NASDAQ OMX has hired from national labs and the military to improve its security against cyber attacks, its CEO, Robert Greifeld, said during a panel on exchanges at FIA Boca.
“We had to look for best of breed, and the only place to find that was in the military,” he said. The exchange has also hired security experts from Livermore National, Laboratory, and some from the NSA.
His aspiration is to be achieve a military level of security, and even the military has been hacked, he added. (Iranian hackers penetrated the unclassified Navy network for four months.)
On a positive note, Greifeld said that distributed denial of service (DDOS) attacks are down 30 to 35 percent this year, which he suspects may be the result of improving relations with Iran.
Jeffrey Sprecher, CEO of Intercontinental Exchange, said that cyber security is now a concern of his board.
“My board set up a risk committee a few years ago. Now the risk committee demands that the head of cybersecurity come to their meetings. Risk has expanded to external risk.”
Sprecher highlighted the connections of trading venues as a vulnerability.
“The spaghetti of connectivity in U.S. equities markets is unbelievable,” he added, citing reports that the Target attack, where hackers stole 40 million credit card details, came through a vendor. “The threat of not just what we are doing as a company, but what we are doing as a community, is real.”
ICE participates in working groups including some with the government, he said.
“Recently President Obama ordered all agencies to look at the U.S. infrastructure and figure out what is critically important, and exchanges are on the list. We have a much closer relationship with government now.”
Magnus Böcker, CEO at SGX, said cooperation among exchanges on security issues is coming, but it is taking far too long.
The FBI is a great resource for exchanges, said Greifield.
“The FBI is the tightest partnership and they clearly can deliver value to us. They were ahead of where we were in cybersecurity, although we have narrowed the gap. It is the most effective partnership i had had with government.”
Eurex has good contacts with the political establishment on cyber security, said its CEO, Andreas Preuss.
“The message I want to get across is that if any of us think that Stuxnet-like attacks can only hit centrifugal systems in Iran and not exchanges or clearing houses, then I would say just continue dreaming. There is a lot of catching up in awareness, understanding is possible and then we need a lot of implementation of appropriate measures across the industry. If four or five government agencies can penetrate any system, that system can also be penetrated by criminal organizations. Even if we get all this right, we are not better off if the rest of the industry isn’t as good.”
Gillian Tett, the Financial Times assistant editor and columnist who was chairing the exchange panel, said the U.S. government has been frustrated by the lack of cooperation from American companies, and particularly from the Chamber of Commerce.