Pages

25 March 2019

Defense Alone Won't Stop Cyber Threat To U.S. Finance

Taylor Armerding

There are any number of reasons for a Fed chairman to lose sleep – he or she is, after all, overseeing the nation’s financial system – both its stability and its existential effect on the overall economy. So, it’s about more than whether or not to increase the prime interest rate.

There is responsibility for bank lending standards, tracking whether they are over-leveraged, whether they are too big to fail etc. And, as Fed Chairman Jerome Powell told 60 Minutes correspondent Scott Pelley recently, there is the ongoing, escalating threat of cyberattacks.

Which is a somewhat unusual admission. Fed chairs tend not to go looking for high-profile media interviews, and if they do consent to one, tend to speak in broad generalities.


That’s mostly what Powell did. But while he didn’t get into specifics on the cyber threat, when Pelley asked if that was what “keeps you up at night,” Powell said, “of the risks that we face, that certainly is the largest one.”

Indeed, cyber risk goes well beyond the theft of personal information or draining of bank accounts. It could include bringing the entire system to a halt, which would then have major physical as well as financial consequences.

Andrew Kilbourne, managing director at Synopsys, said the magnitude of the threat means that “ultimately this is a war, and we’re probably going to have to start treating it like that.”

Powell told Pelley that the Fed spends “very large amounts of time and resources” to mitigate the cyber threat. “The banks we supervise are required to have plans in place and state of the art, you know, technology and the like,” he said, to build both “resilience and redundancy.”

But he also acknowledged that it is a “constantly evolving risk … where the playbook (for defense) is still being developed in real time.”

“I've never felt a time when I think we're doing enough,” he said.

Does that mean the rest of us should be losing sleep too? Perhaps. Another unsettling thing Powell said came during testimony last month before a congressional committee. He told U.S. Rep. Jack Reed, D-RI, that large banks “have the resources” to defend themselves against constant cyberattacks, but that for smaller banks, “that is a real vulnerability in the payment system.” As in, they don’t have the resources.

Bank deposits, up to $250,000, are federally insured, so smaller depositors are not in imminent danger of losing their savings because of a cyberattack on their neighborhood bank.

But a couple of recent papers conclude that Powell’s feelings may be correct – that the U.S. financial system is not as resilient or as redundant as it ought to be, given the level and sophistication of the constantly evolving cyber threat.

Not that everybody thinks cyber is the Fed’s direct responsibility. Jason Healey, senior research scholar in cyber conflict and risk at Columbia University’s School of International and Public Affairs, and lead author of a paper published by the Brookings Institution on the cyber threat to the financial sector, said Powell “ought to be far more concerned with the normal worries of financial stability” than cyberattacks or technological failures.

Still, that paper, published last fall, said the financial sector remains vulnerable even though there are ongoing efforts, including tabletop exercises designed to simulate different attack scenarios.

It concluded that while there has been “great progress” on cyberdefense, both domestically and internationally, four major concerns still exist:

- “Increasingly knowledgeable and sophisticated adversaries” who could, deliberately or unintentionally, undermine the stability of the financial sector.

- Lack of understanding of “the potential interactions of cyber risks, financial contagion channels, and possible ‘amplifiers’ within those channels, such as single points of failure.”

- Fragmentation of effort. “Even though cyberspace, like the financial sector, is global and interconnected, responses to major crises remain significantly national.”

- New technologies, including blockchain and the cloud, that could be helpful in some ways but risky in others. “It will be especially difficult to develop controls in the face of increased financial and technological complexity.”

The Brookings paper is not the only one raising concerns. Erica Borghard, assistant professor at the Army Cyber Institute at West Point, in a paper published last fall by the Carnegie Endowment for International Peace, wrote that “the U.S. economy remains highly vulnerable to cyberattacks carried out by foreign threat actors,” especially against financial firms that are “critical for the stability of the financial sector as a whole.”

All of which raises the obvious question: Are the Fed and other guardians of the financial stability of the nation (and the world) doing enough to protect and defend against a potentially catastrophic cyberattack?

At one level it seems there may be too much being done. In just the two papers cited above, there are references to the following councils, committees, boards and centers devoted to the security of banks and the financial system:

- Financial Services Information Sharing and Analysis Center (FS-ISAC) – created in 1999.

- Financial Services Sector Coordinating Council (FSSCC) – 2002.

- Financial and Banking Information Infrastructure Committee (FBIIC), public-sector cousin to the FSSCC – 2002.

- Financial Stability Board (FSB) – creation of the G20 in 2009.

- Financial Stability Oversight Council (FSOC) – created in 2010 by the Dodd-Frank Act.

- Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions (CPMI-IOSCO) – 2014.

- Financial Systemic Analysis & Resilience Center (FSARC) – created in 2016 by a consortium of eight financial services firms that has now grown to 16.

Is it possible for that many (and more) organizations, which look like an unwieldy, fragmented bureaucracy, to focus effectively on the threats to the financial system?

Katheryn Rosen, a senior research scholar in cyber security and financial stability at Columbia, and a co-author with Healey of the Brookings paper, said those organizations are “all important in their own right,” that each has its own function and that that there has been considerable progress in improving communication among them.

She said fragmentation does still exist “at the regulatory level – not just domestic, but cross borders.”

But she said there is also improving communication between the technical and business side. “The industry is starting to ask really good questions,” she said. “Cyber folks are asking what they need to understand about market structure so they can defend it.”

Progress and improvement may not be good enough, however. Sammy Migues, principal scientist at Synopsys, said there is no good, simple answer to a cyber threat landscape that is so large, growing so fast and diversifying so rapidly.

“It is so large that there isn’t anything you can do,” he said. “As we get bigger and bigger, there’s just more of everything – more software and more problems in today’s level of technology.”

And, like medications that have side effects, every “solution” has downsides. “If we decide to run all [financial] traffic through a hole where we can have security, then we’ve got a single point of failure and single point of attack,” he said. “And it gives government an unprecedented ability to snoop.”

Migues said improving financial sector cybersecurity would likely have to put some of the burden on consumers – requiring things like two-factor authentication and long, complex passwords. Taking a couple of minutes to log into an account might be inconvenient but “far better than the cascading failures we have now.”

There is general agreement that the threat is large enough and complex enough that it will require both private- and public-sector cooperation to meet it. And that brings its own set of challenges.

Healey, like many other security experts, said while government agencies regularly call for more mutual information sharing, the reality is that it goes mostly one way – government does little to no sharing.

And in this area, he said, the opposite needs to happen. “Government doesn’t need that much information from banks, but banks sure need more from the government,” he said.

Kilbourne said another reason there needs to be involvement from both government and the private sector is that government can take physical actions – such as attacking cyberattackers – that financial institutions can’t.

Government may be demonstrably lousy at protecting data – the catastrophic breach of the Office of Personnel Management offers plenty of evidence of that – but it’s really good at military action.

“Military good – cyber bad,” he said of government.

Indeed, nation-states or terrorist groups that could never challenge the U.S. militarily could cause catastrophic economic, and therefore physical, damage with some relatively cheap laptops operated by some skilled hackers.

Migues agreed. “These guys could shut down banks, the Fed and the stock exchange,” he said. “What if that all went down for three days and there was no money coming out of ATMs? You’ve got a giant national problem.”

That, Kilbourne said, is why it will ultimately take more than defense to protect the financial sector. “It doesn’t do anything to wreck their laptops,” he said of cyberattackers. But if a hacker, working for a hostile government, thinks his life might be in danger, that might change the calculus.

“The government can do all sorts of things in the rules of war,” he said. “And war means putting lives in danger. We’re not there yet. But defense alone isn’t going to stop it. The only thing that will stop it is to make [attacking the U.S.] too costly.”

I write about software security - and insecurity - personal privacy and Big Data. I have written for CSO Online, the Sophos Naked Security blog and now for Synopsys.

No comments:

Post a Comment