There was a moment here at the Pierre Hotel this morning when Jim Cramer asked U.S. Treasury Secretary Jack Lew whether China really deserved to be treated with the reverence shown by the Obama administration. “Are they really that strong?” Cramer asked. “Isn’t China something of a paper tiger?”
The question might have applied equally to Lew himself, because for much of his opening address at the Delivering Alpha conference, co-hosted by Institutional Investor and CNBC, he was at pains to stress the limits of the Obama administration’s ability to get things done. Here he was on inversion, the trend towards U.S. companies moving their operations abroad to take advantage of more hospitable taxation conditions: “We do not have the authority to address this inversion question. There are limits to what we can do without legislative action.” On hedge funds and the fear, much discussed but little understood, of more and more systemic financial risk being moved into the corners of the so-called “shadow banking” system, Lew said that “it is important to have voluntary standards for these institutions to observe” — but stopped short of suggesting those standards would ever be anything other than voluntary. And on the vulnerability of the financial system to technology-borne attack — the lead theme of his main address — he said cyber-security “should be the responsibility of all firms” and “it’s time for Congress to do more,” while giving little hint of what more is being done. Here he was, the thoughtful scholar-as-Treasury-Secretary, this Erasmus of Farragut North, and he had come bearing a message of firmly downbeat legislative expectations.
To be fair, the message wasn’t totally defeatist. Cyber-security is hardly an issue that excites the partisan passions in the same way that immigration reform, the Ex-Im Bank, the debt ceiling and sundry other wrangles do. There’s a bipartisan will to do something to bolster the financial system’s defences against cyber-attack; a bill on cyber information sharing, which will enable companies to share security threat information with the government, was recently approved by the Senate Intelligence Committee and is due to be debated on the floor of the House soon. But even though there is legislation in the pipeline to address cyber-security concerns, it’s not yet clear how effective it will be if passed. Most of the proposals put forward in Congress — there have been several to date — still place responsibility for cyber-security monitoring and prevention in the hands of individual companies; Lew acknowledged that banks, asset management firms and other large financial institutions will still, no matter what the result of legislation, “only be as strong as the defenses that third party providers,” chiefly the main telecommunication providers, “put in place,” and that any standards passed through legislation will be purely voluntary.
Large financial institutions are, of course, critical pieces of infrastructure whose operational security is a matter of significant public concern; hence the post-crisis regulatory process of designating certain big banks and insurance companies as “systemically important financial institutions.” But the critical problem, as Lew himself stated, is that in the arena of cyber-security, despite the widespread awareness that a technology attack on a large bank, say, could have a significant impact on the health of the financial system and even, potentially, national security, the incentives for institutions to cooperate with each other are slight. “Firms are reluctant to disclose cyber attacks” for reputational reasons, he said, while encouraging them to “do more to share information.” But beyond encouragement, what else, really, can government do?
The state of the technology used to monitor cyber-security threats is astonishingly archaic: Verizon’s in-house cyber risk group studied 65,000 discrete corporate security breaches, across different industries including finance, and found that on average, it was seven months between the point of breach and the victim finding out about the attack.
The financial industry is not getting any better at detecting cyber-security breaches; most of the technology to detect and repel attacks is modeled on the signature and pattern recognition tools used in anti-virus consumer software products developed in the 1990s. There is, in the view of industry analysts, a major innovation gap at play in the financial industry’s approach to cyber-security; telecommunications providers like Verizon, which provide cyber-security services to large banks, are working to develop more comprehensive strategies for threat monitoring and detection — combining both strategic pattern recognition technologies and short-term tactical data gathering efforts to get a better view of rogue IP addresses and domain names. But a lot of the strength of third-party security systems depends on the quality of information being fed to them by individual institutions. Without cross-industry cooperation, cyber-security efforts are likely to go nowhere.
Collective action to devise security standards has worked in other industries; the major credit card companies, for instance, came together in the early 2000s to formulate the Payment Card Industry standards on cardholder data, and the insurance industry has also developed universal standards on various points of common interest. But cooperation among the big beasts of Wall Street is notoriously difficult to achieve; the banks rarely, if ever, see a common interest. Lew’s address gave the sense that on cyber-security, the financial industry will not continue to be anything other than what it already is: a collection of self-interested agents unwilling to reveal any signs of vulnerability to each other, and over which government and the regulatory agencies, on complex cross-institutional issues, can exert only the lightest exhortatory touch.