Financial sector wants more of everything to protect its systems
NEW YORK — Despite last year’s cybersecurity information sharing law, it will be ‘years’ at the current rate of progress before the federal government is capable of receiving real-time threat reports from the private sector, the CIO of a major financial institution said Monday.
“There is no excuse for attack technology working twice,” Marc Gordon, Executive Vice President and CIO of American Express, told the president’s blue ribbon cybersecurity commission. “If I’m attacked today, I should be able to share that tomorrow. I will tell you that the pace at which things are moving [right now], we are years away from that.”
Gordon told the commission he had a hand in crafting the legislation that led to the Department of Homeland Security standing up its Automated Indicator Sharing platform, but he would like to see a more robust platform for the real-time sharing of cyberthreat information.
That call cuts against the grain of what DHS officials have publicly said since the AIS platform launched in March. John Felker, the director of the agency’s National Cybersecurity and Communications Integration Center, said in April that DHS has yet to receive a significant number of threat reports from the private sector.
[Read more: DHS: Even at machine speed, info sharing only goes so far]
Gordon was one of several cybersecurity professionals who testified at the second public meeting of the Commission on Enhancing National Cybersecurity, which focused on the security of the financial services sector, calling for more of everything: information sharing, collaboration, research and development, and the personnel needed to operate and maintain all of it.
If the U.S. government is to help protect the global financial market, commissioners heard in the city which is its symbol and its heartland, the feds are going to have to step it up on several fronts.
Greg Rattray, Head of Global Cyber Partnerships at JP Morgan Chase, told the commission that, on top of threat sharing, he would like to see a focus on government “support capabilities” on par with those provided to the defense industrial base. He suggested working with infrastructure providers, email providers and groups like ICANN to drive down malicious activity.
“We would like to ensure government resources and attention to understanding and addressing the potential impact in public confidence in the market,” said Rattray, who served as the National Security Council’s director of cybersecurity from 2002 to 2005. “Some of this work is underway but we think this needs to be brought to a higher level.”
Another idea that experts said needed more attention is the financial tech world’s current obsession — the blockchain.
Jerry Cuomo, an IBM fellow who specializes in blockchain technologies, called on NIST to develop standards for blockchain interoperability, privacy and security. He said this research could push government agencies to become early adopters of blockchain technologies.
“Blockchain has inherent qualities that provide trust and security,” Cuomo said. “But to fulfill its purpose, core technology must further be developed using an open-source governance model to make it deployable on a grand scale.”
Cuomo touted the idea of a “permission blockchain” that would function as a digital ledger like today’s blockchains, but would rely on cryptography and digital signatures to prove identity and manage access. Not only would this technology support a new wave of financial systems, but he said the same system could also be used to share threat intelligence among security professionals.
“Today, for fear of being exposed, many financial services firms are reluctant to share information about cyber attacks,” Cuomo said. “However, with blockchain, they could confidentially share information in real time, that when combined with data from other companies, can be used to stop and quickly develop deterrence.”
Phil Venables, Managing Director and CISO at Goldman Sachs, told the commission that in order to act on that shared data, organizations need to push for better cybersecurity minds at all levels of businesses, not just inside IT departments.
“Our goal should be to design security architectures to reduce some of the complexities in our environment to make sure our environments are much more prepared to be defended,” Venables said. “We’ve got to recognize this is the job of all people in an organization, from business to risk management to engineers. We need security-minded people, not just security.”
The meeting comes at an interesting time for the financial sector. The industry is considered to be relatively quick to adopt cybersecurity protocols, having stood up the first-ever Information Sharing and Analysis Center in 2014. However, it came to light earlier this month that $81 million was stolen from the country of Bangladesh’s account at the Federal Reserve Bank of New York. The theft ranks among the biggest cyber crimes ever.
[Read more: Commission trying not to drop cyber ball during transition.]
The commission will take Monday’s testimony into account as it moves to create its report, which is due to President Obama by Dec. 1. Commission Chair Tom Donilon said prior to Monday’s meeting he expects the report to serve as a roadmap for the next administration’s cybersecurity priorities.
The commission’s next meeting will be held next month in California.