The Russian invasion of Ukraine has been unsettling. In addition to the traditional weapons of war, Russia is allegedly waging cyberwarfare against the Ukrainian government, service providers, and the digital infrastructure of the country. Experts have warned that the US could be targeted for cyberattacks as well.
Fidelity's chief information security officer, Adam Ely, sat down with Viewpoints to explain what that means for Americans, how Fidelity prepares for cyberattacks, and what investors can do to protect themselves.
When we talk about cyberattacks, what does that mean?
Ely: We see a wide range of cyberattacks across the internet and the motives behind them can differ. Some cybercriminal organizations are trying to steal data to use. Others are trying to ransom data to get paid. There are some cyberattacks meant to cause destruction.
That is what we’re seeing now in Ukraine—attacks meant to destroy computer systems and data to really take things offline in an effort to slow that country and its economy down.
In today's ecosystem, the threat is that the US will see these destructive attacks that are meant to harm our economy, a particular sector, or specific companies. Financial services, especially the brokerage sector, is not traditionally one of the primary targets.
What are the specific ways that cyberattacks could be used against a country?
Ely: In times of war and conflict, the biggest targets are those affiliated with the energy sector because if you can take a gas company offline, for example, you can disrupt the power supply for areas of the country. This has the biggest impact on a country’s operations. Second, attackers would try to disrupt other critical services, such as food distribution.
There are many ways to create mayhem and destruction from thousands of miles away: launching a cyberattack against a power grid, as I mentioned; causing a nuclear reactor to go offline as we’ve seen in the past; or disrupting a large food company’s distribution and logistics system. These could all cause large-scale disturbances.
We know some of that is playing out in Ukraine now, but we have not seen this happening outside of that immediate area.
Is there anything surprising or unexpected in the actions you've seen Russian cyberattackers taking against Ukraine?
Ely: Part of our normal, day-to-day operations involves watching the tactics and techniques of cybercriminal organizations around the world.
We've seen activity that we believe shows the current Russian cyberattacks against Ukraine. Those attacks match the same techniques we’ve seen in the past. So not really anything new or novel. The only thing that has changed is the intended outcome. The goal is not to steal data or to ransom data for monetary gain. The goal is destruction.
How does Fidelity defend against cyberattacks?
Ely: We run a 24/7 cybersecurity operation with people staged in multiple countries, constantly watching what's happening across the threat environment and analyzing attacks we see—including those happening to other sectors and companies.
Our cyberintelligence team is constantly taking in this information from a variety of sources, including the cyberintelligence-sharing community, government agencies, and peer companies, both from within financial services and other sectors, foreign and domestic.
We're constantly analyzing the data in order to understand trends and patterns. We use this information to pressure test our own operations, constantly looking for new ways to protect ourselves.
We always operate in a state of high alert and consider all kinds of scenarios—some highly improbable. If we were to see full-scale cyberwar across the globe, we’d be prepared. Fortunately, the world is not there yet.
How does Fidelity protect client data?
Ely: We employ a concept called defense-in-depth and focus on 3 factors: prevention, detection, and recovery.
Based on all of the intel we’re constantly gathering, we think about various techniques attackers are using, and we play out threat scenarios to determine how well we can detect and prevent them. We want to learn what additional controls we can layer in to our existing environment to give us as many opportunities as possible to prevent an attack from occurring and/or impacting the firm.
Finally, we think about recovery. If something did happen, how will we recover systems and data, and bring accounts back to the right state?
So we think across all of these dimensions and apply multiple layers of protection to make sure we have the ability to prevent attacks, detect attacks, and recover from any sort of data loss that may occur.
What can investors do to protect themselves?
Ely: For clients and customers it's always important to prioritize personal security.
Make sure Fidelity has your current contact information, most importantly your email addresses and phone numbers, as these are the primary ways we would contact you in the event of an account compromise. Additionally, I cannot stress how important it is to use unique passwords and add multi-factor authentication to your accounts. If someone calls or emails you about any of your accounts, validate who’s calling.
These may seem like basic steps to take, but they're the best things you can do to keep yourself protected. Good, fundamental cyberhygiene is always important.