When the Reserve Bank of Australia’s data centre was unexpectedly unplugged by an errant fire control system test in August last year, it took just seconds for adversaries to start sniffing around some of Australia’s most critical infrastructure for holes to exploit.
Despite the best laid preparations for system redundancy and failover, a master power kill switch deep inside the RBA’s Martin Place vault and data centre – the kind firefighters use to make sure there is no live current when they turn on their hoses – had been thrown by a contractor without warning.
Australia’s central bank was down, not just at a technology and transaction level but across internal phones, lifts and building control systems.
But as senior staff hurriedly started making calls on their mobiles to apprise key stakeholders of the situation, RBA chief information officer Gayan Benedict was quietly watching another scenario unfold: opportunists looking for weaknesses.
“When the RBA experienced an operational incident last year our security monitoring detected increased vulnerability scanning on our internet presences almost immediately,” Benedict revealed in a speech delivered on Tuesday.
“It indicated to us that releasing updates to markets on operational matters provides information to malicious actors that is weaponised by machine learning systems almost immediately.”
When retail bank systems or payments networks croak, for whatever reason, the public relations protocol is a well-trodden path. Confirm what you know, apologise profusely, plead for patience and understanding and then try to temper the flamethrower of social media.
But as digital dependency increases, the persistence of outages and compromises like breaches – whether caused by error or malicious design – is becoming unsustainable.
Away from the security FUD and vendor threat marketing, the RBA is quietly but firmly pushing for a more fundamental rethink of what it calls ‘resilience’, especially as the bulk of the economy shifts to digital channels.
Benedict is on the operational side of the RBA rather than the policy side that sets the rules for other banks and financial infrastructure and applies public and regulatory pressure.
But as his speech articulated on Tuesday, the institution is now a key part of Australia’s transactional and digital infrastructure through platforms it has built like the fast settlements service, RITS and a raft of APIs that are modernising once archaic legacy batch systems.
A major development is the gradual rollout of what’s dubbed T-0 (or T-zero), which replaces the previous T+2 (transaction plus two working days) legacy batch settlement protocol.
At a broad level, it’s the heavily networked technology that allows people to shift money into each other’s bank accounts instantly and speeds up the efficiency of commerce, as well as allowing the government to deposit emergency funds into accounts instantaneously.
And as the user interface for the financial system is pushed across to real-time channels, and phones, apps and digital identities replace branches, ATMs and plastic cards, the RBA is quietly but firmly pushing banks and business to make sure their systems will keep running in the face of increased complexity and threats.
Notably, it’s also leading by example and eating its own dog food, so to speak.
While policy matters are usually raked over by a small army of bank lawyers, corporate affairs and stakeholder engagement types, Benedict is being allowed to talk publicly about technology, operations and risk, and about what the RBA has learned and wants to share.
Resilience is a key theme, and he’s the first to acknowledge it’s not easy or simple.
“The operational and cyber resilience of our digital platforms are key capabilities we constantly seek to improve. The effort of maintaining the continuous and secure operation of such deeply varied and interconnected systems can at times be a wicked problem,” Benedict said frankly.
In a shot over the bow of the vendor community, especially in terms of how secure the code pushed into production is, Benedict cautioned that some software medicine can have side effects.
“I'm sure many of you are familiar with the challenges presented by patching. Patches are improvements released by vendors that are often aimed at increasing the security of systems. Implementing timely patches reduces the likelihood that a security vulnerability in your technologies will be compromised by a malicious actor. Conversely, they can also confound our ability to maintain the ongoing operation of our key systems,” Benedict said.
“Patches often fix vulnerabilities, though also commonly introduce incompatibilities and sometimes instability. Organisations, including the RBA, are often left weighing the risks of addressing security vulnerabilities with the risks of introducing operational instabilities.”
To deal with this, Benedict said the RBA had adopted an approach that included “improving the visibility of resilience risks and our ability to address them by wrapping these platforms with common integration, security, infrastructure and, increasingly, cloud management platforms as well as creating a layer of oversight that allows for simplified management, operational availability and ongoing security.”
“In many cases this oversight is informed by real-time analytics and now machine learning to allow us to understand and respond to risks immediately or predictively.”
It is understood it was these systems that detected the sniffing for vulnerabilities.
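The monitoring pattern described above, detecting a jump in scanning activity in the minutes after an incident becomes public, can be illustrated with a small baseline-versus-window comparison over web access logs. The following is an added example written for this article, not code from the RBA or from Benedict’s speech. It assumes Apache-style access log lines, a ten-minute window either side of a known incident timestamp, and a simple heuristic for scanner-like behaviour (many distinct paths from one source, mostly answered with 4xx); the log lines, IP addresses (RFC 5737 documentation ranges) and incident time are all constructed for the example.

```python
"""Compare scanner-like web traffic before and after an incident announcement.

Added illustration, not RBA code. Thresholds and the sample log are assumptions
chosen for the example; tune them against your own baseline traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Apache-style access log: IP, timestamp (timezone ignored), request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) - - \[(?P<ts>[^\]\s]+)[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# Constructed incident timestamp for the example (not the real RBA outage time).
INCIDENT = datetime(2000, 1, 1, 10, 0, 0)


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def source_profiles(events, start, end):
    """Per-source request count, distinct paths and 4xx count within [start, end)."""
    prof = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0})
    for e in events:
        if start <= e["ts"] < end:
            p = prof[e["ip"]]
            p["requests"] += 1
            p["paths"].add(e["path"])
            if 400 <= e["status"] < 500:
                p["errors"] += 1
    return prof


def scanner_like(profile, min_paths=5, min_error_ratio=0.6):
    """Heuristic (assumed thresholds): many distinct paths, mostly 4xx responses."""
    if profile["requests"] == 0:
        return False
    return (len(profile["paths"]) >= min_paths
            and profile["errors"] / profile["requests"] >= min_error_ratio)


def compare_windows(lines, incident_time, window=timedelta(minutes=10)):
    """Scanner-like sources in the window before vs after the incident time."""
    events = [e for e in map(parse_line, lines) if e]
    before = source_profiles(events, incident_time - window, incident_time)
    after = source_profiles(events, incident_time, incident_time + window)
    before_scanners = sorted(ip for ip, p in before.items() if scanner_like(p))
    after_scanners = sorted(ip for ip, p in after.items() if scanner_like(p))
    # A "spike" here means more than double the baseline count of scanner-like sources.
    return {"before": before_scanners, "after": after_scanners,
            "spike": len(after_scanners) > 2 * max(1, len(before_scanners))}


def _line(ip, ts, path, status):
    """Build one constructed Apache-style log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)} +1000] "GET {path} HTTP/1.1" {status} 0'


def build_sample_log():
    """Constructed sample: quiet baseline, then three probing sources after INCIDENT."""
    t = INCIDENT
    normal = [
        ("203.0.113.10", t - timedelta(minutes=8), "/", 200),
        ("203.0.113.10", t - timedelta(minutes=7), "/rates", 200),
        ("203.0.113.11", t - timedelta(minutes=5), "/media", 200),
        ("198.51.100.7", t - timedelta(minutes=3), "/admin", 404),  # one miss, not a scan
        ("203.0.113.10", t + timedelta(minutes=1), "/", 200),
    ]
    probes = ["/admin", "/backup", "/old", "/test", "/setup", "/config"]
    scanners = []
    for i, ip in enumerate(("198.51.100.7", "198.51.100.8", "198.51.100.9")):
        for j, path in enumerate(probes):
            scanners.append((ip, t + timedelta(seconds=30 * i + j), path, 404))
    return [_line(*r) for r in normal + scanners]


def analyse_sample():
    """Run the comparison over the constructed log."""
    return compare_windows(build_sample_log(), INCIDENT)


if __name__ == "__main__":
    print(analyse_sample())
```

In production the baseline would be a rolling average over days rather than a single ten-minute window, and the alert would go to the team handling the incident communications, so the decision about what to publish and when can take the expected scanning response into account.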
While the trade-offs between operational and cyber resilience need to be managed, the view the RBA is taking on its own systems is that it’s not a binary choice between the two. They both have to happen at once.
This applies more broadly across the economy, Benedict observed.
“Balancing these often-competing risks is a defining characteristic of the post-digital transformation environment into which many organisations are now emerging,” Benedict said.
“You are either operating a digital platform that your stakeholders rely on to be secure and available, or you are reliant on one.”