Panel urges cooperation on cybersecurity

Protecting financial institutions from cyberattacks requires increasing levels of cooperation between the government and the private sector, panelists said Tuesday at a conference called Homeland Security 2002: Establishing a Culture of Cooperation.

Many of the Washington, D.C., conference’s sessions emphasized such cooperation, which is being fostered by changing mindsets on both the government and private sides of the coin.

In the financial services world, the responsibility for keeping up with threats and the technologies that can help guard against them rests with the banks and investment houses, said Richard Marshall, deputy director of the Critical Infrastructure Assurance Office, one of 22 federal agencies that will soon become part of the U.S.’s new Department of Homeland Security.

“The scope of change, the pace of change is just too quick for government regulators to keep up with,” he said. “This has got to be a self-curing issue.”

The key for financial firms is business continuity, he said. The threat might be electronic, or it might be a physical attack or disaster. Either way, a firm must be sure that it can continue operating, protect its customers’ privacy and anticipate problems in time to prevent them.

Marshall’s agency is working on the finishing touches to the National Strategy to Secure Cyberspace,  a collection of “best practices” that business are invited — but not required — to follow in implementing security programs. The public comment period on the document closed last month, and Marshall said he expects President George W. Bush to approve it early next year. The draft is available here.

“We don’t pretend to know all the answers, but we believe that together we can help come up with some intelligent solutions,” he said. “And we realize that it’s not going to be government-down. It has to be ‘let’s join hands and work together.’ “

Financial services firms in general are ahead of other private-sector industries in securing their information, but they aren’t where they need to be, Marshall said. “You need to raise the security bar,” he said.

The technological challenges are formidable, said Dale Hazel, senior vice president of marketing at Convera, a software company that makes search products for businesses. Moreso than some other types of businesses, financial institutions store massive amounts of data, he said. Terabyte measurements are common, and he said he has seen some databases that exceed a petabyte, or 1,000 terabytes. Such mountains of information stretch the limits of system scalability, he said.

Meanwhile, companies don’t have a good handle on how to balance prudence with overzealousness, said J. Michael Gibbons, a former chief investigator of computer crime for the FBI, now a senior manager at consulting firm BearingPoint.

“Those of us in homeland security all just want to understand how much security is enough,” he said. “We want the truth, and the quest for the truth is the most difficult thing we face.”

Inside financial firms, executives see the wisdom of spending money on security, said Leigh Williams, senior vice president and chief privacy officer at Fidelity Investments Inc. His firm spends about $1 billion a year on technology, much of it security-focused, and believes that cost is worth the payback.

“We have for a long time expected a return on our business continuity efforts,” he said. “We do believe that before the September attacks, it made a lot of sense to invest very heavily in protecting the data and systems customers rely on. I don’t think that has changed at all in the last couple of years.”

What has changed, he said, is the firm’s approach to the problems. The vision has become much broader than it once was, he said.

“Before September of 2001, we approached security in a very fragmented way. We tended to split data security from physical (security),” he said. Since then, the firm has come to see both physical and cybersecurity as part of the same issue.

While Fidelity has unified its approach, the financial sector as a whole has done the same, according to Williams. Fidelity has integrated itself more closely with financial services firms, smaller banks and other institutions, he said.

“We’re operating more as an industry and less as a collection of firms,” he said. “And with that, industry is now better connected to government.”

Over the past couple of years, financial trade associations including the Securities Industry Association, the Investment Company Institute “and a dozen other trade associations” have consolidated their efforts to interact with government through a new group they formed called the Financial Services Sector Coordinating Council, he said. Meanwhile, government agencies and regulators have also been consolidating power.

“Instead of there being hundreds of us talking at once and getting nothing done, we’ve become much more tightly integrated,” said Williams of Fidelity.

Fidelity plans to sustain its high level of investment in security, he said. “It takes a pretty good bite out of our bottom line,” he said. “We do it because we think it will offer us some payback.”