On March 18, 2017, the G20 finance ministers and central bank governors issued a communiqué highlighting that:
The malicious use of Information and Communication Technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence and endanger financial stability. We will promote the resilience of financial services and institutions in G20 jurisdictions against the malicious use of ICT, including from countries outside the G20. With the aim of enhancing our cross-border cooperation, we ask the FSB [Financial Stability Board], as a first step, to perform a stock-taking of existing relevant released regulations and supervisory practices in our jurisdictions, as well as of existing international guidance, including to identify effective practices. The FSB should inform about the progress of this work by the Leaders Summit in July 2017 and deliver a stock-take report by October 2017.
The G20 Finance Ministers and Central Bank Governors should be commended for urging improvements in the resilience of the global financial system. The 2016 Bangladesh central bank cyber incident exposed this new threat and the unprecedented scale of the risk that malicious cyber actors pose to financial institutions. The economic crisis that erupted in 2007 highlighted how important trust is for the global system and how fragile it can be.
But governments should not only ask the private sector to do more; governments themselves can help reduce the risk to financial stability by explicitly committing their countries to refraining from using offensive cyber tools that could undermine financial stability.
In a Carnegie Endowment for International Peace white paper published yesterday, we propose just such an agreement and outline how it would build upon existing efforts. The most pertinent norms against attacking critical infrastructure in peacetime have been propounded by the UNGGE and G20. As a next step, states could explicitly commit not to undermine the integrity of data and algorithms of financial institutions either in peacetime or during war, nor to allow their nationals to do so, and to cooperate when such attacks do occur.
What follows is a comprehensive overview of our proposal.
States have already demonstrated significant restraint from using cyber means against the integrity of data of financial institutions. Our proposed agreement would make explicit what could be considered emerging state practice, with significant benefits:
- send a clear signal that the stability of the global financial system depends on preserving the integrity of financial data in peacetime and during war and that the international community considers the latter off limits;
- build confidence among states that already practice restraint in this domain, and thereby increase their leverage to mobilize the international community in case the norm is violated;
- create political momentum for greater collaboration to tackle nonstate actors who target financial institutions with cyber-enabled means; and
- complement and enhance existing agreements and efforts, namely the 2015 G20 statement, 2015 UNGGE report, and the 2016 cyber guidance from the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions (CPMI-IOSCO).
An explicit agreement against manipulating the integrity of financial institutions’ data would build on recent international efforts to develop rules for cyberspace and existing international law. The most important example of such efforts to date is the UNGGE process. Yet thus far the group’s 2015 declaration and its G20 endorsement lack detail and concrete steps for developing effective and robust security regimes. The financial system is a particularly promising area for beginning the process of operationalizing what has already been agreed upon and clarifying what could be considered emerging state practice.
The use of cyber operations to manipulate the integrity of data poses a greater set of systemic risks than other forms of financial coercion. Importantly, unlike the 2007–2008 global crisis, this risk exists independent of the underlying economic fundamentals and will only increase as more governments make cashless economies an explicit goal.
The financial system’s global interdependence creates shared interests among states. Whereas the damaging effects of an intrusion targeting the electrical grid, for example, will be mostly limited to a single country’s territory or immediate neighbors, the effects of an incident targeting the data integrity of a financial institution are not necessarily bound by geography. In addition to the direct effects of an offensive cyber operation, indirectly, a manipulation of the integrity of an institution’s data could lead to a bankruptcy that in turn could send shock waves throughout the international system. If the integrity of data is doubted, the confidence on which financial stability depends will be difficult to restore.
Major powers, notwithstanding their fundamental differences, have recognized this in principle and deed. The U.S. government reportedly refrained from using offensive cyber operations against Saddam Hussein’s financial systems, as well as in hypothetical exercises simulating a conflict with China. Russia’s 2011 Draft Convention on International Information Security explicitly suggests that “each State Party will take the measures necessary to ensure that the activity of international information systems for the management of the flow of . . . finance . . . continues without interference.” China also has a vested interest in the system, reflected, among other ways, by its successful effort to make the renminbi part of the IMF’s global reserve currency basket. Meanwhile, countries around the world are setting up or strengthening their Computer Emergency Response Teams (CERTs) specific to the financial sector, as, for example, India did in February 2017.
Of course, in the twenty-first century, a few states that are relatively detached from the global economy, and nonstate actors who may or may not be affiliated with them, have capabilities to conduct cyberattacks against financial institutions. Such hostile actors would not be expected to adhere to the proposed commitment. Yet, the states that do endorse such a norm explicitly would be more united and would have a clearer basis for demanding and conducting retaliatory action against violators of the norm, be they states, terrorists, or cybercriminals.
The Logic of the Proposed Agreement
The March 18 G20 Finance Ministers and Central Bank Governors communiqué does not define ‘malicious use of ICT.’ Because the integrity and availability of financial data are most vital to the financial system’s functioning, and susceptible to cyber attack, we propose the following language for a G20 heads of state agreement, of course inviting debate and refinement:
A State must not conduct or knowingly support any activity that intentionally manipulates the integrity of financial institutions’ data and algorithms wherever they are stored or when in transit.
To the extent permitted by law, a State must respond promptly to appropriate requests by another State to mitigate activities manipulating the integrity of financial institutions’ data and algorithms when such activities are passing through or emanating from its territory or perpetrated by its citizens.
The proposed agreement has three connected and mutually reinforcing elements. It combines a negative norm, that is, states commit not to do something, as well as a positive norm, that is, states commit to do something. States would also be expected to implement existing due diligence standards and best practices, such as those outlined in the 2016 CPMI-IOSCO Cyber Guidance. Linking these three elements would augment the effectiveness of this normative regime. Linking the agreement governing state behavior with expectations for the private sector to implement due diligence standards addresses potential moral hazard problems. States’ commitments to provide assistance and information, upon request, circumvent the attribution problem by shifting the burden from the victim of attack to states that profess interest in helping to respond to and ultimately prevent such attacks. States would be expected to comply with these obligations in accordance with the limits and requirements of national and international laws, both of which may ultimately need to be adjusted to reflect the norms described here. These provisions also build on the 2015 UNGGE report’s declaration that “States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts.”
In order to achieve effective reciprocal adherence and wide acceptance among UN member states, the agreement should not be limited to a subset of financial institutions. The envisioned prohibition would be conveyed from states to states. If and when key states subscribe to something like the agreement proposed here, future work could seek to broaden it in terms of actors and sanctuaried targets. Finally, we acknowledge that other sectors, such as telecommunications and energy, and the integrity of data of other systems are critical to the financial system. However, any agreements covering these sectors are even more complicated to negotiate and to implement effectively. We therefore offer this proposal as an effective first step in the long process of instituting a comprehensive security regime.
Focus on Data Integrity
Focusing on the integrity of data does not devalue the importance of protecting its availability and confidentiality. However, it can be argued that the national and international consequences of manipulating data are greater than those stemming from violations of confidentiality and more difficult to address technically than the interruption of availability. Corruption of data integrity can pose significant challenges for recovery. In addition to technical challenges, certain legal provisions specific to the financial system pose further hurdles, such as settlement finality. For these and other reasons, the manipulation of the integrity of data is a significantly bigger problem than malicious activity undermining the availability of data. Last but not least, while experts might disagree about what constitutes “systemic risk” for the financial system, there is widespread consensus that the integrity of data is the most worrisome risk.
Application in Wartime
The Law of Armed Conflict currently falls short of accounting for the nature and importance of data. There are at least two large issues here. One relates to jus ad bellum (the just cause for war). Legal experts are divided over whether an attack on financial data (however portentous and massive its potential effects) qualifies as a use of force. Article 2(4) of the UN Charter only prohibits the use of armed force, not political or economic coercion. More broadly, with the emergence of hybrid warfare and information warfare, the international community is now wrestling with whether and how to legally treat acts of coercion that fall short of the use of force. The 2017 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations focuses on this issue.
More pertinent is whether jus in bello (the just conduct of war) requires or allows data to be judged off-limits from targeting. Legal experts again are divided here. For example, the group of legal experts that compiled the 2013 Tallinn Manual argued that data do not constitute an object and that therefore offensive cyber operations targeting the integrity of financial data are beyond the scope, principles, and protections of existing international humanitarian law. Consequently, the status of financial data under international law is a subject of debate.
Moreover, whether financial institutions are considered civilian or military objects depends on whether a country defines “military object” narrowly to only include war-fighting capabilities or, as the United States does, broadly to include “war-fighting and war-sustaining” capabilities. In the latter case, financial institutions and their data could be seen as legitimate military targets in wartime (though, as noted earlier, the United States appears to have eschewed such attacks to date). One could argue that the U.S. war-sustaining doctrine as such would not need to be changed for such an agreement if it distinguishes between potentially permissible targeting of financial institutions in their physical form but prohibits targeting the integrity of financial institutions’ data.
Thus, an explicit agreement not to manipulate the integrity of financial data could indicate, at least in this narrow domain, how subscribing states intend international humanitarian law to evolve. In the specific context of the global financial system, the potential unintended negative consequences of an attack on the integrity of data, including blowback, weigh heavily against any benefit. Moreover, in case of armed conflict, money will be needed to rebuild and to pay any potential reparations. It is therefore desirable and feasible for states to agree not to manipulate the integrity of financial data in any circumstances.
The G20 heads of state now have an opportunity to promulgate such a commitment and to ask the Financial Stability Board to implement it in detail, together with the relevant standard-setting bodies, the private sector, law enforcement, and CERT communities.