WASHINGTON — The financial services sector has been sharing information on cyber threats despite potential legal ramifications, but passage of a cybersecurity bill still winding its way through Congress may put those handshake deals into writing and bolster cyber-defenses.
"We have been engaged in extensive information sharing, both public-private and private-private, but it's been a system at risk," said Charles Blauner, managing director and global head of information security at Citigroup, during an event sponsored by the Security Information Network here this week. "We are lucky in that it hasn't been tested in any really meaningful way … there haven't been any significant lawsuits or civil actions that have taken place based on information sharing up until now."
Last month the Senate passed the Cybersecurity Information Sharing Act, which would make it easier for different entities to share information. It follows a similar bill that was passed by the House last spring. The two chambers still need to reconcile their versions into a final bill before it becomes law.
Blauner said an information-sharing bill is a "step in the right direction" and that he hopes it will empower people to share more.
He also highlighted that the industry has already been moving in that direction. After the NASDAQ discovered it had a breach four years ago, it took months before useful indicators of cybercrime were shared. But following the JPMorgan Chase hack earlier this year, threat indicators were shared within days.
Blauner said while the initial instinct is to investigate and find the perpetrators, the industry has come to realize that the damage has already been done and "not sharing some of the threat indicators more broadly means there would be more victims."
Hackers also have had a leg up in that they regularly share information, Blauner said, adding that they "parse out some of the functions that go into conducting significant cyber operations."
Ronald Green, chief information security officer at MasterCard, speaking at the same event on Tuesday, said that many of the cyber-attacks are being conducted by a "finite group."
He said his group collected data this year from "every major breach where you see credit card numbers impacted" and did an analysis that found multiple agencies were often chasing the same people.
"What we could also see is that one agency is working the case in their own little cluster on one particular victim and another agency was working another case and that is on the same group and they didn't have the visibility that we have," Green said.
Green said that while his group couldn't share that information among the agencies, he was able to bring everyone together, explain to them what they were seeing, and have them agree to share the information they had with each other.
"It actually worked pretty well," he said.