Country, banking long overdue for cyberdefense upgrade

The country’s financial future is hanging by its digital thumbs.

Look no further that the recent cyberattacks on multiple federal agencies, including the U.S. Treasury Department.

These recent attacks were the result of an elaborate and well-planned global cyber espionage campaign believed to be orchestrated by the Russian government and spanning to earlier this year.

Now, U.S. agencies and financial institutions will be testing their systems for months to determine the extent of the incursions and damage done. Experts say that there are preliminary reconnaissance missions in preparation for a future cyberwar that will jeopardize everyone’s financial well-being.

Cyberattacks cannot be treated as harmless games of “tag you’re it.” But figuring out just how to respond proportionally against countries like Russia, China, North Korea and Iran is a challenge that has been debated for decades.

Two years ago, I urged the administration and Congress to give the highest priority to the development of a financial services and capital markets strategy to protect against technological threats. This could be done by creating a national commission focused solely on protection of the country’s economic infrastructure. Today, we may have passed the point where that is still a prudent course of action.

The Treasury is one of several central government hubs that make the country’s economic grid work. Even a stutter in its ability to issue notes or irrigate the economy would be remarkably damaging. And yet, no single U.S. agency, combination of agencies, or partnerships between the governmental and private sector are responsible for the comprehensive identification, protection, detection, response and recovery of the country’s economy and its component parts.

Why?

Presidents and congress have studied cybersecurity issues for the last 25 years, only raising passing references to concerns about the country’s economic infrastructure. Legislators, regulators, academics and policymakers have been distracted by less important issues or hopelessly mired in yesterday’s stale policy debates about Glass-Steagall and too-big-to-fail, forcing them into a world that is quickly passing by.

But the number of Cassandras are increasing. Indeed, the largest banks are spending hundreds of millions of dollars on their individual defense systems. A new Carnegie Endowment study, called The FinCyber Project, documents the increase in significant global financial cyberattacks since 2007. The 50 that have occurred in 2020 have impacted Brazilian bank account holders, Hungarian banking and telecommunication services, the nationwide operations of one of Chile’s largest banks and cash machines in Belgium.

A 2019 Cyberspace Solarium Commission Report echoes similar concerns in that the United States has failed in its overall efforts to defend against cyberattacks and defaulted to a norm of inaction.

Such inaction is likely due to confusion over who or what is supposed to act. The U.S. Government Accountability Office recently warned that there is an urgent need to clearly define a central leadership role in the nation's cyber-related efforts. And that was before the December reports of the massive suspected Russian hack.

Global leaders from some of the largest central banks and financial institutions have all suggested that the very stability of the global financial system is at stake. The staff of the New York Federal Reserve noted in early 2020 that the impact of a cyberattack on significant financial institutions in the country could be “very large.”

Unfortunately, the best America has to offer at the moment are strategies that rely on a company-by-company, agency-by-agency detection and defense systems. Think of the consequences if that were the way the United States constructed its strategic military defense. A large bank like JPMorgan Chase would have to acquire its own supply of ballistic missiles to defend and protect its square block in Manhattan.

This is a problem that neither the government nor the private sector can solve by themselves. All too often, the private sector is legitimately reticent about allowing the government to peer under the shades. It also demands the sharing of information that may impact the relative competitive advantages of those private companies.

Private organizations such as the Financial Services Information Sharing and Analysis Center and its Sheltered Harbor prepare thousands of participating financial institutions for catastrophic cyberattacks and create the business and technical processes necessary to restore critical systems. But this can only go so far.

In the end, there must be a clear delineation of responsibility between government agencies and private companies.

The winds of financial cyberwars are forming, but there is no U.S. cyber coast guard, no effective cyberwar early warning system, no advance strike team, and no corps of cyber financial engineers to protect or rebuild the economy.

Not enough serious resources are being dedicated to this issue by the government. It must take the lead to implement a comprehensive cyberwarfare economic strategy that contains an achievable set of goals and recovery plans that ensure that backup systems can sustain the damage, be immediately rebooted and become operational.

There have been more than enough studies urging the construction of enforceable mechanisms that deter and protect against cyberwarfare through layered defenses and systemic resilience. It’s time for action.

The willingness and capacity of the Biden administration to undertake the challenge to safeguard the economic infrastructure of the United States may also define its capacity to defend democracy itself.

Parts of this article are drawn from Thomas P. Vartanian’s upcoming book, “200 Years of American Financial Panics.”