Counterterrorism Blog

The Department of Homeland Security has issued an advisory to banks and financial institutions that al Qaeda may be planning cyber attacks on their websites, after a jihadist website posted threats of denial-of-service attacks during December. In reality, the financial sector is used to cybercrime and attacks of various types; in early November, 16 people in the US and Poland were arrested on suspicion of involvement in a 2004 phishing attack on a bank, in which over 100,000 credit and debit cards from more than 1,000 individuals were compromised. The 9-11 attacks heightened the importance of sound physical and systems security in the financial markets. Accordingly, the US Congress has paid special attention to this subject and commissioned periodic reports by Congress' audit arm, the Government Accountability Office.

GAO reports over the past 3+ years indicate the increasing ability of financial institutions to withstand terrorist attacks on physical and information infrastructure. In February 2003, GAO issued this report on the impacts to the financial markets from the 9-11 attacks, warning that by October 2002, organizations with critical roles in financial market operations had not taken sufficient protection and recovery measures to prevent a business disruption. Two years later, GAO reviewed the information systems of those organizations again and found that the organizations "are taking steps to prevent their operations from being disrupted by electronic attacks."

During my tenure on Capitol Hill as a counsel for the U.S. House Financial Services Committee, I met often with officials in the industry responsible for protection of critical infrastructure, and I was impressed with the depth of commitment by all major players in the industry and the rapid improvement after the 9-11 attacks. The little-appreciated responses to the attacks included herculean efforts by the Federal Reserve System, the Treasury Department, the New York Stock Exchange, and major institutions to build redundancy into the financial system so a physical or cyber attack cannot disrupt markets, as occurred in the week after the 9-11 attacks (see pages 4 and 5 of the first GAO report linked above). In my last hearing as committee counsel, government and industry officials reviewed the response of the markets to the massive power blackout in the Northeast US in August 2003. The biggest blackout in US history, affecting up to 40 million Americans, caused barely a burp in the financial markets (see this official report coordinated by the Treasury Department).

So while any warning of a potential terrorist cyberattack should be taken seriously, I'm confident the worst such attack would not stop stock and bond trading or payment clearance mechanisms for any significant length of time.