HFSC on Global Perspectives on Cybersecurity

House Financial Services Subcommittee on Oversight and Investigations

“A Global Perspective on Cyber Threats”

Tuesday, June 16, 2015

Key Topics & Takeaways

  • Information Sharing: Cilluffo stated that the Financial Services-Information Sharing and Analysis Center (FS-ISAC) “is the gold standard” of information sharing analysis, but needs to expand beyond the biggest financial institutions. 
  • Personally Identifiable Information: Bejtlich recommended that Social Security numbers (SSNs) be replaced with an alternate code so that if it becomes public, “it does not matter.”
  • Government Priorities: Madon stated that there needs to be a comprehensive information technology review across the federal government, and solutions have to be funded mandates to get IT systems “up to par.”
  • Responding to Attacks: Cilluffo explained that adversaries need to be penalized to change their behaviors and that sanctions against cyber perpetrators will be tested soon. 

Speakers

  • Frank J. Cilluffo, Associate Vice President, The George Washington University; Director, Center for Cyber and Homeland Security; co-Director, Cyber Center for National and Economic Security
  • Michael Madon, Board of Advisors Member, Center on Sanctions and Illicit Finance, Foundation for Defense of Democracies; Vice-President, Business Development, RedOwl Analytics
  • Richard Bejtlich, Chief Security Strategist, FireEye, Inc. 

Opening Statements

In his opening statement, Chairman Sean Duffy (R-Wis.) said the cyber environment today is “vastly different from past years” and there is a growing focus on protecting the cybersecurity of critical infrastructure. He added that cyber crimes are a “clear and present danger” to the U.S. and nearly every government agency has been a target of cyber attacks. Duffy stressed that the Office of Personnel Management (OPM) cyberattack should underscore the urgency of cyber security. 

In his opening statement, Ranking Member Al Green (D-Texas) listed numerous high level attacks on businesses in 2014, to include Target, Neiman Marcus, Google and JPMorgan Chase, and stated that the annual average cost per company due to successful cyber attacks increased to $28 million in the financial services industry alone. He added that there are two kinds of “big” companies, “those who have been hacked and those who do not know they have been hacked.” 

In his opening statement, Vice Chairman Michael Fitzpatrick (R-Pa.) said the threat of data breaches from state and non-state actors are “in every sector of the economy” and that “risks are great and systemic” to the financial system. 

In her opening statement, Rep. Kyrsten Sinema (D-Ariz.) said the number of cyber attacks from state and non-state actors has increased and federal agencies continue to show shortcomings when it comes to their security controls.

Testimony

Frank Cilluffo, Associate Vice President at The George Washington University, Director of the Center for Cyber and Homeland Security and co-Director of the Cyber Center for National and Economic Security

In his testimony, Frank Cilluffo stated the U.S. faces a “dizzying array” of cyber threats from different actors and the financial services sector is “clearly in the crosshairs” as a primary target for cyber attacks and cyber crime. He noted that last week alone there were 30,000 cyber attacks on a major U.S. bank, which amounted to an attack every 34 seconds each day. Cilluffo continued that 22,000 of those attacks came from organized crime and 400 from nation-states.

Cilluffo stressed that while Wall Street has made “significant strides” in cybersecurity, “Main Street lags far behind.” He stated the major threat actors include nation-states, foreign terrorist organizations, criminal organizations and “hacktivists.” Cilluffo concluded that the U.S. government needs to provide the framework, parameters and tools needed for companies to protect themselves. 

Michael Madon, Board of Advisors Member, Center on Sanctions and Illicit Finance, Foundation for Defense of Democracies and Vice-President, Business Development at RedOwl Analytics

In his testimony, Michael Madon said the increase in cyber attacks can be attributed to five threats: (1) nation-states, (2) cyber terrorists, (3) hacktivists, (4) organized crime, and (5) insider threats. He continued that information sharing between the private sector and the government “has been slow and not automated,” but noted that private sector groups collaborate to share information, specifically the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Cyber Intelligence Group of the Treasury Department. 

Madon stressed the need to enhance the safe harbor regime to encourage information sharing between financial institutions and to enhance Section 314(b) of the Patriot Act to allow financial institutions to share information without liability. Madon encouraged Congress to create legislation that would empower the Secretary of the Treasury to identify those sponsoring or allowing systems to be used in order to attack American financial institutions. He recommended a reward program for groups who are able to identify cyber hackers to authorities, similar to that of whistleblowers, and concluded that the Departments of Justice, Homeland Security and Treasury should consider issuing cyber warrants. 

Richard Bejtlich, Chief Security Strategist of FireEye, Inc.

In his testimony, Richard Bejtlich stated the cyber discussion needs to be expanded to incorporate threats, vulnerabilities and consequences. He separated cyber scenarios into two categories: (1) chronic scenarios that happen over an extended period with impacts difficult to measure, and (2) acute scenarios that have immediate impacts and obvious damage. Bejtlich stated there has not been a combination of the two scenarios as of yet, and “hopefully that will remain the case.” 

Bejtlich explained that the U.S. is dealing with three chronic scenarios from foreign nation-states: (1) actors who steal data from organizations to use in their domestic industries, (2) actors who steal data on American military and intelligence plans to benefit their own interests, and (3) actors who steal personally identifiable information (PII) and financial instruments to benefit national capabilities and fuel underground crime. He then listed two acute scenarios the U.S. faces: (1) attacks against critical infrastructure, and (2) disruption or destruction of virtual infrastructure. Bejtlich concluded that the types of PII that are stolen are “permanent data,” to include Social Security numbers (SSNs) that have no process to recover from. 

Question and Answer

Offense vs. Defense

Duffy asked if there is a role for the private sector in offensive play versus simply defense. Madon stated there is a role and it starts with the “critical component” of information sharing. He continued that the financial sector wants to share information with the government but is worried about liability issues. Cilluffo added that proactive forensic collection “is key” and that “rules of the road” need to be defined so companies engaging in offensive measures do not break the law. 

Green asked if there is technology available that can be used to offensively attack the source of the cyber attack without having actual attribution. Bejtlich stated the U.S. government has “unique attribution capabilities,” but that it is not the role of the private sector to “hack back.” 

Rep. Bruce Poliquin (R-Maine) asked if staying on the offensive to protect the homeland would include coordination with other nations. Cilluffo stated that it does, but “has not been done to the extent it needs to be done.” Madon recommended that companies find out what authorities they have to “hit back hard and publicly.” Bejtlich stated that he was unsure if the necessary resources to accomplish this are available.

Responding to Attacks

Rep. Emanuel Cleaver (D-Mo.) asked what the response is once an entity realizes it is being hacked. Cilluffo explained that adversaries need to be penalized to change their behaviors and that sanctions against cyber perpetrators will be tested soon.  

Rep. Joyce Beatty (D-Ohio) asked what financial institutions and regulators do to combat attacks and prevent the manipulation of financial data. Bejtlich stated the manipulation of data is the “top end of the problem” and the way to counter it is to have a strategy that relies on detecting infiltration before the mission is complete. Madon added that insider threats are also an issue and that financial institutions “are experts at knowing their customer, but it is time to expand to know your employee.”

Information Sharing

Beatty asked what tools the private sector needs to defend itself against cyber attacks. Cilluffo explained that the FS-ISAC “is the gold standard” of information sharing analysis, but it needs to expand beyond the biggest financial institutions.

Rep. Ann Wagner (R-Mo.) stated that the House has moved on information sharing through the Cyber Intelligence Sharing and Protection Act (CISPA) and through a voluntary basis within industry and government, and Madon added that the Safe Harbor needs to expand not just between the private sector and government, but within financial institutions without a liability threat. He continued that without this protection, the information will not be shared. 

Personally Identifiable Information

Duffy asked if there is a “double risk” to Americans if financial institutions, hospitals and now the government are collecting PII. Madon replied that there is a double risk and that there should be a “true look” at whether information being held is necessary. 

Rep. Juan Vargas (D-Calif.) asked what the protocol is when an SSN is stolen. Bejtlich stated that it is not known how to recover from the loss of an SSN, and it is for this reason that SSNs need to be replaced with an alternate numerical code so that if it becomes public, “it does not matter.”

Government Priorities

Duffy then asked the panelists what top priorities Congress should have in order to protect and fight back against cyber attacks. Bejtlich said to find those in the cyber network and “kick them out,” and to get defenses in order so it is less likely the entity will be attacked. Madon stated they should explore strategies that worked in the past and use them as a template for the next aggressive cyber campaign, and to also consider the insider threat. Cilluffo stated that companies must ensure their members and staff are technologically savvy. 

Rep. French Hill (R-Ark.) asked what risks there are with data maintenance systems within federal agencies. Madon replied that information technology (IT) systems in the federal government are “underfunded and under-resourced,” with true institutional challenges within the system. He added that there needs to be a comprehensive review across the federal government, and solutions have to be funded mandates to get IT systems “up to par.” 
