An Important "What If" of the NASDAQ Flash Freeze

There was a collective holding of breath on Thursday when the NASDAQ suddenly shut down trading. Terse reports and statements that "technical problems" caused the halt raised the specter of an information technology meltdown or--worse yet--a deliberate, malicious event. Fortunately, as the day wore on trading resumed and at least, for now, it does not appear that the "flash freeze" was due to a cyber-attack. As the gaming of the event along with the forensic analyses moves ahead, however, it is worth contemplating some questions that would be asked if in fact the flash freeze was the result of a cyber-attack.

Let us assume for a moment, and just for purposes of this blog, that the flash freeze was in fact the result of a cyber-attack. An important question to ask ourselves is whether it matters "who" conducted the attack. On the one hand, as the cyber-attack is occurring, determining the responsible party is irrelevant. The job of the victim is to try to contain the attack as quickly as possible and mitigate or repair any damage done.

On the other hand, however, attribution is absolutely critical in reviewing the foreseeability of the attack and whether the victim could have done more to mitigate, much less stop, it. I want to highlight one issue in particular: what if the attacker happened to be a nation-state or one of its agents? Imagine that, instead of an "Anonymous" type event or even organized criminal activity, the flash freeze was conducted by Iranian agents or paramilitary groups actively supported by Iran.

In my view, a state sponsor of the attack would be a game-changer. First and foremost, it should alter expectations as to who would be responsible for responding to the attack. Obviously NASDAQ needs to maintain robust cyber-defenses. However, when you start talking about defending against, much less repelling, an attack from a nation-state, there is a limit as to what a private entity can do to defend itself. A country utilizing military and intelligence resources to design, develop, and implement a cyber-attack poses an entirely different level of threat than individuals or even sophisticated criminals.

Simply put, asking a private entity to stop a deliberate attack from a technologically sophisticated adversarial nation is unrealistic. Private sector companies have access to some very sophisticated cybersecurity technologies and crack cybersecurity service firms, but at the end of the day, they do not have the resources, much less the intelligence network, to stay abreast of threats from nation-states. So, I would argue that if the flash freeze was the result of an attack from another country, we would do well to hold our tongues a bit when launching criticism at a victim like NASDAQ.

For some reason this concept is lost on a lot of people, but it should be fairly apparent. If an attack occurred in the "physical" realm, there would be no question about this issue. No one would be pointing fingers at NASDAQ or other cyber victims if the Iranian military launched an air attack on its facilities or stormed the trading floor. Even the most ardent cyber regulation advocates wouldn't argue that the NASDAQ was at fault for not having surface-to-air missile batteries or fortress-like defenses deployed at its buildings. Instead, and rightfully, questions would be directed at the U.S. government.

In the case of the "flash freeze", thankfully we are exploring a hypothetical question. Still, it is an important one to consider and remember should the day come when the United States suffers a deliberate attack from a foreign adversary. Frankly, it is not hard to imagine that such an attack would occur. If, for instance, we were to bomb military targets in Syria or Iran, even if such attacks were done as part of an international consensus and thus viewed as the "right" thing to do, it is entirely reasonable to assume that those countries would lash out in any way they could, including through electronic means.

Now, to be fair, I'm ignoring some pretty thorny issues like how would one determine that the attack came from and was authorized by a foreign enemy and, of course, how could the U.S. government go about thwarting or responding to the attack. We are already embroiled in a significant civil liberty and privacy debate about monitoring communications traffic to identify terrorist attacks, and those same debates color the actions that have to be taken to counter a military cyber-attack. But I will save that for another day, and end by noting that we have to get ourselves in a mindset of not immediately blaming the victim when a cyber-attack happens.