The more of American society that links into the internet, the greater our exposure to people who don’t wish any of us well.
Speakers at the Government Relations Summit sponsored by the American Bankers Association noted how cyber risks have led to unprecedented, unusual collaboration and cooperation among private sector interests and public sector interests.
And, speakers indicated, America will need all that cooperation, and more, because the exposure continues to grow.
Beyond the obvious risk points
No longer are threats confined to the world of items that are seen as computers, like laptops and desktops. The internet of things has created a much broader front for cyber battle.
“Your Fitbit, your refrigerator, your pacemaker, your car are all now threat vectors,” said Michael Daniel, special assistant to the President and cybersecurity coordinator. “This has made the problem that much harder.”
Daniel said that “our adversaries have discovered that they can hold us at risk in cyber space in ways they can’t in any other environment.”
The good news—though not really good—is that many banks are not targets of intent, but targets of opportunity, according to Amias Gerety, acting Assistant Secretary for Financial Institutions at the Treasury Department.
“Many cyber incidents begin with low-tech entry,” said Gerety. Using automated means, various types of bad guys, be they criminals, terrorists, or hacktivists, troll for unsecured ways into systems. Woe to the bank that leaves an unlocked electronic “door” to be discovered by such opportunists.
As bad as the Sony Pictures break-in was a while back, said Gerety, the outage those systems experienced didn’t affect daily operations as much as a similar outage would affect a bank. “Movies were still made,” said Gerety. On the banking front, however, “six weeks [down] is too long,” he said.
5 questions to ask
Moderator Doug Johnson, senior vice-president and senior advisor for risk management at ABA, asked his panelists for advice. Daniel, whose father is a banker, suggested bank management pose these questions internally:
1. Do we know what information we have internally and do we know why it is important to have it?
2. Do we have in place the ability to tell if we’ve been attacked?
3. What kinds of protections do we have in place already? (Daniel said management must insist that tech staff explain this in plain language.)
4. What are the bank’s protocols if the bank has an incident?
5. How will the bank recover when an inevitable intrusion occurs?
“Asking those questions can drive incredible improvements in your cybersecurity,” said Daniel. However, he added, it is important to understand that cybersecurity is going to be a long game.
“We didn’t get into this situation overnight,” said Daniel, “and we aren’t going to get out of it overnight.”
Gerety noted that both the private and public sectors have found tabletop cyber disaster exercises helpful; these test the organization’s mettle against a theoretical disaster. More such tools are coming from government agencies and trade groups to help institutions prepare. Johnson said these are increasingly being tailored to the local level, to enable training closest to how an actual incident might occur.
One final point Daniel mentioned should help keep a fire under the issue in Washington: Cybercrime is not a partisan matter.
“Our adversaries don’t tend to care about our party affiliation when they hack us,” he said.