A month before September 11, 2001, President Bush was given his Presidential Daily Briefing (PDB), with an item entitled, “Bin Laden Determined to Strike the U.S.” The PDB didn’t contain any specific evidence of an impending attack; just that federal agencies had bits and pieces of information indicating a desire to attack the U.S. The problem, as the 911 Commission pointed out, was that the intelligence agencies failed to share with one another what they felt was insignificant intelligence.
Lack of an effective independent cyber threat information sharing puts the nation’s economic stability in grave danger.
Today, American banks and financial institutions are fighting a quite war. This war is raging on the cyber front, with attacks from foreign governments (Russia, China, North Korea and Iran); criminal syndicates; terror organizations, and so-called “lone-wolf” actors. All continually attempt to access banks’ computer networks. Fighting this war is not cheap. A 2015 MarketsandMarkets report estimated private spending on cyber-security to rise to $170 billion in 2020.
The computer networks that allow the global financial markets to communicate with one another make them vulnerable to cyber bank robbers. The only proven way to prevent these attacks it is to go back to the days when a bank’s records were maintained on stand-alone computer systems. But as the Stuxnet malware demonstrated, even “off-line” systems can be hacked.
One way to mitigate some of the risks to the country’s financial networks is deep and sustained information sharing among individual banks, as well as between the public and private sectors. Given the interconnectedness of the nation’s financial system, it makes no sense for each bank to try to “go it alone” when it comes to cyber-security.
The private sector has attempted to do this through the Financial Services Information Sharing Analysis Center (FSISAC), which describes itself as “the only industry forum for collaboration on critical security threats facing the global financial services sector.” The bigger the bank, the greater its cyber threat. Last week eight of the largest U.S. banks, have agreed to share more information on cyber-threats to their systems, under the aegis of FSISAC.
While FSISAC is a good starting point for information sharing, there are obstacles that prevent maximizing its usefulness. Private companies’ and banks’ board members and shareholders are reluctant to share all relevant information—however useful—for fear it may be used by a competitor for business advantage and lead to financial loss. And banks also face legal restrictions regarding disclosure of certain personal/proprietary information.
Moreover, members of FSISAC who shared their findings with the government found out that the government is reluctant to reciprocate, claiming security concerns. In response to members complains,
Phyllis Schneck, the undersecretary of cybersecurity at the Department of Homeland Security stated, “We [the DHS] are working very rapidly to declassify everything we can to push it out as quickly as we can to all of our partners.” Apparently, not fast enough.
Another obstacle to an effective information-sharing is the so-called “silo-mentality” of the users. David Blunkett, a former chairman of the International Cyber Security Protection Alliance, said back in 2011: “We need to overcome the silo approach to security in the cyber world…It is no longer enough to have collaboration in government, law-enforcement, and business silos. All three elements have to come together.”
Silo-mentality also increases the chance that the big banks view the forum as a tool to aid their interests and not the financial industry as a whole. Such an attitude would defeat the purpose of developing an effective cyber-security strategy.
To advance productive information sharing information across the financial sector, the Economic Warfare Institute (EWI) proposes an independent financial-threats “clearinghouse.” It would be staffed by a small group of professional analysts with top level security clearances, whose job would be to look at the plethora of seemingly insignificant information and connect the dots to identify wide-spread attack that could bring down the U.S. financial system.
This independent FSISAC clearinghouse would gather all incoming information on cyber-attacks from both the private banks and federal intelligence agencies. Since they would not be employed by either a specific bank or a government agency, they could take a big picture approach to the analytics, looking for patterns and trends that could point to possible threats to the global financial markets and develop mitigating strategies. For example, when a cyber attacker is looking for specific types of information in several banks, the group may identify the sector/companies whose accounts are targeted and warn the companies.
An independent clearinghouse with the most advanced technologies is likely to generate the confidence among members of FSISAC that other financial institutions have no direct access to any individual member’s information. Such confidence would encourage sensitive data regarding cyber-attacks and other vulnerabilities. In addition to real-time warnings, the analysts at the clearinghouse would put together “intelligence assessments” and analytic products on a regular basis (daily or weekly) for all members—cleansed of any proprietary data and sensitive business information. The group would also produce geopolitical situation analyses and trend reports that will allow the anticipation and curtailing of future threats.
To protect the independence of this clearinghouse, it would be devoid of any federal government policy or regulatory responsibilities. This would prevent bureaucratic “turf” battles and allow it to advance the cyber security systems of our financial markets. Creating such a financial-threat-tracking clearinghouse should be a priority for the next Administration.
* Daniel Corbin is a Fellow, David Hamon is a Senior Fellow and Rachel Ehrenfeld is the Director of the Economic Warfare Institute (EWI) at the ACD.