The Adversary Will Get In
The stakes are high when it comes to cyber-attacks. The new Northeast Ohio CyberConsortium, of which the Federal Reserve Bank of Cleveland is a founding member, is committed to helping companies better defend themselves through cross-sector information sharing.
When James B. Comey, the director of the FBI, was asked to identify which industries are at greatest risk of cyber-attacks, he didn’t hesitate to name the top one: “Obviously the financial industry, because that’s where the money is,” Comey replied, speaking at the inaugural Cyber Security & Resiliency Conference in Cleveland, Ohio.
Carole S. Rendon, first assistant US attorney for the Northern District of Ohio, understands why he started there.
“Financial institutions have a tremendous amount of information about their clients, which in and of itself is incredibly valuable,” says Rendon. “But then, they also have everybody’s money. And so for the criminal, if you can get in and divert money from the bank, that is a huge windfall. For hacktivists, if you can shut down a bank with a denial-of-service attack,” making a resource or network unavailable to its intended users, “you can terrify the entire economy very quickly.”
This is precisely why Rendon says it’s important that the Federal Reserve Bank of Cleveland has been involved from the beginning in the formation of the new Northeast Ohio CyberConsortium.
Unlike some information-sharing centers that facilitate collaboration around cybersecurity in a narrower, sector-specific way, the Northeast Ohio CyberConsortium is purposely cross-sector. Its founders reflect that makeup: they include Goodyear, the Cleveland Clinic, and the US Attorney’s Office for the Northern District of Ohio, which prosecutes criminal and civil matters across the 40 Ohio counties north of Columbus.
One role the Federal Reserve Bank of Cleveland can play in the local consortium is that of facilitator, and it’s motivated to do so not just because the financial sector is at risk, notes William D. Fosnight, senior vice president and general counsel for the Bank.
“Obviously, confidence in your financial services is of paramount importance,” Fosnight begins. “Nobody wants to see money being stolen from within the financial system. Maybe equally as important, though, is we as the central bank are concerned about the economy, about economic growth. Cyber threats pose a real and serious problem for the economy if a company can lose all of its intellectual property in a matter of seconds.”
Globally, cyber-attacks cost businesses at least $315 billion over a 12-month span, according to a Grant Thornton survey released in September 2015.
In addition, Fosnight notes, it can take a long time for a business to recover from the reputational damage of a hack, and it’s sometimes only a matter of days before class-action lawsuits are filed against organizations that lose people’s information to criminals.
One aim of the new consortium is to eliminate the potential that one local company becomes aware of a new threat but doesn’t share that information with another down the street, organizers say. Instead, participants want face-to-face sharing of such information, as real-time as possible.
“What we’ve learned is that what hits us in financial services today is very likely to be applied against our friends in medical care,” said James Caulfield, an assistant vice president with the Federal Reserve Bank of Richmond who spoke on a panel about combating cyber intrusions. “It’s part of our DNA as security people to not necessarily share. We share war stories from 1 year ago, 2 years ago.”
But, Caulfield said, organizations need to share more with one another about what’s happening today. Rendon agrees.
“If we could have someone be the canary in the coal mine, they could warn everyone in our region, and the consortium could work to create a defense, could encircle our region with a level of protection that doesn’t exist in other parts of the country,” she says. “Cyber intrusions are happening every day across America. There is no sector of our nation and of our economy that is not affected.”
Cyber-attackers can be nation states, hacktivists, or insiders, whether malicious or unintentional. The threat they pose takes many forms, from malware to data exfiltration to distributed denial-of-service attacks.
FBI Director Comey’s identification of the financial sector as one of those facing the greatest risk likely comes as no surprise to those responsible for protecting banking assets against such attackers and such threats.
It was probably the year 2012 when the sophistication of cyber-attacks became clearer to the financial sector, according to Jason Tarnowski, an assistant vice president with the Cleveland Fed. Between 2012 and 2014, a number of distributed denial-of-service attacks became public knowledge, raising bankers’ awareness of offenders’ abilities and how quickly their tactics were evolving.
Following that, the Federal Reserve System and other financial sector regulators increased oversight of the cybersecurity efforts of the companies they regulate. Handbooks were updated and guidance letters and alerts published, all to illuminate the increasing risk, notes Tarnowski, who plays a role in establishing cybersecurity intelligence and incident management for the Federal Reserve System.
Some of the ways in which people bank today didn’t exist 5 years ago. Large and small institutions alike now own and operate websites. Electronic banking and electronic bill pay are increasingly prevalent. More mobile apps connect customers to the cash they deposit in banks.
And not only has banks’ collective web expanded, but so, too, has the constellation of vendors that bankers use to make it all a reality. There are more cooks in this kitchen today, and that creates risk.
From a regulatory vantage point, the concern is certainly not isolated to the impact of a cyber-attack on single institutions; there is a broader impact to mitigate, which is the impact on payment systems and financial stability.
“If you have a successful attack on the financial sector, that could jeopardize consumer confidence and overall financial stability,” Tarnowski explains. “Imagine not being able to get your money out of the bank.”
Institutions in the Fourth Federal Reserve District, the region the Cleveland Fed serves, which comprises Ohio, western Pennsylvania, the northern panhandle of West Virginia, and eastern Kentucky, are building their budgets and expertise to protect themselves.
“If you talk to CEOs or their boards, they all recognize cybersecurity within their top 3 risks—if not their top risk,” Tarnowski says.
Those polling the industry’s people know it to be true: In mid-October, for example, a survey by Wolters Kluwer Financial Services revealed that 66 percent of respondents, when asked about escalated risk priorities for 2016, cited cybersecurity as their top concern. Conducted in August 2015, the survey generated 539 responses among banks, credit unions, and other lenders.
Though the risk of cyber-attacks may be shared, the approaches and needs for mitigating it are not.
“Each financial institution is different,” Tarnowski notes. “What works at one institution might not work at another. If you have a wholesale type of institution that doesn’t deal with [retail] customers, you’re not going to have the exposures that you’ll have with mobile banking and electronic banking. That looks a lot different than a retail-focused institution that’s dealing with a lot of customers.”
What’s important, he adds, is ensuring that a bank’s cyber-informed are embedded early when business decisions are being made. That way, the experts can vet the risks a product, strategy, or service carries and ensure that an institution’s operations center can monitor those risks.
It’s also important that companies undertake cyber-event exercises to ensure that those who bear responsibilities in the event of an attack know how to react, Tarnowski asserts.
The tone at the top of an organization is important to regulators, he adds. Do a company’s people, from the C-suite on down, understand the level of cyber risk and their responsibility for protecting the institution’s assets and customer information? Is the institution proactively engaged in threat intelligence and monitoring?
“The landscape is always changing, and the individuals who are perpetrating these events are very persistent and continue to refine their capabilities in carrying out these types of attacks,” Tarnowski says. “They [institutions] have to have intelligence coming in, they have to have their cyber operations center monitoring the risks affecting the institution, and they should have an inventory of their assets and data management systems so that they can take appropriate steps to address vulnerabilities.”
All of it requires banks to clear a hurdle that every sector faces: the reported scarcity of people with the cyber-related skill sets companies need. And it’s especially hard in districts such as the Cleveland Fed’s region, Tarnowski asserts, to compete for that talent with cities such as New York or Chicago.
Among the workforce-development frustrations shared by attendees of the Cyber Security & Resiliency Conference in October were limited cybersecurity curricula in the region and a need for people who think creatively about cybersecurity.
The timing of the conference and the consortium likely has a lot to do with the news of attacks on the likes of Anthem, Sony Pictures, and the Office of Personnel Management, Rendon notes.
“I’m not sure that people were as focused 5 years ago on the dangers that exist on the Internet as they are now,” she says.
If the conference’s more than 300 registrants provide any indication, people seem well aware of the dangers now. In fact, Dr. Toby Cosgrove, president and chief executive officer of the Cleveland Clinic, called cybersecurity “the most urgent security issue of our time.”
“They’re going to get in,” one speaker later said of cyber-attackers. “They’re going to get a beachhead. What you need to do is think about this in terms of a good baseball team. You don’t have the expectation [that the pitcher] will throw a perfect game. You can let people get on first base. You can walk somebody. Keeping their team from crossing the [home] plate is how you win the game.
“You want to be the ones who are resilient in this world,” the speaker said.
Sum and substance: Given the risk of cyber-attacks to both the financial sector and the broader economy, the Federal Reserve Bank of Cleveland is collaborating with other leading organizations to strengthen Northeast Ohio’s collective cybersecurity.
Fortify Your Organization
Grow what you know
- When an organization falls prey to a particular type of attack, ask yourself this: Are you vulnerable to the same type of attack?
- Bring your cybersecurity folks to the table to have conversations on an ongoing basis. Ask them to identify what policy changes they’d make to improve your firm’s cybersecurity.
Deepen your defenses
- Segregate your human resources information from your intellectual property information, and so on, so that if an attacker successfully infiltrates your system, said access doesn’t give her or him everything.
- Educate your employees about threats such as phishing. And practice good cyber hygiene: Encourage or require employees to keep passwords strong and to change them periodically, and urge them to restrict access to the equipment they use.
- Remember that what really matters is the data you possess. Too often, companies defend entryways and operating systems. Defend the data hackers want. Ask yourself this: Who and what touches my data now?
- Detect what’s unusual, such as abnormal file transfers or an employee taking too much data from the server. A number of automated products can do this for you.
- Know that it’s not only your own defenses that you must safeguard, but also those of your third-party vendors. Make demands of your supply chain.
Don’t be frozen
- When you find the tendrils of a compromise or anomalies, hunt for who or what is behind them.
- Evolve. Hackers do, and so must you. High-level adversaries aren’t going to use the same tradecraft they used to exploit someone else in order to exploit you.
- Don’t bury breaches and other problems to protect your reputation or out of fear of law enforcement. Own it when you have an issue, and work with law enforcement so that the frequency of the prosecution of cyber-attackers improves. There has been too much reward and not enough risk to cyber-attackers.
Source: Cyber Security & Resiliency Conference participants and attendees