Finance Services Leaders Appeal for Limited Government Aid to Fight Cyber Attacks

A group of industry experts representing the financial services industry, an increasingly popular target for cyber criminals, on Friday appealed to members of a House subcommittee for limited government action to help banks and other institutions protect themselves and their customers from the growing breadth and sophistication of online attacks.

Their wish list includes policy changes to facilitate greater sharing of threat information among public- and private-sector entities, stricter law enforcement in the United States and abroad, and a more holistic approach to the policing the Internet ecosystem.

Banks and other financial services firms already have sophisticated cybersecurity mechanisms in place, of course, but even state-of-the-art perimeter defenses can’t guard against every threat vector, according to Michele Cantley, senior vice president and chief information security officer with Regions Bank, who testified at Friday’s hearing on behalf of the Financial Services Information Sharing and Analysis Center. That group counts more than 4,400 members, accounting for the majority of the U.S. financial services sector.

“[C]orporate account takeover attempts cannot be stopped solely by the financial institutions,” Cantley said. “All participants in the Internet ecosystem have roles to play. Banks, for instance, have no direct control over the end customers’ computers, nor can banks control what emails bank customers open or what websites they visit prior to accessing their online systems.”

Cantley concurred with other witnesses in their appeal for removing legal and compliance barriers to sharing threat information, an issue addressed by a bill that recently won approval in the House and awaits consideration in the Senate, where it faces an uphill climb amid competing cybersecurity legislation in an election season. Though they expressed some reservations about privacy and confidentiality concerns in the bill, the witnesses said they broadly supported the Cyber Intelligence Sharing and Protection Act.

But Cantley also told lawmakers that financial firms and others across the public and private sectors need to do more to educate users about safe computing, training them to detect the warning signs of phishing attacks, malware and other threats. Additionally, Cantley suggested that lawmakers could pursue legislation that would give Internet service providers more flexibility to filter out traffic carrying malicious content so that fewer threats would ever make to unsuspecting users’ desktops.

Those appeals came with the predictable caveat that industry groups would resist initiatives to impose more prescriptive regulations that would oversee their cybersecurity efforts on a technical level.

Friday’s hearing comes amid rising concerns about vulnerabilities not only to individuals transacting with financial institutions, but to the corporate networks themselves. After all, as the notorious outlaw Willie Sutton is said to have quipped when asked why he robbed banks, “That’s where the money is,” recalled Rep. Scott Garrett (R-N.J.), chairman of the House Financial Services Committee’s Subcommittee on Capital Markets and Government-Sponsored Enterprises.

“Unfortunately, just as there have been many and numerous instances of identity theft out there, where individuals have credit cards stolen or accounts looted, there has also been a significant rise in corporate account takeovers as well,” Garrett said.

But there is an important distinction between the garden-variety denial-of-service attacks perpetrated by hacker collectives such as Anonymous that can knock a site off line—grabbing headlines in the process—and the attacks that can infiltrate the inner walls of critical digital infrastructure such as financial trading platforms or top-secret nuclear systems, said Mark Graff, chief information security officer at NASDAQ OMX.

Graff, who only joined NASDAQ in April, has spent more than two decades in information security, including a recent stint overseeing the defenses at Lawrence Livermore National Laboratory, where nuclear secrets were among the more sensitive assets under his guard.

“I changed industries, but most of the challenges and many of the adversaries remain the same,” said Graff, who stressed the need for tiered security that isolates mission-critical assets behind additional firewalls or in distinct network zones, keeping them away from the Internet.

“One key message in both institutions is the isolation of critical systems from the Internet at large. While many of the services we deliver to customers worldwide are housed on Internet-facing Web services, our trading and market systems are safely tucked away behind several layers of carefully arranged barriers,” he said. “This is an important distinction to remember, and we should all keep this in mind when you hear about denial-of-service attacks against one institution or another. Any troublemaker can run up to the front door of a house and ring the doorbell over and over again, and that’s what most denial-of-service attacks amount to.”

Graff said that those attacks, while they might temporarily block consumers from accessing certain websites, are typically nothing more than an act of “vandalism,” hardly a sign that anyone has gained entry to the house, by his metaphor.

But even in seeking to remove the sensationalism from the often breathless media coverage of cyber attacks, Graff acknowledged that the threats are very real.

“Effectively, all of the systems represented at this table,” he said, “they’re all under attack all the time at some level, in contrast to the situation just a few years ago. Today Internet attacks are a little bit like weather. We have a little bit more rain or a little less rain. Sometimes there’s a hurricane that comes at us, but generally speaking they’re all under attack.”

In addition to a more fluid information-sharing framework—a point on which nearly all observers agree— Graff argued that corporate systems could achieve a higher degree of stability if hardware manufacturers and software producers did a better job of building security in at the time of production.

Additionally, he suggested that lawmakers and government officials could dramatically improve the nation’s security posture if they took steps to shore up the supply chain for parts that tech companies import from overseas, citing concerns that compromised hardware could provide hostile foreign actors, including those working at the behest of their government, with an entry point into critical U.S. systems.

“The supply chain problem, the threats of supply chain attack, are really, I think, perhaps the knottiest problem, the most serious issue that faces us, and the one that would be most susceptible to help from government,” Graff said. “I think it’s one where the U.S. government really could make the biggest assistance.”

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.

Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.