Thank you for having me here today at the inauguration of the Cambridge Cyber Summit. Congratulations to the Aspen Institute, MIT, and CNBC for launching this event and bringing together such a strong group of leaders from across government, academia, and industry to discuss the cyber threats to America’s security and prosperity, and how we can combat and reduce these threats through technological innovation.
In this esteemed university of technology and innovation, let’s begin with a decidedly non-technologist: that would be Shakespeare.
The dominant theme of many Shakespeare plays is how miscommunication, accidental or deliberate, thwarts our best-laid plans. Friar Lawrence's ingenious scheme to reunite the star-crossed lovers in Romeo and Juliet turns tragic when his letters to poor Romeo go astray and Romeo kills himself in despair believing that Juliet is dead when she is just drugged and fast asleep. In Twelfth Night, Malvolio receives a fake but cleverly compelling letter planted by Sir Toby Belch and his other foes leading him to believe wrongly that Lady Olivia actually fancies him. The results are disastrous for him.
In almost all the plays, the proximate cause of the downfall of leading characters is faulty or altered data.
Now, we might think that the advent of the Internet would prevent the kind of heartache these characters endure with data distortion and information breakdown. Today Romeo and Juliet would email or text when apart, and no one would be sending handwritten notes to a lover by horseback over long distances. The foppish would-be snob Malvolio could avoid humiliation by running a mysteriously found letter through plagiarism software and handwriting analysis to determine the true author.
However, just as certain old communication problems were solved in cyberspace, new ones were created, like identity theft, a problem Shakespeare would have loved given the numerous cases of mistaken identification, cross-dressing and impostor disguise in his plays.
The new era creates vast new opportunities for espionage, snooping, eavesdropping, and theft of intellectual property, all Shakespearean ideas put on steroids in the Internet age.
That's where you come in and why I'm so happy to be with you today. But now to the technology challenge relevant to our Shakespeare opening: how technology is relevant to the cyber security and resiliency of the financial services sector.
However, just as certain old communication problems were solved in cyberspace, new ones were created, like identity theft, a problem Shakespeare would have loved given the numerous cases of mistaken identification, cross-dressing and impostor disguise in his plays.
The new era creates vast new opportunities for espionage, snooping, eavesdropping, and theft of intellectual property, all Shakespearean ideas put on steroids in the Internet age.
That's where you come in and why I'm so happy to be with you today. But now to the technology challenge relevant to our Shakespeare opening: how technology is relevant to the cyber security and resiliency of the financial services sector.
For the past several years, I have been leading efforts at the Treasury Department to enhance the cybersecurity and resiliency of the financial sector. It is indisputable that the cyber threats we face are persistent, increasingly pernicious, and consistently morphing. These threats pose risk to our financial lives and indeed our nation’s prosperity.
When I started leading our efforts, the attacks we saw were primarily nuisances in the nature of DDOS attacks that shut down bank websites for a period of time. They were akin to losing power due to a downed power line in your neighborhood.
However, what were nuisance attacks on the periphery of a bank’s customer-facing website have now evolved into attacks that threaten actual customer information, the foundation of a customer’s relationship with their financial institutions, and their underlying trust. The nature of the attacks we see today target customer information—such attacks have the explicit goal of misappropriating customer information and personal data. We are now seeing spear phishing attacks, ransomware attacks, the stealing of log-in credentials—all methods targeted with the purpose of penetrating the peripheral moats of institutions and getting right to the crown jewel information—to the treasure chests so to speak. The stakes for individuals, institutions, and governments—certainly high in 2014 when only DDOS attacks were the norm and I began this work—today are even higher.
Overcoming these significant cybersecurity challenges is within the realm of the possible. We are organized around a comprehensive national strategy that involves coordinated efforts among law enforcement, the intelligence community, homeland security, and the vast financial sector itself. The work of enhancing our financial security and resiliency is underway. Indeed, the President’s Cybersecurity National Action Plan recognizes the role of technological innovation itself as a means of defending our nation’s critical infrastructures—like our energy systems and our telecommunication systems—but also defending our nation’s critical financial infrastructure.
This is what I want to discuss today: how we together make our critical financial infrastructure and our virtual financial lives more secure by harnessing the full potential of technological innovation.
To do this I want to talk about some of the recent developments we have seen around financial innovation, multifactor identification and authentication, and blockchain technology, and connect these developments to the vulnerabilities stemming from the practical realities of human behavior and user error.
For a long time, most so-called innovations in finance were euphemistically associated with exotic, but ultimately toxic, derivatives and other financial instruments like “CDO squared.” So when I use the word “innovation” in the context of finance, I want to use it at its most constructive. Financial innovation embodies the act of introducing new approaches to strengthen our financial system so that it can better serve people. Using this definition of financial innovation, the financial infrastructure of our country—like so much of our critical infrastructure in the United States—remains ripe for exponential innovation that not only enriches the lives of consumers but makes our entire economy more secure.
Interdependence and interconnectivity
Financial transactions are intangible. Because of this intangibility, the Internet becomes a logical platform from which to engage in activities like depositing paychecks, applying for mortgages, splitting bills at a restaurant, investing in the stock market, and checking your credit score.
But the Internet is an accidental enabler of new financial products and services. It was built with several goals in mind. It was built to be adaptable, and to allow communication despite outages. It was also built to be decentralized and cost effective.[1] Built-in security was not a design goal for the Internet. When it was conceived, it was not contemplated that the Internet would serve as a backbone for the financial system. As a result, in our virtual financial lives, we have more options to be connected, to conduct our financial transactions more cheaply, more quickly, and more conveniently; but we can also be less secure.
Trust in the financial system
So let’s look at what’s at stake in terms of security: the design of financial products implicates nothing less than the public’s trust in the financial system. Disruptions and depletions of such trust in the financial products, services, and institutions that comprise our financial system—as we saw most vividly in the crisis eight years ago—can have profound implications for our sense of trust, which effects our daily lives and our well-being.
When trust in particular financial products, services, and institutions begins to weaken, we experience an insecurity in our financial lives that can be damaging. When such trust is eroded on a much larger scale and includes more than individual and isolated institutions, or products, or services, the economic disruptions are more irreversible.
Consider this recent attack:
Operating in countries where we have limited legal and diplomatic reach, beginning by at least 2013, a criminal syndicate retained technology experts who developed malicious software (or malware). Using the malware, this criminal syndicate, together with these technology experts, infiltrated and initially gained dormant control of not just one computer, but an army of personal computers and web servers—ultimately over a million worldwide, some of which were located here in the United States.
After seizing control, the criminal syndicate activated command of the zombie computer network – known as a botnet – and used it to capture bank account numbers, passwords, and other details necessary to log into online banking accounts from around the world. Once logged in, the criminal syndicate stole customer funds by initiating unauthorized wire transfers from customer accounts to the criminal syndicates’ accounts. Before being stopped, that botnet—along with ransomware developed by the criminals and their cohorts—had caused more than $100 million in losses.
The challenge
In other words: in order to enhance trust, we need a secure information technology architecture underpinning our financial products, services, and institutions. Let’s consider the recent incidents involving the SWIFT messaging network as another example. The SWIFT messaging network connects 11,000 financial institutions across the globe. Those institutions use the SWIFT system to send and receive essential details for the transfer of money: details like the transfer amount, the identity of the sender, and the identity of the receiver. Attacks perpetrated through the SWIFT messaging network strike at the core of international economic activity. Earlier this year, cyber actors masquerading as authorized users accessed the SWIFT messaging network and attempted to steal $1 billion from Bangladesh Bank, reportedly walking away with $81 million.
According to SWIFT, the cyber attackers used a three-pronged approach.[2] First, they infiltrated the victim bank to obtain the bank’s credentials to access the SWIFT network. Then, they infected that bank’s systems with malicious software (or malware), enabling them to monitor the bank’s account activity and strike at opportune times—like when account balances were high or when bank employees were on vacation. Finally, they inserted additional malware to circumvent the bank’s system controls that were in place to monitor its transactions. This malware intercepted and altered confirmations of transactions sent by SWIFT to the bank, impairing the bank’s ability to detect the theft.
Common-sense ways exist to reduce the probability and severity of incidents like this fraudulent misuse of the SWIFT network. Though offensive responses have their role, for attacks like the ones against SWIFT, defensive responses can be singularly effective. They include smart practices, like enhanced access controls and identity verification, and the segregation of critical systems. They also include imposing baseline protections at endpoints. Enhanced monitoring and anomalous pattern detection during the payment process can also help, as does transaction reporting sent through means separate from the primary system. Banks and other firms that conduct large volumes of payments have algorithms and methods to monitor and detect illicit transfers that violate economic sanctions or anti-money laundering restrictions. These algorithms and methods should also be used to detect anomalous transfers that do not match up with a bank’s transaction history—creating automated ways to alert employees of potential cyber intrusions.
These common sense approaches should be widely adopted. But optimally, from the perspective of system design, we would create our financial products and services at the outset so as to strengthen their security and resilience. If we embed optimal design features at the outset of our creations, building in lessons learned from previous cyber breaches, we could move away from the creation of a patchwork of stop-gap measures and new technology solutions layered on top of legacy systems. Such a bolt-on, ad-hoc approach risks gumming up our financial superhighways by adding complexity.
Reducing complexity and increasing cybersecurity
Let’s pause on complexity: this complexity in the systems and networks that underlie our financial products, services, and institutions shows up in legacy systems with out-of-date hardware and software. Consider that since the 1980s the number of banks in the United States has decreased significantly.[3] But instead of using this consolidation as an opportunity to streamline their systems architecture, many banks have continued to operate separate legacy systems, jerry-rigging those systems together only when absolutely necessary and then moving on to the next merger or acquisition.
What are the implications of this kind of complexity for cybersecurity? Newer systems layered in improvised ways on top of legacy systems magnify the potential attack surface, creating potential blind spots and vulnerabilities in system seams, nooks, and crannies, which adversaries can exploit.[4] Again: potential exploitation has the effect of undermining trust in financial products, services, and institutions.
Our ultimate objective should be to reinforce the public’s trust in the resiliency of the financial product, service, or institution and its ability to perform financial functions—from deposit-taking to trading, and payments to custody.
Tackling human risk: the user experience
How do we meet this collective objective? We start by addressing the risks that human users present in the financial services sector. You see, the challenge may not be as purely technological as we think. Potential intrusions and security compromises start with human errors and actions. Shakespeare teaches us this. We also learn this by binge-watching episodes of the Netflix series “Limitless.” This is the story of an ordinary but irresistible guy named Brian takes a pill that allows him to solve all these mysteries for the FBI. When he takes the pill, his mind unblocks everything he already experienced and he is able to know almost everything. He figures out solutions to new problems, but based on what he already experienced at some earlier point in his life. That's the key, and that's what makes this Netflix series so enlightening. We already have in our existing experiences the behavioral data we need to solve our problem. It’s just that we have forgotten the role of the human in technology.
In short, we can improve the design of our cybersecurity protections by analyzing what we know. The fact of the matter is that customers prefer 24/7 availability, tailored products, and fast response times. Customers also historically demand easy, frictionless access to online sites and accounts. But the instinct to prioritize ease and speed in our technologies can have the result of driving security solutions to be secondary, an afterthought. When security solutions are an afterthought instead of a core design principle, security does not receive the appropriate level of investment, leading to vulnerabilities that undermine confidence in the platform or firm. For example, to streamline the user experience, financial institutions have relied on security questions to verify user identity, instead of potentially more cumbersome multifactor authentication processes that involve, for example, texting confirmation codes to mobile devices.
Widespread social media use provides answers to common security questions; a person’s Facebook page can tell you their birthday, the name of their first pet, or their high school. Publicly available information—like our children’s names and birthdays, mother’s maiden name, and college mascots—provide rich sources from which to guess passwords and security answers. And the series of large-scale data thefts that have occurred over the past several years make deducing passwords or security answers even easier because they are available in different places.
Firms need to develop better solutions, taking into account user behavior. For example, consider how system design is evolving to deal with the authentication challenge presented by stolen or easily compromised passwords: the next generation of online identity verification looks to combine what customers know and have, with what they do, or behavioral biometrics. Left or right handedness, how quickly and confidently a user types, the way she moves her mouse—along with hundreds of other subtle things a user does—combine to form that user’s profile of unique and measurable patterns of human activities. These oh-so-human attributes are less hackable than pieces of our identities like social security numbers, birthdays and first pet’s names. Linking users’ unique profiles to their login credential allows for continuous and dynamic verification of identity while they are inside a network. If an abrupt change in a user’s profile occurs, the system would automatically force that user through additional security steps and alert the security team. When combined with multifactor authentication, this dynamic approach to authentication addresses the later stages of a cyber incident, after the attacker has entered and is attempting to move laterally around a network. It can also streamline architecture by allowing for the removal of less effective methods.
Tackling human risk: the back-end system
Another way to reduce the risks that human users present is to improve back-end systems. To this end, there has been an emerging focus on blockchain technology. Also known as distributed ledger technology, blockchain provides a shared digital record of ownership and asset transfer that firms can use for executing, clearing, and settling transactions. For consumers, these systems could be accessible and cheaper, reconciling ledgers and settling transactions faster, and more accurately than our current systems.
These systems can also offer significant security and resiliency benefits if cybersecurity is built in from the ground-up. Distributed ledgers can be decentralized, meaning all users can have a copy of who holds what asset, and they can use consensus algorithms to validate transactions. As a result, they can make it much harder for attackers to tamper with financial records. For example, it would no longer be effective for an attacker to change the records at a single master database, since every user would also have a master copy. To the extent intrusions do occur at individual users, these systems could also incorporate artificial intelligence to detect anomalies in behavior patterns and data transmissions. This could protect customers from the types of cyber fraud perpetrated using the SWIFT system. Notably, the technology could build security into the hardware and encrypt transactions from the start.
Conclusion
As we develop new financial products and services, and replace legacy systems and explore potential uses for blockchain technology, for predictive analytics, and for other innovations, cybersecurity must be a core design principle, embedded in all financial functions, products, and services—end to end. We cannot sacrifice security, because without it we suffer.
The people leading these efforts—technologists, engineers, heads of business and government,—should inform their approach with their human sensibilities around what security, trust, and confidence mean. We lead human lives that inform what it is to feel secure, to trust in the technologies we create. Our financial system has a vast number of component parts: the banks, the payment systems, the government watchdogs, the financial educators, the retirement and other financial products—and all the chips and bits that make these component parts work. But, at the end of the day we must make sure that when this financial infrastructure is reconfigured and reimagined, that it contains the intangible glue upon which our financial system’s functions are most dependent: and that is trust. Trust cannot be forgotten when we build and enhance this financial infrastructure, which is so critical for our virtual well-being and our economic well-being and our national security. When all is said and done, we design it to work for us.
[1] David Clark, “The Design Philosophy of the DARPA Internet Protocols,” (August 1988), accessible at http://ccr.sigcomm.org/archive/1995/jan95/ccr-9501-clark.pdf.
[2] See SWIFT CEO Gottfried Leibbrandt, remarks at 14th annual European Financial Services Conference, Brussels (May 24, 2016), accessible at https://www.swift.com/insights/press-releases/gottfried-leibbrandt-on-cyber-security-and-innovation; BAE Systems Threat Research Blog, “Two Bytes to $951M” (April 25, 2016), accessible at http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html.
[3] Nicola Cetorelli, James McAndrews, and James Traina, “Evolution in Bank Complexity,” FRBNY Economic Policy Review (December 2014), accessible at https://www.newyorkfed.org/medialibrary/media/research/epr/2014/1412cet2.pdf.
[4] For discussion on complexity and attack surface, see, e.g., testimony by Dr. Ron Ross to the Commission on Enhancing National Cybersecurity (August 23, 2016) accessible at https://www.nist.gov/sites/default/files/documents/2016/08/25/august23_panelist_statements.pdf.