Sharing cyberthreat information is far from easy, but banks are adopting new tools to use strength in numbers to defend against attacks.
Greater involvement by banks in the nonprofit Financial Services-Information Sharing and Analysis Center — founded in 1999 — to communicate threats is a given in the current security environment. But effective sharing among such a large slice of companies (7,000 members are in the group), technological complexities and regulatory hurdles pose challenges.
Banks increasingly now are forming their own subgroups within the FS-ISAC — including one reportedly formed by the eight largest banks and several others — to focus sharing among cliques of peer institutions with common security concerns. Meanwhile, new technology offers hope of banks being able to communicate threats more efficiently to each other, and there is hope for better information-sharing between banks and the government.
"Generally speaking, there's a willingness to share [cyberthreat information among financial institutions]," said Jason Witty, chief information security officer at U.S. Bank. "There was a realization a long time ago that we don't compete on safety and soundness. Sharing threat data with each other so that it doesn't affect the other guy is really quite common."
Splinter Groups Are in Vogue
A working group with the likes of JPMorgan Chase and Bank of America to share internal security details might sound at first like a shadowy gathering.
But the new big-bank group, which was reported last week by the Wall Street Journal, is a natural outgrowth of work that's been going on for years. The league, which will also include Goldman Sachs, Bank of New York Mellon, Citigroup, Morgan Stanley, State Street and Wells Fargo, is the latest of a couple dozen such groups formed within FS-ISAC.
Splinter groups made up of institutions with things in common only make sense. For example, a big bank is going to have different security issues than a community bank or credit union, and likewise. The FS-ISAC subgroups share email distribution lists and form committees to focus on issues specific to their type of institution.
Witty said U.S. Bank is a member of several FS-ISAC subgroups. Meanwhile, a council of 3,500 smaller community banks and credit unions make up FS-ISAC's largest subgroup. Another group is made up of information security execs at the major exchanges. There's the payments process security council, which includes payment processors and credit card payment companies. Other groups bring together law firms and merchants.
"Having those communities of interest gives you more robust information sharing," Witty said. "You might want to consider a different family of controls if your peers are getting hit more with ransomware than DDoS attacks."
Exactly what will be shared in the new big-bank group, and through what channels, has not yet been decided, according to John Carlson, chief of staff at the FS-ISAC. He said the new peer group gives the largest institutions the chance to talk amongst themselves about issues unique to such complex firms, such as collaboration with government agencies and protecting critical infrastructure. (All eight banks declined requests for an interview, referring media to the FS-ISAC.)
"These firms want to work together more intensely, want to collaborate with the US government more," Carlson said.
The new big-bank group, which will likely be self-funded, appears ready to take sharing activities to the next level compared to other subgroups. This may include conducting war games or cybersecurity exercises that simulate an attack in a virtual environment. They're also thinking about creating their own cyberthreat sharing platform.
Not everyone can create their own splinter group within the FS-ISAC. There's an application process and subgroups must seek approval from FS-ISAC's board of directors. "We will do it if it makes sense, and fits within our mission and bylaws," Carlson said.
Working Out Technology Kinks
But the effectiveness of software in helping banks broadcast cyberthreat alerts to each other has also been a hurdle.
FS-ISAC members occasionally grumble that the time lag between when cyberattacks happen and when members get information about them is too long.
"Sometimes threats aren't recognized until after they've been dormant for some time and have come to light," noted Timothy Toohey, a partner at the Los Angeles law firm Greenberg Glusker. Then there's the process of gathering, preparing and sending the data back out. "There will always be some second-guessing of whether it's fast enough," he said.
Witty said this time delay is one of three common problems with the quality of information-sharing. The other two are a need for context — how much should you care about this information being shared — and dealing with a large volume of information being shared.
"If they were printed, what we get from the FS-ISAC on a daily basis would be four reams worth of paper," he said. "Luckily we're not printing it, and it's not coming in just as emails, files, or a portal you have to log into."
A new wrinkle offers hope. U.S. Bank and other institutions have begun using technology known as Soltra to generate machine-readable cyberthreat alerts that can automatically trigger actions in security software. This should dramatically cut the time lag from the time an attack is detected to the broadcasting of the details to others.
FS-ISAC began developing the Soltra platform with the Depository Trust & Clearing Corp. two years ago. It rewrites threat information in such a way that other software programs can read it, using standard data protocols called STIX and TAXII. A compatible software program could read Soltra's alerts as direct action triggers — for instance, a firewall could automatically block an IP address, without any human telling it to do so. For Soltra to work in a completely automated way, McAfee, Symantec, and all the other security vendors would have to start to speaking its language (STIX and TAXII).
U.S. Bank hasn't turned on this direct-action capability yet. "I don't think anyone has moved to do that — one computer says this is bad so another computer will fully react to that without a human," Witty said. "But that's where the next level of evolution is happening, once there's that concept of a highly trusted source paired up with a highly trustable indicator.
"That will be a dramatically different environment, because then it really would be seconds between the time that bank A gets hit with something and bank B is protected against it."
Sharing with Uncle Sam (and Vice Versa)
Bankers also have issues with the information-sharing process between the public and private sectors. Yet the Cybersecurity Information Sharing Act, which passed in December, should help.
One common complaint about cyberthreat data sharing is that banks share with the government more than the reverse.
However, Witty has seen government agencies increase the amount of information they provide to the private sector in the past few years. He noted that the Department of Homeland Security has adopted the STIX and TAXII protocols to use formats more suitable to sharing information with the private sector.
"There's the realization that the FBI needs to share more and quicker, and that's happening, so I think that's positive," he said. "The more it becomes a team sport, the easier it is on everyone."
When CISA came out, some people were concerned that the requirements to protect and redact personal data irrelevant to cybersecurity investigations were not strong enough, and that could lead to private information getting into the hands of the National Security Agency.
"Giving the government more information in any way, shape or form in an era where it's been revealed that they had access to excessive amounts of information will be controversial," Toohey said. "I understand why people were upset about it. I think the bill as written is meant to be privacy friendly. I think they struck the right balance there."
Carlson said banks don't share personally identifiable information in their cyberthreat reports through the FS-ISAC. "If we get it, we will strip it out," Carlson said. "We don't want to deal with PII. The CISA law is clear that if you're sharing with the government, you're not supposed to be sharing PII and if for some reason you accidentally did, they have a process within DHS where they will strip it out."
Editor at Large Penny Crosman welcomes feedback at email@example.com.