Banks are at war: are we winning? [#SIBOS]

I just attended the big plenary debate here, talking about the cyber wars escalation and asking if banks are winning.  The panel was chaired by Ben Rooney, Co Editor in Chief, Informilo, and comprised a panel including: 

David Wagner, Digital Security, Entrust

James Kaplan, Principal, McKinsey

Kris Lovejoy, General Manager, IBM Security Services Division

Charles Blauner, Global Head of Information Security and Chair, Financial Services Sector Coordinating Council, Citi

This was an interactive session with audience voting talking about all aspects of preventing and fighting cybercrime.

One of the first votes was:

Where should the cyberdefence budget be spent?

Prevention – 61%

Detection – 20%

Reaction and recovery – 14%

Not sure – 4%

This was an interesting result, as I firmly agreed with the view of Charles Blauner, who said that was worrying.  Ten years ago, we were talking prevention.  Today, we should be talking about detection and response, as the ‘bad guys weaponry is better than ours’ (Charles Blauner, Citi).  We will get hacked.  We will get attacked.

Home Depot, Target and many of the other big breaches did not find out they had been breached themselves.  They were told by their customers.  Their failure was theretofore not in prevention, but in detection.  You need detection and response as much, if not more than, prevention.

When 1 out of 3 of us are infected with some form of malware, prevention is a bit like washing your hands to avoid MRSA.  Then the focus should move to where are the real threats?  How do you detect the difference between ebola and the common cold?

Equally, there is a reputational hit here, and what would the diminished trust with consumers mean thanks to coverage of breaches and losses?

So we should start with prevention and then work out how to detect and react is key. 

Then the question arises: How do you measure the ROI on security?

It’s not an ROI, it’s more about you either care about security or you don’t.  For example, in Charles Blauner’s case, “I don’t have to argue to get the money. I get the money I need.  My issue is how to prioritise where I spend it.  We do that by talking about the threats to our business – of which there are around 104 – and then work out which is the greatest and most material risks, and those are the ones that get the bulk of the money.

“In Citi,we have a team dedicated to the unknown unknowns.  They are a hunt team that are continually trying to sniff out anything that looks amiss. They won’t know why or what is amiss, but they are just trying to detect it.”

Kris from IBM puts it in the context of you are looking for the things that you shouldn’t normally see.

I wondered at this point about the balance between cybersecurity investment versus, for example, AML.  With sanctions fines running to billions of dollars, cybersecurity breaches are far smaller losses for banks , although they are far greater for the economy at large.  According to a report http://www.ft.com/cms/s/0/45bf9898-f3bf-11e2-942f-00144feabdc0 published by Washington-based Center for Strategic and International Studies (CSIS) last year -  “Estimating the Cost of Cybercrime and Cyber Espionage” – cybercrime costs around $300 billion a year to the global economy.

The panel then moved on to discuss: what role should regulators or other government agencies have in fighting cybercrime? with an audience vote:

20% - Coordination

10% - Regulation

8% - Reporting

57% - All of the above

5% -  None of the above

The industry does not need more regulation here, but more information sharing.  Governments have a lot of information sources that they can share with banks to highlight issues and exposures.

If anything, it may be more around regulations and standards that enforcers put upon the telecommunications and technology providers to ensure that these industries are tracking suspicious activities.  These industries serve us and it should not necessarily be the banking markets that are solely responsible for tracking cybercrime.  Surely, as telco’s and technology providers deliver the tools for these criminals, they should have a duty here as well.

Complexity introduces risk.

Privacy is another issue. 

We want privacy and security but they don’t go hand in hand.  For example, in  Finland, the government has made it impossible to share IP addresses, as that is now personally identifiable information.  So you cannot tell who is a bad actor in Finland, as they won’t allow access to the IP addresses for privacy purposes.  That’s a real issue.

In the EU we have this right to be forgotten law applied to Google (and likely to be Facebook), so that you can have anonymity on the net, and yet some banks think that this is also the wrong view.  This law means that, where there are criminals, banks would have to ask the EU citizen: can we come find out if you’re a criminal.  You’re not going to volunteer an answer to that, if you are one.

Singapore is different.  Singapore provides exclusions for information usage – e.g. for marketing or sales purposes – but allows a balance such that you can have the data when it’s being used for security purpose and making citizens safer.

That’s a balance the EU needs to consider.

One question asked if the audience felt it likely or unlikely that they would suffer cybercrime and, surprisingly, 70% of the audience think it’s very likely (44%) or likely (26%) that their institution will be a victim of cybercrime in the next year. 

I guess we need to define victim as, to me, it means a breach and I cannot imagine that 7 out of 10 bank cyberdefences are going to be breached in the next year (or am I too optimistic).

I remember that IBM said that the typical bank gets 111 million cyberattacks a year, of which 87 would be mission-critical http://thefinanser.co.uk/fsclub/2014/01/banks-legacy-liability-is-resolved-by-the-cloud, and that number is doubling year on year, so an attack is likely … but a breach?

Oh, maybe.

From Bloomberg four weeks ago  ...

Russian Hackers Said to Loot Gigabytes of Big Bank Data http://www.bloomberg.com/news/2014-08-28/russian-hackers-said-to-loot-gigabytes-of-big-bank-data

Russian hackers attacked JPMorgan Chase & Co. (and JPMorgan spends about $200 million each year to protect itself from cyber attacks) and at least four other banks this month in a coordinated assault that resulted in the loss of gigabytes of customer data, according to two people familiar with the investigation.

At least one of the banks has linked the breach to Russian state-sponsored hackers, said one of the people. The FBI is investigating whether the attack could have been in retaliation for U.S.-imposed sanctions on Russia, said the second person, who also asked not to be identified, citing the continuing investigation.

The attack led to the theft of account information that could be used to drain funds, according to a U.S. official and another person briefed by law enforcement who said the victims may have included European banks. Hackers also took sensitive information from employee computers.

Most thefts of financial information involve retailers or personal computers of consumers. Stealing data from big banks is rare, because they have elaborate firewalls and security systems.

Securing the Net

JPMorgan, the biggest U.S. bank, said today it took additional steps to safeguard sensitive and confidential information. The company will contact any customers that might have been affected, though it hasn’t seen unusual levels of fraud, Patricia Wexler, a spokeswoman for New York-based JPMorgan, said in an e-mail. She declined to give examples of the firm’s stepped-up security.

Russian Troops

The incidents occurred at a low point in relations between the U.S. and Russia. Russian troops continue to mass on the Ukrainian border even after U.S. and European nations have hurt the Russian economy with sanctions. Russia has a history of using criminals and other proxies to hit back at adversaries in cyberspace.

“The way the Russians do it, to the extent we can see into the process, is they encourage certain targets,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington. “The Russians typically keep open the options to do something more, and the question now is what would trigger that and what would our response be.”

Investigators have determined that the attacks were routed through computers in Latin America and other regions via servers used by Russian hackers, according to people familiar with the probe.

Zero-Day Flaw

The hackers took advantage of a type of software flaw known as a zero-day in at least one of the bank’s websites, according to one of the people familiar with the investigation. They then plowed through layers of elaborate security to steal the data, which security specialists said appeared far beyond the capability of ordinary criminal hackers. Companies don’t know their systems have zero-day vulnerabilities, which hackers use to take remote command of a computer.

The sophistication of the attack and technical indicators extracted from the banks’ computers provide some evidence of a government link. Still, the trail is murky enough that cyber criminals from Russia or elsewhere in Eastern Europe could be behind the assaults. Other federal agencies, including the National Security Agency, are aiding the investigation, said another person familiar with the probe.

The Federal Bureau of Investigation is working with the U.S. Secret Service to determine the scope of “recently reported cyber attacks against several American financial institutions,” J. Peter Donald, a spokesman for the FBI in New York, said in a statement.

Increased Attacks

Attacks on the U.S. financial sector from Russia and Eastern Europe have jumped over the last several months, according to several cybersecurity experts. Companies and U.S. officials are examining the possibility that the uptick is related to the conflict over Russia’s behavior in Ukraine.

Authorities are looking for signs that the data stolen in the latest attack has been used to move money from accounts. No such activity had been spotted as of yesterday afternoon. The absence of fraud would lend support to the theory that the hack had a political motive, the government official said.

U.S. and European sanctions have altered the way banks are interacting with Russian entities, triggering the ire of Russian officials. In April, JPMorgan was singled out for criticism when it blocked a payment from a Russian embassy to the affiliate of a U.S.-sanctioned bank. Russia’s foreign ministry called the move by New York-based JPMorgan “illegal and absurd.” The U.S. bank was widely criticized by Russian commentators.

Sanctions Tightened

ISight Partners, a Dallas-based company that provides intelligence on cyber threats to some of the largest banks, recently warned clients of the potential for retaliatory attacks in cyberspace as sanctions tightened. Russia has used such attacks before. In conflicts with Estonia and Georgia, hackers crashed those countries’ communications systems and government websites.

“Russia has a policy of reactionary attacks in relation to political contexts,” said John Hultquist, a cybersecurity specialist at iSight who declined to comment on the bank hacks. “When it comes to countries outside their sphere of influence, those attacks would be more surreptitious.”

Losses Unclear

It couldn’t be determined whether this month’s data thefts resulted in any financial losses for consumers. The people familiar with the hacks didn’t specify whether the stolen information included credit-card numbers or other easily sold financial data.

JPMorgan Chief Executive Officer Jamie Dimon, 58, has warned shareholders in annual letters that hackers’ efforts to breach the bank’s computers were growing more frequent, sophisticated and dangerous. The bank expects to boost annual spending on cybersecurity by 25 percent to about $250 million by the end of the year from 2013 levels, he wrote in April.

“We’re making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe,” Dimon said in that letter. “It is going to be a continual and likely never-ending battle to stay ahead of it -- and, unfortunately, not every battle will be won.”

JPMorgan fell 35 cents to $59.24 in New York trading as of 1:45 p.m. The shares have risen 1.3 percent this year.

Banks must disclose when customer data is breached, a process that can take days or weeks. Companies often don’t immediately know what information was taken or who was affected. If a theft leads to losses, consumers have more protections than corporations.

Even if the U.S. government makes a direct link from the attacks to Russia, any U.S. reaction may be muted, said Lewis of CSIS. The threshold for a military response is either massive economic harm or potential loss of life, he said.

“You’ll see a continued effort to strengthen the defenses of the financial sector, but there is a general reluctance to do a tit-for-tat in cyberspace,” Lewis said.