A Blog by Jonathan Low


Jul 10, 2014

Rescue Me? Wall Street Trade Group Proposes Government Cyber War Council to Protect It From Hackers

Do as I do, not as I say? Wall Street has vociferously protested the imposition of 'burdensome' regulations which, it stoutly proclaims, stifle innovation, depress sales and eliminate jobs.

Libertarian and anti-government political candidates know that the financial services industry is one of the surest sources of funds for their campaigns because of the industry's abhorrence of government interference. The less government the better as far as they are concerned.

But, when it comes to all those Chinese army cyber warriors and Russian mobsters and Iranian jihadists and Nigerian scammers and homegrown income redistributors: why isnt the government doing more to protect our financial system? Including the electric grid, the better tables at Le Cirque and real estate in the Hamptons.

OK, the last two were gratuitous, but the Securities Industry and Financial Markets Association is proposing that the National Security Agency, the Department of Homeland Security and other members of the defense establishment do more to protect the American way of life, which is to say, the jobs and incomes of all those who make a living in the financial markets.

This would be amusing if it were not so serious - and difficult. When money was tangible it could be stored in physical locations like Fort Knox in Kentucky or six stories under the Sub-Treasury building in Lower Manhattan. But now it's just bits and bytes,  flickering images on a computer screen whose ephemeral essence belies its actual value. What should be protected first? Cables, software, servers, Bloomberg terminals? Who even owns them? And who's legally or financially responsible if something goes south? Cue the fingers pointing in every direction but their own.

The reality is that the government probably can and should do more. But with everyone trying to prove how prudent they are by cutting costs and moving their operations offshore or designing complex financial instruments so they dont have to pay taxes it's difficult to fund such initiatives. Apparently that's someone else's problem. JL

Carter Dougherty reports in Bloomberg:

An unusually frank and pessimistic view by the industry of its readiness for attacks wielded by nation-states or terrorist groups that aim to “destroy data and machines.” It says the concerns are “compounded by the dependence of financial institutions on the electric grid,”
Wall Street’s biggest trade group has proposed a government-industry cyber war council to stave off terrorist attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document.
The proposal by the Securities Industry and Financial Markets Association, known as Sifma, calls for a committee of executives and deputy-level representatives from at least eight U.S. agencies including the Treasury Department, the National Security Agency and the Department of Homeland Security, all led by a senior White House official.
The trade association also reveals in the document that Sifma has retained former NSA director Keith Alexander to “facilitate” the joint effort with the government. Alexander, in turn, has brought in Michael Chertoff, the former U.S. Secretary of Homeland Security, and his firm, Chertoff Group.
The document sketches an unusually frank and pessimistic view by the industry of its readiness for attacks wielded by nation-states or terrorist groups that aim to “destroy data and machines.” It says the concerns are “compounded by the dependence of financial institutions on the electric grid,” which is also vulnerable to physical and cyber attack.

‘Widespread Runs’

“The systemic consequences could well be devastating for the economy as the resulting loss of confidence in the security of individual and corporate savings and assets could trigger widespread runs on financial institutions that likely would extend well beyond the directly impacted banks, securities firms and asset managers,” Sifma wrote in the document, dated June 27.
Liz Pierce, a spokeswoman for Sifma, declined to comment on the document, adding that the group “is doing everything possible to help the industry prepare for and defend against cyberattacks.” Caitlin Hayden, spokeswoman for the White House National Security Council, declined to comment.
Alexander had been pitching Sifma and other bank trade associations to purchase his services through his new consulting firm, IronNet Cybersecurity Inc., for as much as $1 million per month, according to two people briefed on the talks.
He has made much the same argument to Sifma as the association is now making to the government about the emergence of new kinds of software assaults. For several months beginning in fall 2012, major U.S. bank websites were hit by what is known as distributed denial-of-service attacks, in which hackers flood systems with information to shut them down.

‘Effectively Defend’

The next wave of attacks “in the near-medium term” is likely to be more destructive and could result in “account balances and books and records being converted to zeros,” while recovering the lost information “would be difficult and slow,” according to the Sifma document.
“We are concerned that the industry may not have the capabilities that we would like to effectively defend against this newer form of potential attack, the capability that we would like to stop such an attack once commenced from spreading to other financial institutions, or the capability we would like of effectively recovering if an initial attack is followed by waves of follow-on attacks,” the document says.
Computer intrusions also have been a concern of regional and small banks. Camden Fine, president of the Independent Community Bankers of America, said today that an account-draining cyberattack is “a question of when.” He predicted the government would have to grapple with difficult questions including whether the Federal Deposit Insurance Corp. would cover any losses.

‘Train Wreck’

“When it does happen, the hue and cry will go up,” Fine wrote in an e-mail. “Who will be liable? What will the FDIC do? It is like watching a train wreck in the making and there is nothing you can do to stop it.”
The Sifma document, while noting that the coordination between industry and government on cyber threats has improved in recent years, said a joint council would produce a more focused response.
The government-industry group would develop plans for “much quicker, near real-time” dissemination of information from agencies to the private sector and ways to “actively defend the industry” if preparations for a cyber attack are discovered in advance. Sifma is also seeking “pre-discussed and mutually understood protocols” for the industry to request government help during and after an attack.

Pre-emptive Strike

Representative Alan Grayson, a Florida Democrat, said today he was concerned that industry members in such a joint group could improperly get involved in pre-emptive strikes against a person or state planning an assault on the U.S.
“This could in effect make the banks part of what would begin to look like a war council,” Grayson said in an e-mail. “Congress needs to keep an eye on what something like this could mean.”
In its proposal, Sifma also called for greater protection for the U.S. electricity grid, which it says is “vulnerable to physical destruction of transformers and other equipment in a small number of undefended substations.”
“The core problem is that if transformers and critical equipment were destroyed at these sites, it could take months to build the replacement equipment,” Sifma wrote.
The Senate Intelligence Committee plans today to take up a bipartisan bill -- sponsored by Senators Dianne Feinstein, a California Democrat, and Saxby Chambliss, a Georgia Republican - - aimed at improving private-sector cyber-defenses. The bill includes rules that would insulate banks from liability arising from sharing information for cybersecurity, addressing a point financial institutions have raised in the past.


Post a Comment