A “Source” of Serious Concern (By Bill Harts, Modern Markets Initiative)
If there is any agency in the world that can be trusted to keep data safe it would be the National Security Agency (NSA). It employs the world’s elite cybersecurity personnel and at one time had a top secret budget as high as $10.5 billion. How do I know the NSA had a top secret budget of $10.5 billion? Because it had sensitive planning documents stolen and posted as a PDF on The Washington Post website!
Now a government agency with a much smaller budget of $322 million, which specializes in futures not firewalls, wants the ability to have subpoena-less access to the computer source code (trade secrets) of our country’s biggest and most successful trading firms. In addition, it wants the ability to take said source code off the premises and show it to outside consultants. What could possibly go wrong?
Few outside the community of algorithmic trading firms are even aware that the US Commodities Futures Trading Commission (CFTC) has proposed Regulation Automated Trading which contains a provision that could have an impact beyond the sovereignty of the commodities and futures markets.
Since large automated trading firms that trade commodities and futures often trade stocks as part of hedging strategies, asking them to hand over their computer code would also reveal the strategies that collectively drive half of the $166 billion transacted daily on our stock exchanges. Even the code that underlies the New York Stock Exchange’s most strategic liquidity providers—the Designated Market Makers—would be in the sights of those looking to undermine our financial system. With this code untethered from their respective company safeguards, hackers around the world would likely feel like Goose and Maverick gleefully perusing a portable “target rich environment.”
I have the utmost respect for the CFTC and I know the professionals there will take every precaution to try and ensure that the code in their care is not compromised. But the same NSA I mentioned before, the one whose core competency is cybersecurity, was embarrassed again just this week when a group of hackers claimed it stole cyber burglary tools from the agency and is threatening to auction them off for $500 million.
Putting aside the very real security threat that hauling sensitive source code off-site by fiat poses, there’s no precedent for a government agency to have this kind of power. It is a proposal so potentially dangerous that one of the CFTC’s own Commissioners, said: “As a lawyer, I am aware of no legal foundation on which to haphazardly set aside long-established, due process protections afforded by agency subpoena practice.”
It is not self-serving hyperbole to say this is regulatory overreach that sets up a slippery slope for all technology companies. If one regulator can search intellectual property with no judicial oversight, who is to say the Federal Communications Commission, with its court victory this past June classifying broadband internet as a telecom service, can’t begin demanding source code from Google, Facebook, Microsoft and Apple? And wouldn’t this intrusion contradict the Defend Trade Secrets Act signed into law just a few months ago?
The goal of the CFTC’s proposed regulation is a good one. Namely, to codify the best practices and risk controls of electronic trading firms to ensure the stability of the markets. MMI stands in broad support of just about all the proposed measures. But I firmly believe that intellectual property belongs under the care of companies for whom stealing the source code is stealing the company. I hope the CFTC moves quickly on the other provisions, but when it comes to assessing the merit of subpoena-less access to source code, they should drop the provision altogether and not feel the need for speed.
COVID-19 pandemic and geopolitical tensions round out the top three threats in DTCC survey.
The Australian regulator concluded its investigation into the ASX equity market outage in November 2020.
Quantum Dawn VI tested over 900 participants' responses to a simulated ransomware event.
There is no standard approach to identify data that needs to be protected.
The new unit will employ up to 400 high value, experienced and graduate level roles.