Banks, Gov't Struggle to Contain Growing Cyber Threat

WASHINGTON — Bankers, technology CEOs and President Obama are throwing everything they have at countering the threat of cyberattacks, but based on a White House summit Friday on the issue, it's far from clear that it will be enough.

In speeches and panel discussions, participants said the threat is getting worse as criminals become more adept and an increasing amount of private data becomes public as a result of hacks and data breaches.

"The first computer viruses hit personal computers in the early 1980s, and essentially, we've been in a cyber arms race ever since," President Obama said at a summit at Stanford University. "We design new defenses, and then hackers and criminals design new ways to penetrate them. Whether it's phishing or botnets, spyware or malware, and now ransomware, these attacks are getting more and more sophisticated every day."

Based on the discussions Friday, the defense against this growing threat breaks down into several different, sometimes interrelated, strategies.

Information sharing
The headline event of the summit was Obama's signing of an executive order helping the government and private sector to share more information about cyber threats. The order creates a new agency called the Cyber Threat Intelligence Integration Center that will provide analysis and facilitate information sharing between the private sector and the government.

Financial services executives hailed the move.

"Information sharing may be the single, highest-impact, lowest-cost and fastest way to implement capabilities that we have at hand as a nation to accelerate our overall defense from the many varied and increasing threats that we are facing every second," said Kenneth Chenault, the chief executive of American Express, during a panel discussion.

Bank of America CEO Brian Moynihan agreed, saying the government has a unique ability to take a comprehensive view of cyber threats and ward off attacks.

"They spent the money and have the authorities and powers and capabilities, and they see it across everyone so you have to have the government," Moynihan said.

He added that everyone has to have an understanding of their role in cyber defenses and work together inside the "tent."

"If everybody is in the tent, it is a comprehensive view and then you protect the people … who share the information to use it the right way. You then get that collaboration to do it the right way," Moynihan said.

Obama summed up the government's role, saying, "the cyber world is sort of the wild, wild West. And to some degree, we're asked to be the sheriff."

Still, even Obama acknowledged that the executive order doesn't go far enough. The administration has been seeking legislation that would protect financial companies from legal liability for sharing certain information with the government.

Both Moynihan and Chenault emphasized that the legislation, which has stalled in Congress, is vitally needed.

"In order to incentivize greater industry sharing we need to pass legislation that provides liability protection for private sector sharing and channels government resources more effectively … This is critical to helping the private sector defend itself," said Chenault.

U.S. Bancorp CEO Richard Davis said banks have already created a financial services information sharing group in order to communicate threats to one another.

"This is the first time a banking contingent has laid down the gauntlets and said — wait a minute — we are not competing on this topic, we are working together," he said.

Kill the password
One common thread of the summit was the need to move beyond the password as a form of security.

"We have got to make cyberspace intrinsically more secure, replacing passwords with more secure technologies and enhancing consumer protections online," said Lisa Monaco, who advises Obama on counterterrorism.

Ajay Banga, CEO of MasterCard, said what he is hearing from customers is "stop making me try to remember things to prove I am who I am" and that "the password is gone."

"Everything from biometrics to new technology that looks at the underlying heartbeat with a bracelet … that is where it is going," Banga said. "That takes away from remembering the password to converting to who you are."

Peter Hancock, American International Group's CEO, also said that it doesn't matter how secure your systems are; if someone is careless with their password, it can lead to a data breach.

"It is the human error that is the problem," Hancock said.

Obama added that "it's just too easy for hackers to figure out usernames and passwords" and joked that one of his old passwords was "password."

The rise of tokenization
Several financial services and tech executives touted tokenization, a process that keeps card account data out of a merchant's system, making it far less vulnerable to data breaches. Apple Pay, the tech giant's new mobile payment system that lets consumers pay with their iPhones, relies on tokenization. It provides merchants with a "device account number" rather than credit card information.

During the summit, Apple CEO Tim Cook said that 2,000 banks have already signed up to allow their credit cards to be part of Apple Pay. He added that the federal government will begin accepting Apple Pay in places like national parks starting in September.

"We are working on initiatives with leading banks and networks to use the technology for benefit programs like social security and veterans pensions that serve citizens at both the state and federal level," Cook said.

The appeal of tokenization is simple, as it means consumers' card information is not widely available among retailers. Davis said banks are already looking past chip and PIN technology, which has become the industry standard, and are moving toward tokenization.

"The goal eventually would be to get past chip altogether and move next to token so the token would be used everywhere," Davis said.

"Think of it like Mr. Phelps on Mission Impossible where in 10 seconds this tape will self-destruct. You get one token per transaction and that thing goes across and transacts the item and everything else is gone forever and all of that information that was behind it is safe and not out in the open."

Executives also agreed that one thing banks and retailers have to keep in mind is preserving customer trust, which they said more hacks and data breaches could significantly undermine.

"Trust is really what holds us together and that's what holds our society together and what we are really talking about is trust," said American Express' Chenault.

Davis at U.S. Bank added that trust plays a key role in its business model.

"[Trust] is ours to lose, though it is ours to protect," Davis said. "If we mess up that trust through this transition and find our way to not having guided them to think that we are always going to be there to protect them, we are going to lose them. ... If we don't protect that trust, it's game over."
