BankThink

Time to Strengthen Our Collective Cyber Defenses

Right now, cyber-attackers in far-flung countries and here at home are scheming to steal money and data. They desire to wreak havoc on our nation's banks, power plants, hospitals and retail stores. Recent data breaches at retailers are a grave reminder that a cyber attack on one company can have ripple effects across the economy. We must collectively combat these threats, and the time to act is now. 

Although cyber threats target virtually every sector of our economy, financial institutions have experienced attacks for years – and they will certainly be targets for future attacks. Investing in cyber defenses and otherwise preparing for attacks has been a top priority for the financial services industry and, thankfully, no attack on a financial services company has caused major harm to the nation's financial system or a large number of customers.

In conceivable attack scenarios, however, financial markets and systems could be impaired. Electronic data could be destroyed; purchases for basic items like groceries or fuel could be interrupted. Online shopping and payment processing could become unavailable and more. The consequences to commerce, markets, consumers and investors would be hard to overstate.

Strengthening our collective cyber defenses requires a coordinated partnership which spans all levels of government and private industry, investments in technology, the passage of legislation that encourages better sharing of threat information and enhanced criminal penalties. 

Financial services companies already share threat information to a point. However, we are battling enemies that constantly evolve their techniques in an effort to stay one step ahead. Whether the attacker is a 17-year-old hacker in Russia selling malware to steal credit and debit card information, an organized crime ring or a state-sponsored threat from a hostile nation, companies need the ability to share information more efficiently, deeply and legally. The industry also needs key government partners to more effectively prepare for – if not thwart – attacks. Just as attackers often share techniques, entities under attack need to be able to share information and cooperate to protect our economy and customer privacy.

So why doesn't robust information sharing already occur? It is partly because companies can be held liable if they share threat information and the threat doesn't materialize or other problems with the shared information arise. This discourages companies from helping each other avoid attack. Federal legislation is needed to enhance cyber-threat information sharing so that good-faith responsive actions and information sharing will not trigger legal liability. 

Importantly, the legislation must also take great care to protect individual's private information. Congress should allow the appropriate declassification of certain intelligence and expedite the issuance of security clearances to appropriate individuals in the private sector who need to be in close communication with cyber counterparts in the government. The House has already passed a bill that would encourage information sharing and we hope the Senate will do the same.

Lastly, did you know that in the physical world, bank robbers face up to ten years in prison and a fine for stealing $1,000, but cyber-bank crime law does not apply until more than $5,000 has been stolen? We need to update our criminal laws so cyber-attackers are just as accountable as bank robbers. 

Recent attacks on retailers are just the latest warning sign that cyber-threats are growing. We must ensure defenses are strong and laws are in place to enable the private sector to protect its consumers and the integrity of the economy. The longer we wait to address cyber threats more aggressively, the more challenging the threats become. The time to act is now. 

Tim Pawlenty is the CEO of the Financial Services Roundtable. He is a former two-term Minnesota Governor and was a candidate for President.

For reprint and licensing requests for this article, click here.
Bank technology Law and regulation
MORE FROM AMERICAN BANKER