Bangladesh Bank to form emergency response team to thwart cyber attack

Highlights:

• The Fin-Cert will
  • Take measures to stave off cyber attacks on financial industry.
  • Monitor the banking sector's cyber security situation
  • Help banks to prevent imminent cyber attacks.
  • Facilitate exchange of information among all the financial institutions
• Banks will be able to share information on attacks and their solutions on the platform

The Bangladesh Bank is going to launch a computer emergency response team for the financial sector (Fin-Cert) to avert cyber attacks like the one in which hackers managed to steal $81 million from its accounts with the Federal Reserve Bank of New York five years ago – in the biggest digital heist in the country's banking history.

A senior official of the central bank told The Business Standard that Fin-Cert will exclusively concentrate on the financial industry for emergency security and will take measures to stave off any imminent cyber attack.

For example, if a bank faces a malware threat from hackers and is unable to counter it, it will be able to share the issue anonymously on the Fin-Cert platform to alert other banks and check if anyone else is having similar problems. If any other bank has a solution, it will share the information on the platform, said the central bank official.

The Fin-Cert will monitor the banking sector's cyber security situation and provide necessary support and advisories to help prevent probable and imminent cyber attacks. It will also facilitate the exchange of information among all the connected financial institutions, he added.

The country already has Bangladesh Government's e-Government Computer Incident Response Team (BGD e-GOV CIRT), which was set up under the government's Digital Security Agency.

The central bank officials held a meeting on the Fin-Cert recently, said sources.

Project Director of BGD e-GOV CIRT Tarique M Barkatullah told The Business Standard, "The Fin-Cert will work to ensure cyber security for all financial institutions. The central bank has already formed a team to develop a system to respond to cyber attacks and we are coordinating the issue."

He said, "If there is a cyber attack in the financial sector, the central bank will address the issue first and if they seek any help from us, we will go forward with assistance."

With the advancement of technology, the banking system is now facing more security threats. Earlier, the banks imposed restrictions on using ATM services at night and made announcements about possibilities of cyber attacks to make customers aware.

Pubali Bank's Managing Director and CEO Safiul Alam Khan Chowdhury said, "As a private commercial bank we have the largest banking chain in Bangladesh and we are trying to provide Internet-based services as better protection in cyber security has always been prioritised."

Some security practitioners said the big challenges in cyber security are the lack of precautions before an attack. Besides, developing a realistic framework for the Fin-Cert activities and carefully defining its role to ensure better security for the financial sector is also a challenge.

Former professor of computer science and engineering in Bangladesh University of Engineering and Technology Mohammad Kaykobad, said, "It is too late for implementing such an initiative now. These plans almost always look fine on paper, but I doubt if the central bank programmers are efficient enough to develop such cutting edge technology."

He said, "They haven't been very much active in the past as we have already lost nearly $1 billion from our banking system. This is a huge loss and for some reasons, we are taking such initiatives for our banking sector after 5-6 years after the cyber heist."

The computer scientist advised the central bank to play a proactive role in ensuring cyber security by consulting the national and international cyber security practitioners.

Cofounder of Shadhin Fintech Shadman Y said, "Cyber security is by far the biggest threat to the financial institutions worldwide. We are very eager to learn more about the cyber security initiatives taken by the Bangladesh Bank and ICT ministry.

"This [the Fin-Cert] will be an excellent development for the overall financial ecosystem and strengthen the customers' trust. As a fintech startup, we would be more than willing to understand these issues and incorporate relevant solutions if asked."

According to the global cyber security leader Trend Micro's report, they blocked 40.9 billion email threats, malicious files, and malicious URLs for customers worldwide in the first half of 2021, a 47% year-on-year increase.

The world's banking industry was affected at a disproportionately high rate, experiencing a 1,318% year-on-year increase in ransomware attacks in the first half of 2021, according to Trend Micro.

Ransomware was a major threat to global organisations in the first half of 2021, but it was not the only one.

Trend Micro's report also revealed that business email compromise (BEC) attacks increased by 4% in the first half of this year, potentially as a result of new Covid-19 opportunities for threat actors.

Cryptocurrency miners became the most detected source of malware, having surged ahead of WannaCry and web shell attacks in recent months.

Fin-Cert's structure and expectations

The Fin-Cert has some major tasks, including building a threat intelligence platform and spelling out security standards.

The Fin-Cert will be fully independent to monitor the cyber security situation in the financial sector, but it will report to the BGD e-GOV CIRT and the Digital Security Agency at the national level, in accordance with the Information Technology Act and rules, a government official said.

"Fin-Cert will have an advisory board. It has also been recommended that each financial institution will have a separate entity that will provide real-time information to the Fin-Cert," he added.

Some security practitioners recommended that the Fin-Cert should devise a framework to manage and oversee the third parties which are often responsible for maintaining the financial institutions' cyber security.

Experts also want the Fin-Cert to be an independent entity composed of stakeholders from the government, central bank, law enforcing agencies, law ministry, and all the banks and financial institutions.

"There is a lack of skilled resources for developing such a computer emergency response team, especially in the banking industry. As we have a shortage of skilled manpower, we should focus on cyber literacy and industry-oriented tech education," said Mohammad Kaykobad.

"I think such a platform must include a new generation of dynamic programmers, who will work effectively and efficiently. It will ultimately develop effective measures for ensuring cyber security," he added.

In addition to Fin-Cert, the BGD e-GOV CIRT is planning to have a computer emergency response team each for chemical and commercial facilities, communications, critical manufacturing and emergency services, food and agriculture, healthcare, nuclear, waste management, transportation and water and wastewater systems sectors.