Let's make a safer web for digital banking, ex-regulator says

A former banking regulator who joined forces with his law partner to launch a public policy center this January is advocating for a major overhaul to the regulations that govern fintech and cybersecurity, as well as the creation of a more secure internet and the use of private network alternatives.

Thomas Vartanian, executive director of the new Financial Technology & Cybersecurity Center, is a frequent commentator on financial regulation and author of a book documenting the past 200 years of American financial panics. His partner at the Washington law firm Vartanian & Ledig, Robert Ledig, is an adjunct professor of law at the Antonin Scalia Law School at George Mason University, where Vartanian also taught until May.

"If we know the internet is insecure and is getting more insecure every day, why would we continue to put every inch of data and every ounce of value onto those insecure networks? It makes no sense," says Thomas Vartanian, co-founder of the Financial Technology & Cybersecurity Center.
Photo via the C. Boyden Gray Center for the Study of the Administrative State, Antonin Scalia Law School, George Mason University

In announcing the launch of the center, Vartanian and Ledig said it will support policy developments that “advance the adoption of financial technologies such as artificial intelligence, peer-to-peer networks, quantum computing, 5G communications, and the Internet of Things, while at the same time advocating for increased online security.”

During their time at George Mason, Vartanian and Ledig launched the school’s program on financial regulation and technology. In an interview with American Banker, Vartanian said securing the internet has been like “swimming upstream” and argued for a reinvention of the infrastructure that undergirds it. (This interview has been edited for length and clarity.)

You have argued in the past that one of the major things that is broken in financial services is the regulatory system, but you also believe that’s not the only part of the industry that is broken. What else needs repair?

THOMAS VARTANIAN: The other thing that’s broken is the internet. I don’t think anybody can watch what’s going on and think the internet is secure. It is not secure, and it’s getting more insecure every day because the markets reward innovation and don’t punish insecurity.

If your software is crummy, or the coding is bad, or there’s a breach, you apologize to the consumers and give them some free credit reports, do a few other things, and move on. Why would you spend a lot of time worrying about security and the quality of the coding and the quality of the hardware when you get financially rewarded for getting to market first as an innovator?

We have a system that’s basically creating vulnerabilities twice as fast as it’s creating solutions to those vulnerabilities, so ask yourself the following question: If we know the internet is insecure and is getting more insecure every day, why would we continue to put every inch of data and every ounce of value onto those insecure networks? It makes no sense.

What is the alternative, then? How do you make the internet more secure?

What I’m proposing is the construction of a new internet, or new internets, to try to deal with that problem because the likelihood of getting the enhancements necessary to correct this internet and make it secure is somewhere between slim to none.

If you tried to fix the existing internet, it would be viewed as heretical. People view the internet as a cultural device where anything goes, and you’re anonymous from beginning to end.

Just to clarify: On this issue, you’re thinking reinvention rather than reform?

Yes.

Up until 1994, everything banks did was offline on private networks. It wasn’t until 1994, when Stanford Federal Credit Union in California issued the first online banking facility, that financial institutions started dealing on the open architecture of the internet.

That changed the future of financial services forever, but that also changed the security of every piece of data and every ounce of value that was on a bank’s books at that time.

What I’m suggesting is we go back to the future and move back towards private networks that are offline or secured in ways that the full internet is not.

If you have a license to get into a private network to do your banking, and that license is geared to you with a digital ID, and you have terms and conditions you have to live with if you want that digital license to continue, that’s going to change a lot about the internet and its security.

It won’t change the fact that people are always going to be susceptible to phishing; it won’t change the fact that employees can be bribed for their passwords.

When we begin to talk about artificial intelligence, quantum computing, the Internet of Things, 5G — those are going to change the delivery and the creation of financial services so dramatically that we’re not going to recognize it. If we haven’t taken the steps to create security now, it isn’t going to get any easier later.

You mentioned markets today don’t punish insecurity. Tell me more about that.

The internet was not created to be secure. The pioneers who created the internet — the people who created the original coding and infrastructure for the internet — say in books and public statements, “It’s not that we forgot about security; we just didn’t know what the internet would become in terms of determining what security should be.”

We started with something that was never meant to be secure, and we’ve now piled onto that infrastructure everything of value on the face of the planet.

Security has become enormously important, but consumers haven’t caught up yet. I don’t think consumers understand the jeopardy they are in as they continue to put every scintilla of their lives into insecure networks.

People are starting to see some of those problems. The last four or five hacks that we’ve had, beginning with SolarWinds, JBS and the Colonial Pipeline, they begin to show you what’s going on here in terms of the vulnerability of these systems.

If major tech companies, Homeland Security and the most important providers of technology and protection of government regulation are susceptible to being hacked, what about the rest of us?

Why do we need to reinvent the internet? Why can’t we just improve the one we already have?

Having read 75 books in this area, and I’m now into my about 20th interview of cybersecurity experts, you get the feeling of swimming upstream. Everybody’s trying to fix something that isn’t really fixable. We’re doing our best, and we’re basically living with what we’ve got because it’s good enough.

I think we have to go back and zero-base our analysis and say, “How do we make the internet secure?” If we have to create sidecar networks, if we have to create more private networks, if we have to do things more offline, that will impact efficiency, it will impact convenience, it will impact users, and everybody will be pissed. But, at the end of the day, it’s a risk-reward analysis.

I characterize this in my book as the search for the best worst option, because there aren’t a lot of good options to fix it. Everybody will be upset with however we change the internet, but we have to find the best worst option and balance it against the worst that can happen to us in the future if we keep going down this path.

I’ve lived on this path now for 30-something years, and I can see each year, we get a little further out on the ledge, and nothing gets more secure. Nothing convinces me that I ought to be putting my entire life online. In fact, I get more convinced every day, I ought to be trying to get off the grid.
