BITS, the U.S. financial industry's IT policy arm, has a new leader: Paul Smocer, an expert in email security and authentication.
Smocer is taking the lead of BITS at a time when financial services firms are responding to the emergence of new technologies -- including social networking, mobile computing and cloud computing -- while remaining under attack from ever-savvier cybercriminals. BITS is coordinating efforts by the U.S. banking industry to create new top-level domains -- such as .bank, .insure and .invest -- that would be restricted to financial services firms and could offer consumers extra protection from phishing, malware and other attacks.
We interviewed Smocer about the online threats and opportunities that he is most concerned about. Here are excerpts from the conversation:
What are the most pressing issues facing BITS over the next year?
We're focused on a handful of things. One is the public/private information sharing concept. As we have recognized the sophistication of what's going on in the cybercrime world, we also recognize that we need to coalesce around better sharing of information among financial institutions, among the various industry sectors, and with the government as well. We're in the middle of piloting an effort with the Treasury Department, [Department of Homeland Security] and its [Computer Emergency Readiness Team], where government resources come in and help do resiliency reviews of organizations.
We're doing a lot of work with regard to mobile financial services [and] what kind of security and controls are needed. We're also doing work with [the Internet Corporation for Assigned Names and Numbers] around new top-level domains. We're working with the [American Bankers Association] and other associations to look at creating some top-level domains that could serve to enhance the security and resiliency of financial institutions on the Internet.
What is the BITS position on the ICANN plan to adopt hundreds of new top-level domains like .bank?
It presents opportunities and challenges. Other trade associations are still tending to fight the whole idea, but we see it as an opportunity to build a more secure and resilient space on the Internet for financial services. I don't know how quickly there will be a lot of conversion of consumer services to these domains, but they certainly afford us the opportunity for b-to-b transactions. Financial institutions exchange a lot of information amongst themselves, and having a space that's more secure than the general dot-com space works to our advantage.
What does BITS think of the new DNS security standard -- DNSSEC -- which helps organizations to prevent DNS spoofing attacks?
DNSSEC is an important step forward and some new top-level domains do require it, including those domains that deal with financial institutions and financial transactions. I like to think that's a direct result of our efforts. We're also spearheading work in Web security for whatever top-level domain that we would apply for.
What new technologies are you most excited about having an impact on the financial services industry?
Mobile is certainly a channel that we see having a great future in terms of customer service, but we think it has to be done in an appropriately secure way. We just published a paper around social media, giving some guidance to the financial industry. We're also working on a better definition of the risks and controls that are necessary in the cloud computing space. There are strong economic enticements for companies to look at cloud computing, whether for software or storage. But, obviously, that has to be approached with some caution. When we look at new technologies with our members, the one thing we always want to retain is the trust in the financial system. We always look at risk management.
How do you foresee cloud computing evolving in the financial services industry?
I think honestly for a while we will see much more activity in the private cloud space ... because that is the safest place to be.
What risks do social media sites pose to financial services firms and how is BITS helping mitigate them?
We encourage companies to have all the right players participate in the development of the social media presence and social media policy, from the legal department to the ethics office to the HR department. It's not just about technology. Content is a big issue. You need to make sure that you have the ability to control who is posting content and that they understand what content is good to post. From the perspective of the individual, you have to understand that it's another channel to introduce malicious software into the environment. But in many ways, social media is just an evolution. A lot of the policies and practices that apply to how you allow employees to use email and what you allow them to say and what they are allowed to export apply to social media.
Most of our members are very aware of the technical issues out there, IPv6 being one of them. We have been discussing the necessary risk and control considerations of a rollout of IPv6. We likewise have talked about the fact that IPv6 is already in their environments whether or not they know it, so they need to take precautions. Right now, we're largely in an "education and continuing to watch developments" stage around IPv6.
What are the cybersecurity worries that keep you up at night?
One, how organized the cybercrime community is. Two, how quickly and how sophisticated that community moves. How many versions of the Conficker worm do we have? As people have responded to version 1 and blunted its impact, you see a move to version 2 and then version 3. There's the speed and sophistication. It all goes back to strong information-sharing between public and private organizations so that the good guys are as organized as the bad guys. My third worry is that the evolution of technology is happening so quickly. It just seems like the pace of change has become so rapid that it's difficult to keep up with it and understand the implications of it.
What can CIOs in other industries learn from your experience at BITS with cybersecurity?
The first thing is to collaborate. In any industry, there are competitive issues, but there are also issues that are easy to collaborate around that benefit the industry as a whole and make the industry better. Maybe because the financial services industry has a history of trust, our members collaborate very effectively with each other around topics that they know are going to benefit everyone in the industry.
Secondly, we are in an ecosystem now that is not just about one industry vertical anymore. We exist in a system that has us all relying on each other. Mobile financial services involve telecom providers, Internet providers and technology providers. The idea of partnerships needs to extend beyond your own industry vertical. We all need to effectively share information with each other and work together.
The third thing is to be aware not only of your organization but also of your customers. If you're focused on the ultimate protection of both your organization and your customers, that gives you the focus to continually try to strengthen the environment.