This story in the New York Post has been all over the net:
CYBER FEARS ON FED’S WEB PLAN
By HILARY KRAMER
August 15, 2004 — With little fanfare, the Federal Reserve will begin transferring the nation’s money supply over an Internet-based system this month — a move critics say could open the U.S.’s banking system to cyber threats.
The Fed moves about $1.8 trillion a day on a closed, stand-alone computer network. But soon it will switch to a system called FedLine Advantage, a Web-based technology.
The story is quite confused. What is “a Web-based technology”? Is it one that uses web pages for entry? Or is this the typical confusion of the web with the Internet? And does FedLine actually run over the public Internet, or does it simply use Internet protocols over private leased lines?
The story doesn’t answer any of these questions. It also says:
“Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is taking every precaution.
“Of course, we will not discuss the specifics of our security measures for obvious reasons,” she said. “We feel confident that this system adheres to the highest standards of security. Without disclosing the specifics, it is important to note that our security controls include authentication, encryption, firewalls, intrusion detection and Federal Reserve conducted reviews.””
Somehow I’m not comforted by the first and most frequently mentioned method being security by obscurity. And the mention of firewalls would seem to indicate that this service does run over the public Internet. Let’s see what the Fed has to say about FedLine Advantage:
“FedLine Advantage is coming!
“In recent years, we have announced our strategy to provide access to all Financial Services using web technology. We are pleased to announce FedLine Advantage, the Federal Reserve Banks’ next generation of service access, is on the horizon.
“FedLine Advantage will extend the use of web technology to provide access to critical payment services such as Fedwire Funds Service, Fedwire Securities Service and FedACH Services. In addition, FedLine Advantage will also enable the use of financial services that are currently accessible via FedLine Web, making it the access method of choice for Federal Reserve Financial Services.”
That Fed web page in turn links to a PDF of Volume 2 Issue 2 of the newsletter Fedfocus, which is dated May 2004. Hm, it appears this is old news.
Fedfocus May 2004 defines Virtual Private Network (VPN) and Frame Relay, noting that the former works over a public network and the latter does not, as well as various kinds of encryption, such as SSL, and various kinds of user authentication, such as passwords or USB. However, it never quite seems to say which of these technologies FedLine Advantage will use.
That issue of FedFocus does emphasize conversion from an earlier MS/DOS version. So it seems to be largely a user interface move, which would indicate a change to a web interface, perhaps using the same underlying physical links as before.
If I had to guess, I’d say that they’d probably start with Frame Relay, and offer VPN service to those who want to risk it. And I’d guess that convenience would increasingly win out, resulting in many more VPN customers than FR ones.
Even if it stays completely on leased lines, there’s still the issue of the computers used to access the web interface. The Fedfocus issue mentions that an old version of Internet Explorer will no longer be supported for FedLine Web (a service currently in use) but newer versions of IE will be supported. What if someone compromises IE on such a computer?
I suppose what happens is that some transactions may get compromised. Of course the same thing can already happen if you use IE to access your bank account over the Internet, although the scale may be bigger. In other words, it’s the usual tradeoff of more convenience for somewhat more risk. Maybe this change will promote enough additional commerce through convenience to offset any losses from the increased risk.
That’s many smallish risks; not one huge risk of the entire Federal Reserve system being compromised all at once, as the newspaper article might lead one to believe. Well, probably not. I wonder if the Fed practices software diversity and topological and physical distribution of resources?
We’re moving into Tom Clancy territory here, and it’s already late as I type, so I’ll leave more on this to another day.
Suffice it to say that this is yet another case where technology alone will not completely manage risk, and non-technological means are also needed.