Press Center

 Remarks By Deputy Secretary Sarah Bloom Raskin At The Clearing House Annual Conference


11/17/2015
Good morning. Thank you Greg for the introduction, and thank you to The Clearing House for inviting me to speak today at your annual conference.
 
Over the next two days you will explore several topics that are laced with policy significance: what are the components of a framework that shapes finance for the future; what is the public value of crypto currency and digital wallets; how do we imagine cross-border payment systems that embrace technological innovation so that they serve the financial needs of a country’s citizens when the country contains a limited financial infrastructure. And capping the conference, tomorrow’s luncheon panel will focus on malicious cyber actors: who are they, where do they come from, and what is their end game.
 
Indeed, your conference’s themes focus on opportunities and risks associated with innovation, technology, and globalization in banking and payments. And in harmony with these themes, I’d like to focus my remarks on a set of issues that is consuming much of my time and imagination, and that is cybersecurity and resiliency in the financial services sector.
 
The Internet has become a global platform for communication and socialization. It is also an engine driving innovation and economic growth. It is where Americans and the world communicate, socialize, and do business. It is where the financial sector engages in financial transactions, interacting with clients, customers, and counterparties.
 
For the youngest among us, these are obvious truths; life with the Internet has always been what life is. For the older among us, the transformation of commerce and finance is a sight to behold, and we may privately wonder about how the Internet is changing society.
 
But regardless of our age, for all its benefits and all its participants, the Internet has a dark side. It serves as a platform for illicit and menacing activity: for assaults on privacy and pilfering of sensitive, personal information; for theft of intellectual property, trade secrets, and confidential business information; and for fraud, extortion, and even the destruction of physical property.
 
Malicious cyberactivity has been thrust—loudly and destructively—onto the fabric of finance, our economy, our country, and the world. Banks—as the entry points and connecting nodes for the financial system as well as the holders of a treasure trove of high value customer data—are natural targets for bad actors. Equally attractive targets are wholesale and retail payment systems because these payment systems are the rails on which currency, debit and credit card, and other transfers of monetary value travel.
 
The more interconnected financial institutions are—through payment systems or third-party vendors processing transactions, providing cloud-computing services, or operating mobile banking solutions—the more the financial sector as a whole runs the risk of contagion. Much like water is drawn to cracks in a foundation, a weakness in any point of entry or link in the financial sector’s vast, complex interconnected system exposes individual financial institutions as well as threatens the United States’ financial stability and our country’s economic security.
 
And of course the sector’s interconnectedness does not end at U.S. borders. Globally active U.S. banks operate through dozens of material legal entities throughout the world, transferring resources, booking trades, and sharing service providers across jurisdictions. Clearing houses, securities settlement systems, exchanges, and payment systems are all enmeshed in global finance.
 
The businesses and operations and individuals and institutions that comprise our financial infrastructure are all connected, directly or indirectly and to varying degrees, to and through the Internet. By design, the Internet knows few sovereign borders, allowing users and attackers alike to freely cross from one country to another through communication and information technology systems.
 
            *          *          *          *          *          *          *          *          *          *          *          *         
 
Given this complexity and inter-connectedness, what exactly are we experiencing? What is the nature of the cyber threat and how is it different today than it was yesterday? How is the threat transforming over time?
 
The original intent of the Internet, back when it was designed, was to link various kinds of computer networks among trusted users at universities and the U.S. government.[1] In those early days, the biggest threat was the Internet’s reliability, not its security. Acts of cyber vandalism were relatively infrequent; their motive was primarily attention seeking.
 
But as the Internet became more reliable, it became increasingly a venue for commerce, and the cyber threat became an economic threat. Cyber-hacking motives morphed from being a way to gain attention to inflicting grave economic harm. Like the 20th century American outlaw, Willie Sutton, who replied, when asked why he robbed banks, “Because that’s where the money is;” the Internet became a way to plunder and pillage.
 
Case in point: last summer, U.S. criminal authorities and the Securities and Exchange Commission brought parallel actions against an international cybercrime ring that married the wizardry of computer hacking and the reach of the Internet with old-fashioned insider trading.[2] According to court filings, hackers from Ukraine broke into the networks of the newswire companies Business Wire, PR Newswire, and Marketwired.
 
Once inside those networks, the hackers stole as many as 150,000 pending press releases of public companies, containing information about financial performance, quarterly earnings, and potential mergers and acquisitions. Then, teaming up with a band of rogue traders from the United States, Russia, and other countries, the ring traded on the confidential, economically valuable information in the press releases before that information was made public.
 
This transnational enterprise was sophisticated, well organized, and brazen. Using spear phishing—where targeted emails from seemingly trusted sources were sent to newswire employees to trick them into downloading tainted software—the ring gained initial access to the newswires’ systems. These criminals also gained access through the cyber equivalent of brute force, deploying algorithms to systematically guess all possible passwords for targeted employees. Malicious computer code was then injected into the systems to delete evidence of the intrusion and further cover the tracks of the ring.
 
These cybercriminals also used the Internet to recruit and train a cadre of traders, even disseminating a video on how to access servers for pending press releases. For their part, the recruited traders provided the hackers with shopping lists of pending news releases that they wanted most. Over a five-year period, this criminal enterprise allegedly made more than $100 million in illicit gains, defrauding investors in dozens of U.S. public companies before their arrests.
 
Also in the last year were some other noteworthy disturbing and destructive attacks. The first: North Korea’s attack on Sony Pictures. Most of the public attention regarding the Sony attack focused on the Internet posting of unreleased movies in retaliation for the making of the movie The Interview, and the circulating of highly sensitive employee information and embarrassing emails of company executives. But the attack also involved the destruction of computers and systems, and the wiping out of data, that took Sony months to recover from.
 
Less noticed, but equally disturbing, was a digital assault on a German steel mill.[3] Much like the insider-trading ring, the attack began with spear phishing to trick plant employees into accessing booby-trapped malware. Once activated, the malware allowed hackers to steal computer login credentials from plant personnel. Remotely working their way from the office networks to plant production networks, the hackers ultimately gained access to systems controlling the mill’s manufacturing equipment.
 
The hackers’ malicious activity meant that when plant managers tried to shut down a blast furnace, those managers no longer had control of the on-off switch. Massive physical damage to the furnace ensued. In short, physical damage resulted from a single email.[4]
 
The financial loss attributable to each of these attacks is significant to be sure. And, while estimates vary dramatically of the annual cost of cybercrime to the United States and global economies, what we can be sure of is that the costs are real and increasing.[5] They begin with the disruption of operations and the associated loss of revenue; they also include expenses incurred to secure, reconfigure, and replace systems, and to appropriately notify customers, clients, and counterparties.
 
The non-financial costs are likely even greater: Loss of trust in institutions, eroding confidence in critical infrastructure; the vast and monumental loss of intellectual property and know-how; and the costs associated with responding to attempts to undermine our national and economic security.
 
            *          *          *          *          *          *          *          *          *          *          *          *
 
So, what do we do? Anyone immersed in cybersecurity challenges will tell you that this isn’t a problem amenable to a single solution. We cannot wait for kid wonders from Silicon Valley to devise a technology that will provide that single silver bullet: the one necessary to protect our financial infrastructure at its imagined borders, both in terms of thwarting entry of malware and in terms of the ability of that malware to exit with its stolen treasure without detection. As long as there are crown jewels to be had—and the financial highways and financial data available through the Internet are those crown jewels—there will be the need to assess and address threats and vulnerabilities.
 
As owners and operators of key portions of the financial sector, the responsibility for assessing and addressing many of these threats and vulnerabilities is yours. There have been no shortage of roadmaps to navigate the terrain.[6]
 
The point here is that this is not just a technological challenge. It is a challenge of changing human behavior; and it’s a challenge of changing governance and business and operational processes. Virtually every process you engage in needs to be reviewed and updated, enterprise-wide, from a cyber-resiliency perspective. This sounds daunting, but none of this is impossible.
 
Governments also have capabilities to identify and counter cyber threats and vulnerabilities, as well as to mitigate harm from malicious cyber actors and activities. This Administration has made cybersecurity and resiliency a top priority. Through law enforcement and diplomatic channels, the federal government has worked with international partners to respond to sustained cyberattacks and significant incidents that threaten the financial and other critical infrastructures. Through those same channels, we have strengthened our ability to combat cybercrime and cyber-enabled theft of trade secrets for commercial gain.
 
Earlier this year the President sent to Congress proposed cybersecurity legislation covering three fronts:
 
·  First: To better protect consumers whose sensitive, personal information has been compromised;
 
·  Second: To modernize the tools law enforcement uses to investigate and punish cyber misdeeds, such as criminalizing the sale of malware that creates compromised networks of computers (or botnets) and empowering courts to summarily shut down those compromised networks; and
 
·   Third: To promote increased sharing of timely, actionable cyber threats among private-sector entities and with government through limited liability protection while protecting individuals’ privacy and civil liberties.
 
In connection with this last goal of sharing cyber threat information, the Senate passed a bill last month, which is in the process of being reconciled with legislation passed earlier this year by the House. The Administration remains optimistic that the Senate and House can work together to quickly send cybersecurity information-sharing legislation to the President’s desk for signature.
 
As to Treasury specifically, we are the day-to-day federal interface and coordinator for the financial sector as it relates to cybersecurity and resiliency; and Secretary Lew and I have made both a key focus. We work with the Department of Homeland Security, financial regulators, and the law enforcement and intelligence communities in this effort. As many of you know from your institution’s own involvement, we are involved in a whole host of engagements.
 
Even without the passage of legislation, we are working with partners across the government and in the private sector to facilitate the sharing of cyber threat, vulnerability, and incident information. Treasury’s Cyber Intelligence Group monitors and analyzes cyber threat intelligence related to the financial sector and provides that information to the sector. The group’s mission is to increase the volume, timeliness, and quality of information shared between the government and the financial sector.
 
To increase speed and quality of reporting, Treasury—along with DHS, the FBI, and other government partners—is now sharing some key threat information in machine readable form. We are encouraging private-sector firms to implement automated capabilities to do the same.
 
We are also working with relevant partners in government and in the financial sector to boost our collective preparedness for cyber incidents. For example, over the past nine months, Treasury has completed three large-scale domestic cybersecurity exercises with the financial sector. Through these efforts, we tested communication and escalation processes for responding to and recovering from malware attacks.
 
Just last week, we completed a half-day table-top exercise with the United Kingdom. This event involved more than 100 participants from the financial sector and the U.S. and UK governments. Through this exercise, the group focused on better understanding the processes that exist to coordinate between our countries if a significant cyber incident were to simultaneously threaten both of our countries’ financial sectors.
 
            *          *          *          *          *          *          *          *          *          *          *          *
 
We have established strong, deep cybersecurity cooperation among the financial sectors and governments of the United States and United Kingdom. But bilateral relationships alone are not enough.
 
Again: The U.S. financial system is an integral part of the global financial system. Between 2000 and 2015, the foreign claims of large international banks tripled to over $27 trillion.[7] U.S. banks were a key driver and beneficiary of this integration: one-third of the revenue earned by the largest globally active U.S. banks comes from overseas.[8] And moving across borders each year are approximately $22 trillion in payments,[9] with Americans alone sending over $54 billion in remittances abroad in 2014.[10]
 
Given this interconnectivity, combined with—as I mentioned at the outset—the borderless reach of the Internet, the United States and the international community have a shared interest in understanding and mitigating cyber threats and vulnerabilities to the financial sector worldwide.
 
As such, earlier this year, the G-7 finance ministers and central bank governors launched a working group of cybersecurity experts for the financial sector. Individually, G-7 countries have already begun to address cybersecurity risks to their respective economies across multiple sectors.
 
This group’s mandate is to expand our understanding of cyber-related risks as they relate to the global financial sector and to take stock of national approaches to cybersecurity in the financial sector. I serve as co-chair of this group with the Bank of England.
 
            *          *          *          *          *          *          *          *          *          *          *          *
 
But even more needs to be done internationally. The Sony and steel mill attacks underscore that cyberspace provides unprecedented opportunity to engage in dangerous, damaging behavior. From basements and living rooms around the globe, attackers can not only steal but can also cause physical damage and attempt to intimidate and undermine the fundamental values and beliefs of others.
 
This much is clear: we are all currently vulnerable. But it is also clear that we will all be better off if we have a common, clear understanding of what kind of behavior is acceptable—and unacceptable—when participating in, and benefiting from, the global digital economy. Basic rules of international law apply to state actors online, just as they do offline. In addition, the international community would benefit from additional, voluntary norms of responsible state behavior in cyberspace: norms well understood by nations and private parties.
 
Over the weekend, G-20 leaders meeting in Turkey took a step in this direction by committing to a set of norms. These norms are not complex but they are fundamental; for example, states should affirm that they will not engage in cyber-enabled theft of intellectual property, trade secrets, or confidential business information for commercial gain; that they will not cause intentional damage to critical infrastructure or impair the use of that infrastructure to provide public services; and that they will help investigate, prosecute, and mitigate malicious cyber-enabled activity emanating from a country’s soil upon request and when consistent with applicable laws and obligations.[11]
 
This is part of the next frontier—developing a meaningful meeting of the minds across world players regarding what is appropriate behavior in cyberspace.
 
At the same time governments set out for the next frontier, I am convinced that there is more to do domestically and within financial institutions to strengthen our country’s own financial infrastructure. So let me end with the pragmatic—namely to identify three key things that each executive in this room can do at their own institutions that collectively will make a difference.
 
First: Ensure that cyber risk is part of your institution’s risk management framework and cybersecurity is embedded into your governance, control, and risk management systems. Why? Embedding cybersecurity into your business processes and activities, your control structures, and most importantly into your cultures can measurably increase the cybersecurity posture of your institution. When this occurs, cybersecurity will become part of your firm’s genetic code.
 
Second: Engage in basic cyber hygiene, those essential practices that bolster the security and resilience of computer networks and systems. Experts estimate that these are essential practices that can prevent up to 80 percent of all known incidents.[12]
 
For example: Require “multi-factor authentication”—in other words, multi-step identity checks—before allowing access to your networks, systems, and data. Restrict users with special, high-level access—known as privileged users—to only those absolutely necessary to run your business, operations, and systems. Mandate regular, systematic patching of your software, because the vast majority of cyber intrusions exploit known system weaknesses. And insist that your systems are scanned using indicators of intruders, such as rogue IP addresses or malware hashes.
 
Third: Press your institution to prepare a response and recovery playbook for significant cyber incidents. This playbook should be well-thought out and routinely tested; tested internally all the way up to the board and externally through exercises with the financial sector and the government. At a minimum, the playbook should describe who does what, when, and reports to whom when a cyber incident happens. The playbook should also cover topics such as when to call law enforcement, when to get executive management and the board involved, and when to notify customers, clients, and business partners. Update your playbook regularly to reflect the changing nature of cyber threats to your institution.
 
            *          *          *          *          *          *          *          *          *          *          *          *
 
I liken cybersecurity and resiliency to a journey into a new frontier. I am convinced that there are neither shortcuts, nor easy ways out as we move toward the new frontier. And it seems that we are at the beginning, not the end of our journey. There are challenges and obstacles ahead even though we have already accomplished quite a bit.
 
It’s when the risk and tasks posed by cybersecurity seem the greatest, that I’m reminded of the surpassing necessity of a well-functioning financial sector and a resilient financial infrastructure that works for all Americans and for the common good. This is work well worth the significant investment.
 
Thank you.
 
###


[1]           “NSF and the Birth of the Internet - Special Report,” National Science Foundation, http://www.nsf.gov/news/special_reports/nsf-net/textonly/60s.jsp.
[2]           Indictment, U.S. v. Turchynov et al., No. 2:15-cr-00390 (D.N.J. Aug. 6, 1015), Doc. 1; Indictment, U.S. v. Korchevsky et al., No. CR-15-381 (E.D.N.Y. Aug. 5, 2015) Doc. 1; Complaint, Securities and Exchange Commission v. Dubovoy et al., No. 2:15-cv06076 (D.N.J. Aug. 10, 2015), Doc. 1.
[3]           http://www.wired.com/2015/01/german-steel-mill-hack-destruction/
[4]               See, e.g. Die Lage der IT-Sicherheit in Deutschland 2014, Bundesamt für Sicherheit in der Informationstechnik (BSI), Nov. 2014; Robert Lee, Michael J. Assante, & Tim Conway, German Steel Mill Cyber Attack, SANS Industry Control Systems, Dec. 30, 2014, https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf (including assessment of attack and translation of relevant text from BSI report); Hack Attack Causes 'massive damage' at Steel Works, BBC News, Dec. 22, 2014, available at http://www.bbc.com/news/technology-30575104; Kim Zetter, A Cyberattack has Caused Confirmed Physical Damage for the Second Time Ever, WIRED, Jan. 8, 2015, available at http://www.wired.com/2015/01/german-steel-mill-hack-destruction/.
[5]           Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime (June 2014) (study estimated annual cost of cybercrime to the global economy as likely to exceed $400 billion, and could range from $375 billion to $575 billion).
[6]           See e.g., National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, (Feb. 12, 2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf; Federal Financial Institutions Examination Council, Cybersecurity Assessment Tool (June 2015), https://www.ffiec.gov/cyberassessmenttool.htm; see also Sarah Bloom Raskin, Deputy Sec’y of the U.S. Treasury, Cybersecurity for Banks: 10 Questions for Executives and their Boards, Remarks at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference (Dec. 3, 2014), available at http://www.treasury.gov/press-center/press-releases/Pages/jl9711.aspx; Sarah Bloom Raskin, Deputy Sec’y of the U.S. Treasury, Cybersecurity for Banks Version 2.0: 10 Follow-up Questions for Executives and their Boards, Remarks at the American Bankers Association Summer Leadership Meeting (July 14, 2015), available at http://www.treasury.gov/press-center/press-releases/Pages/jl0112.aspx.
 
[7]           Bank for International Settlements, Consolidated Banking Statistics (immediate counterparty basis).
[8]           FR Y-9C Consolidated Financial Statements.
[10]          World Bank staff estimates based on IMF balance of payments data; http://data.worldbank.org/indicator/BM.TRF.PWKR.CD.DT.
[11]          Specifically, these additional voluntary cyber norms are: First, no country should conduct or knowingly support online activity that intentionally damages critical infrastructure or impairs the use of it to provide services to the public. Second, no country should conduct or knowingly support activity intended to prevent national computer security incident response teams from responding to cyber incidents, or use its own teams to enable online activity that is intended to do harm. Third, no country should conduct or knowingly support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information with the intent of providing competitive advantages to its companies or commercial sectors. Fourth, every country should cooperate, consistent with its domestic law and international obligations, with requests for assistance from other states in mitigating malicious cyber activity emanating from its territory.
[12]          Press Release, The Center for Internet Security and Council on CyberSecurity Launch a Nationwide Campaign for Basic Cyber Hygiene in Support of NIST Framework Adoption (Apr. 3, 2014), http://www.counciloncybersecurity.org/press/1-the-center-for-internet-security-and-council-on-cybersecurity-launch-a-nationwide-campaign-for-basic-cyber-hygiene-in-support-of-nist-framework-adoption.
Bookmark and Share