US banks test cyber defenses under Treasury direction
As global tensions rise over Ukraine, the fierce competitiveness of the US financial sector is giving way to a partnership based on the belief that a cyberattack against even a group of minor banks – or a third-party service provider – could jeopardize everyone in a highly connected system.
Some of the nation’s largest banks are now working with the Treasury Department, role-playing and sharing information they would have kept close in the past.
“You’re only as good as your weakest link,” said Ron O’Hanley, chief executive of State Street Corp, one of the largest fund managers and custodian banks in the United States. “Networks are made not only by what you do, but also by the suppliers you rely on, the counterparties you deal with, even the regulators you deal with,” he said in an interview.
As part of a broader move to strengthen defenses, Treasury officials late last month brought together executives from several major banks and practiced how they would contact one another and work together in a range of cyberattack scenarios.
This simulation exercise, which has not previously been reported, included JPMorgan Chase & Co, Bank of America Corp and Morgan Stanley. It went through five hypothetical threat levels, ranging from minor assaults to a full-scale attack on several critical banks and payment systems.
“You can invest in defenses, but that aspect of repeated practice and continuous improvement is the key to responding to the next threat,” said JF Legault, global head of cybersecurity at JPMorgan Chase during a telephone interview.
Treasury officials also decided to declassify more information to put it in front of financial executives and to extend security clearance to more employees at major banks.
Russia’s invasion of Ukraine and subsequent sanctions against Moscow have upset a fragile balance of financial security. Governments adept at cyber warfare, such as China and Russia, were once seen as players in the global dollar asset market, which in effect prompted them to ignore financial infrastructure.
“What was different with Russia-Ukraine is that the potential threats were not only obvious, but you had a player that was known to be the best in the world in terms of cyber threats,” State Street’s O’Hanley said. “We take all cyber threats seriously, but you start to think about it differently when it comes to a nation state and, especially in the context of armed conflict.”
The Treasury was also aware that the threat landscape was changing at the end of last year. As they planned the sanctions to be triggered in the event of an invasion of Ukraine, officials concluded that preparations for cyberattacks needed to be stepped up.
“Once we knew where we were going to land with some of the first sanctions plans by the end of 2021 and how severe they were going to be, we knew we had to update our incident response manuals and work with the sector to increase information sharing,” Todd Conklin, adviser to Treasury No. 2 official Deputy Secretary Wally Adeyemo, said in an interview.
This is part of a steady expansion of a public-private partnership around responding to cyberattacks.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, was founded in 2018 as the lead agency for cyber protection. Nonetheless, Adeyemo said Treasury Secretary Janet Yellen told him on his first day to make cybersecurity a priority.
Adeyemo was inspired by past financial crises, which clearly showed how the interconnectedness of banks makes them vulnerable.
“Telling them ‘shield’ without providing additional support and information sharing isn’t that helpful,” Conklin said. “It’s about making sure that if something happens, we have a plan in place for a collective response.”
When a point in the financial system is attacked, information about the event should be sent through the network of companies, regulators and intelligence agencies as quickly as possible, officials said. Instead of hoarding information for competitive advantage and stifling any unfortunate development, companies need to think cooperatively, sharing intelligence. “It’s about sharing information as soon as possible to ensure that if there is an attack somewhere, you protect the rest of the system,” Adeyemo said.
The biggest banks have known this for a few years, but they are now going further than in the past.
In 2016, the eight largest players, led by JPMorgan and Bank of America, formed the Analysis and Resilience Center for Systemic Risk (ARC), aimed at increasing collaboration in monitoring and protecting critical systems exposed to the Internet, with emphasis on early-warning capabilities. It has since grown to include exchanges and clearinghouses as well as several major energy companies.
The group set up its headquarters just outside of Washington because bank executives wanted ARC to work closely with the government, according to Scott DePasquale, ARC president and CEO. A Treasury official co-chairs the group’s risk committee.
There is also a broader ARC counterpart, the Financial Services Information Sharing and Analysis Center, whose members include a wide range of companies from banks and insurers to fintechs, from more than 70 countries.
Concerns remain, particularly regarding third-party service providers.
In the 2020 SolarWinds attack, according to US officials, compromised software was used by Russian hackers to gain access to nearly 18,000 computer systems at more than 100 companies and nine federal government agencies, including the Treasury, Homeland Security and the State Department.
But targets don’t need to be so high profile to cause damage. In 2021, Kaseya, an American company that provides IT management and security software services – with a customer base that includes many small banks – found itself the target of a ransomware attack.
The issue, later blamed on Russia-based group REvil, was resolved within days and without a ransom payment. But it has forced officials to think about what would happen if thousands of small banks across the country were crippled, and to wonder how big an attack had to be before it caused a bigger run on bank deposits and a broader liquidity crisis in the financial system.
“One of the reasons this community is ahead of the rest is that it is constantly probed by cybercriminals,” said James Andrew Lewis, director of the strategic technologies program at the Center for Strategic and International Studies in Washington.
“The top 20 banks – I’m pretty sure they’re a really tough target,” he added. “If you had to choose the bottom 20 financial institutions and even some of the plumbing service providers, I don’t know if I would be so confident.”
There are also concerns about the government itself. The Treasury and other agencies are not just regulatory supervisors. The Treasury issues US government debt and the Fed is a provider of interbank payments, and their systems are subject to attack.