The U.S. Securities and Exchange Commission voted on Tuesday to impose new rules to help oversee what experts warn is a burgeoning and little understood shadow market of ultra high-speed, computer based trading. But one security expert warns that new reporting rules are only part of the problem. High frequency trading systems are also dangerously insecure, with few protections against manipulation by outside actors or rogue insiders.
Independent security consultant James Arlen says that banks and financial services organizations are ignoring the threat of attacks on the systems they use to conduct high frequency trading – sometimes referred to as “algorithmic trading.” The absence of both security and oversight of security for the trading systems could pose a systemic risk to the U.S.- and global financial system, Arlen warns.
Arlen will be discussing his findings at next week’s Black Hat Briefings in Las Vegas in a discussion, “Security When Nanoseconds Count.” He said that the rapid evolution of high frequency, computer based trading has happened in an environment devoid of security, while contemporary IT security products are geared to traditional IT environments that operate at much slower speeds.
“You’re talking about security products that have operational latencies that are measured in milliseconds,” Arlen told Threatpost on Wednesday. “That’s about 100,000 times too slow to be a player in real time environments like these.”
The result, Arlen warns, is that high frequency trading systems that connect brokers to exchanges and other parties involved in the trades are vulnerable to attack. “These systems are executing trades on very short time scales, and when we’re talking about ‘short’ we’re talking about microseconds.” New, ultra low latency switches and other hardware from vendors like Cisco and Juniper may push that threshold even lower -offering latencies in the nanosecond (or one billionth of a second) range, he said.
High frequency, computer based trading has already been blamed for large scale market disruptions. In the most lurid example, high frequency trading was blamed for a May 6, 2010 “flash crash” that saw the Dow Jones Industrial Average drop 900 points in a matter of minutes before quickly recovering. An SEC report on that incident determined that “The combined selling pressure from the Sell Algorithm, HFTs (High Frequency Trades) and other traders” were the causes of that crash. Automated, high frequency trading has also been linked to other precipitous drops in equity and commodities markets in recent years.
The new SEC rule is intended to provide some oversight of high frequency trading operations. It requires large traders to identify themselves to the SEC and broker-dealers to maintain transaction records for each large trader and report that information to the SEC upon request. But the new rule does nothing to address security concerns that are rife within HFT system, Arlen says. Among the challenges of providing security around high frequency trading systems is that they often rely on custom or altered hardware and software that is optimized for speed. “These systems are not using normal network cards, they’re doing complete OS (operating system) bypass – so you have an application building the trade as an Ethernet frame in memory an dumping it directly to the wire,” he said. HFT systems often rely on custom TCP/IP stacks that are ill equipped to manage unexpected or malicious traffic from within the system. Similarly, the algorithms used to execute trades are often tweaked in real time during the trading day to respond to market conditions often with only minor regression testing on the back end- akin to pushing an alpha code into production. Such actions are hardly the exception to the rule, Arlen said.
“This is just part of (HFTs’) operational profile. If the only way to make money is to have great algorithms, then you have to put that change in in real time,” he said.
Vulnerabilities abound. The Flash Crash of 2010 was ultimately traced back to operator error, which is an ever present danger. But Arlen said that bad actors and even state sponsored threats are equally worth considering. “You have to think about this in the way that nerdy people think, which is ‘How many ways can I cause disruption?’” Among the ways he envisions is for bad actors within the HFT system to take out – or just slow down – competing trading systems using malicious traffic. Additionally, companies doing HFTs should scrutinize any exposure their HFT systems have to outside attacks. Contractor laptops or even desktop systems used by traders to work on trading algorithms could all be points of access for a malicious actor or nation state that wants to disrupt the markets, possibly as the opening salvo in a wider cyber war, he said.
Arlen says the problem isn’t limited to trading systems. Critical infrastructure, including energy and transportation are increasingly using high frequency, realtime systems to manage more and more complex systems efficiently. Unfortunately, the information security field hasn’t responded to the growth of such systems. “We’re still operating in a mode where we think its OK to add miliseconds of latency. Because we think information security doesn’t demand low latency, security vendors haven’t delivered on low latency.”
In the meantime, financial services firms and others in the HFT second are taking a “see no evil, hear no evil” approach – believing that no security is necessary around HFT systems because there hasn’t yet been a security incident involving them. “Their attitude is that nothing has happened yet, so there’s not a problem,” he said.
Unfortunately, when that event does occur, it could be disruptive, with global exchanges collapsing in flash crashes, or merely quieter scandals involving the manipulation of high frequency trades by rogue insiders.
Recent incidents suggest that cyber criminals and even state sponsored hackers have taken an interest in the software and systems that undergird Western markets and exchanges. An attack on systems belonging to NASDAQ in February caught the attention of the U.S. Secret Service. In July, the Chicago Mercantile Exchange admitted that a rogue employee had attempted to hand proprietary software to competitors in China.
Arlen believes that attacks targeting high frequency trades are inevitable, in the same way that attacks on critical infrastructure like power generation plants were predicted long before the appearance of worms like Stuxnet. The solution, he says, may be a combination of regulation and oversight, as well as investment by IT firms in new systems that can provide security in ultra fast computing environments where the outcome of specific events is less predictable.