The government and private industry have unveiled a plan for safeguarding the nation's infrastructure against electronic attack. Called The National Strategy to Secure Cyberspace, the plan was developed in response to an executive order by President Bush a year ago.
The plan, which was issued in draft form in September, addresses information security on five levels: home users and small business, large enterprises, sectors of the economy, national issues and global issues.
The financial services sector has been working closely with the U.S. Treasury on cybersecurity since 1998, following the issuance of a presidential directive, PDD-63, which defined steps to be taken to thwart cyberattacks. One of them was the creation of sector-specific Information Sharing and Analysis Centers, or ISACs, which provide warnings of possible threats, computer viruses and software vulnerabilities.
The financial services sector was the first to establish an ISAC, in 1999, just one year after PDD-63. "Through FS/ISAC, we are sharing information about threats and vulnerabilities," said Rhonda MacLean, head of information security at Bank of America and sector coordinator for the financial services industry. The financial services sector is represented by principal industry groups, such as the American Bankers Association, Securities Industry Association, BITS, the FS/ISAC and the Independent Community Bankers Association.
FS/ISAC, MacLean said, "is a way for members to get an early warning. We have a way to get it out as not only a general CERT alert but as an alert to the financial services industry."
FS/ISAC receives data feeds from more than 100 sources, including the intrusion detection systems of several of its members. It analyzes this data around the clock to profile potential threats and vulnerabilities. This profiling, in turn, allows for an early warning capability via e-mail, fax and pager/phone.
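The article does not describe how FS/ISAC turns member feeds into a warning, so the following is an added illustration, not FS/ISAC's own code. It assumes one simple and common correlation rule: an indicator becomes an early warning once it has been reported by several distinct sources within a short time window, so that one member's noisy sensor cannot trigger a sector-wide alert on its own. The feed lines, source names and signature names are constructed for the example.

```python
"""Cross-source correlation sketch for an early-warning feed (illustrative example,
not FS/ISAC code). Rule: warn when an indicator is reported by at least
MIN_SOURCES distinct sources within a one-hour sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: (timestamp, reporting source, indicator). Each tuple
# stands in for one normalized alert from a member IDS or a public advisory feed.
SAMPLE_FEED = [
    ("2002-09-18T02:00:00", "member-A-ids", "sig:CodeRed-GET-default.ida"),
    ("2002-09-18T02:05:00", "member-B-ids", "sig:CodeRed-GET-default.ida"),
    ("2002-09-18T02:07:00", "member-A-ids", "sig:CodeRed-GET-default.ida"),  # repeat from A
    ("2002-09-18T02:20:00", "cert-advisory", "sig:CodeRed-GET-default.ida"),
    ("2002-09-18T03:00:00", "member-C-ids", "sig:Nimda-TFTP-admin.dll"),     # single source
    ("2002-09-18T09:00:00", "member-D-ids", "sig:CodeRed-GET-default.ida"),  # outside window
]


def parse_feed(lines):
    """Turn raw (ISO timestamp, source, indicator) tuples into datetime-keyed events."""
    return [(datetime.fromisoformat(ts), src, ind) for ts, src, ind in lines]


def correlate(events, window=timedelta(hours=1), min_sources=3):
    """Return {indicator: sorted distinct sources} for every indicator that at
    least min_sources distinct sources reported within some window-long span.

    Repeated reports from the same source count once: the point of the rule is
    breadth across members, not volume from one sensor."""
    by_indicator = defaultdict(list)
    for ts, src, ind in sorted(events):
        by_indicator[ind].append((ts, src))

    warnings = {}
    for ind, reports in by_indicator.items():
        # Slide a window anchored on each report (reports are time-sorted).
        for i, (start, _) in enumerate(reports):
            sources = {src for ts, src in reports[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                warnings[ind] = sorted(sources)
                break
    return warnings


def render_alert(indicator, sources):
    """Format one warning line as it might be pushed out by e-mail or pager."""
    return (f"EARLY WARNING: {indicator} reported by {len(sources)} "
            f"distinct sources: {', '.join(sources)}")


if __name__ == "__main__":
    for ind, srcs in correlate(parse_feed(SAMPLE_FEED)).items():
        print(render_alert(ind, srcs))
```

With the sample feed, the Code Red signature crosses the three-source threshold inside the 02:00 to 02:20 window and is reported; the Nimda signature, seen by one member only, is not. Raising `min_sources` to four suppresses the Code Red warning as well, because the fourth reporting member arrives seven hours later.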
The September 11 attacks focused new attention on the need to defend against all forms of attack. "We have seen an escalation of worrisome trends, both physical and electronic," said MacLean.
The Bush administration's principal contributions toward the protection of cyberspace are the proposed Department of Homeland Security and the Critical Infrastructure Protection Board, an interagency task force under whose aegis The National Strategy to Secure Cyberspace was developed.
The plan outlines a number of steps each industry sector needs to take to reduce the risk of cyberattacks: establishment of an ISAC; conducting a technology and R&D gap analysis in coordination with the Office of Science and Technology Policy; developing best practices for cybersecurity and guidelines for procuring secure IT products and services; creating information security awareness campaigns; and establishing mutual assistance programs for cybersecurity emergencies.
In addition to the ISAC, the financial industry sector operates the BITS Product Certification Program, which creates security criteria for various software products. Banks and product vendors are working together to address security issues. "We need the vendors to build products with security in mind," MacLean said.
Other sector initiatives include a joint ABA-SIA program to protect customer data, deter money laundering and authenticate financial transactions; the setting of technical standards; and increasing the awareness of the need for protecting the infrastructure.
Financial institutions don't need to be sold on the value of cooperation, MacLean said. "The security of our systems is not a competitive issue. Each institution has an obligation, but it's also a shared responsibility. We're as strong as our weakest link."
September 11 exposed both the fragility of the infrastructure and its interdependence. The targets of the attacks, the World Trade Center and Pentagon, were "icons," said MacLean. Yet there was also significant collateral damage, such as the Verizon switching center in lower Manhattan. "An attack might not be targeted at you, but you might become a victim of collateral damage because of the interconnections."
The need for greater vigilance on cybersecurity was evident even before September 11. Both the Code Red and Nimda cyberattacks spread so fast that many victims didn't have a chance to respond in time. And the number of vulnerabilities reported to CERT/CC, the nonprofit CERT Coordination Center at Carnegie Mellon University, soared to 2,437 in 2001 from 1,090 in 2000.
Technology alone doesn't guarantee security. Although 90 percent of respondents in a survey by the Computer Security Institute used antivirus software, 85 percent of them suffered damage due to a virus. Similarly, some 40 percent had their systems penetrated from outside the network, despite the presence of firewalls and intrusion detection systems.
The risk of a breach of security on a national level is real, noted the National Strategy report. "Potential adversaries have the intent, the tools of destruction are broadly available, and the vulnerabilities of the nation's systems are many and well known."
Threats can come in all shapes and sizes. "Threat agents in the virtual world can be categorized as the curious, the glory seekers, traditional criminals and the inadvertent," according to a progress report issued in May by the financial sector. Cyberterrorists have the same motivation as their counterparts in the physical world. "We look at anyone who wants to do malfeasance, whether they're terrorists, 'hacktivists,' or just plain-old criminals," said MacLean.
Threats are just as likely to come from inside an organization. "We're all vulnerable to internal threats," said MacLean. "Many breaches of security involve an insider." Hence the importance of screening prospective employees and other forms of internal security.
[Chart: Cyberspace at Risk; vertical axis: # of threats]