Banks and the Cloud: how safe are financial institutions from foreign intrusion?


Amazon, Microsoft & Google control two-thirds of cloud services globally


Nearly everyone who uses technology relies on the cloud. The photos and music on your cell phone. The programs on your computer. You save them confident they will be there. But what if they aren’t? And what happens if the data you lose is more valuable than precious memories? National investigative correspondent Mark Hyman takes a deep look at banks using the cloud.


Rob Enderle told us, “A lot of people that are using the cloud don't really understand where the data is going, how it's controlled, and how it's secured.”

How the cloud works

The cloud refers to software, programs and databases that are stored on remote servers that can be accessed via the internet 24/7. There’s been rising concern over the potential vulnerability of cloud service providers, or CSPs. Global management consultant Gartner has listed cloud concentration as a top 5 risk facing US organizations. There are hundreds of CSPs but the three largest – Amazon, Microsoft & Google – control two-thirds of all cloud services globally.


“That's the great white whale, isn't it?” correspondent Mark Hyman asked.

“Well, to a certain extent, yes, it's the scary thing,” Enderle answered.

Technology analyst Rob Enderle


Rob Enderle is a technology analyst who has worked for Fortune 500 companies. He said CSPs must be vigilant 100% of the time to protect against attack. “The ability of quantum computer to breach virtually every type of encryption we have today is almost certain,” he observed before adding, “With AI, you can do phishing at scale. You could phish every single employee in a company with AI.”

Phishing is when hackers send email enticing an employee to reveal confidential information or to click on a link that might release malware or malicious code to infect a network.

Phishing attack

Enderle warned, “We're reaching a point where we could have a catastrophic problem.”

Anyone who might successfully hack a single CSP could potentially have access to an unlimited number of clients. Accessing a CSP has been likened to having a hotel master key. It could get real ugly real fast.

“When you're breached, you're going to take down all your clients and be out of business,” Enderle noted.

Chinese intelligence hacked a dozen cloud providers

This is more than speculation. In 2016, it was learned that Chinese intelligence hackers had breached as many as a dozen CSPs, giving them broad and unprecedented access to perhaps hundreds of companies and government agencies. Intrusions may have begun as early as 2010. The Chinese government has denied involvement.

Even today, US officials appear to have little understanding of how widespread the hack was. Nicknamed “Cloud Hopper,” the hackers are believed to have accessed many of the world’s leading technology companies. Industrial espionage is high on the list of likely goals.

FBI J. Edgar Hoover headquarters


John Pendleton told us, “And if data is the new gold, the cloud needs to be like Fort Knox.” Pendleton was a 35-year investigator with the Government Accountability Office. He recently led a major scrutiny of cloud services as a non-resident scholar for the Carnegie Endowment for International Peace.

Retired GAO investigator John Pendleton

“After a year of study, we did conclude that the cloud providers were too big to fail. And that's because so much of our lives, daily lives, our commerce is concentrated in only a few companies,” he stated.

Threats to the cloud

Possible threats to the cloud include external state actors such as Russia, China, and North Korea. Before the Russian invasion, Ukraine was home to a large population of cyber criminals. Terror and criminal groups are also possible. Then there are internal actors such as a disgruntled employee. Even a technical failure or natural disaster poses some risk.

We wondered, could an adversary such as China seriously damage US banks for a lengthy time? Yes, but it’s unlikely because it could spiral out of control, according to Enderle. “The issue would be almost an immediate nuclear escalation,” he added.

Such a doomsday scenario would not be necessary to cause widespread panic, Pendleton told Inside Your World.


“I'm more concerned about is a loss of trust. You don't have to shut the system down to cause problems. If you get in and you affect something like bank accounts that could have a widespread economic impact,” shared Pendleton.

Polling has shown that public trust in institutions is already at a low.

Americans conduct a run on the banks in 1930s

“A century ago the public had a run on the banks. It's simple uncertainty,” Hyman observed. Pendleton continued that line of thought, adding, “Right. I think trust in the system is one of the vulnerabilities that is sometimes under-appreciated.”

The Chinese hackers in the Cloud Hopper breach were undetected for years as they ransacked industries including IT, energy, healthcare, finance, and defense. They were so brazen they reportedly posted insults and vulgar taunts mocking company IT professionals and the National Security Agency. It is believed most access was gained by phishing emails targeting IT system administrators with high-level access.

Chinese intelligence 'Cloud Hopper' hack

For competitive and marketing reasons, CSPs and companies have been tight-lipped about being hacked. There are unconfirmed reports that some victimized companies were never informed by their cloud providers that they were attacked.


Treasury Department warning of bank vulnerabilities

The Treasury Department recently warned, “A large system failure or data breach at one of these [cloud-service providers] could impact multiple financial institutions or U.S. consumers.” The agency did not respond to our repeated requests to elaborate. However, in a 2023 report it listed several concerns including:

CSPs do not provide enough information for banks to assess possible risks.

There are not enough experienced technicians to staff all banking needs.

CSPs are not fully cooperative in aiding banks to assess their needs.

Concentration of cloud services is deeply worrisome.

Minimal competition among CSPs puts banks at a negotiating disadvantage.

Six US agencies have fragmented oversight of CSPs with no one organization having a broad overview.

Enderle noted the patchwork oversight is eerily reminiscent of the days before 9/11 when several US agencies had partial intelligence, but no one organization had an overall picture of the terror threat. He told us, “If they'd aggregated those together, they would've known the attack was imminent.”

Carnegie Endowment cloud study

Pendleton’s Carnegie study offers a roadmap for how CSPs could assure the public their systems are secure. “We offered a cloud resilience framework where the cloud providers could demonstrate and assure the public and policy makers that what they're doing will be resilient.” He added the uncomfortable truth, “We are going to be attacked, we are being attacked.”

Chinese intelligence hackers

Two Chinese nationals believed to be affiliated with China’s Ministry of State Security -- that nation’s CIA -- were indicted by the Justice Department in December 2018 for their role in the Cloud Hopper hack. They are not expected to surrender to US officials.