Clancy: Can the Markets Be Protected From Cyber Espionage?
When a cyber-attack on the European market for carbon credit trading last year resulted in the theft of 30 million euros and the closure of the EU Emissions Trading System for more than a week, it reinforced the serious threat posed by cyber-criminals to the integrity and stability of the financial sector. A recent study by the Treasury Department found that cyber-crime accounts for more revenue than international drug cartel income, running into the hundreds of billions of dollars annually.
At a House Capital Markets Subcommittee hearing last week on cyber-threats to the capital markets, lawmakers heard a consistent message from the industry – collaboration and information sharing between the federal government and financial institutions must be enhanced to more effectively manage and mitigate cyber risk today. A critical step in that process involves restarting a successful but now-defunct pilot program that helped the industry thwart acts of cyber espionage.
This particular type of cyber-crime, if left unchecked, represents a significant danger to the long-term national and economic security of the United States or any nation targeted for attack. Cyber espionage is the 21st century version of the “spy vs. spy” activity that has occurred for millennia. However, it has expanded in recent years beyond attempts to steal national secrets to now include cyber theft of proprietary information from corporations or governments to gain an economic and competitive advantage over the commercial interests of that country.
The Department of Defense (DoD) and Department of Homeland Security (DHS) took steps to harden the sector’s defenses against these crimes in 2010 by establishing the Government Information Sharing Framework (GISF). It allowed for the sharing of advanced threat and attack data between the federal government and 16 financial services firms that were deemed capable of protecting highly sensitive information. The program was expanded over time to include the sharing of classified technical and analytical data on threat identification and mitigation techniques.
Under the GISF program, pilot participants gained access to a treasure trove of actionable information to search for similar threat activity in their own networks as well as contextual information to better understand the risk implications of various threats. In addition, firms could utilize previously unavailable quantifiable information to adjust assessments of cyber espionage.
Information sharing like that which occurred under the GISF program represented a critical line of defense in protecting against cyber espionage. The program drove innovative new initiatives in the industry and helped reshape the sector’s approach to assessing cyber espionage risks while prompting pilot firms, including my own organization, to revise best practices for managing threat information. It also spurred financial institutions to make significant additional investments in threat mitigation and detection capabilities that otherwise could not have been easily justified due to the lack of understanding of the risk to the sector.
Unfortunately, the program was in effect terminated in December 2011, cutting off the flow of valuable information at a time when threats to the sector are increasing. Over the past six months, several financial organizations have experienced threat activity from cyber-criminals first identified to the industry through GISF reporting.
It was heartening that several members of the Committee expressed interest in exploring ways to restart the program as well as expanding it to include a broader group of financial institutions to ensure the reach and impact of this type of reporting could scale to the depth and breadth of the financial sector.
As the sophistication and technological means of cyber-criminals increase, the financial industry and government need to move from a static, one-size-fits-all framework to a risk-based one that incorporates the dynamic nature of the threat landscape, the individual firms in the financial sector and the global nature of the capital markets.
While the public and private sectors have taken important steps forward in recent years to enhance collaboration, a greater degree of trust and information sharing is needed to ensure that all available resources are working in concert to protect and defend the financial sector from cyber-attack. There is already much progress to build on in this area, starting foremost with restarting and expanding the GISF program.
Mark Clancy is Managing Director and Corporate Information Security Officer for The Depository Trust & Clearing Corporation (DTCC), a non-commercial cooperative that serves as the critical infrastructure for U.S. capital markets and markets globally.