mistaken response is to say `internet trading is dangerous and should be stopped'. The problem is not with Internet trading. I think the real problem is that Microsoft Windows is embedded inside a lot of Indian finance.
