The recent release of the long-awaited government report on the May 6 “flash crash” highlighted one specific trade as the catalyst for a series of chain reactions, accelerated by computer algorithms, that whipsawed the market. While the report goes a long way toward explaining the events of that afternoon, it doesn’t begin to address the systemic weaknesses of the market, highlighted by the nearly 600-point drop in the Dow Jones industrial average in a matter of minutes — and the Dow’s even faster recovery.
To an observer of global security risk, the flash crash looked like a horrific new way to cause economic, political and social damage. Although the crash played out in the U.S., the systems that underpinned it are being used globally and are currently seeing their greatest growth in Asia. The rise in the use of high-speed technology and reactive algorithms to conduct a variety of market functions is driven in part by the innovation and growing dominance of high frequency trading.
One of the more startling pieces of news to come out of the flash crash is the geographic shift in trading. Wall Street is no longer the heart of the U.S. financial market, nor is London’s Square Mile the epicenter of the U.K. market. The data and trading components of the financial systems are now centered in New Jersey and Essex, respectively.
Does this mean that the “ring of steel” surrounding the City of London or the New York Police Department presence outside the Big Board can be scaled back or eliminated? Not entirely, as both market centers are still symbolic targets. But it might be a good idea to move some of these protective resources to the data centers supporting critical financial systems. Although the security of the data centers has no doubt been considered at some length, resulting in bomb-proofing and improved data protection, it would be surprising if all vulnerabilities surrounding the staffing of these sites have been fully explored.
The potential cyberwar element of high frequency trading is a fascinating area of future security risk — not only for financial markets but also for the countries that host them.
One of the fundamental concerns with the system becomes apparent when examining what has been described as the democratization of trading. In short, the use of technology allows companies to offer trading platforms at very low cost to anyone by locating their services in data centers alongside the exchanges themselves. For a small amount of capital, anyone can connect an algorithm to a financial market from anywhere. It remains fundamentally unclear who is responsible for conducting real-life due diligence on the traders tying into the financial system. Much political noise is devoted to which people are allowed to enter a country, but little thought is put into who is tapping into the financial system.
Anonymity, of course, is not a crime. And it has taken a while to understand what, if anything, a rogue algorithm could do if introduced into a particular market. Clearly, the ability to crash the entire market would make for a spectacular attack if the events of May 6 could be replicated, but this seems unlikely.
However, further examination suggests that a kind of denial-of-service attack could be discretely aimed at particular nodes in the financial system, as evidenced by the practice of using algorithms to bombard a market with buy and sell offers to slow it down enough to create a financial arbitrage opportunity elsewhere. It’s not that far-fetched to imagine a terrorist creating a number of algorithms that could act in concert as a denial-of-service attack against financial exchanges.
On a larger scale, the order by mutual fund firm Waddell & Reed to sell $4 billion in index futures contracts, which is being blamed for setting off the May 6 crash, will not have escaped the notice of national governments interested in exerting financial pressure on their opponents. The size of this trade may be beyond the ability of smaller groups to execute, but it is entirely possible for a government to sponsor this kind of market manipulation against its international opponents. In fact, there is a long history of using financial manipulation to gain diplomatic and even military advantage; the weakness of a massively networked system relying on trading algorithms can clearly be exploited during times of international tension.
The ability to crash or negatively impact financial markets would be an incredible cyber-warfare tool. For this reason, the flash crash should be examined further through the lens of security risk to ensure that the vulnerabilities and opportunities are well understood.
Roderick Jones is CEO of Concentric Solutions International, a San Francisco–based security risk management company.