Federal Hall at Wall and Broad Street, New York City. Wikimedia Commons Hu Totya
Blog Editor’s Note: This week’s “Time and Money” by ATIS at the New York Stock Exchange was a huge success. Check out the event site for the presentations.
It was the first time, as far as we recall, that the financial press has attended and covered the symposium. Kevin Coggins from BAH and our President, Dana A. Goward, spoke at length with the reporter.
January 30, 2020
By Penny Crosman
There’s a seldom-talked about cybersecurity threat that could easily take out ATMs, card networks, exchanges, trading floors and other pieces of financial services infrastructure.
It’s in the way we tell time.
Digital time clocks obtain the time through signals from Global Positioning System satellites that are subject to vulnerabilities, some malicious and others not.
Because of this threat, in the past year, large U.S. banks have been buying atomic clocks that cost $100,000 to $1 million each and are linked to the U.S. Naval Observatory. These give the banks an independent way to verify that their time servers are in sync with the rest of the world.
“The big financial institutions are very serious about protecting access to the precise time and have put in some of the most pristine solutions in the form of these very expensive atomic clocks,” said Kevin Coggins, vice president and lead of positioning, navigation and timing at Booz Allen Hamilton and former cross-functional team leader for PNT across the U.S. Army.
He and others spoke in interviews conducted at a conference hosted by The Alliance for Telecommunications Industry Solutions at the New York Stock Exchange on Tuesday.
Financial companies have done so partly because they have to: The Securities and Exchange Commission’s Rule 613 requires participants in U.S. equity and options markets to synchronize their clocks to within 50 milliseconds of the time maintained by the National Institute of Standards and Technology.
They also do it to be competitive. In trading especially, time lags as small as 10 microseconds can be a deadly disadvantage.
And they do it to stay in business. In any financial network, lack of synchronization among nodes leads to outages. This is true for ATM, card and branch networks. It will also be true as banks adopt distributed-ledger technology.
What is the vulnerability?
The GPS system, which is run by the U.S. Air Force, is generally considered to be accurate. Computers, smartphones, ATMs and other connected devices all rely on it.
It is not that the satellites themselves, which are 12,500 in the air, are getting hacked. The vulnerabilities come about through the signals they emit, which are weak by the time they reach Earth.
“That means that any noise or countersignal on that frequency is going to block reception,” said Dana Goward, president of the Resilient Navigation & Timing Foundation, a nonprofit dedicated to promoting policies that would protect the GPS network.
Any server or device that generates a little bit of noise, intentionally or unintentionally, can prevent a signal from reaching a nearby receiver.
In 2012, a New Jersey truck driver who plugged a $29 GPS jamming device into the cigarette lighter of his company pickup truck to hide his location from his employer interfered with Newark airport’s satellite-based tracking system every time he drove by.
“This happens every day,” Goward said.