Finance Services Leaders Appeal for Limited Government Aid to Fight Cyber Attacks
Industry experts seek limited action from feds in areas such as sharing information about threats and securing the supply chain.
Mon, June 04, 2012
CIO — A group of industry experts representing the financial services industry, an increasingly popular target for cyber criminals, on Friday appealed to members of a House subcommittee for limited government action to help banks and other institutions protect themselves and their customers from the growing breadth and sophistication of online attacks.
Their wish list includes policy changes to facilitate greater sharing of threat information among public- and private-sector entities, stricter law enforcement in the United States and abroad, and a more holistic approach to policing the Internet ecosystem.
Banks and other financial services firms already have sophisticated cybersecurity mechanisms in place, of course, but even state-of-the-art perimeter defenses can't guard against every threat vector, according to Michele Cantley, senior vice president and chief information security officer with Regions Bank, who testified at Friday's hearing on behalf of the Financial Services Information Sharing and Analysis Center. That group counts more than 4,400 members, accounting for the majority of the U.S. financial services sector.
"[C]orporate account takeover attempts cannot be stopped solely by the financial institutions," Cantley said. "All participants in the Internet ecosystem have roles to play. Banks, for instance, have no direct control over the end customers' computers, nor can banks control what emails bank customers open or what websites they visit prior to accessing their online systems."
Cantley concurred with other witnesses in their appeal for removing legal and compliance barriers to sharing threat information, an issue addressed by a bill that recently won approval in the House and awaits consideration in the Senate, where it faces an uphill climb amid competing cybersecurity legislation in an election season. Though they expressed some reservations about privacy and confidentiality concerns in the bill, the witnesses said they broadly supported the Cyber Intelligence Sharing and Protection Act.
But Cantley also told lawmakers that financial firms and others across the public and private sectors need to do more to educate users about safe computing, training them to detect the warning signs of phishing attacks, malware and other threats. Additionally, Cantley suggested that lawmakers could pursue legislation that would give Internet service providers more flexibility to filter out traffic carrying malicious content so that fewer threats would ever make it to unsuspecting users' desktops.
Those appeals came with the predictable caveat that industry groups would resist initiatives to impose more prescriptive regulations that would oversee their cybersecurity efforts on a technical level.
Friday's hearing comes amid rising concerns about vulnerabilities not only to individuals transacting with financial institutions, but to the corporate networks themselves. After all, as the notorious outlaw Willie Sutton is said to have quipped when asked why he robbed banks, "That's where the money is," recalled Rep. Scott Garrett (R-N.J.), chairman of the House Financial Services Committee's Subcommittee on Capital Markets and Government-Sponsored Enterprises.