In 2016, at the Group of Twenty (G20) leaders’ summit at Hangzhou, China created the Digital Economy Task Force to propose a common understanding, principles and key areas for development and cooperation in the digital space.[1] The task force focused on its core agenda of bridging the digital divide, on innovation and promoting investment in information and communication technologies. However, it has not paid sufficient attention to cyber security, particularly the security and integrity of critical financial infrastructure i.e. banks, stock market trading platforms and digital payment systems, all of which undergird a digital economy.
This anomaly must be addressed on a priority basis. The next financial crisis can potentially occur not just because of financial mismanagement as seen in the 2008 financial crisis. Tomorrow’s crises will result from a debilitating cyber attack on financial infrastructure and critical business systems like banks, stock markets and payment systems.
The G20, which brings together leading digital and industrial powers, therefore has a self-interest in securing critical financial infrastructure. There is no precedent for this. But attacks on traditional industrial systems and the subsequent addressal of issues, can serve as a guide. For instance, the Stuxnet virus of 2009-10, which hit Iran, infected its nuclear reactors and also other countries’ national and commercial computer networks. This resulted in specialised agencies being set up by states, such as India’s National Critical Information Infrastructure Protection Centre and UK’s National Cyber Security Centre, to protect critical industrial infrastructure like nuclear reactors, oil pipelines, airports etc.
Bilateral agreements on critical infrastructure also show the way. In 2015, the United States and China signed an agreement to contain their industrial or economic cyber espionage activities against each other.[2] Both countries had suffered economic losses from the theft of Intellectual Property and sensitive business plans of companies, like Lockheed Martin and Huawei.
The timing for a G20 framework on critical financial infrastructure networks is opportune given the rapidly digitising world. It can start with formulating a common definition of critical financial infrastructure since countries define it differently based on their risk perception. An ideal definition will include payment, clearing and settlement systems, stock market trading platforms and insurance companies.
Second, the focus of the digital economy task force should be expanded specifically to include cyber security. For this, cyber security and critical financial infrastructure should be added to the existing priority areas, such as fintechs and digital inclusion.
Third, member states can be encouraged to voluntarily offer best practices to secure networks. These include hardware specifications, information security practices for the workforce and third party vendors, supply chain management, and standards for maintenance of industrial control systems. Some G20 countries, like the U.S., have already put such guidelines in place, laying out cyber security governance principles and crisis management for all critical infrastructure from banks to nuclear facilities and election networks etc. [3]This can be studied by the digital task force, and similar guidelines developed for critical financial infrastructure.
Grave danger lurks in the form of web forums and digital black markets from which hackers buy viruses and malicious software for stockpiling. North Korea has been accused of running a cyber operation that has targeted inter-banking transaction systems to steal an estimated $1.1 billion from banks in Bangladesh, Ecuador, Taiwan, Nepal and India.[4] Multiple joint operations by the U.S. and European security agencies have targeted these forums and black markets—an effort that the G20 Digital Task Force can contribute to by building technical and forensic capacity of the member-states.
Finally, the G20 leaders should pledge not to attack one another’s critical financial infrastructure. While this may sound idealistic in the fluid digital era, such agreements have famously worked, as in the nuclear and other arms control regimes. While the world has not seen nuclear warfare after the bombings of Hiroshima and Nagasaki in 1945, the arms race continues unabated and now extends to cyber space. The G20 leaders can take a leaf out of the nuclear book to devise a similar regime for cyber space.
Sameer Patil is Director, Center for International Security and Fellow, National Security Studies, Gateway House
This article was exclusively created for Gateway House: Indian Council on Global Relations. You can read more exclusive content here.
For interview requests with the author, or for permission to republish, please contact outreach@gatewayhouse.in.
© Copyright 2019 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited.
References
[1] G20 Information Centre, G20 Digital Economy Development and Cooperation Initiative, 5 September 2016, <http://www.g20.utoronto.ca/2016/160905-digital.html>
[2] Office of the Press Secretary, The White House, Fact Sheet: President Xi Jinping’s State Visit to the United States, 25 September 2015, <https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states>
[3] National Institute of Standards and Technology, NIST Cybersecurity Framework, <https://www.nist.gov/cyberframework>
[4] Fraser, Nalani, Jacqueline O’Leary, Vincent Cannon and Fred Plan, “APT38: Details on New North Korean Regime-Backed Threat Group”, FireEye, 3 October 2018, <https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html>