The Feds’ Plan to Protect Stock Exchanges From Hacking Isn’t Going to Work

Bad news for stability in the financial markets.

F. ENOT/Shutterstock



Last week, a US federal court indicted a Russian hacker named Aleksandr Kalinin for allegedly hacking into the NASDAQ stock exchange. Kalinin had access to two NASDAQ servers for a couple of years between 2007 and 2010, and during that time was able to enter commands to change and delete data. The case has heightened fears that the next time a trading system is hacked—which is becoming pretty common—rogue programmers could cause a financial collapse. The good news is that the US government has recently drafted a plan to combat stock exchange hackers. The bad news, experts say, is that the government’s plan is not going to help much.

The government’s anti-hacking plan comes in the form of a regulation recently proposed by the Securities and Exchange Commission (SEC), a Wall Street regulator. The rule would require exchanges, including NASDAQ, the New York Stock Exchange, and the Chicago Mercantile Exchange, to ensure that their trading technologies adhere to a set of standards that the SEC has for two decades urged exchanges to adopt voluntarily. It would force exchanges to conduct stress tests of their core technology, submit to regular system reviews to identify vulnerabilities to hackers, and draft recovery plans in case of security breaches. But financial reform advocates, software security experts, and cybersecurity gurus say the rule is far too weak to provide any meaningful protection against cyber criminals.

The way that the SEC defines whether an exchange is adhering to the regulation is too vague, says Dennis Kelleher, the president of Better Markets, a financial reform group. Instead of laying out specific requirements for system reviews, for example, the SEC “defer[s] to unspecified practices and standards set by other regulators or ‘widely recognized’ organizations,” Kelleher wrote in a letter to the agency. Without clearer language, Kelleher worries, exchanges could comply with the letter of the regulation without making any meaningful security upgrades. (The SEC declined to comment for this story.)

The vagueness of the proposed SEC rule also means that it won’t require real security testing of exchange software, warns Bill Curtis, director of the Consortium for IT Software Quality, an industry group that develops software quality standards. Instead, Curtis says, exchanges will be able to get away with a mere functional test of the technology, to make sure “it computes the thing I’ve asked it to compute.” Unfortunately, Curtis notes, testing whether a piece of software works is not the same as testing whether it is vulnerable to hackers.

The financial industry, which hates the proposed rule, may be able to weaken it even further. In letters submitted to the SEC, the New York Stock Exchange and the Chicago Mercantile Exchange warned that the rule will “cost significantly more than any derived benefit.” Both the Financial Industry Regulatory Authority, a private corporation that oversees the NYSE, and the Securities Industry and Financial Markets Association, the leading securities industry trade group, say that the SEC’s anti-hacking measures are overly broad and should be scaled back.

Ultimately, it may not matter all that much whether the industry gets its way and weakens the regulations, because “policy is never sufficient to secure your environment,” says Steve Surdu, a vice president at the cyber-security firm Mandiant. Although cybersecurity experts agree that new security regulations will do some good, when you’re dealing with trading systems that are massive and complex, it’s impossible to imagine all the security precautions that are necessary, let alone enforce them, Surdu says: “The NASDAQs of the world—they have large infrastructure, there are many systems…there are changes in the environment all the time…and the bad guys only need to find one lapse to take advantage of it.”

It’s hard to outfox a hacker, agrees Alyssa Hutnick, a partner at the law firm Kelley Drye, which represents clients in computer protection cases. “Yes, it’s reasonable to have a written information security program and risk assessment program,” she says, but that’s more to “make people feel good,” she jokes. “It’s a whack-a-mole issue…Whatever [hackers] were doing last month is not what they’re doing today, and not what they’re going to be doing next month.”

The best way to outsmart a potential stock exchange hacker, Surdu says, would be to “isolate yourself physically” from the internet—“which is not possible” for exchanges.

All this to say we could easily be careening towards a hacker-induced financial disaster. “There’s an awful lot of confidential information in those systems,” Curtis says. “If they can get in there and can crack into these systems and get into trading and get into your accounts, they can start doing all kinds of things…to disrupt markets…and create mayhem.”
