As Congress contemplates a controversial cybersecurity bill, a government official this week called for the nation’s financial institutions to help boost defenses against cyber threats and disruptions.
U.S. Treasury Secretary Jacob J. Lew asked the financial sector to use the cybersecurity framework set out by the Administration to secure their own systems and properly vet outside vendors. While voluntary, Lew said that the framework offers a way for private firms to collaborate with the government on improving defenses and installing global standards.
“The consequences of cyber incidents are serious,” Lew said. “When credit card data is stolen, it disturbs lives and damages consumer confidence. When trade secrets are robbed, it undercuts America’s businesses and undermines U.S. competitiveness. And successful attacks on our financial system would compromise market confidence, jeopardize the integrity of data, and pose a threat to financial stability.”
More work needs to be done beyond the development and implementation of the framework, he added. Lew called for Congress to pass “comprehensive legislation” to allow for more information sharing while protecting companies from liability and consumers’ privacy.
“As it stands, our laws do not do enough to foster information sharing and defend the public from digital threats. We need legislation with clear rules to encourage collaboration and provide important liability protection. It must be safe for companies to collaborate responsibly, without providing immunity for reckless, negligent or harmful behavior. And we need legislation that protects individual privacy and civil liberties, which are so essential to making the United States a free and open society. We appreciate the bipartisan interest in addressing this important issue, and the Administration will continue to work with key stakeholders on the various bills that are developing in Congress,” added Lew.
The Treasury has created the Cyber Intelligence Group (CIG), in order to share timely cybersecurity information for financial institutions to protect themselves, producing 23 updates to date containing cyber threat information. According to Lew, the Treasury has also been meeting with individual businesses to discuss their efforts to shore up the financial services infrastructure.
“Additionally, Treasury’s Deputy Secretary, Sarah Bloom Raskin, will begin a series of meetings with federal financial regulatory agencies and trade associations comprised of state financial regulatory agencies to reduce cybersecurity risks to the financial system,” said Lew. “She will be looking beyond traditional financial services to explore the regulatory, security, and inclusion aspects of financial technology.”
Also, this week, the Government Accountability Office (GAO) issued a report indicating that the Federal Deposit Insurance Corporation, the entity responsible for enforcing banking laws and insuring against the financial failure of banks and thrifts, has not done enough to implement information security controls despite the threats that exist.
“Compounding the growing number and types of threats are the deficiencies in security controls on the information systems at federal agencies, which have resulted in vulnerabilities in both financial and nonfinancial systems and information,” the GAO stated. “These deficiencies continue to place assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, and critical operations at risk of disruption.”
The 2002 Federal Information Security Management Act (FISMA) requires all federal agencies to develop and implement methods to secure the data they handle. While the FDIC has followed some of the requirements and uses controls to protect its financial system, the GAO said the controls are not consistently applied. For example, the FDIC could do more in authenticating the identities of users when handling sensitive data. The GAO suggested using complex passwords, disabling unused access accounts and restricting access to only the necessary segments. The report also indicated that the FDIC does not always adequately encrypt the confidential data being transmitted through its network.
“Given that federal agencies face an evolving array of cyber-based threats to information and information systems and that attackers have a variety of increasingly sophisticated attack techniques at their disposal, it is vitally important that FDIC address the remaining weaknesses in information security controls—both old and new—as part of its ongoing efforts to mitigate the risks from cyber attacks and to ensure the confidentiality, integrity, and availability of its financial and sensitive information,” said the GAO.