Scrambling For More Security

At the same time the federal government is levying billion dollar fines on banks for mortgage dealings that preceded the Great Recession, banks are facing sophisticated cyberattacks from Russia that may cost billions more. It is not clear that banks can move swiftly enough to escape Russian cyber-piracy.  So far, they have been slow to recognize they’ve been attacked and even slower to halt the damage.  They are trying hard to change their vulnerability, but it will take much more than fresh antivirus software and their behind-schedule move to chip and pin charge cards. A hundred billion here, a hundred billion there – pretty soon consumers should get nervous.

In the summer of 2014, a half dozen large US banks were victims of a cyberattack from Russia. The malware evidently stole some data, but it did not try hard to conceal itself.  It just sat waiting further instructions from its source. The attack looked more like a state-sponsored warning associated with the West’s sanctions on Russia.  When it wants to, Russia can exert thorough control as it did throughout Ukraine’s government systems. Russia is not the only attacker of the financial system. Five years ago, the pace for suspected financial system attacks was 5 per month, but today it is 575 per month.

Banks need a harder shell, better detection and sharpened reaction time. Employees are often the unsuspecting window through which sophisticated attackers enter. The banks are spending at twice last year’s pace to tighten security by plugging any holes they can. Some are using Palerra to track employees snooping in cloud places they should not be. A group of 16 large banks are using Soltra to share attack information among themselves — in seconds instead of the typical 7 hours. And FireEye is popular with government and corporations for detecting and acting against attacks. Banks are not too early with these measures because Europol has recent intelligence that Russia-based tech-gangs are planning a truly massive hit on a financial institution.

Some US software for companies has been adopted so widely that it dominates the marketplace for those functions. While that is laudable, it also creates vulnerability in that hackers need devise just one successful attack against a piece of software in order to compromise most companies. If there were more software diversity, hackers would be less efficient. The Department of Defense complains about this, but there appears to be no short term fix. Doubtless there is a place for better and more encryption in transmission and storage of data. We might have been further ahead with encryption had the NSA not co-opted RSA, the one-time encryption software leader.

Better monitoring, coordination and faster notice to trusted banks is helpful, but our financial system would be far more secure if it could borrow from the skillset of the US Intelligence community. The US financial system has always been acknowledged as a critical infrastructure and it is used as an instrument of foreign policy in many instances (e.g. financial sanctions). A deeper alliance between banks and the US intelligence community would make some people queasy, but since one of the private sector’s attackers appears to be Russia, deeper cooperation seems entirely justified and in the national interest.

Some safeguards would be needed. This subject merits more thought… perhaps less talk.

Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research