Want to know what it's like to lose a few billion dollars? Why not study Nick Leeson, Jerome Kerviel, John Rusnak, and Kweku Adoboli? John Gapper's eBook "How to Be a Rogue Trader" gives you an inside look at what makes these people tick. For people whose job it is to defend these systems from malicious actors, there is a lot to learn.
I mentioned that in terms of building out a defensive plan, I prefer to start with assets. John Gapper's comments on why rogue trading, not exactly a new issue, continues to happen show why I prefer this approach over threats first:
“Rogue traders exploit the gullibility of their bosses by producing low-volatility returns, which is what every bank craves,” Gapper writes. “They do not appear to be reckless gamblers; they seem to have solved the conundrum of finance, that high rewards involve high risks. It is so enticing that no one realizes it is too good to be true.”
It’s so good, why not leave it alone until the losses mount into the billions and threaten the continued existence of the entire firm?
“The simplest thing you can do is follow the money,” Gapper said in a telephone interview. “It’s a weird thing that banks, after all these years, keep falling into this trap.”
“A lot of this stuff is extraordinarily simple. A lot of times, rogue traders are just putting on fake trades and canceling them. And they are taking advantage of these little gaps in the reconciliation system,” Gapper said.
That's the gap that gets missed in taking a software-centric view of threat modeling. Of course software matters, and so do threats. But when it's the model that is broken and/or being targeted, it cannot perceive the problem from within its own context. The asset view lets you step outside the system. The key isn't knowing how the system is supposed to work, as the software model tells you, but how the assets can be compromised. Rogue traders know how the system works, better than most of its developers. They are deliberately gaming the automation and clearing, and their techniques deliberately target the system's blind spots. As Jeremy Epstein wrote in IEEE Security & Privacy, low-tech attacks are easier.
There is also the banks' role here. How much room to roam are the traders given? Gapper asks, in effect, whether the banks involved are themselves rogue banks.
UBS's executives did not 'behave like gamblers at a casino, constantly taking greater risks as their profits and bonuses increased, until they finally lost everything' concluded Straumann. 'In fact, the contrary was the case. Top management was too complacent, wrongly believing that everything was under control, given that the risk reports, internal audit, and external reviews almost always ended in a positive conclusion.'
UBS was a rogue bank. It just fooled itself that it wasn't.
Known risky assets blow up; this should be "in the plan". But it's way more hazardous when assets thought safe do. The illusion of safety is where the real trouble comes from. As Mark Twain says, "It is not what we don't know. It's what we know for sure that just ain't so."
Of particular interest is that, to identify a rogue trader, Gapper shows you do not look for wild spikes and losses; in fact, you look for their absence. A track record that is a little too smooth is where someone may be covering their tracks. Think Bernie Madoff and his clockwork returns. Gapper summarizes: "the trader who is doing something wrong is the one who appears to be doing everything right."
Another flag is not taking vacation time. Kerviel was urged to take a holiday four times by the head of the trading desk. It's hard to head to the beach if you need to be on site entering fake trades.
Still, detection can be elusive:
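The three signals discussed above (returns that are too smooth, trades put on and then cancelled, no vacation) can be combined into one review pass. This is an added example, not from Gapper's book or any bank's tooling; the desk data is constructed and every threshold is an assumed value.

```python
from statistics import mean, median, pstdev

# Constructed sample data, not from the book: daily P&L in thousands,
# trade counts, and leave days taken over the review period.
DESK = {
    "trader_a": {"pnl": [120, -340, 510, -90, 260, -410, 380, 45],
                 "booked": 400, "cancelled": 12, "leave_days": 15},
    "trader_b": {"pnl": [80, -150, 220, -60, 190, -240, 310, 10],
                 "booked": 350, "cancelled": 20, "leave_days": 12},
    "trader_c": {"pnl": [101, 98, 103, 99, 102, 100, 97, 104],
                 "booked": 500, "cancelled": 140, "leave_days": 0},
    "trader_d": {"pnl": [-200, 450, -310, 600, -120, 90, -50, 330],
                 "booked": 300, "cancelled": 9, "leave_days": 3},
}


def smoothness(pnl):
    """Mean P&L per unit of volatility: high means reward with no visible risk."""
    sd = pstdev(pnl)
    return float("inf") if sd == 0 else mean(pnl) / sd


def review_flags(desk, ratio_mult=3.0, ratio_floor=1.0,
                 cancel_limit=0.15, min_leave=5):
    """Return {trader: [flags]} for anyone who trips at least one check.

    All thresholds are assumed values for illustration; tune them per desk.
    """
    scores = {name: smoothness(t["pnl"]) for name, t in desk.items()}
    # Compare each trader to the desk median, with an absolute floor so a
    # losing desk (median <= 0) does not flag every profitable trader.
    limit = max(ratio_mult * median(scores.values()), ratio_floor)
    flagged = {}
    for name, t in desk.items():
        flags = []
        if scores[name] > limit:
            flags.append("too_smooth")       # absence of spikes and losses
        if t["booked"] and t["cancelled"] / t["booked"] > cancel_limit:
            flags.append("cancel_heavy")     # trades put on, then cancelled
        if t["leave_days"] < min_leave:
            flags.append("no_leave")         # never away from the desk
        if flags:
            flagged[name] = flags
    return flagged


if __name__ == "__main__":
    for name, flags in review_flags(DESK).items():
        print(name, flags)
```

On the sample desk, one trader trips all three checks while another trips only the leave check, which is why the flags are worth reading together rather than one at a time.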
Helga Drummond, a professor of management at the University of Liverpool who examined the Barings collapse, says that its executives became blinded to what was going on under their noses. 'Humans tend to walk around with a frame of vision in their heads, their theories and expectations of the world,' she says. 'They will discount evidence to the contrary until it is so obvious that it can't be ignored. The bubble can persist a long time.'