The roots of cyber security lie in the City of London
- December 19, 2022
- Ashley Sweetman
From the 1950s to the 1970s, the City of London, Britain’s historic and global financial centre, was a hotbed of technological advancement. Many of the discussions, motivations and actions relating to computer security in this period echo those today.
If there is such a thing as a perfect crime, then the so-called Lazarus Heist is surely a contender. In 2016 an audacious, $1 billion cyber-theft was attempted, and came close to succeeding. The perpetrators? The North Korean state. A criminal group funded by the North Korean government had attempted to steal $1 billion by redirecting a payment instruction in SWIFT, the global payment system. In the ultimate twenty-first century bank robbery, hackers attempted to exfiltrate the money from the Bank of Bangladesh, and launder the proceeds through casinos in Macau. By luck, the heist was spotted while underway and stopped. Along the way, SWIFT had been broken into by the hackers.
SWIFT (Society for Worldwide Interbank Financial Telecommunications) plays an integral role in modern financial markets. In 2022, to July, it recorded an average of 45.3 million payment messages per day. Its security and integrity are critical to the working of the global financial system. So far, so modern. But the system’s conceptualisation — and initial thinking about its security — were initiated in the early 1970s, almost half a century ago. SWIFT was launched in 1977, amid a flurry of international activity to make the transfer of huge sums between banks more efficient. A host of systems appeared around the same time, including CHAPS and BACS in the UK, alongside CHIPS in New York and Scope in California.
From the 1950s to the 1970s, the City of London was a hotbed of technological advancement. Many of the discussions, motivations and actions relating to computer security in this period echo those today, and demonstrate how ‘cyber’ goes to the core of banking and the banker-customer relationship itself. Cyber security maintains customer confidence and trust, and has always done so, and is integral to the business model and very existence of banks.
SWIFT was designed with security in mind. But as early as 1972 there was an awareness that malicious actors could potentially use the system for their own gain. Security consultants agreed that messages in communications networks were vulnerable to both accidental alteration and to fraudulent manipulation. From the outset it was realised that SWIFT must be continuously available, reliable, and offer an ‘exceptionally high standard of security’ in keeping with the value of transactions the system would process and transmit. Clearly visible in these discussions was not only the recognition that the system had to be secure against both deliberate and non-deliberate threats, but also that computer security had to be proportionate to the value of what it was trying to protect.
The London clearing banks — including Barclays, Midland, National Westminster and Lloyds — recognised the importance of computer security almost as soon as they purchased the technology. Motivated by long-run cost savings, they began purchasing computers in the late 1950s and early 1960s to automate processing large numbers of calculations and transactions. Computers had demonstrated their efficiency and reliability for such activities during the Second World War. They emerged from the laboratory and research establishments, and became commercially viable.
Barclays purchased its first machine in 1959, with National Westminster and Lloyds Bank following in 1960, and Midland the year after. The original tasks these computers did were the most labour intensive: branch accounting (managing the current and savings accounts of customers); and cheque clearing (processing customer cheques and ensuring the right money was requested and received from fellow banks). For an idea of scale, by the early 1970s the banks were collecting payments for roughly four million cheques per day: enough to be four times taller than the Post Office Tower (now The BT Tower) in London, should their paper versions be stacked up.
The Bank of England had purchased three mainframe computers by the end of the 1960s, which allowed it to automate existing processes, including the issuance and registry of bonds. This also facilitated new thinking: namely the ability to forecast economic measures over future years. ‘Computers are unquestionably the tools of the future,’ the Bank of England declared.
Though computers offered a more efficient means of processing on which the banks were keen to capitalise, their rapidly growing dependency on those machines meant they needed to think clearly about their security. One of the most obvious vulnerabilities was the risk of these machines failing. It would be difficult, if not impossible, to return to paper-based accounting. Barclays, for example, was one of the largest computer users in the world by the 1970s, requiring it to develop contingency plans should it suffer a computer security incident, and to test those plans in advance, much in the same way banks do today.
Unique to financial institutions is the commercial sensitivity of the data they store and transfer. Data loss was therefore a driving concern, far more so than for those managing comparable systems such as airline or even military applications. Finance required a more tailored and thorough approach to security. The answer was a combination of physical and technical measures. Controlling access to the spaces in which computers were held, through perimeter fences and CCTV for buildings and access controls on internal doors to computer rooms, was a common tactic, as were the basics of employee ID cards and logon passwords.
Yet the banks were also clear that total security was unattainable. They often referred to resilience and assumed that they would inevitably fall victim to some kind of computer fraud, breach of confidentiality, or physical damage. Computer security thinking at this point therefore also took into account industrial action and even weather-related risks, with banks investing significant amounts of money in back-up sites and uninterruptible power supplies. The focus was on ensuring customers could still use their important services, mirroring contemporary thinking around operational resilience currently being led by the Bank of England.
Threats abounded. Externally, the risk came from the potential for eavesdropping either on the radiation emitted from computer terminals or the signals sent across communications lines. Such was the concern that the Bank of England wrote to GCHQ in the mid-1970s to assess the ‘vulnerability of its computer configuration to fraudulent use by persons of high intellect with a knowledge of electronic engineers’, and suggested that a ‘red-team’ of its system could prove useful. Internally, programmers could add in fraudulent code and manipulate systems to their advantage.
At around the same time, the major banks were also collaborating to develop the payment system known as CHAPS: the Clearing House Automated Payment Systems. The techniques used in CHAPS to protect its users are illustrative of the growing concern over the external threat, that of hacking and payment fraud.
Following a decade of research, by its launch CHAPS had an in-built cryptographic method of ensuring the authenticity and confidentiality of payment messages, and its encryption algorithm had been evaluated by the National Physical Laboratory. Donald Davies, the renowned Welsh computer scientist famed for his development of the packet-switching technique, which still underpins the Internet, claimed that although the cipher being used had certain weaknesses, they would not lead to a ‘very serious threat by an attacker.’
A consensus had formed by the end of the 1980s, and persists today, that the financial sector is one of the most aware and active sectors in relation to computer security. Barclays, at the time it began to use computers, recognised it ‘could not afford to take a risk with other people’s money’ and was already spending, along with its peers, prodigious amounts of money on computer and network security. Perhaps that is why by the middle of the 1970s Barclays declared it had not experienced a significant loss due to computer fraud.
Banks talked about the ‘confidentiality,’ ‘integrity,’ and ‘availability’ of data and networks, terms which pervade the sector today. The Bank of England in 1984 persuaded the banks to agree to the confidential exchange of information concerning both successful and unsuccessful attempts to misuse bank computer networks, foreshadowing the continued efforts of the sector to exchange threat intelligence and tactics, techniques, and procedures of malicious actors.
At that time there were increasingly common references to the amending of payment instructions to, for example, transfer money to illegitimate recipients, exactly as was attempted in the Lazarus Heist decades later.
Though the scale of the threat, the potential losses and the scope of malicious actors in cyber space continue to evolve, there is significant continuity in the computer and network security threat that has existed since at least the late 1950s. This is bank robbery by modern means. At the core is the need for banks to protect the trust and confidence of their customers, something so fundamental to their existence. It has deep roots.