Ground Zero

by Theodore Iacobuzio

Bank Systems + Technology
November 1993, p.44

If the gang that, authorities say, succeeded last winter in detonating a bomb on parking level B of New York's World Trade Center had a message, it was twofold, and Part Two is if anything more disturbing than Part One, which was, simply, It Can Happen Here. For if that is the case, It Can Happen Again. And it will.

"There's no question," says Paul A. Strassmann, Defense Department CIO during the Bush Administration and currently visiting professor of information warfare at Washington, D.C.'s National Defense University. "The only question is when. An electronic Pearl Harbor will happen."

The very haplessness of the suspects currently on trial for the blast, which killed six people, including a pregnant woman, implies the most disturbing message of all. Next time, there's a good chance that professionals will do the job. The world situation-- which includes the end of the Cold War, as well as newfound hopes for peace in the Mideast--and our open borders, which reflect the openness of our society, combine to create a climate ideal for terrorists. Experts and law enforcement officials agree that the U.S. financial services industry is peculiarly vulnerable.

Even the amateurs currently thought to have set off the bomb in the financial district were quite savvy enough to know that, with so much money taking the form of digitized electronic information, it is possible, in targeting financial institutions, to do much more than blow up bricks and mortar and murder innocent people. It is possible to halt the flow of funds that keeps this nation's economy going. The professionals, in fact, know that the really weak link in the chain is the data center. There is no such thing, experts say, as a building to which terrorists can not gain access at will. And a data center blast, combined with attacks on the telecommunications networks and hot sites--an attack much more focused than the World Trade Center--would raise the stakes considerably: It would be a kind of terrorist triple play: Death, mayhem and evidence that it's as easy to disrupt the American financial system as throwing a hand grenade into a crowded bus.

It is not its power and success alone that makes the American financial services industry terrorism's prime target. It's vulnerable precisely because its disaster recovery plans, put together with natural catastrophes in mind, are simply not up to the destructive power today's terrorists can bring to bear. And the adopted preventive, as opposed to recovery, measures are in even worse shape. "The security systems which are in place are dealing with the kinds of threats that were current 15 years ago," says Strassmann. "The protective measures that are in place are adequate against amateurs, not against professionals," he adds. "Many of the existing protections are laughable. By the time the police show up, the thing's done, and you've blown up the computers, and, most importantly, the telephone system."

Before the digital age, an outrage perpetrated against a bank would have been merely symbolic. But the level of technology banks have attained broadens the scope of a terrorist attack. The destruction of a significant portion of the American financial system is more tempting than the demolition of some bricks and mortar. And the American banking system's reliance on computers and tele-communications may make the temptation nearly irresistible.

"More and more of the transactions have become automated," Strassmann says, adducing credit cards and ATMs. At the same time, he notes, "The number of nodes of information processing has dramatically decreased because of downsizing and consolidation." This means that political and technological factors, as Strassmann says, "intersect" He explains: "If opportunity of damage increases and the vulnerability increases, these things make it very attractive to go to the destruction mode."

Or beyond, to terrorism for profit. Strassmann cautions against regarding terrorists coming from the Mideast as the only threats to the U.S. financial system. "There are approximately 90 professional terrorist organizations in the world," he says. "Many of them are trained soldiers who work for political or other reasons." Strassmann notes that during the '80s the U.S. trained a veritable army of such experts in its support for the Afghan rebels. Further, the destruction of the Soviet system has put a number of Russian professionals on the job market And, Strassmann says, "You get a very motley assortment of people in a terrorist organization, including some very disgruntled PhDs. There are a number of Soviet mathematicians who used to work in defense and who are on the world market trying to make a living."

These people are offering their services to more than political organizations. Some of them are available for crime, although the lines blur between terrorist outfits with a political agenda and plain old bad guys. Terrorism for profit could, Strassmann says, include covering the tracks of a large drug transaction. "If somebody's trying to execute large transfers of money, one of the ways to cover the traces would be to blow up the records of the transactions." Then there's extortion: threatening to destroy a financial institution's computer network if the records of a given transaction are not destroyed. Strassmann knows of one such case, but refuses to divulge details.

Coupled with the professional's sophistication as regards to strategy are a truly terrifying technological know-how and an ability to come and go more or less as they please. "It takes a very small team," Strassmann says. "The professionals can land at Kennedy Airport without any capability. Within a day of shopping at the electronics shops downtown they can equip themselves with some of the most sophisticated equipment available today." Nor, says Strassmann, are blueprints at all difficult to obtain.

...Michael Simmons, evp for technology and operations at the Bank of Boston says "If you planned for an earthquake-type of disaster, you would be ready for a terrorist attack."

Oh, no, you wouldn't, says Strassmann. The fact is, he says, no one bank can resist a concerted terrorist strategy undertaken by professionals, who, unlike an earthquake, plan their attacks. A global U.S. bank would be quite symbolic if forced to suspend operations. And since so many businesses like trust, mutual funds and stock placements are today outsourced to money centers, the entire financial system is interlinked, and this the terrorists know.

"You have to look beyond any organization, you have to look at the system itself," Strassmann says. "The point is, you cannot protect against professionals, but you can build redundancy." And, he says, Simmons's redundancy is simply not enough. Rather, banks must band together to cover for each other and present a terrorist with a bewildering array of nodes on the network the loss of one of which, while obviously presenting difficulties, would not bring down any institution.

Such a consortium must come from the banks themselves, Strassmann says. "You don't need the government," he notes. "Instead of having three data centers for bank A, two for bank B and, God forbid, one for bank C, then how about taking the 30 nodes and making sure one of them is 'hard,' a point from which you can restore the restorers?" That's how AT&T Co. did it, Strassmann said, because it had to: Carrying on its network as it does Defense Department information, Ma Bell had to install state-of-the-art data security at the behest of the federal government If the telephone network can, why can't a consortium of banks? If they don't, Strassmann warns, the next terrorist attack could make the World Trade Center blast look like a firecracker.