ARE WE READY FOR A FINANCIAL CYBER ATTACK?

  • The Wall Street Journal
    • MARCH 31, 2011

    An assault on Estonia in 2007 disrupted banking and other services for over a week.

    By WARREN GETLER

    Last week, the European Union revealed that its headquarters had come under a major cyber attack, likely state-sponsored, on the eve of the EU summit. Earlier this month, the French announced that they had been hit with a cyber assault at the end of 2010, probably launched by Chinese hackers, aimed at pilfering sensitive G-20 documents from finance ministry computers in Paris. Last fall, the Nasdaq suffered what looks like an organized-crime attack on a service it provides to corporate executives for exchanging confidential files.

    But what if e-espionage aimed at the financial sector suddenly escalated into e-war? What if, for example, China, North Korea or Iran initiated a crippling assault against the West’s electronic financial network, where trillions of dollars worth of transactions occur every day?

    Such an event would mean a massive and potentially long-lasting disruption to the flow of dollars and euros among banks, businesses and consumers. At a minimum, it would mean the loss or corruption of financial data at major stock and commodity exchanges.

    Experienced Washington hands, such as former Homeland Security Secretary Michael Chertoff, rightly worry about insidious Stuxnet-type worms that might be insinuated into financial networks. Such worms can wreak havoc slowly and methodically by corrupting financial data without creating immediate alarm.

    “At some point people would no longer have confidence in the ability to trust the transactional records,” Mr. Chertoff cautions. “We’ve seen what happens when you have a meltdown in public confidence in the financial sector in 2008. And I think that would be small potatoes compared to what we would see if we had this kind of attack.”

    As things currently stand, the Department of Defense protects military assets against the global cyber threat, while the Department of Homeland Security protects critical government institutions and facilities. Other than some enhanced information-sharing between Homeland Security and leading private financial institutions, there’s not much, if any, cyber-war defense planning going on in the financial world. So, who’s protecting the banks and the stock exchanges against a direct cyber attack? No one.

    Most attacks to date have been launched by either criminal or hacker elements “phishing” for information about bank clients and investment positions. While the financial industry, working with government, has done a decent job identifying those threats, much more needs to be done when it comes to global financial network resilience—the ability to absorb an attack by a nation-state.

    In the banking district of London, war-gaming exercises involving the banks and government are taking place this month, though under the radar. Here in the U.S., similar simulations have been discussed but have not been put into action.

    The U.S., working with EU and NATO countries, must do all it can to provide and receive real-time intelligence about the financial sector in periods of heightened geopolitical tensions, privacy issues notwithstanding. Should such an attack occur, friendly governments will need to provide cross-border authority to identify, investigate and pursue the attacker servers in the source country.

    Even with agreement to work collectively, what could governments do to contain the attack? Could they isolate a single large bank or financial institution that may have come under cyber assault or become infected with a disabling worm? “We’re still not appropriately positioned to take any individual major financial intermediary out of the picture—be it for cyber or financial instability reasons,” acknowledges Jane Carlin, global head of operational risk management at Morgan Stanley in New York.

    Perhaps the toughest question, and one that will reside squarely within the Oval Office, is when to strike back, and against whom, if a state-sponsored cyber weapon is launched against our financial backbone. How do we prove who did it, and do we have to prove attribution before we respond? “Are we helpless in the face of those who would hijack servers in third countries to mount attacks?” asks Mr. Chertoff.

    Such a strike can be swift, silent and damaging. Estonia—and its two major banks—experienced what many believe was a cyber attack originating in Russia in 2007. It heavily disrupted online banking and other financial services for more than a week.

    No single approach can address all the nuances and layers of cyber war, particularly when it comes to the global financial system. But it’s crucial for practitioners to come up with a plan, perhaps as members of a White House Cyber Council, that will enable the financial network to survive what surely one day will materialize as the silent shot heard ’round the world.

    Mr. Getler, a former correspondent for the International Herald Tribune and The Wall Street Journal, is an international risk-management adviser in Washington, D.C.
