By: Michael Chertoff and Frank Cilluffo
2016 was the year that dramatized how cyber criminals can threaten the global financial system with the click of a mouse. Portending more ominous developments, banks around the world have disclosed losses in the millions from cyber heists that manipulated the critical interbank financial messaging platform, SWIFT. While the cyber thefts and fraudulent transfers are troubling in their own right, they disconcertingly highlight systemic risk and a potential single point of failure in the financial services sector.
In response to these developments and the generally expanding cyber threat, leading American financial institutions, with the direct support of their CEOs, came together in November to launch a cooperative effort to curtail systemic vulnerabilities and improve resilience in the financial infrastructures that undergird modern nations and their economies.
The President-elect has stated that cybersecurity will be an immediate priority of his administration. Given the massive resource commitment and the technical and operational sophistication that this coalition of banks is eager to bring to the table, invigorating government support of this initiative is quite possibly the next administration’s low-hanging cyber fruit. Moreover, success in this area could create a valuable model for cybersecurity coordination in other critical infrastructure sectors.
The newly minted Financial Systemic Analysis and Resilience Center (FSARC) is designed to partner with the federal government to identify and mitigate systemic risks throughout the financial services sector. It will do so by sharing expertise and capabilities that will facilitate cutting-edge analytics, sharpen cyber threat intelligence, and coordinate defensive engagements and contingency plans.
The FSARC is an intensive and deeply integrated operational organization embedded within the financial sector’s broader voluntary information sharing coalition. It is led by the banks and financial infrastructure companies that the government has designated as the most crucial to national safety, security and economic integrity.
Why the need for another cybersecurity-focused industry partnership? The FSARC will be able to provide well-resourced, contextualized, in-depth analyses of long- and short-term cyber threats in a way that is simply infeasible for existing broadly based information sharing organizations to efficiently replicate. At the same time, it will provide a hands-on perspective that the government does not possess. This is exactly the kind of initiative that the incoming administration should be looking towards in its efforts to leverage private sector innovation to measurably improve the nation’s cybersecurity.
The FSARC has already begun to integrate some of its activities with those of federal agencies. However, this cooperation is still nascent. The following three mission areas of the FSARC are critical to its functionality and efficiency and can be significantly bolstered if the President-elect heeds these tailored recommendations to further direct government support to such initiatives.
1. First is the matter of intelligence collection and the role of the FSARC in informing intelligence collection priorities. The federal government already obtains troves of threat indicators from private sector targets of malicious cyber actors. The challenge the intelligence community will increasingly face is identifying the most critical elements of the financial system that require protection, so that intelligence collection can be focused on the highest systemic threats.
The government should therefore give representatives of the FSARC, who will serve as representatives of the broader financial services sector, a seat at the table when cyber threat intelligence collection priorities are set. Only these representatives will have the industry knowledge to contextualize the motivation of hackers, assess the relative importance of developing threats to the systemically important operations of financial firms, and identify future trends in financial sector vulnerabilities. This relationship would engender an organized system of crowd-sourced intelligence collection on threat actors, tactics, techniques and procedures, and current attack methods and patterns.
2. A second mission area meriting attention is the public-private sharing of advanced analytic capabilities, to include artificial intelligence and machine learning, and the coordination of operations based on such analyses. Significantly, the entities that lead the FSARC are positioned to rapidly analyze complex cyber attacks, such as those based on developing malware strains, and have the resources to fund and operationalize a more integrated and innovative analytics initiative at a larger scale.
The government should therefore pursue a more direct partnership with the FSARC when it comes to analyzing threat intelligence. The government should also utilize the FSARC as a hub to coordinate and synchronize public-private operations such as botnet take-downs and other active defense measures that track and disrupt cyber threats aimed at the financial services sector. Such an arrangement has value to the government in that it builds upon the unique expertise, extensive resources and advanced technologies of large financial institutions. The financial services sector will benefit from a closer partnership with law enforcement and prosecutors who can punish the criminals behind systemic cyber threats, imposing real costs on such actors that will contribute to a broader cyber deterrence posture.
3. One final area in which the government can support the FSARC relates to the personnel decisions that must be made on both sides of this public-private divide. If the government truly wants to leverage the FSARC to effectively pursue a financial cybersecurity mission, it will need to set the stage for a dedicated and shared workforce. The collection and analysis operations of the FSARC will not be successful if financial sector representatives need to compete for time in a multitasking government employee’s call schedule. The FSARC will work best if deep operational partnerships can be forged with government actors.
Therefore, the government should create a cadre of staff members who can work side by side and even temporarily swap roles with FSARC representatives. A model for such cooperation can be found in the Defense Security Information Exchange, which provides the defense industrial base with many of the mechanisms for coordination with the government that the financial sector increasingly needs. A dedicated federal cadre would also be a welcome signal that the significant efforts and investments of the financial services sector are not met with ambivalence on the part of the government.
The time for leaders to play Cassandra about systemically disastrous cyber threats to financial services and other critical sectors is over. The threat is now active and it is time to forcefully counter it. As it is one of the most capable, target-rich, and vitally integrated segments of private industry, protecting the financial services sector from cyber threats must be prioritized as a matter of national and economic security. The nation’s largest and most critical banks have stepped forward to enhance intelligence collection, threat analysis and contingency planning. An opportunity exists for the incoming administration to throw its support behind the FSARC and significantly contribute to a much-needed paradigm shift in private sector cybersecurity.
Mr. Chertoff was also Secretary of Homeland Security from 2005 to 2009 and is co-chair of the George Washington University Cybersecurity Initiative.
Mr. Cilluffo also served as a Special Assistant to President George W. Bush for homeland security immediately following 9/11.