Security Markets

Humanity is not as far removed from trading three chickens for a sack of flour as we would like to believe.

The international economy works because everyone has agreed, more or less, that some amount in one currency is worth some other amount in a different currency. Central banks from the USA, UK, EU, Japan, and Switzerland sit at the top of this house of cards to orchestrate the global flow of money. The US dollar, pound sterling, euro, yen, and Swiss franc all play complicated roles in global trade. Risk-free rates — a critical baseline for all other finance math — are calculated in these currencies. The Central Banks trade in these currencies. Countries keep reserve stocks of these currencies handy to make deals.

Participation in the global economy is no longer optional in today’s interconnected world. Manufacturing has efficiently optimized a delicate just-in-time Kanban system. Our need for raw materials has changed from common iron and carbon to rare earth lithium and silicon. These raw materials are processed into the variety of goods on the market. On the customer side, it matters when payment is collected. Upfront cash? On arrival of goods? Net 30 days? There is no right answer, but choose wisely: it can be the difference between making a profit and taking a loss. Exchange rates fluctuate by the second.

Of course, we did not arrive at this dangerously interconnected system by accident. It evolved, first from the gold standard, through significant global war, and into an era of floating exchange rates. In our current world order, it is necessary to prioritize two forces out of three options. Does a government give up monetary independence, which is important for combating domestic recessions and inflation, like EU members? Give up free flow of capital, which is important to the ability to make trades for a developing nation? Or give up the stability of a fixed exchange rate, like the United States or Japan?

What if we had to give up either confidentiality, availability, or integrity to fully resource the other two?

The only bright spot is that the global economy can continue to evolve if we let it. It will not be an easy process, as transitions never are, but here we are, roughly a century beyond the classical gold standard. We have all even agreed to change the previous risk-free rate, the London Interbank Offered Rate, to a new system. It turns out people are motivated to change when a large majority of LIBOR-based sub-prime adjustable-rate mortgages default.

One vocabulary term that stood out was the basis point, which is defined as 0.01%. Rates are frequently denominated in basis points; check Excel number formats accordingly. These are small numbers that have huge effects.

The global marketplace demands that countries keep diligent records of imports and exports. Data collection around this is messy and complicated at best; impossible at worst. Every foreign transaction matters, from sending money back home to support relatives to tourists spending money on foreign hotels. Yes, the data collection for this is incredibly messy. Careful monitoring of these books allows governments to set policies that ripple into business impacts.

When people agree on how to assign value, that value must stay the same across time. The same is true across space: an average citizen should be able to buy a basket of staple foods for approximately the same value. The Big Mac Index famously tracks this parity. From this parity, and knowing domestic inflation rates, cross-border interest rates are calculated. This allows an organization to get foreign investment at perhaps better loan terms than were available domestically.

Keeping the assigned value constant across space and time is a challenge, mathematically speaking. The important part is that the system must remain in equilibrium. Any disequilibrium, like a bigger than predicted fluctuation in domestic inflation or currency devaluation, ripples out into the rest of the system. The impact of COVID-19 on the economy is an example of this.

Financial derivatives exist on top of the main value component. Despite the amount of effort placed on keeping value constant and predictable, market liquidity demands a certain amount of fluctuation. Interest rates fluctuate, inflation happens, and devaluation happens. It’s less important that the value component remain a fixed point and more important that the fluctuations happen predictably. Derivatives exist to make additional profit when predictions are correct, or to hedge a potential loss. They also have a habit of collapsing when the underlying value component (sub-prime mortgages, say) collapses.

However, derivatives serve a very real purpose in mitigating the very real risk of dealing in foreign currencies. They “hedge” by reducing the variability of the risk with a second, opposite deal. Importantly, hedging is not free; the cost to hedge depends on the derivative used. This is a fantastic way to frame security requests! Our goal is to reduce the likelihood of a future attack … and therefore reduce the costs of incident clean-up. Many large organizations have policies around hedging; it is worth a conversation to understand where security policy intersects. This must be done at an individual business level as each organization makes different risk choices.

Another common risk area lies in the daily operations of an organization. Political decisions made by governments impact the future cash flows of an organization, which affects the current value of the organization. A sudden, unexpected change in the exchange rates affects supplier costs and the price consumers will pay. This risk usually requires bigger strategy adjustments to mitigate. It may be helpful to think of security as another kind of operating risk.

For example, every foreign transaction must flow through the exchange system. Today, this is governed electronically through the SWIFT protocol. Like all good standards, there are technically alternatives to SWIFT; none of them are popular. Also, like all good standards, SWIFT is not immune to bad-faith manipulation. A 21st-century bank robber does not need to storm a branch with a ski mask, a weapon, and a dream. They can write some malware and inject transactions into the system.

In 2016, this happened. Malware was injected into a Bangladesh bank to issue almost a billion USD from the New York Fed to the Bangladesh bank. This is not unusual given the role of the USD as a global reserve currency. However, it was unusual enough for the New York Fed to request additional verification on most of the requests. Bangladesh’s “computer problems” prevented timely delivery of these requests. When Bangladesh did finally issue stop payment orders several days later, it was the weekend and New York was closed. The thieves collected a paycheck of USD 101 million out of accounts in the Philippines and Sri Lanka.

Another way to mitigate operational risk is through … more operations. If an organization knows it needs a steady supply of foreign currency to pay a key supplier, it can establish a steady influx of that currency via a loan or other agreement.

The wider international market offers more opportunities for investment and debt. The cost of these funding streams to an organization changes with the increased opportunities. Beta is still used as a measure of systematic risk, which means we can still measure the price of a security risk and see that reflected in the calculations. What may be more challenging is separating the domestic and international components of this security risk, or knowing whether that distinction matters. We could separate incidents by threat actor group; this immediately confronts our ability to attribute attacks to groups, and groups to nation-states, with confidence. The distinction between domestic and international security risk is less clear than the difference between financial risks.

A better question may be the effect of security risk on a market’s liquidity and segmentation. Is it more challenging for an organization in an emerging market to overcome security risks? Is it easier because of the inherent global nature of the security domain? Security also impacts the availability of information. Companies answerable to the US SEC must file an 8-K for security incidents; this is not a global requirement.

Here’s the thing about markets: They ebb and flow as trades are made. You do all the math, pick the resulting answer, and time passes. Continuously, new data emerges that changes the math just enough to change the optimal answer. Are you stuck with your old choice? Of course not. You can change your mind and scale operations up and down as needed. Your actions themselves domino out as new information and create change.

Real option analysis captures this living nature. If certain decisions will send projects down very different paths, have long life spans, or depend on information collected over time, the analysis must similarly be kept up-to-date. A project that was not profitable — say, keeping systems patched and maintained — takes on a different impact in the face of Known Exploited Vulnerabilities. This can also be seen when organizations cut blank checks to the security team in the aftermath of a high-profile incident. Security risk offers critical data to this real option analysis.

Other markets exist. Utility companies buy and sell energy futures for consistent returns. If enough buyers and sellers meet to swap this and that, then a market forms. New dynamics form when these markets interact with each other.

Security operates in its own kind of market; zero-days are a hot commodity. Threat actors leverage vulnerabilities, largely for financial gain via ransomware or selling stolen data. Meanwhile, defenders try their best not to let that happen with various security initiatives that hedge the risk. Instead of the weighted average cost of capital driving budgets and projects, the cost of security can be considered. Will the new project make the attack surface bigger? Will a new service accidentally create a backdoor into a critical system? How will the security risk of the project impact the risk level of the organization? This is separate from the pure financial valuation but perhaps no less important.

To recap: international markets work because we have tenuously agreed that one currency unit from country A is worth a proportion of currency units in country B … or, that three chickens are worth a sack of flour.

A final quote from John Maynard Keynes:

The best way to destroy the capitalist system is to debauch the currency. By a continuing process of inflation, governments can confiscate, secretly and unobserved, an important part of the wealth of their citizens.
