The Treasury Department is leading an effort to extract lessons from last month's "Slammer worm" infestation, which temporarily hobbled Bank of America Corp.'s automated teller machine network and First Data Corp.'s processing system.
On Tuesday the Treasury's Financial and Banking Information Infrastructure Committee, which was created by executive order after the 9/11 terror strikes to address the vulnerabilities of the nation's financial system, met with other regulators and members of the private sector behind closed doors for a post-mortem of the Slammer worm, which infected computer servers worldwide, largely on Jan. 25, a Saturday.
Tuesday's roundtable discussion focused on "how information got passed around to the government and then from the government back to the private sector" during the Slammer worm attack, said Michael A. Dawson, deputy assistant secretary of the Office of Critical Infrastructure Protection, which oversees the infrastructure committee. He said the panel may or may not release its findings.
As of Thursday, Treasury had no comment on the outcome of the roundtable discussion.
Neither Bank of America nor First Data agreed to talk with American Banker about what they learned from the Slammer attack, which was triggered through the Microsoft Corp. operating system SQL Server 2000. But Mr. Dawson of the Treasury said the financial and technology companies working with his agency could "put aside competitive impulses to share information about a common threat."
The Slammer worm seems to have exposed the vulnerabilities of even the largest and most well-heeled financial companies. And as security breaches ranging from single cases of identity theft to wide-reaching hacking violations proliferate, there is pressure on banks and others to find an industrywide solution or, at the very least, protect their own hides.
Security experts agreed that it would take some kind of organizational force to unite the disparate regulatory bodies in the event of a widespread threat like the Slammer worm, and to act as a single buffer between those agencies and the private sector. They also expressed ambivalence about the ultimate authority of the Banking Information Infrastructure Committee - which acts as a sort of extension of the Homeland Security office - within the fiefdom of regulators.
Mr. Dawson said his office will coordinate with other regulators, the private sector, and Congress. "This is a collective enterprise," he said.
One of the infrastructure committee's objectives is to implement within the government an effective communications system whereby key regulators and policy leaders are alerted and can talk with one another during a crisis. It wants to ensure protocols are in place for disseminating information among the regulatory agencies, Mr. Dawson said.
One area he expects to focus on, he said, is "the financial sector's dependence on the telecom sector to do business." Though he would not elaborate, the infrastructure committee's Web site (www.fbiic.gov/policies/TSP_policy.htm) discusses its development of policies that would clarify how priority would be given to certain institutions for restoration of telecommunications access in case of disaster. After 9/11, such preferential-type policies should prick up the ears of management at any financial services company, sources said.
Meanwhile, technology companies are touting ways the private sector can defend itself in case of cyberattack. And though banks have let go of pet initiatives like Web authentication and smart cards as part of the general IT pullback, they are paying more attention to network security software.
Jordan Klein, an analyst at UBS Warburg in New York, said network or "perimeter" security - virtual private networks, firewalls, antivirus protection, and intrusion detection programs - is the fastest-growing segment of the security market. Other types of initiatives, such as authentication tokens and encryption devices, are getting shorter shrift from management these days, he said - probably because they are tied to larger Web-infrastructure projects that were put on hold in the spending freeze.
"Post-9/11, senior management became much more aware of the risks associated with not having up-to-date technology to protect your network," Mr. Klein said. "I wouldn't say it drove a rash of new buying, but it made the sales process easier than before."
Before the attacks on the World Trade Center and the Pentagon, companies had to be shown why they needed network security. "You don't have to prove that anymore," Mr. Klein said.
According to UBS Warburg, security spending will command around 10% of total IT spending this year, more than double the estimate from five years ago. In 2002 the security market was $7 billion to $8 billion, Mr. Klein said. By 2006 it should exceed $13 billion.
Two vendors seeking their share of the spending are Silicon Defense, a private company in Eureka, Calif., started five years ago as a research unit of the Pentagon's Defense Advanced Research Projects Agency; and Internet Security Systems Inc., a Nasdaq-listed company based in Atlanta. Unlike in other areas of IT, there is a real difference among network security vendors. In this case, Silicon Defense and Internet Security Systems, both of which have new products on the market, offer different solutions - not to mention different advice.
Stuart Staniford, the chief executive officer of Silicon Defense, said its CounterMalice software, introduced Monday, "assumes the worm gets in one way or another and prevents it from spreading on internal networks." CounterMalice, which costs $25,000 per device, parses a network into units and stops worms from moving from one to the next.
Worms - which, unlike viruses, reproduce automatically rather than through attachments or other user-initiated devices - "spread rapidly over the Internet, and then find various ways to tunnel past firewalls and spread inside the network," Mr. Staniford said.
As more members of the financial industry migrate their operations to the Internet to achieve the desirable end of channel integration, their networks become more exposed, he said. For example, the Bank of America/Slammer incident would seem to show the dangers of relying on the Internet, at least in part, to run an ATM network.
Mr. Staniford said financial companies should consider using private networks that are well afield of the Internet for core portions of their infrastructure. "The full dimensions of the risk" associated with the migration to the Internet "have not become clear yet," he said. "We haven't seen a worm designed specifically to cause serious harm to corporate America and, in particular, the financial industry. But the risk is increasing, particularly as we go to war."
Dan Ingevaldson, who heads the research and development group of Internet Security Systems, agreed that the worst-case scenario would be a worm attack that took advantage of some unknown network vulnerability. The Slammer worm, on the contrary, exploited a known vulnerability in Microsoft SQL servers.
Though a particularly insidious worm could go so far as to wipe out entire hard drives, the major danger is that worms generate so much traffic that entire networks simply crash. Financial companies are jeopardized as they risk "being taken offline," he said.
But Mr. Ingevaldson said he does not think resisting Internet-based operations is "feasible, realistic, or cost-effective." Network integration - the trend toward acquiring Internet protocols for telephone, e-mail servers, and other operations - still makes a great deal of sense, he said. "You have to connect the data somehow."
Last month his company came out with RealSecure SiteProtector, which Mr. Ingevaldson pitched as sophisticated and pragmatic. The product basically buys companies time in case of attack to implement patches (which affected institutions scrambled to do after Slammer). The company's platform partly works by installing frequent updates (to keep up with hackers) much like antivirus software.
"Patching remains the foremost problem in computer security right now," Mr. Ingevaldson said. "A lot of major companies are unable to patch - it's a big deal to have to patch 3,000 servers in two hours, because there's an emergency. Our strategy is aimed at that problem."