Treasury's New Focus on Cyber-RisksLew's Speech Could Signal Policy Change
Treasury Secretary Jacob Lew this week took the precedent-setting step of publicly addressing what he referred to as the financial system's cybersecurity shortcomings. Lew's comments were noteworthy because they apparently mark the first time a member of the Treasury Department has directly addressed cyber-risks.
Lew's remarks about the need for banking institutions, retailers and all other parties involved in financial services to make cybersecurity, and cyberthreat information sharing, a top priority could signal a policy shift for the Treasury, says Tom Kellerman, chief cybersecurity officer at Trend Micro.
"This is the first time a Secretary of Treasury has made such a declaration," Kellermann says. "The regulators and bank examiners will now become much more proactive in their roles."
Point-of-sale attacks against major retailers, including Target Corp., Neiman Marcus and retail crafts store chain Michaels, illustrate why cyberthreat information sharing is needed to adequately protect the country's critical infrastructure, Lew noted during the Delivering Alpha conference hosted July 17 by cable news station CNBC and global financial magazine Institutional Investor.
"These incidents represent a direct threat to our economic and national security, perpetrated by state and non-state actors around the world, with growing intensity and increasing sophistication," he says. "Our cyberdefenses are not yet where they need to be."
A malicious cyber-actor could cause "catastrophic damage" to the U.S. financial system without directly attacking a banking institution, Lew says. Cybersecurity vulnerabilities to financial data may be exploited through vendors, suppliers and contractors, he adds.
"While companies have the primary responsibility to protect themselves from cyberthreats, government also has an important role in helping companies enhance their protections," he says. "It is a public responsibility to prosecute cybercriminals, hold state-sponsored attackers accountable, provide critical intelligence about specific threats and share best practices."
Is Government Involvement Practical?
But privacy attorney Ron Raether says the broad statements made by Lew about what can be done to solve the problems vexing information sharing won't likely translate well into tangible practices in the business world.
"The problem with the government being involved stems from enforcement actions by the FTC [Federal Trade Commission] and the state AGs [Attorneys General]," Raether says. "Should a company share an attack and disclose itself as a target for investigation? That's a question even more difficult, given the lack of standards and uncertainty, as to the 'reasonable standards' expected by these organizations."
The banking sector has expressed concerns about the adverse effect too much government and regulatory oversight could have on information sharing (see Over-Assessing Cybersecurity?).
"To make this [proposed cybersecurity] program effective, the government needs to create a safe harbor for participating companies," Raether says.
Attorney James Harris, who works as an IT security auditor for Austin, Texas-based Compliance Advisory Services LLC, notes: "As more and more companies announced data breaches ... it was inevitable that banking regulators would send out warnings to all financial institutions to be more vigilant. There is noticeable concern with smaller institutions, many of which do not have sufficient manpower, expertise and resources to combat the attack vectors that attackers employ.
"I would not be surprised if the regulators encourage financial institutions to employ additional safeguards. This goes hand-in-hand with the recent announcement of upcoming cyber-assessments by federal bank regulators."
TrendMicro's Kellermann says Lew's comments fall in line with what other regulatory bodies have been saying for the last several months about gaps in cybersecurity policies at banks and credit unions, especially smaller institutions.
"This issue has now been raised to the board level and CEO's office at all financial institutions," Kellermann says. "Trust and confidence must be improved through greater transparency on breaches. The safety and soundness of the financial sector is now dependent on cybersecurity as the threat from 'cyber-Dillinger' gangs grows."
In its annual report issued in June, the Financial Stability Oversight Council, which is chaired by the Secretary of the Treasury, for the first time since its establishment in 2010 provided recommendations for regulatory involvement in cyber-intelligence sharing (see FSOC: A Call For Cybersecurity Action).
In the report, the FSOC recommends that the Treasury Department work with banking regulators and other appropriate government agencies, such as the Federal Financial Institutions Examination Council, as well as private financial firms, to improve information sharing about cyber-threats and other risks facing the U.S. financial system.
"The vulnerabilities posed by cross-sector dependencies and interconnected systems across firms, markets, and service providers can lead to significant cybersecurity risks," the FSOC states. "These risks could impact economic security, demanding a coordinated and collaborative government-wide commitment and partnership with the private sector to promote infrastructure security and resilience."
Then, just weeks later, Tim Pawlenty, former two-term governor of Minnesota who's now CEO of the Financial Services Roundtable, said during a financial services cybersecurity forum in New York that information sharing between the government and financial services needed improvement.
"Cyber-attacks are waged by a range of attackers," Pawlenty says. "The House passed an information sharing bill in September. Now the Senate is looking at something similar" (see Cybersecurity Info Sharing Bill Draws Criticism).
Tim Pawlenty on why information-sharing legislation is needed.
Legislation should provide "clear rules" that will foster collaboration between the public and private sectors and provide important liability protection for companies to share information, Lew said this week.
"It is time for Congress to pass cyber legislation," he says. "Disclosing security breaches is often perceived as something that could harm a firm's reputation. This has made many businesses reluctant to reveal information about cyber-incidents. But this reluctance has to be put aside. There cannot be a code of either silence or secrecy about the steps necessary to protect our basic security. Sharing information is far too essential."
Though the White House seeks cyberthreat information-sharing legislation, it threatened last year a presidential veto of the House-passed Cyber Intelligence Sharing and Protection Act, saying the legislation didn't go far enough to protect civil liberties and offered liability protections too broad to businesses that share cyberthreat information (see White House Threatens CISPA Veto Again). The administration has yet to present its views on a similar bill before the Senate, the Cybersecurity Information Sharing Act.