Treasury, banking groups band together to fight cyberattacks

Treasury Liquidity Is Better Than Traders Feared, JPMorgan Says
The Treasury-led Project Fortress initiative provides defensive tools for banks. Community banking groups and regulators' associations say small banks in particular need the free and accessible help.
Ting Shen/Bloomberg

The federal government is trying to help banks protect themselves from cyberattacks. Banks, so far, are eager for the assistance.

As the Department of Treasury rolls out its cybersecurity initiative Project Fortress, already the largest public-private partnership it has ever created, efforts are still underway to bring financial institutions into the fold. But early reviews are unanimously positive.

Among those excited to promote the project, which includes two free cybersecurity services available to all U.S. banks, is the American Bankers Association, which in early June hosted a free webinar with Todd Conklin, who leads the Treasury's cyber portfolio under Deputy Secretary Wally Adeyemo.

Paul Benda, executive vice president of risk, fraud and cybersecurity at ABA, also spoke during the webinar. In an interview this week, Benda spoke highly of the project, saying he was impressed with the Treasury's efforts to make the defensive tools available not just to large banks, but also to small ones as well.

"I think this is a really great thing that the Treasury's done here," Benda said of Project Fortress. "We're really pleased with the partnership and the direction they're going."

One of the two defensive tools that is part of the project is the Cyber Hygiene Services, or CyHy, offered by the Cybersecurity Infrastructure and Security Agency, the nation's top coordinating agency for cybersecurity. The service is free for any critical infrastructure organization, including banks and credit unions.

The service automatically scans participating firms for significant cyber vulnerabilities and points out any gaps. It includes continuous monitoring of all internet-accessible network assets at a bank. In addition to weekly reports, participating organizations receive ad hoc alerts about urgent findings, like potentially risky services and known exploited vulnerabilities.

Benda said the tool is "a great place to start" for smaller institutions looking for free, regularly updated feedback on where the institutions might have vulnerabilities that need attention. The service has few hidden costs, as well; banks can use the information provided by the service with just their existing staff, according to Benda.

Operations Inside Micron Technology Headquarters

Project Fortress encompasses four initiatives Deputy Secretary Wally Adeyemo hopes will "improve the security and resilience of the financial services sector."

July 25

"The barrier to entry is very low," Benda said. The tools come from a "trusted vendor," he added, and are free to either try or use long-term.

The same goes for the Treasury's Automated Threat Intelligence Feed, or ATIF, the other defensive tool that is part of Project Fortress. The feed aggregates threat signals — tangible bits of information that banks can use to scan their internal systems for cyber threats — from Treasury, other U.S. government agencies, international partners, participating financial institutions and more than 40 open-source threat intelligence feeds.

The feed offers highly valuable insights that banks cannot get anywhere else. While the signals from open-source threat feeds are freely available to anyone, Treasury includes downgraded intelligence data in the feed that banks would normally get through a multistep email process rather than a simple, automated feed.

An example of where this feed is particularly useful is when a bank discloses that it is being disrupted by ransomware. Peer banks would typically have difficulty identifying whether they have the same vulnerability and need to quickly address it, but the ATIF gives banks the opportunity to see what threats their peers are facing, and much closer to real time.

The Conference of State Bank Supervisors is also pushing its members — state banking regulators — to promote Project Fortress to the banks they oversee, according to Mary Beth Quist, senior vice president of bank supervision at CSBS. According to Quist, getting banks across the country participating in the project is key.

"Project Fortress is only as successful as the banks that are using it," Quist said. "We are very supportive of it. Banks of all sizes, but in particular community banks — they struggle with cybersecurity, and they want tools."

Cybercriminals are indiscriminate in who they target, according to Brad Robinson, senior director of cybersecurity policy and supervision at CSBS. That means banks of all sizes are potential targets, hence why Treasury has catered the defensive tools to large and small banks alike.

According to Robinson, the message CSBS wants to get across is simple, and it's the same message it wants state regulators to share with the community banks they regulate:

"Project Fortress is for you."

For reprint and licensing requests for this article, click here.
Cyber security Treasury Department American Bankers Association CSBS Technology
MORE FROM AMERICAN BANKER