The nation's biggest banks have a message for the government on efforts to bolster cybersecurity protections: We're already facing plenty of standards.
Owners of financial networks already are subject to a series of laws and regulations that govern their efforts to safeguard their networks against unauthorized intrusions, the Financial Services Sector Coordinating Council said in comments filed Tuesday with the National Institute of Standards and Technology.
Efforts by NIST to fortify the nation's cyber defenses should augment current efforts by the financial industry, according to JPMorgan Chase (JPM), Bank of America (BAC), Citigroup (C), Wells Fargo (WFC), Fannie Mae, MasterCard (MA), PayPal, Visa (V) and roughly 45 other companies, exchanges, coordinating groups and trade associations that signed on to the council's comments.
The council was among dozens of commenters who weighed in by Tuesday's deadline from NIST for input on digital security risks and practices for addressing them. Commenters included companies that serve the financial industry's information technology needs, including PricewaterhouseCoopers, Microsoft (MSFT), Verizon (VZ), Cisco (CSCO) and Mandiant, a digital security firm.
An order issued by President Obama in February gives the government eight months to delineate a preliminary framework that addresses risks to the nation's energy grid, financial networks and other critical infrastructure. Congress also is expected to take up legislation that aims to bolster the nation's cyber defenses.
The effort follows a series of cyberattacks since September that have slowed online sites and inconvenienced customers of at least 13 financial institutions, some of which have been struck repeatedly. JPMorgan, Bank of America, Citigroup and Wells Fargo all have weathered the onslaughts.
In February, Mandiant reported that hackers backed by the Chinese military have stolen business secrets from hundreds of companies in the U.S. and abroad.
In a letter to the NIST, Charles Blauner, the council's chairman, said the financial industry, "working in close cooperation with federal banking, law enforcement and other agencies, has a long history of facing cyber threats and, in response, has developed strong data security controls, protocols, procedures and business standards."
"Accordingly, FSSCC urges NIST to heed the significant work that U.S. financial services institutions and their regulatory agencies have done to ensure that its cybersecurity framework does not impede the on-going, well-functioning public and private sector partnerships that the financial services industry has developed," Blauner added.
The comments themselves address a series of 33 questions by NIST that cover current risk management practices, standards and guidelines, and specific industry practices. The institute asked companies to detail what they see as challenges in improving digital security practices, how commenters define cybersecurity risk, and the extent to which firms incorporate such risks into companywide management.
The council said its members maintain a series of controls, techniques and practices for managing cybersecurity across their institutions. Though approaches vary, most members situate the functions that manage cyber risks in information security, technology or operations departments, with differing reporting lines to members' chief executives or boards of directors.
Standards that govern cybersecurity come from the Federal Financial Institutions Examination Council, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act, as well as a patchwork of federal and state laws, regulations and domestic and international standards that govern activities ranging from securing data to responding to disasters.
As for interdependencies, the communications and energy industries are "uniquely critical" to financial firms' ability to function, according to the council. And outages in those sectors' systems "can create a cascading outage effect to other critical infrastructure sectors," the council wrote.
Whatever framework NIST proposes should adapt to the rapidly evolving nature of cyber threats, which "may shift faster than the assessment, policy, standards and remediation can adapt," according to the commenters.
The council said a successfully designed framework would "harmonize existing standards," and that mapping those standards to specific risks and threats would help as well. "However, no approach will be useful unless it has developed clear and actionable frameworks, standards and guidelines," the council added.
Boosting awareness of consumers and financial firm employees about the need to secure confidential information also matters, according to the group. "Without this knowledge, individuals may unknowingly be aiding in a cyberattack," the group said.
The group added that some network security services may be more efficient if implemented by Internet providers that serve multiple institutions rather than by individual companies.
PricewaterhouseCoopers echoed some of the banks' points. The financial services, healthcare and utilities industries might be concerned with "the threat of having multiple, overlapping regulatory requirements," PwC wrote in comments filed Monday. "We observed in the financial industry in particular that a sector-specific approach would probably allow for the consideration of the nuances of each sector's legal and regulatory requirements."
The accounting and consulting firm also noted the industry's dependence on telecommunications and energy infrastructure. "For example, if the New York Stock Exchange had telecommunication issues, no trades could be executed outside of the market itself, which could bring down the entire financial industry and cause significant financial impact around the world," PwC said.
PwC called for legislation that creates tax breaks for investments in cybersecurity and limits antitrust liability for firms that share information about breaches. "Financial incentives will lead to a greater chance for [executive-level] attention and more widespread adoption," PwC said.
The firm also said the market may "place a premium" on doing business with financial firms that consumers perceive as being able to safeguard their accounts.
Verizon also called on the government to consider industry practices that may be in place. "These standards and practices reflect a significant investment in time and resources by the private sector to not only develop them, but implement them, where appropriate. NIST should leverage these efforts for its framework," the company wrote in comments filed Monday.
The communications company also said the framework should be flexible because owners of critical infrastructure need to be able to take "whatever measures may be necessary" to deter particular cyber threats. Evolving technologies and "new tactics deployed by the cyber criminals all have significant ramifications for industry countermeasures," Verizon wrote.
Cisco also says the framework needs to be flexible. "The greatest challenges in developing a cross-sector framework will be finding something that works and maintains flexibility, agility, and innovation across different types of infrastructure, architectures, and business models - while at the same time recognizing and respecting the significant differences between and within the different sectors," the networking company wrote in comments filed Friday.
For its part, Microsoft is recommending that NIST convene a working group of representatives from the Departments of Homeland Security and Defense, and the banking and finance, defense, IT and communications industries, that would focus "on how to advance development of detection and containment" with respect to critical systems. "The persistence and evolving skill sets of determined attackers, combined with sophisticated threat vectors, greatly complicate detection," Microsoft wrote in comments filed Sunday.
Microsoft suggests six principles the company says should serve as the basis for the framework: that the framework be risk-based, that it focus on outcomes, that it prioritize threats, that it be capable of adoption by the largest possible group of owners of critical infrastructure, that it respect privacy and civil liberties and that it integrate international standards.
Comments from Mandiant recommend that, above all, the framework promote the sharing of information about cyber threats. The firm notes that two-thirds of the breaches it responds to are detected by outside parties, not by the companies targeted. "That means that a majority of the companies we assist had no idea they had been compromised until law enforcement or a business partner notified them."
The firm also says the framework should support companies that feed lessons learned from cyber threats back into their processes for detecting others. "Any framework that is going to be useful against persistent adversaries needs to reflect the idea of incident response as a consistent process rather than an isolated one, and any new frameworks developed should reflect this characteristic of successful organizations," Mandiant wrote.