By Martin Arnold for Financial Times
Most of the recent cyber attacks on the financial system could have been avoided relatively easily if the private sector and government institutions had taken basic security precautions, a senior US Treasury official has claimed.
Sarah Bloom Raskin, deputy Treasury secretary and a former Federal Reserve governor, said while the financial services industry was ahead of most other sectors in addressing the challenge of cyber security, it still had a long way to go to contain such a rapidly evolving threat.
“There are well-documented best practices out there that can be adopted,” said Ms Raskin, who has responsibility for cyber security. “There are low-hanging fruit. This isn’t extraordinarily challenging for a financial institution, or a government agency, that has financial data, to limit damage.”
Cyber security has shot to the top of the boardroom agenda for banks, particularly after one of the biggest bank robberies in history was carried out by cyber thieves on the Bangladesh central bank via the Swift payments system in February. The crooks made off with $81m that was on deposit at the US Federal Reserve.
JPMorgan Chase, the biggest American bank by assets, was the target of one of the highest-profile attacks against business two years ago when the personal details of 76m households — equivalent to almost two-thirds of the US — were compromised.
Speaking to the Financial Times in London on her way to a meeting of the G7 working group on cyber security in Berlin, Ms Raskin said: “There is a lot of confusion and the magnitude of the challenge is enormous. There have been a lot of attacks and there is a lot of complexity to those attacks. We have far to go here. That is why we developed the G7 fundamental elements.”
Ms Raskin said the G7 meeting would examine three new areas:
● How to test and assess the cyber defences of the financial system;
● How to improve “cyber hygiene” at third party service providers to financial institutions;
● And how the interconnectedness of finance might expose it to attacks on other sectors, such as telecoms and energy.
Ms Raskin said the US had seen attacks on electricity producers designed to hit the financial system. “We’ve seen attacks focused on power grids internationally,” she said. “If a power grid is taken out, that has an impact on the ability to clear payments.”
She listed three practical steps that would fix the vulnerabilities that have emerged as a “common thread” in many recent cyber attacks.
● First, she said companies should be quicker at implementing IT patches to fix system vulnerabilities.
● Second, she called for more widespread use of two-step verification and multi-factor authentication, saying “systems should not be so easy to log into”.
● Finally, she said companies should review and slim down their list of “privileged users” who can access systems without the usual authentication process.
Describing a vastly improved level of co-ordination between US financial institutions, their regulators and law-enforcement agencies, Ms Raskin said: “I believe the financial sector is ahead of other sectors. Why is that? Because that is where the money is. So they are on the front edges of dealing with the challenges.”
Ms Raskin said that ultimately the US government hoped to achieve an international agreement for governments to help each other pursue and shut down cyber criminals.
People simply don’t know what to do in this area. There have been a lot of attacks and there is a lot of complexity to those attacks. We have far to go here
While some companies have called for governments to do more to shut down attackers at source, Ms Raskin said there was still plenty to be done to improve the industry’s defences. “We think the defensiveness is absolutely critical. The attacks that we have analysed to date have almost universally been preventable.
“You want the cost of doing these attacks to be ramped up so that the balance between cost and benefit isn’t so skewed. They can be very cheap to launch and very costly to defend. As we begin to defend more and more of them, fewer become successful, and as fewer become successful, the cost-benefit calculation changes.”
First appeared at FT