HFT Security Risk?
A Concentric Blog: Examining Security Risks surrounding HFT
To an observer of global security risk the Flash Crash of May 6th 2010 looked like a horrific new way to cause economic, political and social damage to society. While the crash was played out in the United States the systems, which underpinned the crash are being used globally and are currently seeing their greatest current growth in Asia. The vulnerabilities, tactics and security risks, which have been demonstrated to date are therefore, global in nature but rooted in the nations where financial markets are dominant. While investigators are still puzzling over the exact cause of the crash the systemic weaknesses, which it highlighted are unlikely to disappear quickly. The rise in the use of high speed technology to conduct a variety of market functions is at the heart of the issue and particularly high frequency trading. The technology itself is not to blame, it is disruptive as with any new technology adoption, but it is at heart janusian in nature and is neither fundamentally good or bad. It is however, a vast paradigm shift and has opened up an array of security challenges and offensive opportunities (depending on which side you want to play). The purpose of this statement is to highlight what (currently) we consider to be the main security risks exposed by the flash crash and some potential solutions.
One of the more startling pieces of news associated with any investigation into High Frequency trading is the geographic shift in the physicality of trading. In short, Wall Street is no longer the heart of the US financial Market and neither is the Square Mile in London. The data and trading components of the financial systems now sit in data centers located in New Jersey and Essex. Does this mean that the Ring of Steel in London or the NYPD presence outside the NYSE can be scaled back or dispensed with? Not entirely as they are still symbolic targets, but it might be a good idea to move some of these protective resources to the data centers supporting the countries critical financial systems. This therefore, is the first security risk associated with the move to high-frequency trading, the security of the data centers supporting the trading functions and the co-location services supporting the high frequency traders. While the physical and virtual security of the data centers has no doubt been considered at some length, with bomb proofing and virtual attempts at penetration, it would be surprising if other vulnerabilities surrounding the staffing of these sites had been fully explored. Concerted attempts at infiltration would probably realize significant results.
Aside from the physical move to data centers the cyber-war element of high-frequency trading is a fascinating element of future security risk not only for financial markets but for the countries in which they are hosted. One of the fundamental concerns with the system becomes apparent when examining what has been described as the ‘democratization of trading’. In short, the use of technology allows companies to offer trading platforms at very low cost to anyone through their services, which are co-located in data centers with the financial exchanges themselves. The company Gravitas is a good example of this. Therefore, for a small amount of capital anyone can connect their algorithm into the financial market from anywhere. It is unclear who is responsible for conducting real-life due diligence on who is connecting into the system but given the downside risk it should be the exchanges that may want to know more about who exactly is behind a particular algorithm connecting into their market.
Anonymity is of course not a crime and it took a while to understand what, if anything, a rogue algorithm could do if connected into a particular market. Clearly, the ability to crash the entire market would be a spectacular attack if the events of May 6th could be replicated but this seems unlikely. However, further examination suggests that a kind of Denial of Service attack can be discretely aimed at particular nodes in the financial market to create arbitrage conditions. An algorithm can send enough requests into a particular market to slow it down enough to create a financial arbitrage opportunity elsewhere. The scenario of most concern is that an adversary could create a number of algorithms, which could act in concert as a Denial of Service attack against financial exchanges. This should be of significant concern to the National Security communities in countries exposed to high frequency trading.
As a side note there is also an interesting practice noted in some of the research surrounding the otherwise unexplainable movements of orders transmitted by high frequency traders. These orders do not make any sense unless they are being used as an intelligence gathering device to test the speed and capacity of the financial nodes the traders may be targeting or of speed and resiliency of the system itself. This kind of network capability intelligence gathering is an interesting tool that could be adapted for offensive use if these practices were to be developed into cyber-warfare tools.
As it stands there appear to be some measures that could be used to mitigate the security risks associated with high frequency and algorithmic trading. The SEC is likely to recommend and institute some controls around ‘Quote Stuffing’ or ‘Spoofing’, which is the practice that has the appearance of a Denial of Service attack. There has already been some indications that this will occur and individual exchanges are beginning to take some action against rogue algorithms. As well as some regulatory oversight it may be useful for the exchanges themselves to conduct more significant due diligence on the companies and individuals connecting into their markets. While the issue of human immigration is seldom far from the political megaphone the issue of who is actually migrating into financial networks attracts significantly less attention.
The movement of critical information into data centers is happening globally and the financial services industry is probably ahead of most when it comes to security. However, while it can be debated whether some data center’s should be regarded as critical infrastructure there is no debate over the financial exchange data centers and their co-location companies, they are critical infrastructure. Therefore, security of these sites should be seen in that light.
The ability to crash or negatively impact financial markets would be an incredible cyber-warfare tool. For this reason the flash crash of May 6th should be examined further through the lens of security risk to ensure vulnerabilities and opportunities are well understood.