Opinion
Six month audit of the Bangladesh Bank heist

Can we have full disclosure, please?

Illustration: Amiya Halder

Bangladesh is well-known around the globe for its many achievements: rapid economic progress, exceptional export growth, universal primary education, reduction of poverty and bold strides in addressing income inequality. Unfortunately, some recent damaging incidents have also sullied our reputation. The Bangladesh Bank heist, which came to light on March 3, 2016, came at a time when things were really looking good for us, and exploded in our face--unannounced, unexpected, and completely shrouded in mystery. The government acted swiftly and promised to find the miscreants, recoup the stolen money, and prevent such mishaps from happening in future. Six months have passed since then, and it is time for a review of the actions and remediation efforts undertaken by the parties charged with guarding our foreign exchange and ensuring cyber-security. After considering all the information available to the public, various reports and pronouncements of the government and its surrogates, and some informed guesswork, it is my conclusion that the powers that be receive a grade of C+. A barely passing grade!

Since last May, we had been anxiously waiting for the government to release the report of the investigating committee chaired by Dr. Farashuddin. However, last week the Finance Minister voiced the opinion that release of the report would jeopardise our efforts to recover the money from the Philippines. It would have been helpful if the Finance Minister had also indicated why the report, which apparently should have helped the various agencies responsible for identifying the flaws in the Bangladesh Bank's operations, will remain a secret in the interest of "recovering the money". It is hard to imagine that the Government of the Philippines would be offended by anything that another sovereign country is doing to protect its vital interests.

It is an open secret that Bangladesh Bank is still struggling with the many challenges it faces in the wake of the February 2016 heist. In this context, the reluctance of the government to release the report is also a surprise to many, given that the new Bangladesh Bank Governor Fazle Kabir is a veteran in the administration and is aware of the risks posed by gaps or vulnerabilities in a major financial system. Many of the recommendations made by the various experts and investigators, including the CID and Dr. Farashuddin, are not too expensive or complicated to implement. For example, following the February heist, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) advised its members to update the software they use for sending and receiving money-transfer messages, and to adopt stronger systems for authenticating users. Other recommendations include stronger rules for password management and better tools for identifying attempts to hack the system or its components. As we all know, these may be common-sense procedures, but they need the support of the Governor and his top management team.

Cyber thieves are always ahead of the watchdog! There is an old saying in Bangla: "Tumi thako daley daley, ami thaki patay patay."  The cyber crooks around the globe might well be saying now, "While you are on the branches, we operate on the leaves." However, the BB security team needs to turn this game upside down and stay ahead of the tricks used by the criminals. The team responsible for plugging the holes found in BB's Forex Reserve and Treasury Department, and the Budget and Account Department, must adopt this practice as their goal, while they develop and configure the systems to prevent future attempts to exploit vulnerabilities and foil any attempted intrusions.

"It's a cat-and-mouse game," says Dan Schiappa, a senior IT analyst at Sophos, a British company that offers security products to small and midsize companies. "If you are not a rapid innovator in this business, and if you don't prepare for the next big threat, you're going to die on the shelf."

Last week, I was at a seminar organised by the Massachusetts eHealth Institute at the Massachusetts Technology Collaborative (MeHI). The takeaways from this gathering are:

All agencies must make security and data protection their highest priority

Protocols must be crafted to ensure that data is safe on site and during transmission

All staff members who have access to protected data (ID, account information, protected information) must follow best practices and be held accountable for any violations

Any breach must be immediately reported to the controlling officer/authority

Bangladeshi citizens have a right to know if our central bank and other financial institutions are following these basic guidelines. In the case of the February heist, we know that BB knew of the breach and kept it under wraps for a month, only to report it to the Finance Ministry after the Philippine Daily Inquirer broke the news at the end of February. BB must now reassure the general public that this breach of trust is a matter of history.

SWIFT had earlier reported that "the attackers clearly exhibit a deep and sophisticated knowledge of specific operation controls within the targeted banks - knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both." Ironically, the CID has recently washed its hands of the basic goals of any criminal investigation: how, and who. Even worse, the CID may be at a loss in identifying the criminals, and the odds are gradually turning against us. They now believe that if they can trace the money, the criminals will be identified. Interestingly enough, after handing his final report to the finance minister in May, Dr. Farashuddin had said, "Earlier we thought no one from Bangladesh Bank was involved, but now there is a small change." The country is eagerly waiting to know what this "small change" might be. Fortunately, one silver lining in the cloud is that 40 percent of the stolen money was recovered. That means we got 40 cents on the dollar back, and that is not bad at all.

In the gazette announcement on the probe team, it was reported that the committee would check how the payment instructions were sent and to whom, what measures the central bank took to stop the theft, the logic behind concealing the theft, and whether central bank officials related to the matter were negligent in their duties. The committee was also asked to assess the possibility of recovering the stolen funds and to check measures to stop a recurrence of such incidents. Since the terms of reference were publicly announced, the committee's findings must be released as well, and soon.

The bottom line is, the government has to give us assurances that it has identified the vulnerabilities and systemic failures that invited the crooks. We need to know how the vulnerabilities were exploited and whether these loopholes were closed. And most importantly, Bangladesh Bank must provide an update of its recent risk assessment and assure the public that it will be able to detect any unauthorised access, or such attempts, in real time and that there is a system in place to audit our security performance periodically.

The writer is an economist and has been working in the ICT sector for over three decades. 
