Posted by John Ginovsky in Making Sense Of It All
All of a sudden, it seems, cybersecurity is all over the news.
President Obama mentioned it in his state of the union address. It bears repeating here:
"America must also face the rapidly growing threat from cyber attacks. Now, we know hackers steal people's identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
"And that's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy."
More on this in a bit. Also last week, the nightly news carried a report from the cybersecurity firm Mandiant that, it says, links a specific cyber-hacking group directly to China's army headquarters.
"It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively," says Dan McWhorter, managing director, Threat Intelligence, at this private company.
It's all extremely fascinating. Real techno-spy stuff, yet still required to be taken seriously. From a banker's point of view, however, there's a risk of straying from the real, practical point.
As reported in a recent issue of ABA Banking Journal, "Whoever is doing it, however, it really doesn't matter from the financial institution's point of view," says ABA's Doug Johnson, vice president of risk management policy. "From the standpoint of [banks] trying to protect their systems and their customers, it's really less important to attribute the attack than it is to really know what the attack looks like. That's [basically] the agreement we made for information sharing with the government at this point. It's government's job, particularly law enforcement, to try to address the perpetrators of these attacks. The bank's job is to protect the systems."
That's the key for banks in this matter: information sharing in order to protect the systems.
In fact, that's been the key for several years now, as evidenced in the banking industry's participation in the Financial Services Information Sharing and Analysis Center, with which ABA is a partner.
What seems to be different now, though, is the prominence that information sharing has attained.
Obama said it in his speech, "information sharing," and that's the main thrust of the executive order he signed. Clearly stated in the first section of that order, under "Policy," is this concluding sentence: "We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."
In an indirect way, it's also implied in Mandiant's report. The company could have kept all of its intelligence to itself and its clients, but instead saw fit to release it to the world. To share its information. And, indeed, the fallout from that report certainly has started a conversation among the general media that previously was mainly confined to specialized publications and audiences.
Nothing, though, reaches the consciousness of a country like a presidential proclamation. ABA President and CEO Frank Keating, in fact, said in a statement the next day that the executive order "provides important direction to the public sector on the need to share information associated with threats to our critical infrastructures."
He added: "Banks and other financial services companies have made cybersecurity a top priority. We have invested an enormous amount of time, energy, and money to put in place the highest level of security among critical sectors, and we are subject to the most stringent regulatory requirements. We look forward to continuing to work with the administration and Congress toward our mutual goal of protecting our nation's critical assets."
Other interested parties also have weighed in on this.
"It is important for organizations to understand that this is a framework to help foster intelligence sharing and establish best practices," says Jose Granado, principal and security practice leader at Ernst & Young LLP. "Organizations and industries across the board will need to think about what and how to implement in the most effective manner while considering financial and/or organizational constraints."
Joram Borenstein, of NICE Actimize, says: "About the president's direction on cybersecurity and regarding financial institutions: cooperation is key. Cooperation within industries, across industries, across national borders, with the U.S. intelligence community, and private-public partnerships."
To be sure, there is no end to evidence confirming that today's cyberworld is ripe for cyber attacks. Here are just two reports issued this month:
· Deloitte Tech Trends found that 28% of the 1,749 business professionals it polled said their organizations were the victims of at least one cyber attack in the past year. Nine percent said they had multiple attacks, and 17% said they were not confident their organizations could even detect an attack.
"Cybersecurity may sound technical in nature, but at its core it is a business issue," says Kieran Norton, principal at Deloitte & Touche LLP. "Any company's competitive position and financial health may be at stake. Business and technology leaders need to engage in effective dialog about what the business values most, how the company can drive a competitive advantage, and which information and other digital assets are the most sensitive."
· Trustwave, an ABA-endorsed company that specializes in cloud-based compliance and information security solutions, combed its own files of data breach investigations through 2012. It concludes that the retail industry is now the top target for cybercriminals, making up 45% of the company's investigations. Mobile malware increased 400%.
(As a footnote, and troubling in and of itself: Out of 3 million user passwords analyzed, half are still easily guessed, including the infamous "Password1," which often meets the minimum standard for acceptable passwords.)
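The footnote's point, that a password can satisfy a typical minimum composition standard and still be among the easiest to guess, as an added illustration (not code from the article or from Trustwave; the composition rule, the tiny blocklist and the sample passwords are all constructed for the example):

```python
import re

# Constructed stand-in for a breached/common-password corpus. A real deployment
# would use a large, regularly refreshed list, not a handful of words.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin"}

# Substitutions that password guessers try first, so they add no real strength.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "4": "a"})


def meets_composition_rule(pw: str) -> bool:
    """A common 'minimum standard': 8+ characters with upper, lower and digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalize(pw: str) -> str:
    """Reduce a password to the base word a guesser would start from:
    lowercase it, strip the trailing digits/symbols people tack on
    ("Password1", "Welcome123!"), then undo leet substitutions."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(LEET)


def is_easily_guessed(pw: str) -> bool:
    """True when the normalized form is a known common base word."""
    return normalize(pw) in COMMON_BASES


def evaluate(pw: str) -> dict:
    """Compare the composition rule alone with composition plus a blocklist.
    'accept' is what a policy that also checks guessability would decide."""
    comp = meets_composition_rule(pw)
    guessable = is_easily_guessed(pw)
    return {"composition_ok": comp, "guessable": guessable,
            "accept": comp and not guessable}


if __name__ == "__main__":
    # Constructed samples; "Password1" is the one the article singles out.
    for sample in ["Password1", "P@ssw0rd123!", "Welcome1!", "Xk7#vQ2pLm9z"]:
        print(sample, evaluate(sample))
```

"Password1" passes the composition rule yet normalizes to "password", which is why a blocklist or breached-password check belongs alongside any length-and-character-class policy.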
"Cyber attacks are increasing with little sign of abatement," says Chris Christiansen, Trustwave vice president. "Every business contains valuable information about themselves and/or their partners, channels, suppliers, and customers. By learning from other people's experiences...enterprises can build stronger and more responsive security programs that protect their businesses, employees, partners, suppliers, and customers."
It will be a while before we see how and to what extent the president's executive order beefs up the public-private system of information sharing. The order gives the executive agencies 120 days just to establish procedures for a voluntary information sharing program.
What's important now is the fact that "information sharing" and "cybersecurity" have become part of the collective culture in this country, at least for the moment. Hopefully, their tenets, and their warning, will endure.
Sources for this article include:
About the Author: John Ginovsky is contributing editor of ABA Banking Journal and editor of the publication's TechTopics e-newsletter. For more than two decades he has written about the commercial banking industry. In particular, he's specialized in the technological side of banking and how it relates to the actual business of banking. He previously was senior editor for Community Banker magazine (which merged with ABA Banking Journal) and was a staff writer for ABA's Bankers News. You can email him at email@example.com