Defence in the fourth dimension
In the plenary room at Sibos 2017, and across other dedicated sessions, cybersecurity experts spoke in favour of a collective, comprehensive and multi-faceted approach
Last year’s first Big Issue Debate took a deep dive into the many challenges around cybersecurity and digitisation, both for the finance sector and the wider world.
Admiral Michelle Howard, commander of the US Naval Forces in Europe & Africa, defined the obligations of leadership in the rapidly changing landscape of the cyber domain. She outlined the evolving threat surface over the history of the US Navy, explaining how the range of potential threats had expanded from a single dimension (enemy ships) to account for attacks from above (enemy air forces) and below (enemy submarines). For Howard, cyber is the fourth dimension, with the potency of the threat magnified by its ability to move at the speed of light.
Howard also talked about the need to adopt and utilise technology and the importance of the ongoing arms race in the war against cybersecurity threats. “If we don’t understand how this domain works, that it’s going to be powerful, we will fail. You have to understand how to operate, how to embrace new technology and then you have to lead the way in its employment,” she said.
A coordinated response
Howard was joined by Rohan Amin, global chief information security officer at JP Morgan, and technologist and hacker Pablos Holman, for a debate that ranged across employee education, creating a culture of security, and how the industry can best move forward collectively to protect itself and its clients.
The accelerating digitisation of financial services and a flow of recent breaches – both within and beyond the industry – have put cybersecurity high on the agenda of banks’ customers, requiring a coordinated response from executives responsible for business and technology operations, said Amin.
“Trust today is about digital and cybersecurity. Customers expect that in all of the interactions they have with you, from the products and services being made available to them, to how you innovate,” said Amin. “It is important that the technology and the security teams are working closely with the business on the creation of new products and services, to make sure we are thinking about security from the very beginning, not something that we try to bolt on a little later. It must be inherent in the design.”
Effective defence requires an understanding of the nature of the threat. According to Holman, most cyber attackers are driven by economic opportunity, typically presented by weaknesses in authentication or coding, which are hard to eliminate for complex and multi-dimensional firms with large attack surfaces. “A bank or big company has to make sure they are not the low-lying fruit. If you’re being chased by a bear, you don’t have to be able to run faster than the bear, you just have to be able to run faster than your friends,” said Holman, who is currently working on a number of projects at the Washington, US-based Intellectual Ventures Laboratory.
But banks know from experience that a hit to one damages trust in all. So many and deep are the interdependences in the financial services sector that protection of the entire ecosystem is central to the protection of individual institutions and their customers. “When you consider the business processes that are systematically important, such as wholesale payments, that’s not something that a single institution does on its own,” said Amin. “It is an ecosystem and it is really important that you get the ecosystem together.”
‘Loose tweets sink fleets’
For Howard, those institutions that think they’re faster than the bear have already tripped, and are likely to fall into the group that don’t yet realise they have been hacked. “One of the things we have learned is that it’s about the control of information, which can move very quickly. Everyone is connected,” she noted. “In WWI there was an expression: ‘Loose lips sink ships’. A few years ago, our folks updated it to: ‘Loose tweets sink fleets’.”
A comprehensive approach to cybersecurity should include detection, isolation and containment measures as well as prevention, panellists suggested. As Holman noted, anticipation of the cyber attacker’s next move is unlikely to be enough. “Attackers will always have more time and attention to waste on messing with your stuff than you do. You have to change your perspective from this notion of ensuring security in almost every environment. You can try, but you’re not going to make things totally secure,” he insisted. “It’s not a security problem though; it’s a risk management problem.”
Banks should assume that they have been compromised, Holman added, and act accordingly. “If you set yourself up to manage the risk and manage the scenario when things go wrong, you will be vastly more resilient and in a much better position than if you try to make things totally secure,” he said.
Agreeing that an all-out focus on prevention of cybersecurity threats will most likely fail, Amin noted an increasing focus among banks on resilience and recovery. He said: “Sometimes we find that institutions have exclusively focused on preventive controls, but I think it is critically important that banks get comfortable with all aspects of what they’re going to have to deal with when an attack comes.”
Preparation, education, collaboration
Prevention may not be possible; preparation is. In the session, ‘Cybersecurity: Trends and implications in financial services’, JP Morgan’s global head of wholesale banking operations, Lester Owens, said that a proactive, holistic risk-based approach to cybersecurity has to include significant levels of client education, not just on cyberthreats, but covering both strategic and tactical responses. It must also include training and support for staff and collaboration with other banks.
According to Owens, measures introduced to support internal staff include the development of individual user profiles, implementation of software to prevent internal users from accessing fake websites, and use of fraud engine tools that allow for different types of anomaly detection.
JP Morgan also undertakes several types of cybersecurity testing in league with other banks and is participating in SWIFT’s Customer Security Programme (CSP), designed to support users in reinforcing their SWIFT-related infrastructure, help them prevent and detect fraud in their commercial relationships, and continuously share information and prepare against future cyber-threats. Owens said he found the programme very useful. “It allows you to take a step back and ask: what controls do we have in place that complement the CSP; and what can we improve on?” he said.
Information-sharing and implementing best practices will be a key lynchpin in future years, panellists observed. One cited example was the Financial Systemic Analysis & Resilience Center, set up last year by eight US banks, with support from government and industry partners, to collaborate on a scenario regarding a major bank being impacted by a cybersecurity incident, rendering it unable to execute payments. Six workstreams were formed – liquidity, customer strategy, operations, communications, governance, and indicators & warnings – to drive the most pressing issues.
Said Owens: “Collectively, we held a table-top exercise last week, which was very positive in driving dialogue forward. We will continue to drive the workstreams to implement a consistent approach across the industry.”
In ‘Are capital markets more secure than payments?’, panellists discussed whether the digitisation of data in the securities industry has created potential opportunities for cyber criminals. Although they concluded the securities industry is intrinsically different from the payments industry, the risks, and potential abuses of the system, are scarcely lower. As such, panellists agreed that data protection had to be a top priority.
Vuk Magdelinic, CEO of Overbond, a Toronto-based primary bond issuance platform, said that multi-counterparty access to a central hub could help prevent data leakage; essentially proposing an operational solution, rather than a preventative approach, such as monitoring multiple hubs. But for Yves Poullet, chief technology officer of Euroclear, collaboration should be regarded as the industry’s strongest weapon in the fight against cyber crime. “Collaboration is absolutely key,” he declared. “We’re not in a competition situation; it’s about the industry protecting itself against people who want to harm it.”
Echoing Holman, Poullet further suggested that the inherent complexity and interconnectedness of financial market participants and infrastructure operators meant that weak links are all but inevitable. As such, protection from cyber attacks depends on people as much as technology.
“Cybersecurity is not only an IT issue,” he said. “People are an absolutely essential component in protecting the company against cyber threats. Apart from firewalls, anti-virus software and other measures, companies are dependent upon their staff. Good social controls, access management and cyber awareness are key in the fight against cyber crime.”