Wall Street quietly testing cyber defenses under Treasury guidance


As global tensions rise over Ukraine, the fierce competitiveness of the US financial sector is giving way to a partnership built on the belief that a cyberattack against even a group of minor banks or a third-party service provider could imperil everyone in a highly connected system.

Some of the nation’s largest banks are now working with the Treasury Department, role-playing and sharing information they would have kept close in the past.

“You’re only as good as your weakest link,” said Ron O’Hanley, chief executive of State Street Corp., one of America’s largest fund managers and custodian banks. “Networks are made not only by what you do, but also by the suppliers you rely on, the counterparties you deal with, even the regulators you deal with,” he said in an interview.

As part of a broader move to strengthen defenses, Treasury officials late last month brought together executives from several major banks and practiced how they would contact one another and work together in a range of cyberattack scenarios.

This simulation exercise, which has not previously been reported, included JPMorgan Chase & Co., Bank of America Corp. and Morgan Stanley. It went through five hypothetical threat levels, ranging from minor assaults to a full-scale attack on several critical banks and payment systems.

“You can invest in defenses, but that aspect of repeated practice and continuous improvement is the key to responding to the next threat,” said JF Legault, global head of cybersecurity at JPMorgan Chase during a telephone interview.

Treasury officials also moved to declassify more information to put it in front of financial executives and to extend security clearance to more employees at major banks.

Russia’s invasion of Ukraine and subsequent sanctions against Moscow have upset a fragile balance of financial security. Governments adept at cyber warfare, such as China and Russia, were once seen as players in the global market for dollar assets, which in effect prompted them to ignore financial infrastructure.

“What was different with Russia-Ukraine is that the potential threats were not only obvious, but you had a player that was known to be the best in the world in terms of cyber threats,” State Street’s O’Hanley said. “We take all cyber threats seriously, but you start to think about it differently when it comes to a nation state and, especially in the context of armed conflict.”

The Treasury was also aware that the threat landscape was changing at the end of last year. As they planned the sanctions to be triggered in the event of an invasion of Ukraine, officials concluded that preparations for cyberattacks needed to be stepped up.

“Once we knew where we were going to land with some of the first sanctions plans by the end of 2021 and how severe they were going to be, we knew we had to update our incident response manuals and work with the sector to increase information sharing,” Todd Conklin, adviser to the second Treasury official, Assistant Secretary Wally Adeyemo, said in an interview.

This is part of a steady expansion of a public-private partnership around responding to cyberattacks.

The Cybersecurity and Infrastructure Security Agency, CISA, part of the Department of Homeland Security, was founded in 2018 as the lead agency for cyber protection. Nonetheless, Adeyemo said Treasury Secretary Janet Yellen told him on his first day to make cybersecurity a priority.

Adeyemo was inspired by past financial crises, which clearly showed how the interconnectedness of banks makes them vulnerable.

“Telling them ‘shield’ without providing additional support and information sharing isn’t that helpful,” Conklin said. “It’s about making sure that if something happens, we have a plan in place for a collective response.”

When a point in the financial system is attacked, information about the event should be sent through the network of companies, regulators and intelligence agencies as quickly as possible, officials said. Instead of hoarding information for competitive advantage and stifling any unfortunate development, companies need to think cooperatively and share information.

“It’s about sharing information as soon as possible to ensure that if there is an attack somewhere, you protect the rest of the system,” Adeyemo said.

The biggest banks have known this for a few years, but are now going further than in the past.

In 2016, the eight largest players, led by JPMorgan and Bank of America, formed the Analysis and Resilience Center for Systemic Risk (ARC), aiming to intensify collaboration in monitoring and protecting critical systems exposed to the Internet, with an emphasis on early-warning capabilities. It has since grown to include exchanges and clearinghouses as well as several major energy companies.

The group set up its headquarters just outside of Washington because bank executives wanted ARC to work closely with the government, according to Scott DePasquale, ARC president and CEO. A Treasury official co-chairs the group’s risk committee.

There is also a broader ARC counterpart, the Financial Services Information Sharing and Analysis Center, whose members include a wide range of companies from banks and insurers to fintechs, from more than 70 countries.

Concerns remain, particularly regarding third-party service providers.

In the 2020 SolarWinds attack, according to US officials, compromised software was used by Russian hackers to gain access to nearly 18,000 computer systems at more than 100 companies and nine federal government agencies, including the Treasury, Homeland Security and the State Department.

But targets don’t need to be so high profile to cause damage. In 2021, Kaseya, an American company that provides IT management and security software services, with a customer base that includes many small banks, found itself the target of a ransomware attack.

The issue, later blamed on Russia-based group REvil, was resolved within days and without a ransom payment. But it has forced officials to think about what would happen if thousands of small banks across the country were crippled, and to wonder how big an attack had to be before it caused a bigger run on bank deposits and a broader liquidity crisis in the financial system.

“One of the reasons this community is ahead of the rest is that it is constantly probed by cybercriminals,” said James Andrew Lewis, director of the strategic technologies program at the Center for Strategic and International Studies in Washington.

“The top 20 banks – I’m pretty sure they’re a really tough target,” he added. “If you had to choose the bottom 20 financial institutions and even some of the plumbing service providers, I don’t know if I would be so confident.”

There are also concerns about the government itself. The Treasury and other agencies are not just regulatory supervisors. The Treasury issues US government debt and the Fed is a provider of interbank payments, and their systems are subject to attack.

After SolarWinds, the Treasury began to strengthen its own defenses. It has since invested significantly to modernize its IT, advance encryption technology and rebuild its entire messaging system, officials said. Russia’s preparation to invade Ukraine kicked the project into high gear, turning a three-year schedule into a six-month sprint.

For the coming fiscal year, the Treasury has requested a $135 million increase for department-wide investments in cybersecurity.

Staff fatigue has become a challenge. Like other employers, the Treasury has struggled somewhat to find and hire as many qualified IT professionals as it would like, and the pressure is only growing.

So far, Russia has not responded to the sanctions with a concerted attack on the United States, choosing instead to focus on businesses and government operations in Ukraine.

Adeyemo warns that the risks are always present.

“There are, every day, actors of all kinds trying to penetrate or try to take advantage of our financial system, or the regulatory system,” he said. “Regardless of what happened yesterday, we have to be just as vigilant as we were the day before.”

Reporting by Christopher Condon and Craig Torres for Bloomberg News.

Copyright 2022 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

