President Obama’s recent extraction of a pledge from Chinese leader Xi Jinping that neither government would conduct or continue economic espionage in cyberspace, while important, still comes up far short of addressing the significant and growing global concerns about the potential for a 9/11-style cyberattack on critical financial sectors.
Now more than ever, dramatically increased cyberthreats to the financial and business sector call for laws governing cyberthreat information sharing between the government and industry — before it’s too late.
Author James Michener once wrote, “We are never prepared for what we expect.” Cyberattacks involving data breaches, destructive software and attempts to disable critical segments of the financial sector worldwide have been dramatically increasing. This is not new news — alarm bells have been ringing.
In a statement before the Senate Select Committee on Intelligence outlining the worldwide threat assessment of the U.S. intelligence community, the U.S. Director of National Intelligence reported in early 2011 that there has been a major increase in malicious cyber activity targeting U.S. computers and networks, including more than triple the volume of malicious software attacks since 2009.
Similarly, a 2011 U.S. Government Accountability Office report entitled Critical Infrastructure Protection reported that threats to financial institutions have included increased attacks from a variety of sources, including criminal groups, hackers, disgruntled employees, foreign governments engaged in espionage and information warfare and terrorist groups.
Furthermore, the media has reported that these cyberattacks have included, among other things:
- Attempts by cybercriminals to use online banking and payment systems to transfer money from financial institutions to their own accounts.
- Government and terrorist attacks designed to disrupt or disable key parts of the financial sector and probe infrastructure weaknesses.
- Data breaches of confidential customer data used to cause reputational and financial harm.
- Data breaches of confidential customer data used for extortion.
U.S. financial regulators are increasingly recognizing the threats of cyberattacks, with one senior regulator characterizing it as “the biggest system risk we have facing us.” The Financial Stability Oversight Council recently warned that the U.S. financial system is “highly dependent on” often interconnected information technology systems that create — and thus, enhance — the risk of a single cyber incident impacting many institutions simultaneously, with malicious actions infiltrating internal systems and infrastructure in ways that may be hard to detect.
Given the real and rising threats of cyberattacks against major financial institutions, and the potential for significant impact on the global economy, financial regulation and law enforcement have not only heightened their scrutiny of cybersecurity programs, but are increasingly adopting new laws, regulations and policies that focus on cyber resilience and threat response. The U.S., for example, has in recent years issued hundreds of cybersecurity regulatory guidance documents related to the banking and finance sector.
These cyberattack concerns extend to the U.S. government itself, with Senator Mark Warner (D-VA) recently co-sponsoring the RECOVER Act, in response to the fact that the federal government has been recently subjected to various cyberattacks compromising the personal data of 21.5 million federal workers, including OPM’s recent disclosure that the fingerprints of 5.6 million government employees had been stolen in these data hacks.
Notably, Presidential Executive Order 13691, issued by President Obama on February 13, 2015, characterizes cyberthreats as a “national emergency” and calls for increased cooperation and information sharing on such threats within both the government and private sector, as well as enhanced cyber resilience standards. Executive Order 13691 encourages — but does not require — information sharing. Legislation establishing a legal and procedural framework for cyberthreat information sharing is viewed by many as a necessary next step.
In response to recent cyberattacks on Sony, JPMorgan Chase, Home Depot, Target and other major companies, important legislative efforts are already underway to require information sharing on cyberthreats. The U.S. House of Representatives recently voted on a bipartisan basis 307-116 to approve the Protecting Cyber Networks Act. Similarly, S. 754, the proposed Cybersecurity Information Sharing Act of 2015, was recently reconciled with the House bill and passed by the Senate on a bipartisan basis, with a 74-21 vote.
Companies are likely to raise competitive concerns about pooling cyberthreat information in their industry. Also, the possibility of government turf battles is reminiscent of pre-9/11 “compartmentalization” of important threat information dispersed among various agencies.
These concerns, while important, can be resolved in a manner consistent with protecting privacy and competitive concerns, and they certainly pale in comparison to the potential threats presented. Both the private sector and government will benefit from a shared database of threat assessment information.
The ability to analyze trends and data in a comprehensive cyberthreat information database will put both government and the private sector in a far better position to “connect the dots” and, thus, take steps to address and prevent cyberthreats. As with terrorist threat information — notably, also a potential source of current cyberattacks — post-9/11 legislation has provided for information sharing among critical agencies; the same can be done for cyberthreat information sharing.
Interestingly enough, financial institutions already are generally required to file a SAR (suspicious activity report) with the U.S. Department of Treasury’s FinCEN office, and with their primary regulatory agency, regarding any reasonable suspicion of illegal cyberhacking or data breach activity — which certainly includes data breaching and cyberattacks. To expand this type of reporting to other segments of the critical business sector is important.
The Senate bill’s provisions provide immunity from lawsuits by consumers and shareholders for companies sharing information, and will help to encourage information sharing. The real question is whether voluntary information sharing will ultimately prove to be enough. The results of a cyberattack that would potentially cripple critical financial sector infrastructure and businesses should not be underestimated, and could have a catastrophic effect on the U.S. and global economies.
This potential threat requires strong and decisive legislative action soon to put private sector companies and the U.S. government in a position to share potential cyberthreat information in order to protect our country and the global economy.