Protecting Banks That Share Threat Info: BITS President on the Need for Legislation
To encourage information sharing about cyberthreats, banking institutions need to be protected from liability through the enactment of new federal legislation, says Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable.
"The biggest thing we're looking for is the concept of liability protection when it comes to good faith sharing of information," Smocer says in an interview with Information Security Media Group [transcript below].
Smocer's comments came after President Obama met with banking executives at the White House recently to discuss cybersecurity strategies. The meeting, which Smocer attended, came on the heels of the National Institute of Standards and Technology's issuance of its preliminary version of a cybersecurity framework (see Obama, CEOs Meet on Cybersecurity Framework). The conversation centered on information sharing and protecting organizations that reveal attack and vulnerability information, Smocer says.
"If an organization's sharing information about an attack or an attacker ... and they're doing it to protect others both within and beyond their industry, that act should not result in them somehow bearing liability," Smocer says.
Instead, sharing of information in good faith should provide organizations strong liability protections and protection from disclosures under the Freedom of Information Act, he says.
During this interview, Smocer also discusses:
- The investment needed to enhance cybersecurity and information sharing;
- The role legislation should play in ensuring information sharing is protected;
- Why cyberintelligence sharing must become more of an accepted cross-industry practice.
At BITS, Smocer leads initiatives to enhance e-mail security and advance practices for identifying and validating online customers. BITS is the technology policy division of The Financial Services Roundtable, which was established to protect and promote the economic vitality and integrity of the United States financial system. Smocer joined the Roundtable in February 2008 as vice president of security. Before BITS, he focused on technology risk management at BNY Mellon and led information security at the former Mellon Financial Corp., where he previously served as the CISO and manager of the Technology Assurance Services Division. Smocer began his career at Mellon in 1974, when he joined its Information Technology Audit Group.
Presidential Meeting on Cybersecurity
TRACY KITTEN: President Obama recently met with key executives from IT, financial services and energy companies to talk about ways we can improve the security of the country's critical infrastructure. How unique was this meeting?
PAUL SMOCER: I think the meeting was unique in the sense that it shows the importance of the subject to the nation and the nation's critical infrastructure. But I don't think it was unique in the sense that this is the first time we have heard the administration speak to the subject. Obviously, it's a key subject for them. It's not the first time they have spoken with CEOs about its importance, and it's certainly not the first time that they've spoken with critical infrastructure industries about the importance. ... It continues to show this is an important issue for our country. ...
KITTEN: Who were some of the key executives present at this meeting, and what companies did they represent?
SMOCER: There were eight CEOs who were at the meeting. Three of them were from key financial services companies: MasterCard, Bank of America and Visa. The rest were from a combination of the defense industry, companies that deal with cyberintelligence and support, like Symantec and Intel. [It was] a pretty good representation from CEOs in the financial services industry with three out of eight. That probably speaks to the importance that we, as an industry, have put on cybersecurity and the fact that there's an expectation that, as an industry, this will continue to be an extremely important subject to us.
Catalyst for Meeting
KITTEN: What would you say was the catalyst for the president to call this meeting?
SMOCER: The immediate catalyst beyond just the importance of cybersecurity to the administration was the work that the administration has been able to complete to date, particularly with regard to the President's February executive order on this subject. NIST has been working very diligently on a fairly key part of that executive order, which is the cybersecurity framework, and on Oct. 22 released that framework in draft form. ... The expectation is that in February of 2014, the framework will be finalized. But I think the issuance of the draft of the framework was probably the key stimulus for this meeting - to talk with key critical infrastructure CEOs about the importance of the framework and how the various industries may support it going forward.
KITTEN: What were some of the key topics to come out of this meeting for banking institutions?
SMOCER: It's the recognition that we as a financial industry have been very heavily involved in the development of the framework. We have been participating in all of the public forums that NIST has had with regard to the framework development and the concepts around [it]. We've actually been working a bit with the folks on it. If you recall, this is a voluntary framework. What [are] the incentives and how might we implement incentives for organizations to adopt the framework once it eventually becomes finalized?
I think most of the discussion was to make sure that there was an understanding about at least the direction of the framework. Was it moving in the right direction? Was it something that everyone could believe would advance the importance of cybersecurity and, more importantly, make us a more secure nation? Those were the key topics. Secondarily, there was some discussion ... of the need for additional legislative action with regard to cybersecurity, particularly with regard to information sharing. ...
Information Sharing and Privacy
KITTEN: Information sharing is an interesting topic and cyberintelligence has been a priority for the last year in the wake of these DDoS attacks that have been waged against leading banking institutions by the self-proclaimed hacktivist group al-Qassam Cyber Fighters. Is privacy an increasing issue for banking institutions, especially when it comes to information sharing outside of the financial services sector?
SMOCER: I'd probably answer that in a couple of different ways. I would answer first by saying privacy has always been a concern for financial institutions. Financial institutions ... take the responsibility very seriously for protecting private, non-public information about their customers that's mandated by regulation and law. But it's also just a fundamental tenet of the trust that financial institutions recognize their customers have in them.
Having said that, as we go into this debate around information sharing and privacy, I think there's often some confusion about the kinds of information we're talking about sharing. We're not talking about sharing information about individuals. We're talking about sharing information particularly around the kinds of techniques, processes and software code that's used in these attacks so that everyone can understand both where the attacks are coming from and the nature of the attacks to be able to defend themselves more effectively.
Critical Infrastructure Concerns
KITTEN: What are some of the leading concerns there that revolved around some of these discussions related to critical infrastructure, as well as some of the cost that might be associated with these types of protections?
SMOCER: There's a recognition that security does require an investment obviously, but I think there's also a recognition that the lack of security comes with a cost too, the cost of cleaning up an infected environment. If you happen to be at a company [that] didn't have the right cybersecurity controls in place, [was] attacked and needed to clean that up, there's a cost with that too. As with most things, there's a growing recognition that the cost of prevention in the end is much less expensive than the cost of the eventual disease itself. I think there will be a recognition that there will be additional investment needed, but I think, particularly from a private sector perspective, prevention in the end will be a much less costly event than having to deal with the aftereffects of an attack.
Improvements to Information Sharing Policy
KITTEN: From BITS' perspective, what types of improvements would you like to see where public policies related to information sharing are concerned?
SMOCER: Fundamentally, the biggest thing that we're looking for is the concept of liability protection when it comes to good faith sharing of information. If an organization's sharing information about an attack or an attacker, and they're doing it truly believing that it involves a legitimate attack and they're doing it to protect others both within and beyond their industry, that act should not result in them somehow bearing liability either in front of the bar, in the private sector or through some retaliation from a government agency in some way. Fundamentally, sharing information in good faith should result in strong liability protection and, arguably, secondarily as well, protection from disclosure under FOIA [Freedom of Information Act] to make sure that the company sharing it is properly protected.
Role of Government
KITTEN: Could you explain how government should play a prominent role in ensuring that banks and credit unions have the cybersecurity support and protection that they need?
SMOCER: First, I would recognize that a number of the agencies are already very actively involved either directly if something occurs, or helping through the Treasury to help the industry more broadly. I do think there are some areas that were noted in the executive order where we would like to continue to see some expansion. The declassification of information from agencies so that it gets a broader airing would be something to continue to push on. We're in the information sharing space; not everything relies on people who have to be classified to get that information. That threat information can be disseminated a little more quickly if it's declassified.
But even in situations where it's classified, it would be very helpful for us to be able to find ways to move more quickly and effectively in getting the right people classified in at least critical infrastructure organizations, maybe by default. Barring some extraneous problem, by default the CEO, general counsel or the CIO of critical infrastructure organizations almost automatically get a classified status so that information can be shared with them effectively.
Generally we're seeing law enforcement and the security agencies effectively dealing with the industry, either to help try and prevent or to help react if something does in fact happen. But I think those two things I just mentioned - which I know are the administration's goals as well - would be very helpful.