Amit Yoran, the cybersecurity czar at the U.S. Department of Homeland Security, gives financial companies credit where it’s due: “The financial services sector has invested significantly in computer security infrastructure and has greater protections” than other industries, he declares.But that’s not enough. According to Yoran, the financial industry remains at “significant risk,” and its state of preparedness relative to other sectors only points up how far corporate America as a whole has to go to protect itself.
Yoran’s greatest financial-related concern is for transaction systems. Though money and securities are increasingly digital and, thanks to data encryption techniques, difficult to hack, the infrastructure over which they flow -- massive computer arrays and telecommunications networks -- remains vulnerable to physical as well as cyberspace attacks.
“To look in our systems and say we’re safe or not is flawed logic,” asserts Yoran. “Security is a process, not a snapshot.”
For banks, the process began in the late 1990s, after the Clinton administration officially designated financial services a critical infrastructure for national security. Financial companies shored up their defenses against emerging technological threats like computer viruses and cyber-terrorism. Trade groups organized committees that set standards for business continuity planning, disseminated warnings on network vulnerabilities and forged liaisons with government agencies to keep abreast of policy changes. The industry’s flawless Y2K computer upgrade and its ability to withstand the September 11, 2001, terrorist attacks -- albeit with a raft of “lessons learned” toward doing better next time -- were evidence of a resiliency that had been all too lacking in other key sectors (witness the August 14 power blackout in the northeastern U.S.).
The financial industry’s approach has historical roots, explains Rhonda MacLean, director of corporate information security at Bank of America Corp. and chairman of the Financial Services Sector Coordinating Council, a consultative body for both the public and private sectors formed in June 2002. Security and risk management have been integral to banking “since the days of Jesse James,” says MacLean. “In many cases, other sectors are retrofitting, and that always takes longer and means the amount of investment is far greater.”
Yoran, a former executive of Internet security company Symantec Corp. who became director of the DHS National Cyber Security Division in September, wants other industries to pick up the pace through groups similar to MacLean’s FSSCC. His frustration was evident in a speech he gave at the National Cyber Security Summit in Santa Clara, California, in December. In what he terms “a very strong call to action,” Yoran threatened technology executives with legislation if they didn’t step up their cybersecurity efforts.
Not that the U.S. government itself is beyond reproach. In a December report the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census gave the government an overall grade of D on cybersecurity. Eight of 24 agencies studied received failing grades -- among them the year-old Department of Homeland Security. Yoran’s two predecessors -- former National Security Council counterterrorism chief Richard Clarke and Howard Schmidt, a onetime Microsoft Corp. executive who is now EBay’s chief information security officer -- resigned, but not because of security concerns. (The job’s status, which had once been at the White House level, had fallen several notches.)
“We need to be very honest with ourselves that [the government’s] current performance is that poor,” admits Yoran. Then again, it’s not in his nature to declare any technology totally secure. “The biggest vulnerability is an approach that doesn’t treat cybersecurity as a process,” he says.
That’s a message Yoran hopes the financial services industry will help spread.
