Sunday, August 15, 2004

Perspectives on "Fed's Web Plan"

Today's New York Post opens with the following scare line:

"With little fanfare, the Federal Reserve will begin transferring the nation's money supply over an Internet-based system this month — a move critics say could open the U.S.'s banking system to cyber threats."

Apparently this is not the case. Reading from the Fedline Introduction, we find the following:

"FedLine is the Federal Reserve Bank’s proprietary electronic delivery channel for financial institution access to Federal Reserve financial services, and includes DOS-based FedLine and FedLine for the Web. FedLine for the Web is available to financial institutions for access to financial services deemed low-risk by the Federal Reserve but does not currently offer access to high-risk payment-related applications such as funds transfer." (emphasis added)

Federal Reserve Financial Services documents differentiate between the existing DOS-based, dial-up system and the new Web-based system. An informative Slashdot post by a former FRB Boston staffer explains the NY Post FUD:

"The Fed is not going to be transferring money over the Internet. Clearing and settlement will continue to take place over dedicated, leased, secured IP lines or in data centers with military-level security.

The change being made is how individual commercial banks interface with the computers at the Fed in order in initiate wire transfers and transmit data for bulk transaction processing. FedLine for the Web is a great improvement over the MS-DOS-based systems that are currently in use for small and medium-sized banks. Through these systems, banks do a variety of things, including initiate wire transfers, check intraday overdraft balances, submit batch files for overnight ACH payments processing, and many others."

I find the NY Post article interesting because the writer, Hilary Kramer, emailed to ask my opinion on the issue. Now that I have some background concerning the Fed's move, I know what she meant by "the Fed moving to the Internet with its money transfers." There's a big difference between a system which allows financial institutions to essentially perform online banking and a system used for settlement and clearing!

It may be easier to disrupt a Web-based system, since anyone in the world with Internet connectivity can potentially connect to the new "FedLine for the Web." It's slightly more difficult (and costly) to dial-up the target Fed system, and preserving anonymity is also tougher when making phone calls.

I found the comments by a Fed spokesperon interesting:

"Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is taking every precaution. 'Of course, we will not discuss the specifics of our security measures for obvious reasons,' she said. 'We feel confident that this system adheres to the highest standards of security. Without disclosing the specifics, it is important to note that our security controls include authentication, encryption, firewalls, intrusion detection and Federal Reserve conducted reviews.'" (emphasis added)

I highlight the last two points for different reasons. Regarding intrusion detection, I like seeing people tasked with important security decisions still speaking of intrusion detection and not "intrusion prevention," since prevention fails and the "IPS" is a marketing invention. (An IPS is a layer 7 firewall.) On the Fed conducting "reviews," I hope these assessments are done by independent third parties. If the same group who designed the system is auditing it, the Fed is setting themselves up for a fall by violating an important security principle.

No comments: