Efforts to bolster the nation's cybersecurity will hinge on the willingness of financial firms, utility operators and other owners of critical infrastructure to share information about threats.
April 3 -
The White House issued an executive order on Tuesday that aims to strengthen protection of the nation's critical infrastructure against cyberattack.
February 12
The nation's biggest banks have a message for the government on efforts to bolster cybersecurity protections: We're already facing plenty of standards.
Owners of financial networks already are subject to a series of laws and regulations that govern their efforts to safeguard their networks against unauthorized intrusions, the Financial Services Sector Coordinating Council said in
Efforts by NIST to fortify the nation's cyber defenses should augment current efforts by the financial industry, according to JPMorgan Chase (JPM), Bank of America (BAC), Citigroup (NYSE:C), Wells Fargo (WFC), Fannie Mae, MasterCard (MA), PayPal, Visa (NYSE:V) and roughly 45 other companies, exchanges, coordinating groups and trade associations that signed on to the council's comments.
The council was among dozens of commenters who weighed in by
An
The effort follows a series of
In February, Mandiant
In a letter to the NIST, Charles Blauner, the council's chairman, said the financial industry, "working in close cooperation with federal banking, law enforcement and other agencies, has a long history of facing cyber threats and, in response, has developed strong data security controls, protocols, procedures and business standards."
"Accordingly, FSSCC urges NIST to heed the significant work that U.S. financial services institutions and their regulatory agencies have done to ensure that its cybersecurity framework does not impede the on-going, well-functioning public and private sector partnerships that the financial services industry has developed," Blauner added.
The comments themselves address a series of 33 questions by NIST that cover current risk management practices, standards and guidelines, and specific industry practices. The institute asked companies to detail what they see as challenges in improving digital security practices, how commenters define cybersecurity risk, and the extent to which firms incorporate such risks into companywide management.
The council said its members maintain a series of controls, techniques and practices for managing cybersecurity across their institutions. Though approaches vary, most members place the functions that manage cyber risk within information security, technology or operations departments, with differing reporting lines to the chief executive or board of directors.
Standards that govern cybersecurity come from the Federal Financial Institutions Examination Council, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act, as well as a patchwork of federal and state laws, regulations and domestic and international standards that govern activities ranging from securing data to responding to disasters.
As for interdependencies, the communications and energy industries are "uniquely critical" to financial firms' ability to function, according to the council. And outages in those sectors' systems "can create a cascading outage effect to other critical infrastructure sectors," the council wrote.
Whatever framework NIST proposes should adapt for the rapidly evolving nature of cyber threats, which "may shift faster than the assessment, policy, standards and remediation can adapt," according to the commenters.
The council said a successfully designed framework would "harmonize existing standards," and that mapping the framework to risks and threats would help as well. "However, no approach will be useful unless it has developed clear and actionable frameworks, standards and guidelines," the council added.
Boosting awareness of consumers and financial firm employees about the need to secure confidential information also matters, according to the group. "Without this knowledge, individuals may unknowingly be aiding in a cyberattack," the group said.
The group added that some network security services may be more efficient if implemented by Internet providers that serve multiple institutions rather than by individual companies.
The accounting and consulting firm also noted the industry's dependence on telecommunications and energy infrastructure. "For example, if the New York Stock Exchange had telecommunication issues, no trades could be executed outside of the market itself, which could bring down the entire financial industry and cause significant financial impact around the world," PwC said.
PwC called for legislation that creates tax breaks for investments in cybersecurity and limits liability under antitrust laws to firms that share information about breaches. "Financial incentives will lead to a greater chance for [executive-level] attention and more widespread adoption," PwC said.
The firm says the market may "place a premium" on doing business with financial firms consumers perceive as being able to safeguard their accounts.
The communications company also said the framework should be flexible because owners of critical infrastructure need to be able to take "whatever measures may be necessary" to deter particular cyber threats. Evolving technologies and "new tactics deployed by the cyber criminals all have significant ramifications for industry countermeasures," Verizon wrote.
For its part,
Microsoft suggests six principles the company says should serve as the basis for the framework: that the framework be risk-based, that it focus on outcomes, that it prioritize threats, that it be capable of adoption by the largest possible group of owners of critical infrastructure, that it respect privacy and civil liberties, and that it integrate international standards.
The firm also says the framework should support companies that feed lessons learned from cyber threats back into their processes for detecting others. "Any framework that is going to be useful against persistent adversaries needs to reflect the idea of incident response as a consistent process rather than an isolated one, and any new frameworks developed should reflect this characteristic of successful organizations," Mandiant wrote.