Podcast

Banks’ forever war against cyberattacks


Below is a lightly edited transcript of the podcast:

JOHN HELTMAN: Anyway, how are you? It's been … it's been a little while.

NATHAN TAYLOR: It has been a hot minute. I've been ... been hanging in there and living my best pandemic life. How about yourself?

HELTMAN: I mean, it's like, “Good, doing well — with an asterisk,” you know?

TAYLOR: Sure.

HELTMAN: This is Nathan Taylor, a partner at the law firm Morrison & Foerster who specializes in cybersecurity and information technology law. I met him back in 2019 when I was working on a podcast called Zero Day — which, by the way, check it out, smash the subscribe button, yadda yadda yadda — and I thought I might follow up with him for this episode because it is also about cybersecurity. And while we were talking he said something kind of eerie.

TAYLOR: I guess I'm on a recorded line, so I should...

HELTMAN: Well, this is all just for shooting the shit purposes anyway.

TAYLOR: Well, I know, but the service that you ... you purchased, right, is owned by a Chinese company and the servers ...

HELTMAN: Right, is on a Lenovo server or whatever. I don't think ... I certainly don't feel like I'm important enough for anyone to spy on.

TAYLOR: I mean, I would think that nation-states have a significant interest in journalists’ confidential notes and source lists, but you're probably not in an area that's ... I don't know, you know, I never put it past a nation-state to ... and you're writing about cyber security then ...

HELTMAN: Yeah.

TAYLOR: ... it’s possible.

HELTMAN: Cybersecurity and cyber crime are not at all new — they’ve been around from the very dawn of the internet. When I talked to Nathan a couple of years ago, cyber crime was a big problem, but the worst possibilities of what hackers could do still seemed kind of theoretical. But not anymore.

CNBC: Yeah, John, that's right. Over at the White House, the new Deputy National Security Adviser Anne Neuberger just wrapped up a briefing offering some new details now on the scope of that so-called SolarWinds cybersecurity breach that we saw over the past couple of months. She called it of likely Russian origin, and told us that nine federal agencies and as many as 100 private sector companies have been compromised as a result of this hack.

CNBC: President Biden signing an executive order aimed at strengthening U.S. cyber defenses. The move comes as the hacked and shut down Colonial Pipeline comes back online. The President is expected to speak this morning about the nearly weeklong cybersecurity incident. Joining us now, Transportation Secretary Pete Buttigieg.

BUTTIGIEG: I think for many Americans, this has been a wake-up call on how actors anywhere in the world could impact us, right here at home. And when you look at our policy framework, our laws, a lot of them were not written for the cyber era.

BIDEN: The reality is most of our critical infrastructure is owned and operated by the private sector. And the federal government can't meet this challenge alone. So I've invited you all here today because you have the power and the capacity and responsibility, I believe, to raise the bar on cyber security. And so ultimately, we’ve got a lot of work to do.

HELTMAN: If it seems like these cyberattacks are getting more brazen and more frequent, it’s because they are. In the SolarWinds attack, hackers infiltrated a cybersecurity company and used its network of clients to install malware in hundreds of private and federal government databases. And another group of hackers installed ransomware in a gasoline pipeline, a part of the nation’s critical infrastructure, that led to gas shortages and people panic-buying fuel. So the idea that someone somewhere might be watching you doesn’t feel quite so paranoid.

So are banks just as vulnerable as everyone else? And what can lawmakers and private businesses do to reduce the severity of these attacks? From American Banker, I’m John Heltman, and this is Bankshot, a podcast about banks, finance and the world we live in.

Cybersecurity is a pretty broad topic, and it has implications far beyond banking. But all cybersecurity really is is a series of measures meant to stop or deter cyberattacks, which are efforts by hackers to steal, disrupt, corrupt or otherwise infiltrate a database to which they have not been granted access.

Lots of things can disrupt banks’ operations — earthquakes, hurricanes, solar flares, bank robberies, you name it. And banks tend to lump those many various contingencies, including cybersecurity, together as “operational risk,” or op risk for short.

PAUL BENDA: Operational risk is a, I'll use the word generic term, but it's a broad term that does normally include, you know, cybersecurity, physical security, health, security, fraud, all those different aspects of it.

HELTMAN: That’s Paul Benda.

BENDA: My name is Paul Benda, I'm the Senior Vice President of operational risk and cybersecurity at the American Bankers Association. We included it in my title simply because it is the preeminent risk — you know, before COVID came along — in terms of what our bankers are focused on.

HELTMAN: There aren’t any hard numbers on how much the banking industry spends on cybersecurity, but one 2020 survey from Deloitte suggested that banks spend roughly 11% of their information technology budget on cybersecurity — or about $2,700 per full time employee per year. Brian Moynihan, CEO of Bank of America, said earlier this year that the bank spends upwards of $1 billion a year on cybersecurity. And as cyber threats get more sophisticated and take up more of banks’ attention, many banks have started to reorganize themselves around those challenges.

BENDA: A lot of the fraud we see in banking is cyber-enabled fraud. And so there's a lot of — in terms of op risk — you have a lot of overlap. And I think, in a lot of banks, the fraud group’s been around for hundreds of years, and they kind of grew up on their own. And then the cyber group grew up on its own, as an information security first and now cybersecurity piece. And we're starting to see banks merging those two aspects of it. We know some large banks that are just starting to combine those two capabilities.

Right now we're starting to see banks recognizing that they need to have much tighter integration of their cyber capabilities to help mitigate fraud. And a perfect example is, as we know, some banks during the PPP process were receiving lots of fraudulent applications. Turns out, in some instances, they're all coming from the same IP address. So only if the cyber people knew that we're able to come back and tell the fraud people that that was the same IP address, there's a red flag there. And so it's obvious in hindsight, but in the real world, it's hard to make those connections in real time. And I think those are the kinds of things that banks are really trying to invest in to figure out, how can my cyber people help me disable the fraud side?

HELTMAN: While sending out dozens of fraudulent Paycheck Protection Program applications from the same computer isn’t a very sophisticated cyberattack, there has been an uptick in more nefarious types of cyber crime just since the beginning of the pandemic. And it’s actually kind of because of the pandemic.

BRIAN VECCI: So more of it's happening, but we're also hearing about a little bit more.

HELTMAN: This is Brian Vecci.

VECCI: My name is Brian Vecci, I'm the field CTO at Varonis. And if you're not familiar with Varonis, we're a B2B data security/cybersecurity software company. We make software that helps protect companies and other organizations, helps them protect their data. Even if you go back in time a year and a half, suddenly, now everybody's working from home. I kind of flippantly was using a quote from a CISO that we work with at the beginning of last year, and he said, “You know, in March, or in February, the beginning of 2020, I had five offices, 1,500 people, it was a complex organization. It wasn't a massive enterprise. It's not like a Fortune 50 company, but it's still big and complex, and my job is really tough. Fast forward to March 15.

Suddenly, I've got 1,500 offices to worry about, and I have no control over them. It's people's home, you know, WiFi networks, with their kids’ laptops and Alexas and Google assistants and mobile devices. I have control over one device in that household, it's the corporate laptop that our employee's using. But I have no control over the WiFi network, I have no control over their neighbor's WiFi networks, I have no control over their kids' devices, I have no control over the hygiene of that network. I have no visibility to it whatsoever. So my threat surface went from five offices and 1,500 users to 1,500 offices each with a single user.” So all of this contributes to the fact that there is more opportunity, more financial incentive — especially with cryptocurrency it's so easy for someone to get anonymously paid now in a distributed way from anywhere — and the environment is so much more complex. And the damage, like the impact of something going wrong is bigger than it's ever been.

HELTMAN: The FBI’s Internet Crime Complaint Center said in its 2021 annual report that the number of complaints about real, attempted or suspected internet crime went up almost 70% since 2019. And there is a great deal of anecdotal evidence that suggests that cyber crime is up. But those statistics are all kind of soft, and there are a few reasons for that. One is because there is no real central repository for cyberattacks, and most companies aren’t required to disclose a breach even if it happens. But more to the point, cybersecurity experts are more concerned with the quality rather than the quantity of cyberattacks lately.

VECCI: Towards the beginning of last year, even as the pandemic was ramping up, we have an incident response team, and one of the things that we track a lot and measure is, what are they actually responding to, what kinds of incidents are we actually seeing? And at the beginning of COVID, March and April, we saw — and this is gonna make sense, based on what we're talking about — we saw a lot of brute force. A lot of attackers were just ... they knew there was suddenly, you know, a company that normally had 5% of their workforce working remotely now had 95%. And just managing that is so much more complicated. So they were brute forcing, they were brute forcing accounts like VPN accounts to get in. It's basically the equivalent of just going up to a locked door and trying every key, and eventually it's going to work a little bit. They were also doing things like ... companies in the scramble to get working would expose parts of their network, just so that people could get to work. They didn't have the time or the resources to be able to properly secure things.

So there were things like exposed servers that would normally never be exposed to the internet by necessity, so there were a lot of very simple attacks, but there were a whole lot more of them. Then, as the summer wore on, and we started getting used to this remote work environment, a lot of those barn doors got closed, a lot of the biggest gaps, the biggest holes, got filled in. And so attackers started being a little bit smarter. We saw lots of relatively sophisticated phishing campaigns — “Check out the COVID News in your area,” right? I'm of course, I'm going to click on that, and everybody did. So there was a lot of phishing and credential, spear phishing and, you know, credential hijacking. So the attacks changed. But it's not necessarily about the number, but the severity.

HELTMAN: Banks are very much subject to these attacks, particularly more sophisticated attacks like ransomware and spear phishing — that is, when a hacker is specifically targeting the credentials of a high-profile individual. But banks as a sector are relatively well-prepared for these kinds of attacks — after all, they spend so much money deterring them.

BENDA: The larger banks obviously have a larger attack surface, you know, just by nature of who they are: the more branches, the more users, the more access points, you know, they need more sophisticated ... you know, if you've got 15 million records, and 15 million, you know, IPs, it's gonna require more sophisticated tools to manage that than if you have 1,500. And so I think that there is a differential between different size banks in terms of the tools they use, because they have to use different tools, because they have different requirements. But I think the fundamentals are always there, you know, banks are the most regulated critical infrastructure that's out there, quite frankly. And, you know, we go through cyber assessment reviews with our regulators, you know, with our examiners, and so banks get looked at, whether it's every 12 months, 18 months, 24 months, you know, they come in, there's a baseline in place.

CHRISTOPHER WOLFE: You know, I would say the banking sector has probably been at the forefront of this issue for a lot of reasons. I'm Chris Wolfe, managing director, and I head up the North American bank team at Fitch Ratings. You know, when you think about, you know, the old adage of, you know, when the bank robber was asked, "Why do you rob banks?" — it's because that's where the money is. And so I think, you know, banks have always been probably one of the early prime targets for cyber criminals. And so I think they've had to deal with this issue for, you know, a very long time.

HELTMAN: But that doesn’t mean banks are sitting pretty. There are just under 5,000 FDIC-insured banks in the United States, and most of them are small. And smaller institutions have smaller budgets for everything, including cybersecurity.

WOLFE: They're probably further ahead in the cyber risk, you know, development than other sectors or industries, it doesn't mean that they're, you know, they're not vulnerable to attack. You saw, you know, Capital One a couple years ago had a pretty massive breach. Desjardins, which is a large credit union in Canada, had a substantial breach. So, it's not that, you know, the banking sector is immune to these things.

HELTMAN: It also doesn’t mean that because banks have generally been very good at avoiding the worst outcomes from cyberattacks so far that they will be just as good at deterring them going forward. And Fitch put out a report in August that found that the banking industry could still be subject to considerable material losses from a concentrated cyberattack.

WOLFE: We've been thinking about two things. And I'll get to this, do you think both about? Can we get better visibility into who might be more vulnerable? And if so, what could that mean, in terms of costs? And therefore, how does that affect our view of, you know, the overall creditworthiness of the institution? So it's trying to put those two pieces together? So, you know, when we think about quantifying what was really behind that was, banks increasingly rely on a lot of different service providers, or, if you will, third party vendors, and if you think about where some of the more recent, some, some attacks, and that's, that's the channel that the attackers come through, it's a third party vendor, or reliance on a lot of, you know, you know, some data providers, cloud providers, what happens if there's a hack there? How can that affect the industry?

HELTMAN: The report took an approach to modeling risk that kind of resembles the Fed’s stress test, examining the baseline for banks’ losses from cyber events and then examining potential losses from more uncommon — but far more disruptive — cyberattack scenarios.

The report found that across the banking industry, annual average losses related to cybersecurity breaches or infiltrations amounted to about $213 million per year, or roughly two basis points of the overall industry’s revenue. That’s completely manageable, and banks manage it just fine. But the aggregate losses from a severe attack — such as the disruption of a data server or some other third-party vendor, a large-scale ransomware attack, or widespread data theft — could cost the industry billions.

WOLFE: So attacks on a cloud based provider, for example, could have more of an impact than just an outage. So a ransomware file sharing, cloud based provider can be the most severe type of event that we should be thinking. So that was another good learning from that. But also just starting to size the types of the dollar figures that could be involved in these kinds of events.

HELTMAN: Wolfe’s group found that when those big cyber events happen, a bigger share of the total losses falls on larger banks, which makes sense. But they also found that those events were more likely to have a material impact on smaller banks’ bottom lines, and by extension a negative impact on their credit rating. And part of the reason for that is because large banks are also more likely to have those low-frequency, high-cost cyberattacks covered by cyber insurance.

WOLFE: The bigger banks come to contribute more to the overall model loss estimate, which isn't surprising. But you're right, their ability to absorb that is probably better. And the other interesting thing that comes out of this is just the use of cyber risk insurance. And there is a difference in how bigger banks use it versus smaller banks. So the larger banks, you know, what we found — and this is somewhat, you know, the data isn't as robust on this, so this is more of a smaller sample or a subset of the universe — but what we found was, larger banks are more likely to protect against what we'd say are the low frequency, high severity tail events. So they'll pay a higher deductible, whereas smaller banks tend to have, you know, lower deductibles. But they're trying to guard against, you know, more frequent, less severe cyber events, and so I think that was an interesting finding to us in terms of just how banks use cyber risk insurance.

HELTMAN: Analyses like these rely on the presumption that the severity and frequency of cyberattacks is known, or at least quantifiable — the potential for a phishing email is high and it happens every day, whereas the potential for a very disruptive, concentrated attack is very low. It’s like with other kinds of operational risk modeling — the possibility of rain is high, the possibility of a category 5 hurricane is relatively low. But hackers — be they common thieves or nation-state actors — are adaptive and increasingly well-resourced, and have every incentive to coordinate more disruptive attacks if it will fulfill their objective. In other words, a hurricane isn’t trying to get more severe so that it can shut down a bank, but hackers might be.

MARK STAMFORD: The fundamental principle still remains the same, right? Which is, attackers make money by busting your business, right? So therefore, their motivation is to keep adapting as fast as they can — quicker than you can to what's coming down the pike, because that's how they're going to make bank, right?

HELTMAN: That’s Mark Stamford.

STAMFORD: I'm Mark Stamford. I'm the CEO and founder of OccamSec. So I have been doing information security officially and unofficially since the age of 11, which was a long time ago. There's still a lot of phishing attacks, right? But you're seeing lots of other things coming up. I mean, ransomware as a service is the new thing that's being pushed. It's been around for a while, it's just been picked up now that it's actually going on. You've seen attacks against things like, you know, VMware ESX, that kind of stuff. iOS is starting to get a few cracks, right? There was the Nols malware that came out and they fixed that up, what else is going on there? So the bad guys are really flexible, right? They know that we're working from home, and we're moving around, and they see where the opportunities are in that. So I think it really is that the attack space has grown. We can't keep up with that. If my job is to break your attack surface to make money, I'm going to keep up with it. Because my profit motive is to do that.

HELTMAN: And the expansion of working from home has made it all the more possible for big, centralized service providers that serve big portions of the internet, including but not limited to banks, to get infiltrated. And the consequences of that infiltration could be significant.

STAMFORD: The internet interconnectivity between everyone is making these large attacks easier, and making them more profitable, right. I mean, ultimately, if we stick with AWS, which I'm picking on for no other reason, that gets really big.

HELTMAN: That’s Amazon Web Services, which commands about a third of the cloud computing market.

STAMFORD: If you could compromise AWS, you would compromise thousands of organizations, right? So it makes sense for me to go for those targets, right? And then if you look at a company like SolarWinds, that financially was kind of sailing the rough seas a bit, right? If I'm an attacker, I'm going to say to myself, these guys probably aren't spending what they should spend on security. So there's probably some weaknesses. They're all right targets, right? So we are seeing an acceleration in breaches, because it's becoming more and more complex. And I think that the good guys just can't keep up, right? It's just … it's just becoming a more and more impossible problem.

HELTMAN: So if this is a big problem, is it a problem with a policy solution? Is there a bill that Congress could pass that might make this problem better, or at least reduce the costs or probability of such an extreme downside risk?

BENDA: Cyber is really difficult, because there's no silver bullet. You know, you've got to do all the regular blocking and tackling of having good ... you know, I don't know necessarily like the word "cyber hygiene," but it's, you know, it's an appropriate reason people use it. So you've got to have that in place. I think, you know, what the financial sector would really like is better information sharing in a more timely manner and in a more open manner with the government to allow them to mitigate threats in real time.

HELTMAN: The federal approach to cybersecurity is pretty decentralized — most front-line cyber concerns are addressed by primary regulators, so bank regulators oversee banks’ cyber defenses, the Environmental Protection Agency oversees water and wastewater infrastructure, the electricity grid is overseen by the Department of Energy, and so on and so forth. Each of those sectors has coordinating councils between regulators and the industries they oversee whose purpose is to facilitate information sharing. But Benda said that information sharing in this arrangement is something of a one-way street.

BENDA: A lot of times banks will provide information and then they don't hear anything back. And so it's, you know, they have a lot of information and they try and share it amongst others with FS-ISAC, the Financial Services Information Sharing and Analysis Center, but you know, they don't have the resources that obviously the U.S. government has, and it knows these threats that are coming down, and I still think there is a challenge we have that the government treats, you know, this information as classified and doesn't recognize ... it's great that they might have that information, but they're not the target. You know, a bank is the target, you know, people, you know, consumers' money is the target. And if they don't share that threat information in a timely manner that allows, you know, financial institutions to take action against it, you know, they're not doing anyone any good.

HELTMAN: And while there aren’t any big cybersecurity bills tearing through Congress at the moment, there is a bit more awareness of the issue and more interest in dealing with uncontentious cyber issues than there was just a few years ago.

TAYLOR: I do think a lot has changed since the podcast in a way that is certainly meaningful from a legislative and regulatory standpoint.

HELTMAN: That’s Nathan Taylor again, from the beginning of the episode.

TAYLOR: I was always sort of the eternal pessimist on Congress actually doing something either on data breach or privacy. And, you know, I still tend to be pessimistic as it relates to something of a generally applicable nature, right, like a law that applies to everyone. That's broad, but I do think that SolarWinds supply chain concerns and Colonial Pipeline were significant events, right? Like, we used to always sort of spitball and wonder, you know, well, what would it take for Congress to actually act? And I think when we spoke last, you know, my view was, you really have to have some type of mainstream impacts on the country, right, like, you know, not a data breach involving SSNs, but, you know, you need the power, the lights to go off, or, you know, some type of very significant event. And, you know, in Colonial Pipeline, sure, it had some impacts on gas prices for a few days in the Northeast. But it wasn't exactly a national impact. But I think Congress's concerns with SolarWinds and the Colonial Pipeline, I think, were significant enough that, you know, if I was a betting man, I would actually bet that we get some type of narrowly tailored legislation this year that's probably added to a defense authorization bill or an intel bill, right? You know, one of the omnibus thousand-page bills. I think we will probably get one or two different types of actual legislation that's relevant to these areas. And, candidly, we might get both.

HELTMAN: The first kind of legislation that Taylor said could make its way through Congress this year is a reporting requirement for cybersecurity breaches or incidents in industries deemed to be critical infrastructure, such as finance, water, energy, transportation, that kind of thing. The other is some new legislative language to counter ransomware.

TAYLOR: This may be the less ... the least likely of the two, but there's still a legitimate possibility that I think we get some type of ransomware legislation that could do a number of things, one of which is require a company to do due diligence and contact law enforcement before paying, you know, for example, trying to find a key before paying, as distinct from a prohibition on paying, but impose some type of due diligence obligations, and then separately, just a general kind of reporting obligation if ransom is paid, and that would be directly responsive to Colonial Pipeline. And, you know, some of the Congressional concerns about, you know, the federal government didn't know. And that type of legislation, I think, will probably be generally applicable, not focused just on critical infrastructure, but applied to the economy generally, probably with some type of exception for small businesses. But I think it will likely happen. I think we're closer to actual legislation, even though it would be narrowly targeted, like I described, right, it wouldn't be an omnibus data security bill or a data breach bill. I think we're closer than we've ever been.

HELTMAN: But while those changes are popular and may very well pass, it won’t necessarily change the fundamental dynamic of cybersecurity: hackers are predators and banks are prey. And that is unlikely to change any time soon.

STAMFORD: The problem I see with policy is it's always responding to the last issue, right? I mean, it's the same issue with warfare, right? There was talk about, right, you're always fighting the last war. This is what happened last time. Let's make sure it doesn't happen again. But your adversary has moved on, right? So they're not going to do what they did last time. I think the problem tends to come about because a lot of the folks making the rules in government, they don't really know how these private sector organizations work, right. So, I mean, I've sat in on some of these conversations, and it's just like, well, they can just do this and do this. And it's like, well, they really can't, and the reason why they have this Windows XP machine doing what it does is because it just works. So there's no need to change it, right? So I think that we could try to sort of set a baseline, like this is the minimum of what you have to do, right? But the minimum needs to be fairly substantial, right. And the problem again is, you know, as we've seen time and time again, any standard like that will be lobbied down to a lower standard.

VECCI: Post-ransomware, whatever attacks are going to be are going to be based on data — I almost said data-based, but that can be kind of confusing. And they're going to be based on data, and attackers are like water, they're going to flow to the path of least resistance. Ransomware attacks a dataset or files that are naturally chaotic, in places you don't expect, more valuable than you think, often wide open and often unmonitored. So smart banks, I think, should be looking at where their data is going. Is it, you know — it's probably going into a cloud repository, and how is it being used and by whom? And, you know, ransomware — the thing about ransomware is an attacker can use any technique from phishing to brute force to supply chain hacks like SolarWinds as a beachhead to get access to encrypt and exfiltrate data. Well, if an attacker is going to go after data, a smart bank would look and think, okay, where is my data going? And what is the path of least resistance for an attacker? Part of the challenge has been, I think, for a lot of organizations, they see their data going into ostensibly more secure locations, they feel like if it's in cloud repositories, suddenly it's going to be more secure, which is a little insane, because putting something in the cloud is like saying, I'm gonna put it in somebody else's internet-connected computer, and that's certainly going to keep it secure, right? Well, no. But they're assuming that a lot of their data that has been on legacy systems is just going to go away and isn't going to represent any risk anymore, when in fact, it might represent even more. Banks like to minimize risk. And the fastest and most effective way to minimize risk is to delete the data.

TAYLOR: Whether it's the critical infrastructure bill or the ransomware bill, both are focused on reporting events, as distinct from actually imposing security obligations. And that's a critical distinction, right? Like, yes, Congress is closer than they've ever been before, probably, on certain types of legislation. But let's bear in mind, these are, "Hey, you've got to let the federal government know if you have one of these types of events," not "Hey, you have to do X, Y and Z to secure your pipeline." A cyber event can have very different impacts, depending on who the target is and what they hit, and even cyber events look very different within a single company, depending on what's hit. Every single business in America has technology systems and is connected to the internet. And what that means is, every single business in America is a potential target. When you think about events like SolarWinds, and that event, which ... It is frightening what mischief can occur from the well-resourced and badly intentioned actor. You know, what they can pull off ... it is frightening.