Treasury's big push to protect banks from cyber threats

Project Fortress encompasses four initiatives Deputy Secretary Wally Adeyemo hopes will "improve the security and resilience of the financial services sector."
Kyle Green/Bloomberg

This year, the Department of Treasury has been rolling out the largest public-private partnership it has ever established: Project Fortress, an effort to improve the security and resilience of the financial services sector.

The project encompasses four main components: two free cybersecurity tools for banks; a physical space for collaboration between banks and Treasury's cyber officials in downtown D.C.; and offensive efforts by federal law enforcement against cyber attackers. They are new and existing offerings, all consolidated in May under the collective banner of Project Fortress.

To date, more than 900 institutions have enrolled, according to Wally Adeyemo, deputy secretary of the Treasury.

"Individual banks — be they the smallest bank in the country to the largest bank in the country — we all have a responsibility as parts of the financial system to make sure that we're providing the financial tools that are necessary to the functioning of our economy," Adeyemo said in an interview. "And the best way to do that is by working together."

Adeyemo said this is the first time the Treasury has worked with financial institutions to provide such services, and the department is folding in financial institutions of all sizes. Whether the institution has a few hundred million dollars in assets under management, or billions or trillions, "you have the same responsibility to your customers," he said.

"We want to work with you to make sure that we're building a cybersecurity force that will help you protect your institution and protect the financial system at large," Adeyemo said.

One of the banks that has reportedly participated in Project Fortress is BNY Mellon, whose CEO Robin Vince told CNN that investing in a strong cyber defense is good for business, and that maintaining a very strong financial system is a "shared" responsibility among both the private and public sectors.

"There has always been fraud and crime. In the past, it might have been a stagecoach robbery. This is the modern-day equivalent," Vince said.

The Treasury's offerings to banks include two high-value defensive tools that would normally represent significant costs to banks.

The first scans a bank's computer systems for known cyber vulnerabilities, and it has been most popular with smaller institutions. The second aggregates threat signals from participating financial institutions, multiple U.S. government agencies and open-source feeds to provide perhaps the most comprehensive threat intelligence feed available to banks today.

Cyber hygiene services

Since last year, the Treasury has enrolled more than 500 smaller financial sector firms onto the Cyber Hygiene Services program offered by the Cybersecurity and Infrastructure Security Agency, or CISA, the nation's top cybersecurity agency. The free service automatically scans participating firms for significant cyber vulnerabilities and provides recurring updates to firms that point out any gaps.

The vulnerability scanning offering includes continuous monitoring of all internet-accessible network assets at a bank. In addition to weekly reports, participating organizations receive ad-hoc alerts about urgent findings, like potentially risky services and known exploited vulnerabilities.

The second part is web application scanning, which provides deep dives into banks' publicly accessible web applications to uncover vulnerabilities and misconfigurations that attackers can exploit. The service provides detailed monthly and on-demand reports evaluating the firm's defenses against vulnerabilities including the OWASP Top Ten.

Both tools offered as part of the Cyber Hygiene Services strictly scan internet-facing systems and do not provide CISA with any internal access to systems. Metaphorically, the services constitute CISA checking enrolled banks' windows and doors to ensure they are secure rather than looking at the safes and closets inside. This also ensures that enrollees get insights about what bad actors are able to glean about their systems from outside the institution.

These Cyber Hygiene Services provide many of the same offerings that other scanning services offer. For example, OpenVAS is an open-source tool any bank or company can set up and use to run their own vulnerability scans, like those provided by CISA's Cyber Hygiene Services. Companies including AT&T and Qualys also offer fully managed vulnerability scanning services.

For organizations that do not have the ability or resources available to institute internal or third-party vulnerability scanning services, CISA's Cyber Hygiene Services can replace these open-source and commercial tools, according to a Treasury spokesperson. This is especially helpful for small organizations that might lack the technical expertise to maintain their own vulnerability scanning built from open-source tools.

Even for larger banks, CISA's Cyber Hygiene Services can supplement and corroborate findings from the internal or third-party scanning services.

Automated threat intelligence feed

The other major defensive offering as part of Project Fortress is the Treasury's Automated Threat Information Feed, or ATIF, an information-sharing program that provides financial institutions with access to a tailored feed of cyber threats.

The feed, which is currently in a pilot phase, will aggregate indicators from the Treasury, U.S. government entities, international partners, participating financial institutions and more than 40 open-source threat intelligence feeds.

The Pacific Northwest National Laboratory, or PNNL, a national lab with $1.5 billion in annual spending that counts cybersecurity and threat analysis as two of its major focuses, is the primary support organization behind ATIF, and it will also provide data to the feed.

While the Treasury could not publicly share examples of the data included in ATIF, threat intelligence feeds typically provide IP addresses, domain names, file signatures and other signals that cybersecurity software — particularly endpoint detection and response, or EDR, technologies — can use to detect novel threats as soon as they are disclosed.

The Treasury already provides downgraded intelligence data to banks about cyber threats, but the automated feed will ensure that banks receive this intelligence in a timely, actionable format rather than the multistep email process that would require banks to manually translate the intelligence into files or data that their cybersecurity software could ingest and use.

ATIF is free for existing Cloudflare customers because the Treasury incurred the development costs of the program in 2023. Nonetheless, Treasury is working with Cloudflare and PNNL to ensure ATIF can scale to non-Cloudflare customers in a cost-neutral manner.

Ongoing offensive actions

Project Fortress also encompasses ongoing offensive actions by federal law enforcement, including the Treasury's sanction-issuing Office of Foreign Assets Control, or OFAC, targeted at cyber threat actors that target the financial services industry.

Most recently, these actions have included sanctions announced in April against four individuals who allegedly conducted malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command. The actors targeted more than a dozen U.S. companies and government entities, including the Treasury, through cyber operations, including spear phishing and malware attacks.

Recent offensive actions also include the February sanctions against two individuals who allegedly supported ransomware operations on behalf of the major Russia-based threat actor LockBit. The sanctions accompanied disruptions of LockBit's technical infrastructure by U.K. law enforcement and the FBI. At the time, Graeme Biggar, the director of the U.K. National Crime Agency, or NCA, called LockBit "the world's most harmful cyber crime group."

A physical space for collaboration

The fourth benefit Project Fortress is offering banks is improved collaboration with the Treasury on cyber defense. On April 20, the Treasury opened the Treasury Cyber Collaboration Suite, or T-Suite, in downtown D.C., located just a few blocks from the White House.

The T-Suite enables financial sector representatives to sit side-by-side with U.S. government cyber intelligence analysts, according to a Treasury spokesperson. The suite, the Treasury hopes, will advance industry collaboration with intelligence officials in the course of identifying and mitigating cyber threats identified by U.S. intelligence and other sector entities, including other banks.

In an email to banking industry leaders reviewed by American Banker, Adeyemo described the four pillars of Project Fortress, adding that the Treasury "spends a significant portion of our annual appropriations on cybersecurity."

Adeyemo's email went to officials at the Conference of State Bank Supervisors, Financial Services Information Sharing and Analysis Center, Analysis and Resilience Center for Systemic Risk, Financial Services Sector Coordinating Council, Bank Policy Institute and the American Bankers Association.

In the email, Adeyemo acknowledged that the Treasury has "historically been oriented toward supporting larger critical infrastructure institutions." But, he said, Project Fortress is designed to change that.

"The amount of information we can share with each other is also a function of how many institutions participate," Adeyemo said in the email. "Through Project Fortress we made sure that our options support every financial institution — large or small — including community banks and credit unions."
