
Fed-Cybercriminals’ Double Play Fuels Financial Services Cyber Security

In America’s economic-centric society, few threats draw greater fear than disruptive cyberattacks against the U.S. financial services sector. Cybercrime is increasingly viewed as a systemic risk, posing dangers of major financial and reputational damage coupled with the threat of widespread loss of consumer confidence.


Treasury Secretary Jack Lew agrees. In a July 17th address he framed the industry’s vulnerability this way: “Cyberattacks possess the power to cause catastrophic damage to the U.S. financial system.”

Greg Medcraft, chairman of the global financial industry association International Organization of Securities Commissions (Iosco), takes Secretary Lew’s observation to another level. Medcraft places the issue in global perspective, predicting that the next big financial shock – or “black swan event” – will come from cyberspace.

Acknowledging this problem, U.S. Securities and Exchange Commission chairman Mary Jo White has classified cyber threats to the financial sector as being of “extraordinary and long-term seriousness” and announced plans for additional industry cyber resilience examinations.

White also gave a glimpse of the daunting task ahead for the industry, calling for the public and private sectors to be riveted, in lockstep, in addressing these threats.

In lockstep indeed. Getting such disparate institutions together on the same team is no small order given the atmosphere of mistrust that exists between government and the financial services sector.

Legislation compelling such cooperation provides one approach. Congress has worked on legislation that will protect industry from government intrusion, with the objective of improving the sharing and transparency of cyberattack data.

Some industry observers, however, are pessimistic about the chances for a timely congressional fix, predicting legislation will not reach the president’s desk until a “major catastrophe” occurs.

So is a “lockstep” solution such as advanced by Chairwoman White a flight of fancy?


As if by divine providence, into this arena of battle strides a trim, confident figure in a crisp white dress uniform, brimming with youthful vigor and a determined air dedicated to a singular mission: safeguarding U.S. critical infrastructures from the risks of cyberattacks.

Navy Admiral Michael Rogers is the recently christened commander of the U.S. Army Cyber Command (USCYBERCOM) and director of the National Security Agency. Rogers holds the belief that cybersecurity is a “team sport” requiring true partnerships between the leaders of the defense and private sectors. The leaders are essential, he states without qualification, to drive the cultural changes that will allow such partnerships to thrive.

“There’s no one single group or entity that has all the answers, nor is there one single group or entity capable of executing the solutions that we need to do,” Rogers said during a recent presentation at the U.S. Chamber of Commerce.

In defining cybersecurity as the “ultimate team sport” involving not only USCYBERCOM but other government agencies such as DHS and the FBI as well as the private sector, Rogers may have given himself a job responsibility that is beyond reach.

Rogers acknowledges the private sector has real and legitimate concerns about the legal liabilities of partnering with the government. “We must remove or diminish those concerns, because we have got to get to, I believe, real-time automated machine-to-machine exchange of information.”

Mission Impossible, most would declare. But in spite of the obstacles, Rogers may have a fighting chance. In addition to his clear sense of mission and unfailing determination, he is the beneficiary of two unwitting teammates who may help advance his cause.

The first comes as a gift from cybercriminals in the form of accelerating levels of cyber breaches in all sectors of the economy. Buttressing these fears is a just-released Pew Research cybersecurity study which concludes that a major cyberattack causing widespread harm to the nation’s security and its ability to defend itself is in the offing within the next ten years.

In other words, the environment for U.S. cyberattacks and the attendant business risks which accompany them is going to darken as this decade continues unless changes are made.

The second gift comes compliments of the bureaucrats in Washington. Long leashed – and lashed – by overlapping, conflicting, and ever-changing cybersecurity rules, regulations, and penalties at both the national and state levels, the financial services industry has said enough is enough.

With memory of the JPMorgan cyber breach still fresh and its members eager for improved cybersecurity measures which also meet federal standards, the industry group Securities Industry and Financial Markets Association has called for an inter-agency government-led effort to help the industry achieve defined and measurable minimum cybersecurity standards.

In other words, government-industry cybersecurity collaboration.

Whether Adm. Michael Rogers can capitalize on these opportunities to pull together the teamwork necessary to shore up America’s cybersecurity is a game just begun.

But for certain, fans depending on the integrity and security of America’s financial services industry will be in the stands, rooting for coach Rogers to put the winning points on the board before the cybercriminal-run game clock runs out.
