Attend any speech by a current or former defense official these days, and you will likely hear a description of the grave threat posed by cyberattacks, particularly to the financial system.
Yet to date those speeches have failed to question the existing paradigm for cyber defense: critical civilian infrastructures defending themselves; regulators supervising that defense; and law enforcement and intelligence communities providing ad hoc assistance. If we are to defend financial services and other civilian infrastructure (power, telecom), that paradigm should be rethought.
Consider that if a major U.S. bank suffered an anthrax or missile attack, no one would ask its regulators to testify about the attack, and no one would expect them to write more regulations to prevent a recurrence. But if a major U.S. bank were to suffer a cyberattack, that is precisely what would happen — even though the most serious attacks now generally come from foreign actors, including nation states and foreign crime syndicates.
Because they are on the hook, regulators are frequently establishing new standards for cyber defense and examining against those standards. They do so even though the firms they regulate are already devoting extraordinary resources to that task and have every incentive to do so. And those firms employ hundreds and in many cases thousands of cybersecurity employees to engage in this defense.
Given the complexity of the cyber arena and limited expertise of regulators in this area, those regulatory standards tend to be generic and simplistic — an especially bad fit for an ever changing cyber battlefield. Indeed, it is difficult to think of any area more poorly suited to traditional bank regulation than cyber security.
What is needed is defense, not regulation.
In the last 20 years, five significant steps have been taken to assist financial firms in defending themselves: the establishment of the industry’s Financial Services Information and Analysis Center, or FS/ISAC (in whose founding I played a role); the establishment of CERT (the Community Emergency Response Team) at Carnegie Mellon and the related CERT-US with direct Department of Homeland Security involvement; the founding of the National Cyber-Forensics & Training Alliance (NCFTA); the establishment of the Financial Systemic Analysis & Resilience Center (FSARC) in 2016; and the FS/ISAC’s recently announced Sheltered Harbor project, whereby firms will now back up data on a daily basis in case a cyberattack wipes out any firm’s data. All of these initiatives were industry generated, often with support from the Treasury Department and law enforcement and defense communities, and focused on the actual defense of critical infrastructure. None was adopted pursuant to any regulation or regulatory guidance.
"The government must assume responsibility for defending the financial services sector and other critical infrastructures, alongside the financial sector itself."
So, with that experience in mind, here is a three part proposal for a complete rethinking of how to defend the financial services sector (and perhaps other critical infrastructures) against cyberattack.
Step 1 is easy: Shift the focus from how significant the threat is – which is now universally acknowledged – to what the government is doing to defend civilian infrastructure against attack.
Step 2 is also easy (or should be): State and federal regulators should stop developing new standards for cyber defense, and they should propose conduct a zero-based review of all the ones they have created to date. As a Presidential Commission on cybersecurity explained in a 2016 report, the National Institute of Standards and Technology guidelines on cyber security, crafted with considerable input from the best minds in this area, establish sufficient standards in this area, and regulators should tuck in behind rather than trying to develop their own. Indeed, those NIST guidelines have just completed a public comment process, and a recent Financial Stability Oversight Council report recommended that regulators engage in that process — not ignore that process and maintain all their own standards. To the extent that regulators believe that any standards in addition to the final NIST 1.1 guidelines are necessary, they should publish them for public comment and explain why — and then rescind any existing guidance, circulars and handbooks that do not pass that test.
Step 3 is hard: The government must assume responsibility for defending the financial services sector and other critical infrastructures, alongside the financial sector itself. What is the practical difference between defense and regulation? Under the current paradigm, every major financial firm receives regular visits from examiners to ensure that it has policies and procedures for defending itself, and has a large compliance and audit program to ensure those policies are followed to the letter. Under a new paradigm, only people with technical expertise would engage major firms, with the Department of Treasury’s existing Office of Critical Infrastructure Protection serving as a key interface. (Certainly, some work of this type is currently going on behind the scenes, but it is not the central focus.) Any residual role for examiners should be played by a single centralized, interagency team with strong experience in cyber defense and requisite security clearances.
Step 3 would come with accountability. A senior Administration official at the Treasury Department or DHS would be assigned the responsibility of defending the financial services sector. That person (along with the firm, of course) would be the one explaining to Congress how it happened, not some unfortunate bank regulator.
Note also the difference between “defend” and “regulate.” The former looks to end results — is the firm safe? — while the latter looks to process — do they have auditable procedures designed to make them safe? Given the constantly evolving threat our country faces, the difference is everything.