Banking on Cooperation: The U.S. Government and the Finance Industry Need to Work Together to Defend the Financial Sector from Cyber Threats
The private sector—which owns and operates the vast majority of U.S. critical infrastructure in cyberspace—and the U.S. government are in lockstep that cyber threats to critical infrastructure have national-security consequences. What more, they agree that both must do more to defend critical infrastructure in cyberspace. On Sept. 20, JPMorgan Chase CEO Jamie Dimon told CNBC that “cyber” represents the biggest threat to the global financial system.
Published by The Lawfare Institute
in Cooperation With
The private sector—which owns and operates the vast majority of U.S. critical infrastructure in cyberspace—and the U.S. government are in lockstep that cyber threats to critical infrastructure have national-security consequences. What more, they agree that both must do more to defend critical infrastructure in cyberspace. On Sept. 20, JPMorgan Chase CEO Jamie Dimon told CNBC that “cyber” represents the biggest threat to the global financial system. But as Dimon sounded the alarm, the Pentagon’s 2018 cyber strategy summary put the ball at least partly in his industry’s court, stating that the private sector is “on the frontlines of nation-state competition in cyberspace.” The Defense Department should build and enhance partnerships with the private sector to defend forward against strategic cyber threats. The Trump administration’s 2018 National Cyber Strategy was consistent with the Pentagon summary, defining a joint “responsibility to secure the Nation’s critical infrastructure and manage its cybersecurity risk … shared by the private sector and the Federal Government.”
But despite steps in the right direction, U.S. critical infrastructure, particularly the financial system, remains vulnerable to cyber attacks perpetrated by foreign threat actors with strategic, rather than criminal or economic, motivations. The U.S. government protects the financial system from physical threats, but American banks rely on and invest in their own network defense to protect against large-scale cyber attacks with national security consequences, such as those that could threaten financial stability or cause cascading effects that imperil the global financial system.
In a Carnegie working paper, I propose that the U.S. government and key actors in the financial sector collaborate at the operational level to defend against major cyber threats. If implemented, the recommendations could be replicated across other critical sectors of the economy, taking into account their unique and specific risk and threat profiles, defensive requirements, and regulatory and compliance regimes.
A program of operational collaboration between the U.S. government and key financial sector actors should contain five elements:
- sector-specific foreign intelligence collection institutionalized in the National Intelligence Priorities Framework (NIPF);
- side-by-side analytic collaboration and real-time data sharing between U.S. government and financial sector analysts;
- joint development of playbooks;
- routine exercising of playbooks; and
- deepening organizational connective tissue between the government and the sector.
Reliable intelligence is essential to composing an accurate picture of the threat environment. However, both private-sector and government intelligence analysts lack a complete understanding of their adversaries. Open-source intelligence analysts in the private-sector lack the full range of authorities and capabilities to collect adequate foreign intelligence to defend their networks. Government intelligence agencies lack deep subject-matter expertise about the assets and systems at risk and the nature of the threat environment facing an industry, like financial.
Two remedies might address this intelligence gap.
First, the U.S. government should prioritize foreign-intelligence collection against finance-specific threats. But because expertise about the financial system within in the industry outpaces that of the government, the financial sector should be formally incorporated into every step of the intelligence cycle. For example, banks could help the intelligence community develop indicators and warnings of threats. Absent such collaboration, there is a strong chance that U.S. government intelligence collection against foreign threats will be rudderless.
Second, there should be deeper and more routinized intelligence collaboration across classification lines between government and financial sector analysts. The likelihood of getting security clearances for all of the finance industry’s threat analysts is slim to none, but that shouldn’t stand in the way of collaboration with cleared personnel in the intelligence community. This collaboration should move beyond existing information-sharing initiatives to include side-by-side analytic collaboration and real-time data sharing. The dearth of cleared individuals in appropriate positions—like chief information-security officers, threat intelligence leads, and some threat analysts—within the financial sector should be remedied to support this effort.
However, intelligence collaboration would solve only one aspect of this problem. Beyond reforms in intelligence collection and analysis, U.S. government agencies, including the Departments of Homeland Security, Defense, and the Treasury, as well as the intelligence community, should work together to develop playbooks for combating cyber threats to the financial industry and define the resources necessary to implement them. These plans should address how the government and private sector will operate together both during predefined crises as well as when business is running as usual. The planning should clarify currently ambiguous roles and responsibilities both within and between sectors. For example, playbooks could define clear thresholds for different categories of action and response—for instance, identifying the conditions under which U.S. Cyber Command’s capabilities could be employed outside the United States during a systemic cyber attack against the financial sector—and the legal authorities, resources, and task organization necessary to carry out such a response.
The government and private sector should routinely practice the plans they develop. Playbooks will only be useful and remain current if they are regularly exercised. The results of exercises should inform and improve intelligence collection, drive capability development, and refine the playbooks.
Finally, operational collaboration between the financial sector and government will require strengthening the organizational and institutional connections between the private sector and the government. In the finance industry, the Financial Systemic Analysis & Resilience Center (FSARC), established in 2016 by the CEOs of eight major U.S. financial institutions to enhance collaboration with the government and develop early-warning capabilities, is the natural hub for coordinating and liaising between industry and the government.
On the government side, the Department of Homeland Security is the natural hub to coordinate the federal government’s overall role in this effort. At the DHS Cybersecurity Summit in July, Vice President Mike Pence called for legislation to create a new agency, the Cybersecurity and Infrastructure Security Agency, within DHS to act as a “central hub for cybersecurity.”
But the success finance-government collaboration requires buy-in from and good relations between stakeholders across the national-security apparatus and the private sector. Therefore, rather than creating a new agency within DHS that could have a preponderant role over other stakeholders, my paper recommends the creation of a DHS program office for financial-sector critical infrastructure. The program office would coordinate the overall effort, including synchronizing government intelligence collection, organizing the relationship between the FSARC and the government, and leading the playbook-development process. A DHS program office would also create a knowledge base within the government that is sensitive to the unique needs that confront the financial sector. From a Pentagon perspective, reorienting several operational teams and planning staff within U.S. Cyber Command around sector-specific defense would support the development of sector-specific expertise within the Pentagon and would also be consistent with the new “defend forward” strategy.
The reality is that U.S. adversaries have already demonstrated a capability and willingness to target the American economy in cyberspace to achieve strategic objectives. Failure to adequately reorient around, reorganize for, and resource this problem risks leaving the U.S. unprepared to address the next cyber attack on the financial sector.
Erica Borghard’s paper “Protecting Financial Institutions Against Cyber Threats: A National Security Issue” is part of the paper series ‘Cybersecurity and the Financial System’ published by the Cyber Policy Initiative at the Carnegie Endowment for International Peace.