Chris Clearfield and Andras Tilcsik examine the vulnerability of markets to cyber manipulation.
Never in the history of written communication could 140 characters have the impact that they can have now. Two weeks ago, after gaining access to Associated Press' main Twitter account (@AP), the Syrian Electronic Army posted a fake tweet reporting two explosions in the White House and the injury of President Barack Obama. Within seconds, US financial markets dropped by about 1 per cent.
Minutes later, Twitter was abuzz with refutations. Reporters at the White House tweeted that they felt no explosion, and AP reporters and the AP Politics Twitter account announced that @AP had been hacked. At his afternoon briefing, White House press secretary Jay Carney confirmed that Obama was indeed unharmed. Financial markets returned to their pre-hoax level.
The hoax represents systemic risk that cannot be eliminated, for it arises from the interaction of highly integrated financial markets and increasingly democratised news delivery. Given strong incentives for malicious parties to perpetrate such hoaxes, we should expect to see an increase in incidents. Financial markets are vulnerable to manipulation, because they are not in the business of evaluating the truth. Trading often favours first movers, so being fast but wrong can still be profitable.
Imagine that a sophisticated trading firm has invested significant resources to develop an algorithm that quickly evaluates the potential market impact of news, and then automatically sends orders to trade based on that predicted impact. When that algorithm parses a tweet from AP containing important key words (explosion, White House and Obama), it will send orders to sell with the expectation that the market will drop as others - first, slower algorithms, then even slower humans - process the same news.
The first mover is happy to make such trades without verifying that the news is true. If it is true, the market will stay down or continue dropping, and the first mover will profit from the sales that it has made. If the story is a hoax, the market will probably return to its earlier, fairly valued level, and the first mover will break even on its sales, and possibly profit from any position purchased as a hedge when the market was down. The first mover's algorithm worked, regardless of the story's veracity.
The likely losers in the @AP Twitter hoax were later movers who did not react quickly to the news, but reacted instead to the market's movement. These late movers were also likely to have been sophisticated electronic or institutional traders; some were probably using arbitrage-based strategies that relied on the futures market for a calculation of the fair price.
The market's vulnerability to hoax stories is thus difficult to eliminate, for it is inherent in its structure. It cannot be regulated away or fixed by technology or surveillance. Even if markets moved more slowly, there would still be a first mover who responded before such a news story was revealed as a hoax. This dynamic is similar to that of an asset bubble, albeit faster. In a bubble, valuations are based on collectively evaluated evidence, and those who enter the market earliest often benefit. Whether evaluating an assumption about the rise of house prices or whether a news story is true, the market does not provide a definitive answer instantaneously.
If protecting against hoaxes is not the market's purview, can news agencies or new media entities like Twitter prevent such deception? To be sure, they have suffered reputational damage from this fiasco and will likely try to improve. But their efforts will not be enough.
Twitter's vulnerabilities were technically understood before this event, and the service was already moving towards a more sophisticated authentication model. But, while such measures would increase the difficulty of hacking the system, no technological fix can make it impenetrable.
What about AP's vulnerabilities? Attackers launched a "phishing" attempt against AP's emails shortly before the hoax tweet was sent. Phishing attacks, in which an employee is duped into sending a password to a third party or clicking a link that installs malicious software, represent a hybrid of cultural and technological failures.
As attackers become more sophisticated, they send better-crafted emails, sometimes impersonating trusted sources that lure unwary users. Crafting a culture of security is difficult and often at odds with the dynamic work environment of a fast-moving newsroom.
As technologies change, so must awareness of vulnerabilities, and this awareness must be disseminated through means other than corporate memos that are disconnected from day-to-day business realities. Empirically, few firms get this right: America's National Public Radio and the BBC were both recently hacked by the Syrian Electronic Army, while McDonald's and Burger King recently had their Twitter accounts compromised. The proliferation of security lapses means that people are more likely to shrug their shoulders than to cast the first stone at a company that is breached.
Finally, AP is unlikely to face financial penalties for this mistake. A lawsuit for losses stemming from the hoaxed tweet would face nearly insurmountable obstacles.
Because few mechanisms can prevent the proliferation of hoaxed tweets, and given the high-profile response that successful hackers can expect, Twitter will remain a vehicle of malicious hoaxes, even as technological barriers make attacks more challenging. Indeed, the Securities and Exchange Commission recently approved the use of social media such as Facebook and Twitter for publicly traded companies' disclosures to investors. Imagine what might happen if
@BP_America tweets: "#Explosion reported at Gulf well. Details to follow."
The incentives to hack such accounts are obvious: publicity for hackers, and profit opportunities from the almost inevitable sharemarket movements that will result.
On Twitter, as elsewhere, caveat emptor.