Financial institutions impacted by distributed-denial-of-service attacks and other cyberthreats have benefited from information sharing. But Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable, says more communication is needed.
"More effective public-private information sharing will be very helpful," Smocer says during an interview with Information Security Media Group [transcript below].
Smocer recently testified before the House Select Committee on Intelligence, voicing BITS' support for the Cyber Intelligence Sharing and Protection Act, which could pave the way for more sharing of threat information among various business sectors.
"The nature of these attacks and the methodologies and techniques that are used are often used across different sectors," Smocer says. "If a different sector encounters a new technique before financial services happens to, it will be very valuable for us to know that and prepare our defenses."
Another area for improvement is enhancing law enforcement cooperation around the globe.
"Much of this cyber-activity comes from multiple countries, and so the ability to enhance law enforcement to be able to reach out and deal on a cooperative basis with these other countries to deal with the cyber-actors more effectively will be something that would be very helpful," Smocer says.
During this interview, Smocer discusses:
- The increasing threats posed by attacks backed by nation-states;
- How real-time information sharing has benefited the financial sector;
- Why information sharing among various business sectors as well as the government will help minimize the risks tied to cyber-attacks.
Smocer is president at BITS, where he leads initiatives to enhance e-mail security and advance practices for identifying and validating online customers. BITS is the technology policy division of The Financial Services Roundtable, which was established to protect and promote the economic vitality and integrity of the United States financial system. Smocer joined the Roundtable in February 2008 as vice president of security.
In this role, he led BITS' work in promoting the safety and soundness of financial institutions through best practices and successful strategies for developing secure infrastructures, products and services. Before BITS, Smocer focused on technology risk management at BNY Mellon and led information security at the former Mellon Financial Corp., where he previously served as the CISO and manager of the Technology Assurance Services Division. Smocer began his career at Mellon in 1974, when he joined its Information Technology Audit Group.
Greatest Cybersecurity Threat
TRACY KITTEN: What would you say is the greatest cybersecurity threat now facing the U.S. financial services infrastructure?
PAUL SMOCER: I would actually say it's the rise in the level of risk that we've been seeing over the last few years. In prior conversations you and I have had, we've spent time talking about the risk from organized crime and we've spent time talking about the risk from hacktivism, and now with the introduction of what appears to be either nation-state or sponsored nation-state attacks, I think we've seen a rise in risk that has us all focused much more on cybersecurity. We certainly still have organized crime and hacktivism, so we can't ignore those. But this latest wrinkle is upping the ante in terms of looking at the question of cybersecurity and, in particular, how it might affect our critical infrastructure.
Threats to Banking Institutions
KITTEN: In your statement before this Congressional committee, you note that cyber-attacks are waged for three primary reasons: theft, disruption and destruction. Is one type of attack more concerning or damaging than another when it comes to threats that banking institutions face?
SMOCER: Each threat has its own issues and, to some extent, its own mitigations. The mitigations probably cross over. Institutions have been working for a long time to deal with all three issues, in particular trying to put in mitigations to defend against all three.
In addition to the defenses that have been put in place, there have certainly been in place contingency plans; for example, backing up data to assure the ability for continuity in the event of destruction. But beyond that, I think we're actually seeing, and have seen over the last few years, a lot of collaborative efforts under way in the industry when it comes to dealing with all three issues. To say that one attack is more concerning or damaging than the other is really difficult. I think all three are of concern to us, and all three continue to be a focus of what we're trying to deal with.
Financial Stability Oversight Council
KITTEN: The Financial Stability Oversight Council was established under the Dodd-Frank Wall Street Reform and Consumer Protection Act. What can you tell us about this council and the work that it's doing with BITS?
SMOCER: The council is working across the industry and it was created to focus on risks across the financial system. Cybersecurity is one of those risks, and the Financial Stability Oversight Council has had a level of focus on cybersecurity; but that certainly is not its only risk focus. It really exists to assure the continuity of the financial system, overall, and the risks that affect it - be those financial, operational or otherwise.
I think it's important to recognize, too, that the Financial Stability Oversight Council is only one component of the government influence in this space. Obviously, we're in a highly regulated industry and so our institutions are dealing on a regular basis with their primary federal regulators around the subject of information security. They're examined around that subject as well independently by those agencies. The agencies have issued a lot of guidance through the Federal Financial Institutions Examination Council, and our members engage with the FFIEC, to help provide feedback to the developments that occur there. FSOC is one component and certainly it's a component that has focused on cybersecurity, but I think the industry has for a long time been focused on this subject. I would consider it more supplemental than a new focus area for us.
CISPA's Impact on Institutions
KITTEN: How will this proposed Cyber Intelligence Sharing and Protection Act impact banking institutions?
SMOCER: It will have a positive impact, as I indicated in my testimony. Information sharing in the financial services sector is probably far more advanced than it is in most other sectors, perhaps maybe for defense which has a strong information sharing program right now. I think it will help institutions in terms of limiting their risk. There are provisions in the act that restrict the use of the information, once it's shared within the federal structure, and I think those will be good incentives for institutions in our sector, as well as companies throughout the other critical infrastructure sectors. I think it will be a slight enhancement to where we are in financial services. But I think for us the benefit is that we really see it as a positive opportunity for other sectors to share.
As you know, many of the attacks - be they against financial services or against other sectors - bear a lot of similarities, in terms of technique and approach. Getting data from other sectors and being able to share that will, we think, help us defend our industry even more effectively.
Consumer Privacy Concerns
KITTEN: What about the consumer privacy concerns? What should banking institutions be concerned about there?
SMOCER: As I indicated in my testimony, we're an industry that's built on trust. We have had a long history of respecting the privacy of our customers, recognizing that customers trust us to maintain their information, just as they trust us to maintain their assets. In addition to that, because of Gramm-Leach-Bliley in particular, we have a legislative requirement and a regulatory requirement to protect the privacy of our customers. So this is really an area that we focus on as an industry on a day-over-day basis.
In terms of the bill itself, what's really important, and as I mentioned in my testimony, is that there are two components. One is that when we're sharing the kind of data, this is not data about private individuals. This is data that's much more technical in its nature about the attacks and the sources of attacks; it's not about an individual. In addition to that, I think it's important to recognize that there are two sides to the privacy question. One is that much of what information sharing will enable us to do is actually protect the private information that many cyber-actors today are after. That's often the kind of data that cyber-actors are going after. A bill like this, and just the overall efforts that we make in cybersecurity, really do focus on trying to protect private information, as opposed to in some way impacting it in a negative fashion.
Concerns for CISPA
KITTEN: Does BITS have any concerns about challenges that this act might face?
SMOCER: There will be a process in which the act and the processes around it will have to be developed, and certainly one of the things that we will help to facilitate in that process is to make sure that privacy is maintained. But I think we're an industry, as I said earlier, that already is in the information-sharing business, at least within our sector between institutions. In terms of the motivation to share information, we're already there. In terms of the mechanics of how this gets implemented, particularly on the inter-sector sharing of information and the private sector to government sharing of information, there will have to be processes that will be developed. As we indicated in our testimony, we're there to help in those processes to make sure they're done effectively and have a positive impact, as opposed to a negative impact, on the industry.
KITTEN: What can you tell us about some of these recent attacks that the financial industry has faced?
SMOCER: Through the Financial Services Information Sharing and Analysis Center, the institutions that were under attack were able to come together on a real-time basis and share information about the nature of the attacks, so that as we went through progressive institutions being attacked, there was a preparation that was available from the learning of the last institution that was attacked. Over time, you probably saw that the impact of the attacks was not as significant as it was at the beginning.
But I think more importantly, it wasn't just about sharing information with the institutions that were attacked; it was sharing information through the FS-ISAC with other institutions that had the potential to be attacked. That's probably one of the values of good information sharing. You're not just dealing with an organization that happens to be being attacked at the moment. You're also able to communicate information to those who are potential victims and to be able to allow those victims to recognize any additional defenses they need to put in place, based on the characteristics of the attack that's under way. That was a very helpful example.
Obviously, no institution wants to be attacked, and all institutions, as I said earlier, have built a lot of defenses, but this is an iterative space and learning from and sharing information on the nature of emergent techniques when it comes to attacks is something that good information sharing allows you to do very effectively.
KITTEN: Information sharing did help to diffuse the impact of some of those attacks, as you noted, but what more do you think needs to be done as far as information sharing about some of these attacks that the industry has faced?
SMOCER: I would answer that in two ways. What I mentioned earlier is that better intersector information sharing and more effective public-private information sharing will be very helpful. The nature of these attacks and the methodologies and techniques that are used are often used across different sectors. If a different sector encounters a new technique or an emergent technique before financial services happens to, it will be very valuable for us to know that and prepare our defenses.
Likewise, if the government becomes aware of something that at the sector level none of us have seen, and can forewarn us of the new technique and allow organizations across the critical infrastructure sectors to defend themselves more effectively, that will obviously have a positive impact. That would be the first way I would answer it.
The second way I would answer is if you're thinking more broadly, in terms of what needs to be done, I think there are additional areas that we have articulated and, as well, have been articulated in the new executive order and the new policy directive, with regard to issues around better research and development to get to some of the core issues. Stronger law enforcement on the international level also is needed, since much of this cyber-activity comes from multiple countries. So the ability to enhance law enforcement to be able to reach out and work on a cooperative basis with these other countries will be something that is very helpful.
The third area is better education, particularly in the ability to continue to expand awareness and education among citizens and customers across the various sectors.
Role of Government
KITTEN: What increasing role will government play?
SMOCER: Government will play a couple of key roles. It will obviously play a role if CISPA or something similar to it gets passed, and certainly as a result of the executive orders in the information-sharing space. This kind of public-to-private information sharing will be an increasingly important role for the government to play.
The government will also play a role legislatively, when it comes to some of the areas I talked about, for example, CISPA's ability to allow institutions or organizations to share information under more of a hold-harmless type of agreement. But it will also play a role, I think, in the R&D space, particularly with regard to funding. And it will certainly play an increasing role in the law enforcement space. That role will be played very effectively going forward.
Future of Info-Sharing, Cybersecurity
KITTEN: What final thoughts would you like to share about the future of information sharing and cybersecurity?
SMOCER: We all recognize this is a fairly constant battle that we're in. The actors have changed a bit. Some of them are historic, in terms of things like organized crime and hacktivism, as I mentioned earlier. Some are emerging threat actors. This is something that I think, collectively, we all need to keep a very strong focus on. As the sophistication of cyber-actors becomes greater, and as the funding for them, in some cases, becomes greater, we need to equally increase our focus and funding and be able to recognize and repel the attacks that we're facing. This is something that's not going to go away soon.
As the risks increase, we need to continue to fight the battle. There are a lot of folks, particularly in our sector, that are engaged in that battle; but it's something that we will just have to continue to fight. I'm enthusiastic about the emerging public-private partnerships. I'm enthusiastic about some of the existing collaborative efforts that are going on, particularly through organizations like BITS, through the Financial Services Information Sharing and Analysis Center, and through the Financial Services Sector Coordinating Council. We all recognize the importance of this battle and we're there to keep fighting it.