We're not doing this cyber thing right (starting with the fact that we keep calling it "cyber"). Our threats are changing quickly, and what was once the exclusive domain of organized crime and competitive intelligence is now closer to acts of war by nation-states, threatening our economy and infrastructure. The recent NotPetya attack attempted to create the perception that it was just another ransomware run at extorting businesses – but based on target selection and damage done, it’s now clear that the attack was designed to disrupt and destroy. Cisco is warning that our future will include more of the same.
The Department of Homeland Security has made progress in defining the infrastructure that is critical to our country’s quality of life and continuity of economic activity. The focus has necessarily been on private-sector businesses; however, efforts have been directed at the largest businesses doing the most critical things. In other words, policy has not been applied consistently across the board, but in a prioritized way.
The finance sector has remained largely untouched by direct DHS intervention (as opposed to chemical manufacturing, for example), and there are two reasons for that. First, the finance sector took it upon itself to create an information sharing and analysis center (ISAC) that set the standard for all others. The FS-ISAC (wisely) engaged the federal government and did a deal: we’ll share information IF and ONLY IF the disclosures made under the umbrella of the ISAC do not result in a regulatory action. In other words, members share information that may indicate that regulatory requirements were not met, and that information may conflict with results from examinations of technical controls. In the FS-ISAC, that’s a tree falling in the forest, and that has made the sector better able to pivot on new threats.
The second reason is well-known to the financial sector: the number of audits, examinations, and assessments is a never-ending train of requests for documented controls. Along with shareholder pressure (for publicly-traded institutions) and customer expectations, banks have multiple sets of similar requirements that are routinely audited by third parties. The financial sector has all the drivers in the world – along with an information-sharing mechanism that allows the community to learn from its unfortunate peers.
On the face of it, this makes the sector look like the model for effectiveness, and it’s reasonably effective at handling organized crime and fraud. But nation-states are a different matter. Because the trend lines are shifting from criminal activity to asymmetric warfare, the sector is now a #1 target. Banks can’t function without public trust, and disrupting that trust – not theft of funds – is the objective of the adversary.
So where to from here? Why, more regulation of course! Banks are being advised to focus more on cyber risk, and states are creating their own requirements and starting to regulate independently; the problem for banks (and the finance sector more generally) is about to become much more complex. Exacerbating the complexity, here comes the SEC: vendors are in scope, and controls must be routinely tested.
Many are looking at the finance sector as the model for doing it right – good intra-sector information sharing, abundant requirements, and third parties involved in keeping everyone truthful and accurate. But is that the answer for business generally? I’m a fan of market forces to achieve outcomes, and a believer in natural selection as a mitigating influence: if you don’t protect customer records or continuity of operations, you go out of business. Up to now that’s been OK, but when our adversary is a nation-state, business risk management becomes irrelevant. How much should a business spend to lower the likelihood of being collateral damage in an attack against the American economy at the hands of a North Korea? How many of those businesses can fail before the macro economy is impacted in a way that gets people into the streets?
Realistically, it’s not possible to regulate every business like the financial sector, and hopefully the sector is pushing back against so many similar control examinations. But the application of some regulatory guidance for all business is called for if we’re to weather the coming storm.