Regulation is not the answer. That was the repeated response of Michele B. Cantley, CISO of Regions Bank, when asked what the government can do to improve the financial sector’s current security climate at a hearing hosted by the House Financial Services Subcommittee on Capital Markets and Government Sponsored Enterprises this morning.
Mark Graff, Vice President of the NASDAQ OMX Group, painted a fairly stark picture of the financial sector’s reality. All the systems represented by the witnesses in this hearing, he said, are under attack all the time on some level. The large institutions with more staff, he claimed, are less susceptible to sophisticated attacks, while small and local institutions are at a greater disadvantage against such attacks.
Graff believes that the real area of need where the government can help large institutions lies in the compilation and analysis of the massive influx of threat data that passes through their systems on a daily basis.
The direst analysis of the financial sector’s security situation was given by James R. Woodhill of YourMoneyIsNotSafeInTheBank.org.
“I am appearing before you today because your money is not safe in the bank,” he said, somewhat predictably. “It is not safe for American churches, school districts, public libraries or small businesses. Not if they use online banking. Not if they run Microsoft Windows.”
Beyond these, the general consensus among the hearing’s witnesses was that the government needs to do more to enable the sharing of information between public and private entities. Cantley stressed the importance of sharing threat information as quickly as possible, but she also stressed a need to share such information safely. She even suggested the government grant an exemption from the Freedom of Information Act to the financial sector in order to enable and encourage such sharing of threat data.
They also called on the government to do a better job of rapidly sharing information regarding known software vulnerabilities that put the industry at risk. Known international cybercriminals are finding havens abroad, and a number of the witnesses called on the government to do a better job of pressuring foreign governments into prosecuting these individuals.
Errol Weiss, the Director of the Cyber Intelligence Center at Citi, went as far as to say that participation in the global economy should hinge upon a nation’s willingness to cooperate in the fight against cybercrime.
When prompted by members of the committee, the witnesses also cited advanced and highly sophisticated malware, particularly that which is supported by foreign governments and quasi-nation states, as another serious problem for the industry.
Cantley told the subcommittee that internet service providers need to do a better job of dropping malicious traffic before it finds its way to the end user. Weiss commented that the supply chain and communication represent an obvious security soft spot and called on vendors to provide more secure software and products, as well as better and more easily deployable security solutions.
When asked about the Cyber Information Sharing and Protection Act, better known as CISPA, witnesses said the industry supports any improvements to public-private information sharing and thinks that CISPA could be helpful in addressing information-sharing needs.
In addition to Cantley, Graff, Weiss and Woodhill, witnesses included Mark G. Clancy, managing director and CISO of The Depository Trust & Clearing Corporation, and BITS president Paul Smocer. You can find links to their expanded statements here.
You can watch the hearing in its entirety on C-SPAN.