In another interesting shift in the cybersecurity landscape, the Securities Industry and Financial Markets Association (SIFMA) is proposing the formation of a government-industry cyber war council. The committee of financial executives and deputy-level government officials from U.S. agencies including the Department of Homeland Security, National Security Agency, and the Treasury Department would work to protect major financial institutions from terrorist attacks seeking to cause devastation to the economy by undermining confidence and disrupting national banking operations.
The proposal outlines a reasonable plan to increase visibility into threats, establish better private-government cooperation, and bring the leading protection and enforcement agencies in closer to safeguard banking from cyber threats. But why now?
Traditionally Wall Street has preferred to operate with greater independence and a lighter hand when it comes to regulation, oversight, and government involvement. What is precipitating this shift in the financial sector?
Several elements are coming together to fuel and motivate financial institutions to think differently on cybersecurity issues and “circle the wagons” for better protection.
Cybersecurity risks continue to build. More capable threats, coupled with more users, devices, and sensitive data coming online, amplify current inherent risks. Although this evolution is just a continuing trend, the risks are reaching a point where impacts are becoming significant and the costs of security are sapping resources which could be used instead for revenue-generating opportunities.
State-sponsored and terror organizations are rising to new levels of capability. Both would likely look to manipulate the financial sectors of target economies. These emerging threat agents represent highly motivated and, in many cases, well-funded and technically savvy attackers. This serious threat is a relatively new development which has emerged in the past 2-3 years but is here to stay.
Banks are becoming more concerned with the recent risk of public backlash to compromises. Liability increases, calls for government regulations, oversight inquiries, and greater damages are being seen in the industry. In addition to greater response costs for incidents, customers are taking breaches of trust by their financial service providers more personally. This has an impact on satisfaction and customer retention, and has even influenced the exit of executives. In the past year, the public has shifted from mild vocal concern to expressing discontent with their wallets.
The traditional attacks, which the financial community has been managing well for some time, such as account theft, fraud, money laundering, and denial-of-service attacks, are being augmented with new types of potentially caustic entanglements. Economic terror attacks seek to undermine faith in financial instruments and can be triggered by long-lasting denial-of-service attacks or by massive theft of individual and corporate assets. Privacy breaches may take a turn for the worse as public exposures might begin to show how users spend their money and which political groups they support. Evil Robin-Hood attacks are maniacal in creating severe dissatisfaction with the institution by transferring assets to entities which are emotionally very undesirable to the customer. It is one thing to be informed your account was hacked, $100 was stolen, and you will be reimbursed. It is another thing to know your stolen $100 was transferred to an organization that, for example, harms puppies or supports any other personally despicable cause. In such a greatly amplified reputation attack, the reimbursement alone is no longer a satisfactory resolution for the customer, and the focus is placed on how their financial institution, and they themselves by proxy, could be indirectly supporting despicable activities with their assets through a lack of security. All of these new maneuvers could be cause for liability costs, push customers away permanently, and/or force government intervention. As these emerge in the next few years, the finance industry may yearn for the simpler days of security.
Wall Street’s motivation to support the Cyber War Council initiative is a vertical test case. If the financial community can effectively reduce the risks of loss, enhance their liability position, stave off more regulatory hurdles, and preserve customer loyalty, then I suspect we will see a similar stratagem play out in other verticals like healthcare, energy, transportation, agriculture, and perhaps even defense industries. This will be of great interest to all the Critical Infrastructure sectors in the short and medium term, and potentially to high-technology manufacturers who are concerned with supply chain risks. The upcoming bill, probably the first of many, will include rules to insulate banks from the liability arising from sharing cybersecurity data. It is a foundational step necessary for a realistic partnership in staving off potentially catastrophic attacks on the financial sector. Time will tell if the Cyber War Council concept can be established to make a real difference.