[Senate Hearing 113-583]
[From the U.S. Government Publishing Office]
                                                        S. Hrg. 113-583


 CYBERSECURITY: ENHANCING COORDINATION TO PROTECT THE FINANCIAL SECTOR

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                                   ON

    EXAMINING THE COORDINATION AND INFORMATION SHARING BETWEEN THE 
   FINANCIAL SERVICES INDUSTRY AND THE SECRET SERVICE, DEPARTMENT OF 
   HOMELAND SECURITY, FEDERAL BUREAU OF INVESTIGATION, THE TREASURY 
  DEPARTMENT, THE FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL, 
   FEDERAL REGULATORY AGENCIES, AND LAW ENFORCEMENT IN IDENTIFYING, 
               MONITORING, AND RESPONDING TO CYBERTHREATS

                               __________

                           DECEMBER 10, 2014

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs


                 Available at: http://www.fdsys.gov/

                                  ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

93-566 PDF                     WASHINGTON : 2016 

            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                  TIM JOHNSON, South Dakota, Chairman

JACK REED, Rhode Island              MIKE CRAPO, Idaho
CHARLES E. SCHUMER, New York         RICHARD C. SHELBY, Alabama
ROBERT MENENDEZ, New Jersey          BOB CORKER, Tennessee
SHERROD BROWN, Ohio                  DAVID VITTER, Louisiana
JON TESTER, Montana                  MIKE JOHANNS, Nebraska
MARK R. WARNER, Virginia             PATRICK J. TOOMEY, Pennsylvania
JEFF MERKLEY, Oregon                 MARK KIRK, Illinois
KAY HAGAN, North Carolina            JERRY MORAN, Kansas
JOE MANCHIN III, West Virginia       TOM COBURN, Oklahoma
ELIZABETH WARREN, Massachusetts      DEAN HELLER, Nevada
HEIDI HEITKAMP, North Dakota

                       Charles Yi, Staff Director

                Gregg Richard, Republican Staff Director

                  Laura Swanson, Deputy Staff Director

                        Jeanette Quick, Counsel

                    Phil Rudd, Legislative Assistant

                  Greg Dean, Republican Chief Counsel

                    Jared Sawyer, Republican Counsel

                    Travis Hill, Republican Counsel

                       Dawn Ratliff, Chief Clerk

                      Troy Cornell, Hearing Clerk

                      Shelvin Simmons, IT Director

                     Jason T. Parker, GPO Detailee

                          Jim Crowell, Editor


                            C O N T E N T S

                              ----------                              

                      WEDNESDAY, DECEMBER 10, 2014

Opening statement of Chairman Johnson

Opening statements, comments, or prepared statements of:
    Senator Crapo

                               WITNESSES

Brian Peretti, Director for the Office of Critical Infrastructure 
  Protection and Compliance Policy, Department of the Treasury
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Menendez
        Senator Warner
Phyllis Schneck, Deputy Under Secretary for Cybersecurity and 
  Communications, National Protection and Programs Directorate, 
  Department of Homeland Security
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Menendez
        Senator Warner
Valerie Abend, Senior Critical Infrastructure Officer, Office of 
  the Comptroller of the Currency
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Menendez
        Senator Warner
William Noonan, Deputy Special Agent in Charge, Cyber Operations 
  Branch, Criminal Investigative Division, Secret Service
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Warner
Joseph M. Demarest, Jr., Assistant Director, Cyber Division, 
  Federal Bureau of Investigation, Department of Justice
    Prepared statement

              Additional Material Supplied for the Record

Letter to Agencies submitted by Chairman Johnson and Senator 
  Crapo
Letter of response submitted by Joint Agencies
Letter of response submitted by the Department of the Treasury
Letter of response submitted by Federal Deposit Insurance 
  Corporation
Letter of response submitted by the National Credit Union 
  Administration
Letter of response submitted by the Board of Governors of the 
  Federal Reserve System
Letter of response submitted by the Office of the Comptroller of 
  the Currency
Letter to the Conference of State Bank Supervisors submitted by 
  Chairman Johnson and Senator Crapo
Letter of response submitted by the Conference of State Bank 
  Supervisors
Statement submitted by the National Association of Federal Credit 
  Unions
Statement submitted by the Securities Industry and Financial 
  Markets Association
Statement submitted by the Independent Community Bankers of 
  America
Protecting Merchant Point of Sale Systems During the Holiday 
  Season
 
 CYBERSECURITY: ENHANCING COORDINATION TO PROTECT THE FINANCIAL SECTOR

                              ----------                              


                      WEDNESDAY, DECEMBER 10, 2014

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10:04 a.m., in room SD-538, Dirksen 
Senate Office Building, Hon. Tim Johnson, Chairman of the 
Committee, presiding.

           OPENING STATEMENT OF CHAIRMAN TIM JOHNSON

    Chairman Johnson. I call this hearing to order.
    For my last hearing as Banking Committee Chairman, I am 
focusing on an issue that will require action in the next 
Congress and beyond. Responsible management of cyber-risks by 
financial institutions is important for consumer protection, 
financial stability, privacy, and national security. Not only 
are financial institutions frequent targets of cybercrime, they 
are uniquely interconnected with major sectors of the economy. 
Cyber attacks may cause damage to the financial system without 
directly attacking a bank, including through third-party 
providers.
    Earlier this year, I held a hearing on the role of 
financial regulators in ensuring that institutions protect 
consumer information. Since then, we have seen one of the 
biggest data breaches in history at JPMorgan. We must ensure 
that consumers have confidence in the financial system and that 
hard work is done by industry and Government together to 
prevent data breaches before they occur and respond quickly and 
in coordination when breaches do occur.
    However, data breach is only one piece of the cybersecurity 
puzzle. That is why Ranking Member Crapo and I asked Federal 
and State banking regulators and Treasury to provide 
information about each agency's protection of our financial 
system from cyber attacks. I am entering each agency's response 
into the record and I expect that regulators continue vigilance 
on cybersecurity.
    Safeguarding cyberspace has become increasingly complex as 
our lives become more entwined with technology. Technological 
innovation in financial services, such as mobile payments, 
peer-to-peer lending, and cloud computing can facilitate 
improvements in the consumer experience and economic growth. 
However, these innovations highlight the crucial need for sound 
cybersecurity policy, as many of these products are outside of 
the regulated financial sector.
    I have asked today's witnesses to discuss each of their 
roles in responding to cyberthreats and how to improve 
information sharing. Law enforcement, the intelligence 
community, Treasury, and financial regulators each may have 
different missions, but in addressing cybersecurity concerns, 
they all must be united in what some call a whole Government 
approach. I look forward to hearing more about cross-sector 
risks to the financial system, challenges facing small 
financial institutions, and how effective your partnerships 
with the private sector have been in improving cybersecurity 
practices.
    Cybersecurity is one of the most important issues facing 
the financial system. I urge all of the witnesses today, as 
well as policymakers in the next Congress, to act quickly to 
address cybersecurity concerns.
    Before I turn to Ranking Member Crapo for the last time, I 
want to say one more time to him and his staff, thank you for 
being such good partners as we sought to run our Committee in a 
civil, bipartisan way. To my other colleagues on this 
Committee, it has been a pleasure working with all of you over 
the many years.
    I now turn to Senator Crapo for his opening statement.

                STATEMENT OF SENATOR MIKE CRAPO

    Senator Crapo. Thank you, Mr. Chairman, and I appreciate 
your kind remarks. I share the same feelings that you have 
indicated with regard to not only our work together, but our 
staff, and I have developed great friendships with all of you. 
I appreciate that.
    This morning, we are holding what may be the final Banking 
Committee hearing that will be chaired by you, and I just have 
to reiterate what a pleasure it has been to work with you. You 
and I do have a great working relationship and it has been a 
privilege to serve with you in the past in a number of 
contexts, but in this Congress as Chairman and Ranking Member, 
and I wish you the best of luck in the future.
    Chairman Johnson. Thank you.
    Senator Crapo. Today, we have gathered to discuss 
cybersecurity in the financial sector. A ``60 Minutes'' segment 
that aired last week called 2014 the Year of the Data Breach. 
One recent study estimated that 60 percent of companies overall 
have experienced a breach in the last 2 years. This includes a 
number of high-profile breaches in which hackers have stolen 
personal and financial information from millions of consumers.
    These breaches can result in frustrating experiences for 
consumers, including obtaining new credit or debit cards, 
monitoring accounts for fraudulent activity, and the disruption 
of preauthorized payments. Additionally, financial 
institutions, especially community banks and credit unions, 
face significant costs in reissuing cards and covering losses. 
The financial sector itself is also a primary target for 
hackers, because, as some have pointed out, that is where the 
money is. The largest banks are under constant attack, every 
day, and spend hundreds of millions of dollars per year on 
cyber defense.
    What many may not realize is that the cost of defending 
against cyber attacks is remarkably disproportionate compared 
to the cost of attacking. Hackers can purchase tools to exploit 
vulnerabilities for just a few hundred dollars, while firms 
must spend upwards of a million dollars or more to defend 
against specific cyber attacks. The costs and burdens on 
smaller financial institutions to defend against attacks can be 
enormous.
    JPMorgan Chase, the Nation's largest bank by assets, was 
attacked this summer when hackers stole personal information 
from 76 million households and seven million small businesses. 
While this is certainly concerning, I am encouraged that 
despite spending weeks inside JPMorgan's system, the criminals 
reportedly were unable to steal any financial account 
information.
    Maintaining a strong perimeter defense is one essential 
component of cybersecurity. Minimizing damage if hackers get 
inside is another.
    The impact of a major cyber attack against our financial 
system would be dire. In the words of Secretary Lew, successful 
attacks on our financial system would compromise market 
confidence, jeopardize the integrity of the data, and pose a 
threat to financial security.
    Many of your agencies have made cybersecurity a priority 
and I applaud you for that. In addition, the financial industry 
has devoted substantial resources to protecting its information 
systems and is widely viewed as one of the most advanced 
sectors in terms of prioritizing cybersecurity. Today, I hope 
to learn more about how the Federal Government is partnering 
with industry to ensure that our financial system is protected 
from cyberthreats. What is the Government's process for 
obtaining threat information and delivering it to the private 
sector? How can we improve this process to get the information 
where it needs to go more quickly?
    It is good that cybersecurity is getting attention from so 
many different agencies and offices and working groups. While 
positive steps are being taken, we must be sure that the 
process has not become so complicated that it slows down the 
outflow of information and hinders coordination. Law 
enforcement, the Departments of Treasury and Homeland Security, 
and intelligence community, and banking regulators must all 
work together effectively to maximize the speed of information 
sharing and to minimize the risk of damage from cyber attacks.
    I hope to learn, also, about the work being done by the 
FFIEC's Cybersecurity Working Group and how that will inform 
exam procedures and policies moving forward.
    Thank you, Mr. Chairman, for holding this hearing, and I 
look forward to hearing the testimony of each of our witnesses 
today.
    Chairman Johnson. Thank you, Senator Crapo.
    Are there any other Members who would like to give a brief 
opening statement?
    [No response.]
    Chairman Johnson. I would like to remind my colleagues that 
the record will be open for the next 7 days for additional 
statements and any other materials you would like to submit.
    Now, I will introduce our witnesses. Brian Peretti is 
Director for the Office of Critical Infrastructure Protection 
and Compliance Policy at the U.S. Department of the Treasury.
    Phyllis Schneck is Deputy Under Secretary for Cybersecurity 
and Communications for the National Protection and Programs 
Directorate at the Department of Homeland Security.
    Valerie Abend is the Senior Critical Infrastructure Officer 
for the Office of the Comptroller of the Currency.
    William Noonan is Deputy Special Agent in Charge of the 
Cyber Operations Branch of the Secret Service's Criminal 
Investigative Division.
    Joseph Demarest, Jr., is Assistant Director of the Cyber 
Division at the Federal Bureau of Investigation.
    I would like to ask the witnesses to please keep your 
remarks to 5 minutes. Your full written statements will be 
included in the hearing record.
    Mr. Peretti, you may begin your testimony.

STATEMENT OF BRIAN PERETTI, DIRECTOR FOR THE OFFICE OF CRITICAL 
INFRASTRUCTURE PROTECTION AND COMPLIANCE POLICY, DEPARTMENT OF 
                          THE TREASURY

    Mr. Peretti. Chairman Johnson, Ranking Member Crapo, and 
distinguished Members of the Committee, it is my pleasure to 
appear before you today to discuss cybersecurity of the 
financial sector. As Director of Treasury's Office of Critical 
Infrastructure Protection and Compliance Policy, my role is to 
support the security and resiliency of the critical virtual and 
physical infrastructures that enable financial sector 
operations. Cybersecurity has been a central focus of our 
office for several years.
    Before I begin, I would like to thank the Committee for 
focusing attention on this critical issue. At all levels, 
Government and the financial sector have taken significant 
steps in recent years to enhance information-sharing 
processes, improve baseline security at firms, and develop and 
test processes for responding to and recovering from incidents. 
More work is needed, however, and discussions like this can 
help advance the whole-of-Nation collaborative effort that is 
needed to respond to these very complex challenges.
    Helping to protect financial sector critical infrastructure 
from physical and virtual threats is an integral component of 
Treasury's leadership in financial affairs domestically and 
globally. Presidential Policy Directive 21 was created in 2013 
to advance a national unity of effort to strengthen and 
maintain secure, functioning, and resilient critical 
infrastructure. This Directive reaffirms Treasury's role as the 
sector-specific agency for financial services, recognizing its 
financial services expertise and the value of its day to day 
engagement with financial institutions in building and 
enhancing security and resiliency partnerships.
    PPD-21, along with the President's 2013 Executive Order on 
cybersecurity, forms the basis for Treasury's mission to 
protect critical infrastructure from cyber incidents. This work 
depends on strong partnerships with others in Government and 
industry. To focus our work, we collaborate closely with other 
Government agencies and the private sector. To coordinate with 
Government, we chair the Financial and Banking Information 
Infrastructure Committee, a committee of 18 Federal and State 
regulators, and participate in interagency discussions chaired 
by the White House. To coordinate with the sector, we work with 
the Financial Services Sector Coordinating Council, which 
brings together private-sector institutions, trade 
associations, and individual firms to discuss security and 
resiliency policy.
    Now that I have described who we work with, I would like to 
spend the remainder of my time today talking specifically about 
the substantial outcomes of our work.
    First, I would like to highlight our work to promote 
cybersecurity information sharing. Sharing technical and 
strategic information about cyber incidents and threats is one 
of the most effective tools that the Government has to support 
the mitigation of cyber incidents and improve the operational 
resilience of the financial sector. In order to ensure that the 
sector receives the best information from all Government 
sources, Treasury works closely with other agencies to identify 
and declassify information that may be of use to private-sector 
firms. To this end, I have established a team within my office, 
the Financial Sector Cyber Intelligence Group, which works with 
the interagency and private-sector partners to provide timely 
and actionable information, including threat indicators, to the 
financial services sector.
    The financial services sector has invested significant 
resources in developing robust information-sharing mechanisms, 
primarily through the FS-ISAC. This information sharing and 
analysis center is a model for what can be accomplished by the 
private sector, and we in Government should look further to 
encourage the growth of the FS-ISAC and ISACs in other sectors.
    The President's Executive Order 13636 called for NIST to 
develop a framework that would reduce cyber-risks to critical 
infrastructure. Treasury has worked closely with the financial 
sector regarding how this sector could provide input into the 
framework. Today, the NIST Cybersecurity Framework is a 
voluntary blueprint that firms of all sizes can use to 
evaluate, maintain, and improve the resilience of their 
computer systems and reduce cyber-risk.
    Treasury continues to encourage financial service firms to 
utilize the framework, including by holding business partners, 
suppliers, and customers accountable to the risk management 
approach. In particular, efforts by SIFMA to develop auditable 
standards of the framework may be beneficial in supporting 
broad adoption of best practices.
    Finally, to improve incident management, Treasury believes 
the roles and responsibilities for different entities must be 
more clearly defined and regularly tested and refined. In order 
to prepare for cybersecurity incidents, Government agencies and 
private-sector entities must work together to develop and 
refine response protocols that clearly delineate roles and 
responsibilities.
    Similarly, exercises are necessary to improve incident 
plans and develop muscle memory in the organizations with the 
personnel responsible for managing the incidents. Treasury has 
partnered with DHS and the FSSCC to develop an exercise program 
focused on the financial services sector. The first joint 
exercise in this program was held yesterday. By continuing to 
hold these exercises and smaller drills along the way, we can 
collectively hone preparedness and continually improve response 
mechanisms.
    In conclusion, while significant progress has been made to 
improve financial sector cybersecurity, we know there is more 
work to be done. We continue to hold ongoing discussions with 
our Government and private-sector partners to identify and 
build a more secure and resilient financial sector. As these 
efforts progress, we will work with senior policymakers to 
determine the best course of action to address these issues as 
they are identified.
    I thank you for focusing on this issue and will be happy to 
take your questions.
    Chairman Johnson. Thank you.
    Dr. Schneck, please proceed with your testimony.

   STATEMENT OF PHYLLIS SCHNECK, DEPUTY UNDER SECRETARY FOR 
   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND 
     PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY

    Ms. Schneck. Good morning, Chairman Johnson, Ranking Member 
Crapo, and distinguished Members of the Committee. I am very 
pleased to be here today to talk with you about the role of DHS 
in cybersecurity, the way we work with these critical issues 
with the financial sector.
    Secretary Johnson always reminds us that cybersecurity is a 
part of homeland security, and we are fortunate within the 
Department of Homeland Security to not only have where I am, 
with the National Protection and Programs Directorate, a non-
law enforcement piece focused on the protection and resilience 
of critical infrastructure, which includes cybersecurity and 
communications, but also law enforcement with Homeland Security 
Investigations as well as the U.S. Secret Service, some of the 
finest law enforcement investigators on the planet for 
financial crimes.
    So, I speak with you today from the National Protection and 
Programs Directorate on the non-law enforcement side and the 
role that we play. If you look at our National Cybersecurity 
and Communications Integration Center, which I will call the 
NCCIC, that is the core of cyber awareness, information coming 
in from victims, from partners, from vendors, from all of our 
interagency partners, whether it is the FBI, the intelligence 
community, from our in-house law enforcement, from Secret 
Service, from Homeland Security Investigations, all of our 
private-sector partners, all the State and local.
    Twenty-four-seven, all this information is coming in. We 
see something, say something. Just like the aviation industry, 
we learn from every event, whether people go out and help 
somebody stay online, we learn from that and it protects 
everybody else, or whether the programs we have to protect the 
Government in, as you said, perimeter defense, those collect 
data with the full collaboration with privacy and civil 
liberties. We collect as much data as we are allowed to 
understand, just as weather forecasters do, what we need to do 
to have information propagated ahead to protect the next 
victim. We do that for Government and private sector, as our 
programs look at perimeter defense for Government agencies as 
well as internal, and we are also able to protect private 
sector with Government data.
    We also house the United States Computer Emergency 
Readiness Team, or the U.S.-CERT, people that get on airplanes 
to keep people online, fix and respond. Our role is to respond 
and mitigate cyberthreat, make sure people stay online, whether 
it is systems that keep the lights on, the water running, or 
cyber systems in general. We also have the Industrial Control 
System CERT housed in Idaho Falls which looks at those very 
control systems that do keep physical infrastructure alive. So, 
those electronic systems that can be breached and are being 
targeted, keeping those online.
    If we look at what is important here, it is speed. Our 
adversary enjoys an agility that we do not have. My background 
is in high-performance computing and cryptography, but also 
really looking at how you build intelligence and situational 
awareness, and it was my job at my previous company, a large 
cyber provider, to do the information sharing and to lead for 
the company when we shared information with Government and law 
enforcement. And, I learned there this is a very complex issue 
and what we can do to help build resilience and help change the 
profit model for the adversary and make that much smaller, make 
this not worth their time, is to mitigate faster. This is about 
speed.
    And, the way we can balance that is if the NCCIC and our 
ability to respond as a Government, as a whole of Government, 
if you use the civilian non-law enforcement side to ingest the 
cyber activity, as we are doing, and the first place to report, 
we can then begin the mitigation while people work with their 
lawyers to figure out how to work with law enforcement. They 
are equally important. We must prosecute bad guys, but we also 
have to make sure that we do not waste time in the middle with 
the lawyers on the law enforcement side so the companies can 
work with them and have that understood. We have to make sure 
we are already mitigating in real time.
    So, the financial sector has done a lot of work to help us 
use real time, as they call it, or machine time protocols, 
faster than the attacks, to help networks be smarter about what 
is coming to them. Those can already be working while law 
enforcement is then deciding how they want to prosecute the 
case, because we want that civilian non-law enforcement 
reporting. Then we fan out all the data to the Secret Service, 
Homeland Security Investigation, FBI, intelligence community, 
and vendor partners that sit within the NCCIC.
    But, we have already started the mitigation, and it is this 
very speed that the FISMA modernization will help us to 
achieve, as well, helping us to clarify in statute the 
authority that we have to defend these networks and ensure that 
that, again, that mitigation has already started. And, I do 
thank the Senate for passing a version of this bill that could 
help us get there.
    I also want to point out what is important in our vision is 
the situational awareness, understand what is happening right 
now in cybersecurity, collect that data, work with private-
sector partners, work with the financial sector, leverage the 
great work that this sector has built in trust, in automated 
machine-to-machine communication, in getting to the bottom of 
legal issues so that we can all talk and, again, enjoy the 
agility that usually the adversary only enjoys and enable this 
to work cross-sector. And, to do that, we also have to get to 
the small to medium business and use that Executive Order 13636 
and our voluntary framework to enable best practices in 
cybersecurity to then enable all of this information sharing to 
get to those companies, as well, so that we can learn from 
them.
    In conclusion, we need to continue the great work that the 
financial sector has done such a tremendous job on with us as a 
whole of Government, and I look forward to more partnership and 
to any questions you may ask.
    Chairman Johnson. Thank you.
    Ms. Abend, please proceed with your testimony.

  STATEMENT OF VALERIE ABEND, SENIOR CRITICAL INFRASTRUCTURE 
       OFFICER, OFFICE OF THE COMPTROLLER OF THE CURRENCY

    Ms. Abend. Chairman Johnson, Ranking Member Crapo, and 
Members of the Committee, I am pleased to be here today to 
discuss the important issue of cybersecurity and what the OCC 
and the Federal Financial Institutions Examination Council have 
been doing to address cyberthreats and vulnerabilities. These 
efforts include information sharing for the benefit of the 
banking industry, regulatory community, and the financial 
system overall.
    But, first, I want to thank Chairman Johnson for his many 
years of leadership in the financial services arena and to wish 
him well in his future endeavors.
    There are few issues more important to the OCC and to our 
country's economic and national security than the risks posed 
to financial institutions by cyber attacks. We live in a world 
of rapidly evolving technology in which consumers store 
information in the cloud, pay bills with their computers, and 
use their cell phones to make purchases at the mall. However, 
these conveniences have also introduced new vulnerabilities 
into the financial system, making it more difficult to protect 
financial institutions and customer information from cyber 
attacks.
    As risks evolve, financial institutions must adapt. Our job 
as regulators is to ensure that institutions we supervise do 
everything possible to identify and manage vulnerabilities to 
these cyberthreats and our ability to respond.
    To meet that objective, the OCC's supervisory framework 
includes ongoing monitoring and information sharing with other 
regulators, Government agencies, and banks regarding emerging 
threats and changes to the risk landscape. It also includes 
development and continual refinement of standards and guidance 
that set forth our expectations as to how banks should 
safeguard their systems and their customers' information, 
including at their third-party service providers.
    To complement these efforts, we are committed to 
maintaining a cadre of highly trained IT examiners. While all 
OCC examiners receive training on information technology risk 
management, we also cultivate examiners with specialized skills 
and experience to focus on the evolving information security 
and other technology risks in bank operations. Our examiners 
assess bank compliance with our supervisory expectations to 
ensure that they are appropriately managing risk, and when 
necessary, directing them to take corrective action.
    Comptroller of the Currency Tom Curry chairs the FFIEC, and 
one of the Council's top priorities is to strengthen the 
resilience of regulated institutions to cyber attacks. Under 
the Comptroller's leadership, the FFIEC created the 
Cybersecurity and Critical Infrastructure Working Group. The 
Working Group helps the FFIEC members collaborate on cyber-
related examination policy, training programs, coordination of 
responses to cybersecurity incidents, and information sharing 
and awareness efforts.
    The Working Group has been quite active since its 
inception. In addition to sponsoring awareness and training 
webinars, it has drafted statements advising financial 
institutions about the variety of specific threats and 
vulnerabilities, including the Heartbleed and Shellshock 
vulnerabilities and attacks on ATMs.
    The FFIEC, on behalf of its members, also recommended that 
all institutions join the Financial Services Information 
Sharing and Analysis Center, a public-private partnership which 
provides information about current threats and vulnerabilities.
    A major initiative of the Working Group was to pilot a 
cybersecurity examination work program at more than 500 
community institutions. This cybersecurity assessment evaluated 
the operating environment for each institution and assessed its 
overall level of preparedness. The results of the assessment 
will help FFIEC members make informed decisions about how they 
prioritize actions to enhance the effectiveness of 
cybersecurity-related supervisory programs, guidance, and 
examiner training. The results are summarized in a General 
Observations document that provides observations and questions 
that banks, boards of directors, and CEOs should consider when 
assessing their cybersecurity preparedness.
    The Comptroller has emphasized the importance of 
communication, collaboration, cooperation in all aspects of our 
mission, but nowhere is communication and collaboration more 
important than in the realm of cybersecurity, where the threats 
transcend agency jurisdictions and industry boundaries. The OCC 
is an active member of several information-sharing bodies. We 
also recognize the importance of maintaining relationships with 
law enforcement and intelligence communities to share 
information through open lines of communication. We use 
information-sharing forums, relationships with Government 
agencies, and information from our exams to inform our 
supervision.
    Finally, the recent breaches at large retailers highlight 
the need for improved cybersecurity for merchants. When 
breaches occur in merchant systems, we believe that merchants 
should contribute to efforts to make affected consumers whole 
so that banks, particularly community institutions, do not 
disproportionately shoulder the cost. Additionally, financial 
institutions share dependencies with other sectors, such as 
telecommunications and energy, and as such, we support efforts 
to ensure commensurate standards for those important critical 
infrastructures.
    In closing, we are committed to refining our supervisory 
processes and to participating in a range of information-
sharing forums to keep abreast of and respond to cyberthreats. 
Combating threats and protecting our economic security requires 
the Government and industry to work together for the good of 
consumers, the industry, and the entire financial services 
sector.
    Thank you, and I would be happy to answer your questions.
    Chairman Johnson. Thank you.
    Mr. Noonan, please proceed with your testimony.

 STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE, 
   CYBER OPERATIONS BRANCH, CRIMINAL INVESTIGATIVE DIVISION, 
                         SECRET SERVICE

    Mr. Noonan. Good morning, Chairman Johnson, Ranking Member 
Crapo, and distinguished Members of the Committee. Thank you 
for the opportunity to testify with interagency partners 
regarding the ongoing threat of cybercrime to our Nation's 
financial services sector.
    Chairman Johnson, while the Secret Service has only 
testified a handful of times before this Committee in recent 
years, we all appreciate the work you have done on behalf of 
American consumers and the financial services industry. We wish 
you the best in retirement.
    The founding mission of the Secret Service is to protect 
our Nation's financial payment system from malicious activity. 
As it has evolved from paper to plastic to now digital 
information, so, too, has the Secret Service's investigative 
mission. Today, financial transactions of all types depend 
heavily on information technology. As such, criminals motivated 
by greed have adapted their methods and are increasingly using 
cyberspace to exploit these systems to engage in fraud and 
other illegal activities.
    The wealth accrued by the world's most skillful 
cybercriminals is staggering. Some have become 
multimillionaires through their criminal endeavors and are not 
stopping there. Cyber investigative programs are being outpaced 
by criminals who reinvest their illicit proceeds to support 
their malicious cyber activity.
    Despite substantial investments in cybersecurity by our 
leading financial institutions, we continue to see many fall 
victim to cybercriminals. In considering all the high-profile 
cyber incidents over the last year, it is clear that defense 
alone is inadequate. Proactive law enforcement investigations 
are essential in combating these threats.
    The Secret Service has observed transnational 
cybercriminals who, over the past 10 years, have grown into 
highly capable adversaries. They command botnets consisting of 
millions of computers. They routinely compromise highly secure 
computer networks. And, they accomplish increasingly profitable 
operations. Last year, we witnessed an unlimited ATM cash-out 
operation that was unprecedented in scope. The operation 
involved a cybercriminal organization which stole $40 million 
in less than 11 hours through a synchronized effort executed 
across 24 countries. Rich off the money they have stolen from 
Americans, our Nation faces increasing risk that sophisticated 
cybercriminals may coordinate their unique skill sets and apply 
their combined expertise to conduct cyber attacks against our 
critical infrastructure.
    Achieving a different outcome drives our work at the Secret 
Service. We focus on proactively investigating the most capable 
cybercriminals. To defeat these transnational groups, we target 
their criminal infrastructure and leaders. For example, last 
year, the Secret Service shut down the digital currency 
platform Liberty Reserve for allegedly running a $6 billion 
money laundering scheme. Prior to its shutdown, the currency 
had more than 5.5 million user accounts and approximately 55 
million transactions. The founder of Liberty Reserve, Arthur 
Budovsky, was extradited from Spain to the United States in 
October. Mr. Budovsky is among seven individuals charged in the 
indictment. Four other codefendants pled guilty and are 
awaiting sentencing.
    In addition, this past year, the Secret Service worked with 
a key law enforcement partner to apprehend one of the primary 
masterminds alleged to be behind a series of unlimited ATM 
cash-out operations, including the one I previously mentioned. 
Since his arrest, there has not been another successful 
operation of this kind. These arrests prove that transnational 
cybercriminals are not beyond the reach of U.S. law 
enforcement. Over the past 5 years, the Secret Service arrested 
nearly 6,000 cybercriminals and prevented nearly $12 billion in 
potential fraud losses.
    The Secret Service actively shares information to disrupt 
cybercriminal schemes. This year, as a result of information 
discovered through just one of our ongoing cybercrime 
investigations, we notified over 200 U.S. organizations of 
cybercriminal activity targeting their networks. These include 
retailers, financial institutions, Government agencies, IT 
companies, health care providers, and military agencies.
    Our work does not stop with victim notification. The Secret 
Service also widely shares actionable cybersecurity information 
through our close partnerships with the Department of Treasury, 
the Department of Justice, and DHS's National Cybersecurity and 
Communications Integration Center. This is in addition to our 
work with industry groups like the FS-ISAC, Financial Services 
Roundtable, and the Business Executives for National Security.
    Through the dedicated efforts of our special agents, our 
Electronic Crimes Task Forces, and our public and private-
sector partners, the Secret Service will continue its efforts 
to counter the growing threat posed by cybercriminals.
    Thank you for the opportunity to testify on this important 
topic, and I look forward to your questions.
    Chairman Johnson. Thank you.
    Mr. Demarest, please proceed with your testimony.

STATEMENT OF JOSEPH M. DEMAREST, JR., ASSISTANT DIRECTOR, CYBER 
   DIVISION, FEDERAL BUREAU OF INVESTIGATION, DEPARTMENT OF 
                            JUSTICE

    Mr. Demarest. Last, but certainly not least, the FBI.
    [Laughter.]
    Mr. Demarest. Good morning, Ranking Member Crapo and 
distinguished Members of the Committee. And to Chairman 
Johnson, I, and we in the FBI, thank you, sir, for your long 
and distinguished service to the American people. Thank you, 
sir.
    I am honored to appear before you today to discuss 
cyberthreats facing our Nation, their relation to the financial 
sector, and the efforts the FBI is taking to identify, pursue, 
and defeat those threats. In the course of my testimony this 
morning, I hope to give you a sense of the extent to which 
today's cyber actors pose new and increasingly complex threats 
to our country and to the financial sector specifically, a 
threat that challenges traditional models of law enforcement 
and the intelligence communities. Today's cyber actors, from 
Nation-States to criminal groups and individuals, find 
themselves virtually unconstrained by time, distance, and 
physical location.
    I would like to start with a brief overview of the Cyber 
Division of the FBI. In general, our mission falls into three 
separate but primary buckets. First, we identify the cyber 
actors perpetrating the harm and the role of cybercrime and 
cyber espionage. This is often the most difficult step, as 
cyberthreats use various methods to attempt to hide virtually 
in plain sight.
    Second, we pursue these actors, tracking their activity 
both online and off. We utilize collaborative partnerships 
across the Federal Government, with international partners, and 
certainly with industry, along with our unique combination of 
national security and law enforcement authorities to gather 
intelligence about the tactics, techniques, and procedures of 
these actors. In short, we find these threat actors by using a 
variety of cutting-edge techniques to locate them no matter 
where they are on the planet.
    Last, with the aid of partnerships and our unique 
authorities, we defeat the cyber adversaries through a full 
range of methods, from prosecution to disruption, here and 
abroad.
    As the Members of this Committee are aware, the threat from 
cyber actors continues to advance in sophistication. I would 
like to spend the rest of my brief testimony highlighting a few 
of the ways the FBI, along with our partners here in Government 
and in organizations like the Securities Industry and Financial 
Markets Association, SIFMA, the Financial Services Sector 
Coordinating Council, FSSCC, the Financial Services Information 
Sharing and Analysis Center, FS-ISAC, and the Financial 
Services Roundtable are collaborating with each other and with 
the private sector to protect the Nation and the financial 
sector, in particular, from cyberthreats.
    Specifically, I would like to talk about botnets and the 
criminal underground which harness the power of enormous webs 
of computers for malicious purposes and the FBI's efforts to 
address them through Operation Clean Slate.
    As I speak, since 2001, estimates place the total damages 
caused by botnets at more than $9 billion in losses to U.S. 
victims and over $110 billion in losses worldwide to date. 
Approximately 500 million computers are infected globally per 
year, translating to 18 victims per second. Botnets are 
continually used to attack the financial sector through 
``denial of service'' attacks, or DDoS attacks, and the FBI has 
been deeply involved in keeping such attacks from inflicting 
lasting damage.
    Beginning in September of 2012, for example, actors 
launched powerful DDoS attacks from a botnet to target major 
U.S. banking institutions. From March 2013 through July 2014, 
the FBI conducted approximately 36 classified threat briefings 
regarding the attacks on private-sector financial institutions 
and Government agencies, including DHS, Department of Treasury, 
the FDIC, and the Federal Reserve. The initial classified 
briefing held in March 2013 was attended by over 300 chief 
information security officers. This type of outreach is now the 
norm for us. We share by rule, not exception. Based on imminent 
threats to the financial sector in early 2014, the FBI provided 
classified threat briefings in March, April, and July to a 
total of 145 financial institutions.
    Further, the FBI worked closely with DHS to issue a Joint 
Indicator Bulletin, or Bulletins, or JIBs, as they are 
affectionately called internally, to the U.S. banks, which 
included thousands of IP addresses that participated in the 
attacks. Throughout this campaign, the FBI held significant 
outreach efforts to brief bank net defenders through a series 
of classified briefings. These briefings, conducted by FBI, 
DHS, and Treasury representatives, provided the bank security 
personnel the context of the DDoS threat and enabled the banks 
to share best practices with their peers in real time.
    To further assist with network defense of botnets, the FBI 
created a document called the FBI Liaison Alert System Message, 
or FLAS. Through this system, the FBI releases high-confidence 
data to the private sector with indicators and alerts related 
to computer intrusions and DDoS attacks. From April of 2013 
through July of this year, the FBI disseminated 34 FLAS 
messages, about 20 of which dealt with threats directly focused 
on the financial sector. The FBI disseminated, among other 
information, indicators for approximately 115,000 compromised 
systems in these messages.
    We at the FBI, in short, are doing everything in our power 
to keep pace with the threat against the financial sector and 
our Nation. Our agents, computer scientists and analysts, and 
professional staff are all working hard to outpace the threats 
on a daily basis by identifying, pursuing, and defeating our 
adversaries wherever they may be in the world. The FBI and our 
partners throughout the Government have all made significant 
progress in recent years in collaborating within the cyber 
domain and we look forward to working with the Committee and 
Congress in protecting our Nation from these evolving threats.
    I thank you again for this opportunity and I look forward 
to your questions. Thank you.
    Chairman Johnson. Thank you all for your testimony. I will 
now ask the clerk to put 5 minutes on the clock for each 
Member.
    Director Schneck, we have heard that cyber attacks often 
have impacts on more than one critical infrastructure sector. 
What is DHS doing to facilitate information sharing and best 
practices among sectors? Are there other sectors that are 
particularly important to coordinate with the financial 
services sector?
    Ms. Schneck. Thank you, sir, and I also regret that my 
first time talking to you in this forum is my last, but thank 
you----
    Chairman Johnson. Yes.
    Ms. Schneck. So, a great question. One of the reasons, I 
believe, that we exist in our NCCIC, that National 
Cybersecurity Coordination, Communication, Integration Center, 
is really to look at how we take these attack attempts and how 
we take the data that we see and we take the actual attacks and 
make sure that not only we respond and mitigate quickly, but 
that we share that information out across sectors, because we 
are all connected. If we had to figure out whether finance was 
more important than electricity or water or gas, we would have 
a hard time doing that because they are all so interdependent, 
and you also add a complexity that a lot of the signaling 
systems, the electronics that control circuits opening and 
closing to make, literally, decisions--whether water comes out 
of a valve or nuclear or electric--all of that is, in many 
cases, the same equipment across the sectors.
    We work very hard through our Industrial Control Systems 
CERT and our regular computer emergency response teams and our 
interagency partners, our internal partners, everybody, and all 
of the trusted private-sector relationships to gather data and 
science and technology to understand two things. One is, how do 
we bring information in faster, and how do we analyze it, make 
real actionable intelligence out of it, and how do we push it 
out faster.
    So, bringing it in comes from trust and then automated 
mechanisms, so people and machines. When machines see something 
wrong behaviorally, they tell us, and this is all designed with 
privacy and civil liberties baked in. The other piece is with 
people, and as we work closely with sectors such as financial 
industry as well as electric and water and all of the others, I 
think the finance sector, and I gave credit earlier, is very 
important, because they had set a standard of the level of 
trusted relationship going back 15 years. They have been 
leaders in this.
    The Financial Services ISAC, Information Sharing and 
Analysis Center, that was mentioned earlier has taken great 
strides in providing ways, free of charge, for others in the 
private sector and Government to attach their software, 
whatever they may be using, to protocols or ways that we can 
protect other sectors and other companies with information that 
we know in the NCCIC. So, if we keep all the information and 
analyze it and look at trends, just as weather forecasters do, 
our job now is to get it out as quickly as possible so that our 
networks are resilient, and without having seen it before, a 
piece of the network can understand a behavior that is wrong, 
just like your body's immune system recognizes a cold that you 
may not have had before. And, working with our interagency 
partners and working with trust and advancements with the 
financial sector and others, we make other sectors stronger.
    There are many sectors that are looking at this, as well as 
State and local and small to medium businesses, leveraging 
outreach from the cybersecurity framework. And, we have 
launched at DHS the C-Cubed VP. It is an acronym, of course, 
but it is the cyber--Critical Infrastructure Cybersecurity 
Community Voluntary Program, and that is a long name for we 
reach out to everybody that will listen to our best practices, 
that will go to our Web site and see how to judge your 
resilience, and that will take the information that we have, 
either ingest it by machine in real time, or by one of the 
reports that my colleagues have mentioned, or by simply calling 
us up saying that they need help, because the adversary moves 
quickly and with an agility we do not have.
    Chairman Johnson. Thank you.
    Ms. Abend, you are Chair of the FFIEC Cybersecurity Working 
Group. Third-party vendors may pose cybersecurity risks to 
financial institutions, particularly smaller institutions. What 
actions are the FFIEC members taking to supervise third-party 
service providers?
    Ms. Abend. Technology service providers serve an important 
role to our institutions, particularly in terms of the largest 
ones that provide core banking and other critical services to a 
large number of financial institutions, including community 
institutions. And, as such, the FFIEC publishes guidance that 
our examiners use to oversee these institutions, including 
guidance specifically on the oversight of technology service 
providers. We use some of our most talented specialized IT 
examiners at the OCC to supervise these entities jointly with 
other banking regulatory authorities.
    Chairman Johnson. Mr. Noonan and Mr. Demarest, last year 
around the holidays, we learned that one of the country's 
largest retailers experienced a massive data breach after 
Thanksgiving. What changes and improvements have been made 
since last year to protect consumers during the holiday season, 
and how do you pursue cybercriminals, and would you 
characterize your investigations as proactive or reactive? Mr. 
Noonan, let us start with you.
    Mr. Noonan. Yes, sir. Thank you. The Secret Service's 
approach to going after cybercriminals today is a proactive 
approach. As we dive into our criminal investigations, we 
utilize a number of different methods. We look at undercover 
operations. We have criminal sources. We have confidential 
informants. And, we are also able to look at the criminals' 
infrastructure and their communications. And, in doing so, we 
are able to see potentially where other victims are and make 
notifications to those companies.
    So, in many of today's data breaches that are out there, 
our notifications are being made to those companies of their 
potential data breach by law enforcement, by the Secret 
Service. As a result of that, we work closely with those 
companies and we are able to draw out important evidence and 
tactics and trends that the criminal adversaries are using 
against the victim company. When we do do that, we take that 
information and we share that across the industry.
    So, just this past year, we increased the amount of 
information that we have put out. Actually, we put out, I think 
it was eight malware initial finding reports, which are new or 
different strains of malware, which we put out to industry to 
better help them in their defenses. In addition to that, we put 
out seven different industry notices that went out to the whole 
of industry, and we use that--we take that information, and we 
are not just putting that out, but our partners at the NCCIC 
are helping us in disseminating that information out to the 
whole of Government, out to the rest of industry, and in doing 
so, we are helping to fortify and protect industry.
    Just this November, on November 7, the FS-ISAC along with 
the Retail Cyber Intelligence Sharing Center and the Secret 
Service put out a document to help the retailers on how to 
better protect themselves with the types of crimes that we saw 
over the past year--point of sale terminal, information theft 
that were happening through infiltration of different networks. 
And, it is a pretty robust product that we put out and I would 
be willing to share it for the record after the hearing.
    Chairman Johnson. Mr. Demarest.
    Mr. Demarest. Yes. In exactly the same very proactive or 
shifting toward a proactive stance, beyond our similar hair 
styles, Bill and I are very closely fused together today----
    [Laughter.]
    Mr. Demarest. ----yet, you would find--and we talk about 
major hacks of some of the retailers, too--we are finding great 
benefit. And, as Bill mentioned, we each do a great job in that 
proactive stance where we are using undercover operations, 
source operations, or human operations, current tactical 
coverages. But, we in the FBI are able also to bring to that 
the national security authorities. We are able to bring in what 
we are collecting and working with the intelligence community 
that may have overlap. Some of our actors, as you know, may 
serve by day on their own, but may be cooperating with a 
certain Government Nation or a Nation-State by evening.
    So, from that standpoint--and, what we provide is, on joint 
matters or separate, is providing those industries or at least 
the targeted sector retail threat indicators. If they are 
focused or they are for some reason not following the target of 
either a Nation-State or criminal actors, that information is 
provided in near real time to the targeted company.
    Chairman Johnson. Senator Crapo.
    Senator Crapo. Thank you very much, Mr. Chairman.
    Mr. Noonan and Mr. Demarest, one question I have is, as 
your law enforcement agencies in the course of an investigation 
obtain data that is helpful for the victims of the data breach, 
it is often important to share this among institutions, as you 
have indicated, so that other potential victims are alerted and 
become able to protect themselves. But, is there not an issue, 
also, with regard to whether in the process of sharing this 
data the bad actors are notified that they are being 
investigated or alerted to the possibility that they are about 
to get caught?
    Mr. Noonan. So, I think it is more important for us in law 
enforcement, obviously, to share information with the 
infrastructure we are talking about. Yes, sir, there is always 
a risk of the actors finding out about an investigation. But, I 
think it is more important for us together in law enforcement 
to make that notification to industry to be able to better 
prevent the occurrence from happening, or to stop the bleeding, 
if you will.
    So, take for example Target. Notification was made to 
Target in a rather quick period of time, and I think the 
exposure on Target was only 2 weeks. Had that exposure gone out 
longer and we not made a notification to the industry, and then 
within 5 days of us working with Target, we took those 
industry, the indicators, and we pushed it out to the whole of 
industry.
    So, I believe law enforcement's approach of going out and 
making notification, working with potential victim companies, 
is a critical part of the equation in what needs to be done to 
prevent further instances of data breach and others.
    Mr. Demarest. Fully concur. Cost-benefit analysis. So, once 
we do that, we look at what we are doing, those indicators that 
may potentially compromise current collection. We feel more 
strongly about sharing that information and closing down those 
avenues of the actors. The actors, Ranking Member Crapo, you do 
accurately point out they do a lot of research online, so they 
find these products that are posted by us, DHS, I will say some 
of the managed cybersecurity firms' products, the research 
products that are also done. They will do research on those and 
then change their tactics. But, the idea is to frustrate those 
adversaries, have them cost more in the way of time, resources, 
and energy to actually devise ways to circumvent what we put in 
place to block them.
    Senator Crapo. Thank you.
    And, Mr. Peretti and Dr. Schneck, the FS-ISAC and the DTCC 
recently launched a new information-sharing platform called 
Soltra Edge, which automates information sharing to send out 
threat information at, as you have said, machine speed rather 
than human speed. And, as I understand it, Soltra uses the STIX 
language and the TAXII distribution method, which are protocols 
developed through DHS-funded projects. As the industry moves 
forward with automated information sharing, are Treasury and 
DHS able and ready to send and receive information at the same 
speed and in the same format as industry?
    Mr. Peretti. So, as we are moving forward--as industry is 
rolling out these programs--we are developing our systems to 
mirror that. So, while we are not at the stage yet to be able 
to share our information, we are formatting our information in 
that method and we expect to be able to do that as soon as the 
private sector is able to receive it.
    Senator Crapo. Do you want to add anything, Dr. Schneck?
    Ms. Schneck. I do. This is one of the most exciting things, 
I think, to happen to cybersecurity and information sharing. 
STIX is a way of shipping information and TAXII is a way of--
STIX is a language, if you will, what fields are we sending, 
and TAXII is a way to do it, and Soltra is kind of like a user 
interface. And, Treasury and the financial sector and the FS-
ISAC in particular built this so that anybody can use it, which 
all of a sudden hooks all of the entities we need to protect 
with an opportunity to send and receive information. So, the 
wider your aperture in understanding what is happening in 
cyber, the better you can understand how you can form a 
behavior and an analysis of that that might hurt you. So, we 
are learning as we protect, and this is one enabler.
    The other thing on which we are working with Treasury is 
cyber insurance as a potential building--and the exploration of 
a potential market to incentivize even the smallest companies 
to budget for cybersecurity.
    Senator Crapo. Well, thank you.
    Let me just--I just have a few seconds left, but let me 
follow up on that. We have had a lot of discussion here in your 
testimony and in our questions about the flow of information 
and making sure that we communicate at machine speed and so 
forth, but what information are we talking about? What is it 
that you just described as such an exciting development that we 
are able to see being transferred and communicated at machine 
speed?
    Ms. Schneck. If I may, I will use an example in botnets 
that was raised a moment ago by law enforcement. Botnets are 
the ability for the adversary to lease hundreds of thousands of 
machines to just throw traffic at a network that is not 
expecting it and literally take them offline.
    What we can do with this now is understand, because we see 
a whole world that we are protecting and being connective 
through the efforts of the DHS programs and EINSTEIN and 
continuous diagnostics and mitigation across the Government, 
enhanced cybersecurity services will use that information to 
protect the private sector and now the automation will connect 
us to everybody else, if you will. We can use that intelligence 
to start to understand which machines are generating this 
traffic.
    And, this is the world I come from in the private sector. 
This can happen in seconds. We can then provide the addresses 
of those machines to the ISPs, as an example, and stop the 
traffic from getting to the organizations that they were 
targeted to hurt. And, that is just one example, and my saying 
in that in-house is months to milliseconds.
    So, before, and we still do this through trusted 
relationships with the Secret Service and Homeland Security 
Investigations and the FBI, we call the ISPs and give them the 
addresses now, or we email them. As this takes on, the machines 
will automatically know to block it.
    Senator Crapo. Thank you.
    Mr. Peretti. And, if I can just add on to that for 1 
second; and what we do is ask the industry in conferences and 
meetings, what kind of information they need to be able to 
better defend their systems. So, instead of us providing 
information to them that may not be actionable based upon the 
systems they use, we go out and actually ask them, what kind of 
information they need. Usually, what they are asking for is IP 
addresses and malware hashes that they can then run through 
their systems to see if there are any intrusions or malicious 
activity going on. So, that is the type of information we are 
going to keep providing and that dynamic feedback loop between 
us and industry is really helping to refine the information and 
the delivery of resources that is more actionable to them to 
help the network defenders to protect themselves.
    Senator Crapo. Thank you.
    Chairman Johnson. Senator Warren.
    Senator Warren. Thank you, Mr. Chairman, and since this is 
likely our last hearing of the year, I want to say to Chairman 
Johnson and to Ranking Member Crapo, thank you for the very 
engaged, very open way that you have run this Committee and 
given us an opportunity to explore so many issues. It has 
really been terrific. And, I also want to say on Chairman 
Johnson's retirement that your leadership has always been 
knowledgeable, thoughtful, principled, and it has been a great 
honor to serve with you, sir, so thank you.
    I want to talk about safety and soundness. In January 2011, 
Federal Reserve Governor Tarullo gave a speech on regulating 
systemic risk in our financial institutions and how problems in 
one financial firm can create risks for overall financial 
stability. And, I was thinking about an example: two banks, 
JPMorgan and New York Mellon, settle all triparty repurchase 
agreements in the market. One-point-six trillion dollars' worth 
of securities are funded by triparty repos every day. If a 
cyber attack disrupted the ability of either of those banks to 
allocate collateral, it could have devastating consequences for 
securities firms, for money market mutual funds, major banks, 
even the liquidity of the United States Treasury.
    Now, Ms. Abend, this strikes me as a classic safety and 
soundness issue. The OCC's safety and soundness analysis 
requires you to investigate how sensitive banks are to systemic 
market risk and how exposed each individual institution is to 
market risk given particular products and services that it 
offers. Then OCC regulators give the institution a ranking 
signifying whether it has adequately addressed each of the 
risks that are identified.
    So, I want to know whether systemic risk from cybersecurity 
is taken into account in the ranking, and second, how firms 
that are not prepared, as determined by the OCC to have failed 
to satisfy the safety and soundness guidelines, are then 
treated.
    Ms. Abend. Cybersecurity has been a top priority for the 
OCC, particularly over the last couple of years.
    Senator Warren. No, I appreciate that. You have made that 
clear.
    Ms. Abend. And, in that process, we do look at the risk 
profile of our institutions. As part of the cybersecurity risk 
assessment, we actually looked at various aspects of their 
cybersecurity inherent risk profile, which includes 
technologies that they use, the products and services that they 
offer, and the connections that they have. And, as part of our 
OCC examination process, we do assign some of our most talented 
IT examiners to be resident on-site at our largest 
institutions.
    Senator Warren. No, I understand that, but the question I 
was asking is whether or not you take this into account in 
ranking the institutions and then holding them accountable as 
part of your safety and soundness analysis.
    Ms. Abend. We do see cybersecurity as a safety and 
soundness issue and we do look at the risk profile of those 
institutions----
    Senator Warren. And you put it into the ranking?
    Ms. Abend. I am not actually the expert who conducts that 
part of the ranking policy, but, what I can say is that we do 
have a risk-based analysis as to how we determine the risks of 
our institutions and the level of resources that they get on-
site as resident exams.
    Senator Warren. Well, as we all know here, a future cyber 
attack could paralyze the financial sector with devastating 
consequences for our economy. No two crises are alike. We want 
to be out in front on this, and I would really like to know 
that the OCC is using this as part of their ranking.
    Let me ask about another issue. When we talk about cyber 
attacks that affect our financial institutions, we should 
remember it is not just the institutions themselves who are at 
risk. There is a whole chain of organizations. We have talked a 
little bit about this. There are lots of individuals, 
institutions that present vulnerabilities, from the merchants 
to the acquirers to the payments processors and even to the 
employees. Forbes reported yesterday that 71 percent of 
employees in a new survey report having access to data they 
should not see. But, my point is that each and every one of 
these links in the chain of commerce means millions of people, 
potentially, are exposed to financial fraud and theft.
    Last year's breach at Target, which we have talked about a 
little bit today, made this abundantly clear. We now know that 
criminals used one of Target's vendors to breach Target's 
system by using malware to capture credit card and debit card 
information. In this case, there was a single point of failure, 
one vendor who had computers that were authorized to submit 
billing information to Target, that created a breach that 
affected the entire chain.
    So, Mr. Peretti, how is Treasury monitoring the other 
entities along the chain, from the retail merchants, to the 
third-party data processors and software providers, all the way 
down the line before it gets to the banks, to ensure that they 
are making the necessary investments in cybersecurity?
    Mr. Peretti. So, what Treasury has been doing has been 
communicating with financial firms to be able to highlight this 
risk within the system, to be able to make sure that they are 
paying attention not only to their own internal systems, but to 
also all their vendors. One of the ways we have been doing that 
is to really publicize in this cybersecurity framework, which 
is a framework to be able to, first, be able to identify how 
you are doing cybersecurity within your own organization, but 
then we have been asking firms to be able to use this 
potentially as a way to be able to look at their outside 
vendors. Are there----
    Senator Warren. I am sorry. So, your monitoring of the 
chain is limited to telling the financial institutions to take 
a look at the chain? Is that what you are saying?
    Mr. Peretti. So, the financial firm's decisions are based 
upon a risk model in which they look at that. They are able to 
select their vendors based upon the products and services that 
they need to be able to deliver the services to their 
customers. And, so, we try----
    Senator Warren. I think that meant yes. Is that what you 
were saying?
    Mr. Peretti. What we try to do is deliver the information 
to them so that they can make appropriate risk management 
determinations as opposed to telling them which vendors they 
should or should not use.
    Senator Warren. Oh, I am not talking about telling them 
which vendors to use. What I am just trying to understand is 
the process by which you are monitoring--the risk comes in all 
the way up and down the chain----
    Mr. Peretti. Yes.
    Senator Warren. ----and we obviously know that now. So, the 
question I was asking about is whether you have any direct 
monitoring of any part of the chain, and what I think I am 
hearing you say is you are just telling the financial 
institutions to be sure to monitor.
    Mr. Peretti. So, Treasury is not a financial regulator.
    Senator Warren. I understand that.
    Mr. Peretti. We have 17 Federal and State financial 
regulators out there. What we do is provide information to them 
so that as they do their examination process, that could be 
incorporated into their examination procedures going forward. 
So, we do not go out and monitor or survey any of those folks. 
That is not our role within the sector. We provide that 
information to the regulators to be able to then use that 
information within their examination process.
    Senator Warren. Well, I am over my time, but if I can ask 
just one more question, just a little bit here. Dr. Schneck, 
how much risk do retailers pose, and particularly small 
retailers, particularly those who do not have the resources for 
sophisticated cyber defense?
    Ms. Schneck. So, thank you. That is a great point, and I 
would ask to expand it to small to medium business in general.
    Senator Warren. Fair enough. Yes. Expand.
    Ms. Schneck. So, we think there is a lot of risk, and that 
is part of why, as Mr. Peretti was mentioning, we do leverage 
this cybersecurity framework, because it was developed by 
industry and Government, by scientists from industry with NIST 
and with DHS, and we use those best practices to bring the 
discussion of cybersecurity as a risk equation, because most 
small to medium businesses, at least the last year with whom I 
have spoken, did not really look at cybersecurity as a main 
part of their risk equation and we are trying very hard to 
change that with these massive outreach programs. I have 
actually gone out West and talked to venture capitalists who 
start the smallest companies with the best technologies and ask 
them how they could invest tens of millions of dollars in 
intellectual property and not think about how to protect it.
    So, we are trying to change the paradigm of how we focus on 
cybersecurity and make it part of how every entity in that 
chain looks at their risk so that the information that Mr. 
Peretti gets is more accurate, and we are using these outreach 
programs as a way to do that, and we are trying to incentivize 
using cybersecurity with tools such as developing a market for 
cyber insurance and working closely with Treasury on that. 
Other areas look at grants, or how do we protect reputation 
forward, but really making security part of the culture, making 
it good to share information about a breach, because your 
experience is very common and can protect a lot of others and 
that is the kind of intelligence and galvanization that we as a 
country and community need to do to help Government and 
industry tackle this and change the profit model for the 
criminals.
    Senator Warren. Well, good. Well, I very much appreciate 
that you are trying to shift the paradigm here. I understand 
the focus on the banks and why that is so important, but we 
have got to harden our security up and down the line, and I 
think that we cannot just make this about the banks. It has got 
to be the whole chain here. So, thank you very much, and thank 
you, Mr. Chairman.
    Chairman Johnson. Senator Schumer.
    Senator Schumer. Well, thank you, Mr. Chairman, and first, 
I would be remiss if I did not acknowledge, I guess this will be 
the last hearing, unless we have to have one on TRIA or 
something--I hope not----
    [Laughter.]
    Senator Schumer. ----that you will be chairing the Banking 
Committee. So, I just wanted to take this opportunity to 
personally say how much you will be missed. You have been a 
great voice of reason, a steady tiller on this Committee, and 
we have done great things under your fair and independent 
chairmanship, and, of course, we have become close friends. 
Last night, I got to say a few words, of course, about you at 
our departing dinner. But, I just want to wish you and Barbara 
all the best.
    And, to my good friend, Mike Crapo, I guess this is your 
last hearing, we hope, as Ranking Member. I imagine you are 
moving on to bigger and better things.
    Senator Crapo. We are going to see.
    [Laughter.]
    Senator Schumer. But, I want to wish you well. And, just 
like Tim, you have been fair and open and a wonderful person to 
work with, so thank you.
    Now, I have a couple of--first, to the matter at hand, 
whether it is terrorists looking to cause us harm by wreaking 
havoc on cyber infrastructure, illicit goods being sold over 
the Internet, or sophisticated criminals hacking into systems 
of our financial and retail institutions, cybersecurity has 
never been more important to our safety and economy, and I 
think it is finally beginning to come into the public 
consciousness.
    A couple of years ago, when a number of chairs here 
attempted to do a cybersecurity bill, there was resistance from 
industry. They did not want to share information about 
breaches. It was sort of like, I thought, almost some of these 
industry leaders objecting, it was sort of when Churchill asked 
them to turn out the lights. He asked Britain to turn out the 
lights during the Battle of Britain. Some people said, ``No, I 
do not want to.'' I think those days are over. I think that the 
business community, broadly put, understands the danger here 
and is far more willing to cooperate than before. And, it is 
going to become a worse problem before it becomes better, I am 
afraid.
    So, I have a few questions. First, to any of you, is 
business much more willing to cooperate, to share information 
about breaches and all these kinds of things than they were a 
year or two ago? Mr. Peretti.
    Mr. Peretti. Thank you for that question. We have seen a 
large change within industry to be able to be more forthcoming 
and open with sharing this information. They understand that 
the key for this is not only to share the information with law 
enforcement and the Government, but also with other parties.
    Senator Schumer. Right.
    Mr. Peretti. This really came about during the DDoS attacks 
that started to occur back in 2012 in which financial firms saw 
that they were being attacked, and instead of keeping that 
information to themselves, they actively shared it with other 
financial institutions who would potentially be the next one to 
be attacked.
    Senator Schumer. And, are they willing to share it with law 
enforcement and the people at Treasury, Homeland Security? Do 
you all agree they are much more willing to share information 
now than before? Does anyone disagree with that?
    Mr. Demarest. We agree, yes, Senator Schumer. Yes, from the 
FBI, and I am sure Secret Service will echo the same, and DHS. 
We find them much more open today to sharing and getting 
involved earlier for purposes of whether they want to take 
something to prosecution or criminal or for national security 
purposes----
    Senator Schumer. Right.
    Mr. Demarest. ----to better defend the Nation.
    Senator Schumer. Sure.
    Mr. Demarest. So, we find them sharing much more readily.
    Senator Schumer. Well, I hope this will yield next year an 
ability to pass some real legislation here. We need 
legislation. It has been stymied, in part because of the 
business reluctance of required sharing of information, and I 
just hope we will overcome that.
    My next question, I think most of us were shocked at the 
sophistication of the breach on Sony. I know that is not a 
financial firm, but could happen, and my question was broader 
than just Sony. Fingers are pointing to North Korea. Now, I do 
not know what information you folks have about that, but my 
general question is, it is sort of surprising that a country 
like North Korea, which is sophisticated in a few areas but not 
very sophisticated in most, would have such an amazing ability 
to turn a large company into a knot.
    How many other countries have this kind of ability? How 
serious are country attacks, cybersecurity not so much on 
Government facilities, but on--which we have to worry about 
seriously, I am very worried about those--but on other private 
entities, whether they be in financial, where they could 
disrupt an economy, or retail, disrupt retail, power, whatever 
else. Could somebody give me a little analysis there about how 
serious country threats are?
    I think we have all been--our awareness of that has been 
heightened because of the supposed attack by North Korea. I do 
not know what level of proof you can give on that yet, or want 
to, but I am just asking about the country sophistication in 
doing this, not just U.S., Russia, China, which we hear about 
all the time, but next level countries.
    Mr. Demarest. Senator Schumer, I will start. So, I will not 
touch on the attribution piece because we are still working 
very, very hard at that.
    Senator Schumer. Right. I understand.
    Mr. Demarest. I will say it is a model of cooperation with 
Sony, Sony executives, in how this is brought about. The event 
occurred, and within hours, you find teams from the FBI and the 
interagency actually on ground and working with Sony and their 
managed cybersecurity provider, for Mandiant.
    The level of sophistication is extremely high, and we can 
tell based on our investigative efforts to date, organized and 
certainly persistent. So--and when we talk about, you know, 
generally speaking, about Nation-States that have this 
capability, you could pick the top three or four off the top of 
your head that have the ability when we talk about computer 
network attack capability, and one predominately out of the 
Middle East that we are also very concerned about.
    Senator Schumer. Yes.
    Mr. Demarest. So, generally speaking, it is of concern, 
because in speaking with, I will say, with Sony and, 
separately, their managed cybersecurity provider, the malware 
that was used would have slipped, it probably would have gotten 
past 90 percent of the net defenses that are out there today in 
private industry, and I would challenge to even say Government.
    Senator Schumer. Wow. Does every--so, I know you mentioned 
a big Middle East country, which I would assume is Iran, and 
you do not have to comment. But, what I was asking, is there a 
next level of countries that have almost as sophisticated a 
level, an ability to attack as U.S., China, Russia, Iran?
    Mr. Demarest. So----
    Senator Schumer. Because, that was frightening. I think it 
was frightening to people, the specter that it might have been 
North Korea that did this, and said, Lord knows, anyone can do 
this.
    Mr. Demarest. We have watched countries over the past 2½, 
3 years actually evolve and develop greater capability and 
skill.
    Senator Schumer. So, this is becoming more and more of a 
problem, and I imagine, and this is Dr. Schneck more than 
anything else, it is a geopolitical problem as well as an 
economic problem.
    Ms. Schneck. I think it is an everything problem. This is--
and I am going to take this from a slightly different angle----
    Senator Schumer. Sure.
    Ms. Schneck. ----from a non-law enforcement angle. In our 
world, in the National Cybersecurity and Communications 
Integration Center, and for DHS, the non-law enforcement piece, 
to protect----
    Senator Schumer. Yes.
    Ms. Schneck. ----everyone and our stakeholders, it--
attribution is almost a distraction. For us, it is how do we 
understand--malware is simply a set of instructions that have 
the ability to allow me to execute my will on your machine, 
which means I turn your lights out, I kill your machine, I take 
your business down, whatever I want, or I sit there and watch 
what you do and send it out back home and learn what you are 
doing and resell it.
    What I worry about and what our team worries about is that 
the increasing sophistication is available to anyone. It is 
really not about what country or what about--it is about, how 
can they acquire it. It is for sale in the underground. You can 
get sophisticated sets of instructions that will do this, and 
it is very much like what I will call the antibiotic resistant 
strain. The better we get, and we have to get better, but the 
better the adversaries get----
    Senator Schumer. Yes.
    Ms. Schneck. And that is why my push for speed, because the 
one thing they cannot do is behaviorally make the Internet 
stronger.
    Senator Schumer. In some ways, it is a little like nuclear 
weapons. You not only worry that these countries can make them, 
but who they sell them to, which might not be a country.
    Ms. Schneck. Correct.
    Mr. Noonan. Senator Schumer----
    Senator Schumer. Does anyone--just one final question, with 
your indulgence, Mr. Chairman, since I am the last one here--
and I will call on you, Mr. Noonan--but, does anyone doubt the 
need for stronger legislation on this, aside from all the good 
efforts that you are doing? Raise your hand if you think we 
need legislation of some sort. Everybody. Let the record show 
all hands were raised.
    [Laughter.]
    Senator Schumer. You have the last word, Mr. Noonan.
    Mr. Noonan. I am sorry. Your comments about Nation-State 
actors. I think with the FBI and the Secret Service and the 
experience that we have together on going after a number of the 
different sophisticated criminal groups, Dr. Schneck mentioned 
how some of this information and some of these tactics are 
available at the criminal underground level, too. Just this 
year, we discovered a criminal tool that was available to the 
criminal underground for the simple price of $3,000 which could 
DDoS many, many different companies, many different countries, 
if you will, at a huge, huge rate. I think it was 36 gigs of 
DDoS power it would do for a simple $3,000 for sale on the 
criminal underground. So, the complex criminal actors that we 
are looking at that are doing a lot of these intrusions have 
the skills and the sophistication that far exceed a number of 
different Nation-States, too. So, the criminal threat is a 
significant threat and it is scary about how much of that 
technology exists today, just for sale on the criminal 
underground.
    Mr. Demarest. Senator Schumer, we could make you a hacker 
in 30 minutes, based on the tools that are currently available 
in the underground----
    Senator Schumer. I refuse the offer.
    [Laughter.]
    Mr. Demarest. Let the record reflect.
    Senator Schumer. I want to show you the phone I use, just 
in case. You may want to revise your remarks here.
    [Laughter.]
    Senator Schumer. Thank you, Mr. Chairman.
    Chairman Johnson. Thank you.
    Does Senator Warren or Senator Schumer have a follow-up?
    Senator Schumer. No, thank you.
    Chairman Johnson. I want to thank our witnesses for 
testifying today and for all their work on this important 
issue.
    This hearing is adjourned.
    [Whereupon, at 11:18 a.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
                  PREPARED STATEMENT OF BRIAN PERETTI
   Director for the Office of Critical Infrastructure Protection and 
             Compliance Policy, Department of the Treasury
                           December 10, 2014
    Chairman Johnson, Ranking Member Crapo, and distinguished Members 
of the Committee, it is a pleasure to appear before you today to 
discuss the cybersecurity of the financial sector. As Director of 
Treasury's Office of Critical Infrastructure Protection and Compliance 
Policy (OCIP), my role is to support the security and resiliency of the 
critical virtual and physical infrastructure that enables financial 
sector operations, and cybersecurity has been a central focus of our 
office for several years.
    Over this time, I've seen cybersecurity questions that were once 
thought of as a ``back office'' information technology issue now take 
center stage among senior Government leaders, business executives, and 
the Nation as a whole. I believe this shift reflects the increasingly 
sophisticated and persistent nature of the cyberthreat, which most 
would say is among the most pressing operational risks that financial 
institutions face today.
    Before I begin, I would like to thank the Committee for focusing 
attention on this critical issue. At all levels, Government and the 
financial sector have taken significant steps in recent years to 
enhance information-sharing processes, improve baseline security at 
firms, and develop and test processes for responding to and recovering 
from incidents. More work is needed, however, and discussions like this 
can help advance the whole-of-Nation, collaborative effort that is 
needed to respond to these very complex challenges.
History of Treasury's Role
    Helping to protect financial sector critical infrastructure from 
physical and virtual threats is an integral component of Treasury's 
leadership in financial affairs domestically and globally.
    In recent decades, and specifically since the publication of 
Presidential Decision Directive (PDD) 63 in 1998, Treasury has served 
as the lead Executive Branch agency liaison with the financial sector 
for national and homeland security purposes, supporting a national 
effort to assure the security of the United States' critical 
infrastructure. Since the early days of this effort, we have recognized 
that this work absolutely cannot be done without strong collaboration 
with the private sector, who, as you know, own and operate the bulk of 
the infrastructure we are discussing. Along these lines, one of 
Treasury's early efforts in this space was to support the creation and 
development of the Financial Services Information Sharing and Analysis 
Center (FS-ISAC) in 1999, which continues to be an important focal 
point for cross sector collaboration on these issues. Following the 
attacks of September 11, Treasury established OCIP, was made chair of 
the newly formed Financial and Banking Information Infrastructure 
Committee (FBIIC), and engaged again with industry and Government 
partners to encourage the establishment of the Financial Services 
Sector Coordinating Council for Critical Infrastructure Protection and 
Homeland Security (FSSCC), which brings together private-sector 
institutions and organizations to discuss security policy.
    Of course the Federal Government sought to reorganize its efforts 
to protect critical infrastructure as a whole following 9/11. This 
included the creation of the Department of Homeland Security (DHS) and 
its central role in supporting critical infrastructure protection 
across sectors.
    In 2003 Homeland Security Presidential Directive 7 (HSPD-7), 
superseded PDD-63 and further established Treasury's role as sector 
liaison by naming Treasury the Sector Specific Agency (SSA) for the 
banking and finance sector.
    Presidential Policy Directive (PPD-21), which revoked HSPD-7, was 
published in 2013 to advance a national unity of effort to strengthen 
and maintain secure, functioning, and resilient critical 
infrastructure. PPD-21 reaffirmed Treasury's role, recognizing its 
sector expertise and day-to-day engagement in building and reinforcing 
the security and resiliency partnership between the public and private 
sectors.
    At the same time that PPD-21 was published, the President issued 
Executive Order (EO) 13636, which was focused specifically on 
cybersecurity. EO 13636 sought to specifically address the growing 
cyberthreat to critical infrastructure by enhancing partnership with 
the owners and operators of critical infrastructure to improve 
cybersecurity information sharing and collaboratively develop and 
implement risk-based standards.
    In response to PPD-21 and EO 13636, the Treasury has continued to 
expand its focus on increasing the security and resiliency of the 
financial services sector. Cybersecurity now ranks as one of Treasury's 
top priorities.
Building Partnerships To Reduce Risk
    We at Treasury have found it necessary to coordinate closely with 
other Government agencies and the private sector in order to keep pace 
with the growing volume and sophistication of cyber attacks.
    In addition to routine one-on-one communications with Federal and 
State financial regulators at the staff- and principal-levels, Treasury 
coordinates financial sector cybersecurity efforts through the FBIIC. 
This committee of Federal and State financial regulators meets monthly. 
\1\ Meeting agenda topics range from removing information-sharing 
impediments and enhancing incident response planning, to discussing 
best practices for cybersecurity policies, procedures, and controls. 
Between meetings, staff work to advance key initiatives, share details 
of new cyber incidents, and disseminate actionable information about 
those incidents to financial institutions.
---------------------------------------------------------------------------
     \1\ The 18 committee members include representatives from 
Treasury, the Federal banking regulators, the Federal market 
regulators, and associations representing State banking, insurance, and 
securities regulators.
---------------------------------------------------------------------------
    Given recent threats and incidents, and to sharpen the attention of 
the financial regulators on cybersecurity, last summer, under the 
leadership of Secretary Lew and Deputy Secretary Bloom Raskin, FBIIC 
launched regular principal-level meetings of the committee. While 
staff-level meetings focus on operational and tactical issues, the 
principal-level meetings concentrate on strategic, policy-level issues 
around cybersecurity and other critical infrastructure matters.
    Additionally, Treasury appreciates its collaboration with the 
Federal Financial Institutions Examination Council (FFIEC), through 
which Federal banking and credit union agencies coordinate and share 
information, and looks forward to continuing to work closely with the 
FFIEC on cybersecurity and other issues.
    To coordinate policy development and shared situational awareness, 
Treasury leadership and staff regularly meet with officials of other 
cabinet departments, law enforcement organizations, and the 
intelligence community, including the Department of Homeland Security, 
Federal Bureau of Investigation, the United States Secret Service, and 
the National Security Agency. These meetings take place in bilateral 
settings as well as various group meetings, including the National 
Security Council Staff led Cyber Interagency Policy Council (IPC).
    Our coordination with the private sector primarily takes place 
through the FSSCC and the FS-ISAC and regional coalitions. Additional 
coordination occurs through individual institutions as well as trade 
organizations such as the Financial Services Roundtable's BITS 
division, the American Bankers Association, the Clearing House, the 
Securities Industry and Financial Markets Association (SIFMA), Credit 
Union National Association, the National Association of Federal Credit 
Unions, and the Independent Community Bankers of America.
    Collaborative efforts to respond to cyber-risk also depend on 
strong partnership between the public and private sectors.
    Our coordination efforts between the public and private sector on 
financial sector cybersecurity efforts focus on three areas:

    Facilitating the sharing of timely, actionable information 
        regarding cyberthreats and incidents with a view toward 
        limiting attacks and stopping contagion across systems, 
        networks, and institutions;

    Assisting with effective, prompt response and recovery from 
        cyber incidents to reassure the public and protect public and 
        private assets; and

    Promoting best practices around cybersecurity controls that 
        help operators of financial systems prevent attacks from 
        succeeding and help minimize the damage from any successful 
        attacks.
Information Sharing
    Sharing technical and strategic information about cyber incidents 
and threats is one of the most effective tools that the Government has 
to support the mitigation of cyber incidents and improve the 
operational resiliency of the financial sector.
    Sharing cybersecurity information is critical to enhance firms' 
ability to protect their networks and systems from malicious cyber 
activity, limit the impact of cyber incidents that have already 
occurred, and establish shared awareness of cyberthreats so Government 
and the private sector can respond rapidly to significant incidents.
    The primary challenges that currently exist in information sharing 
are related to growing the network of institutions and Government 
agencies that contribute to collective information sharing, increasing 
the speed of sharing and processing of cyberthreat information, 
improving the value of information by contributing more information 
derived from classified sources to private-sector companies, and 
addressing legal concerns of private-sector companies that inhibit them 
from engaging in robust information sharing.
    The financial sector has invested significant resources in 
developing robust information-sharing mechanisms, primarily through the 
FS-ISAC. This Information Sharing and Analysis Center is a model for 
what can be accomplished by the private sector, and we in the 
Government should look to further encourage the growth of the FS-ISAC 
and ISACs in other sectors.
    We commend Tom Curry for his leadership and note the FFIEC's 
recommendation from last month that all firms consider participating in 
the FS-ISAC. Treasury supports firms' consideration of participation in 
such information-sharing organizations. The FS-ISAC has seen a 
tremendous surge in membership over the last year. Affirmative support 
by the financial regulators will support further growth of such 
important institutions.
    In order to improve the speed of information sharing, and therefore 
its effectiveness, Treasury supports the FS-ISAC's move towards 
automated information sharing through the adoption of Structured Threat 
Information eXpression (STIX) and Trusted Automated eXchange of 
Indicator Information (TAXII). These information-sharing protocols, on 
which DHS has been a leader, minimize the lag between discovered 
threats and deployed defenses.
    In order to ensure that the sector is receiving the best possible 
information from all Government sources, Treasury works closely with 
other agencies to identify and declassify information that may be of 
use to private-sector firms. To this end, I have established a team 
within my office, the Financial Services Cyber Intelligence Group 
(CIG), which works with interagency and private-sector partners to 
provide timely and actionable information, including threat indicators, 
to the financial services sector. Treasury supports the efforts set 
forth under section 4 of EO 13636. DHS's National Cybersecurity and 
Communications Integration Center deserves a special commendation for 
its continuing work in facilitating the efficient and beneficial 
exchange of information between Government agencies and the private 
sector.
    Treasury also recognizes that Federal financial regulators have 
unique authorities and relationships with financial institutions. To 
capitalize on this, Treasury encourages efforts by the financial 
regulators to develop strategies for regulatory agencies to utilize 
unique relationships and authorities to improve information sharing and 
enhance situational awareness.
Incident Management
    To improve incident management, Treasury believes that roles and 
responsibilities for different entities must be more clearly defined 
and regularly tested and refined. In order to best prepare for 
cybersecurity incidents, Government agencies and private-sector 
entities must work together to develop response protocols that clearly 
delineate roles and responsibilities.
    Within the financial sector, Treasury has worked closely to support 
the development of sectorwide response protocols, including the FS-
ISAC's all-hazards response plan and the FSSCC's cyber-response 
framework. Additionally, protocols must be developed by individual 
private firms and coordinated across sectors.
    And these protocols must be integrated and regularly updated to 
maintain relevance and effectiveness. They must also take into account 
interconnections across sectors and be inclusive of all relevant 
critical infrastructure.
    Similarly, exercises are necessary to improve incident response 
plans and develop ``muscle memory'' in the organizations and with the 
personnel responsible for managing incident response. Treasury has 
partnered with DHS and the FSSCC to develop an exercise program focused 
on the financial services sector. The first joint exercise in this 
program was held yesterday. By continuing to hold these exercises, and 
smaller drills along the way, we can collectively hone our preparedness 
and continuously improve our response mechanisms.
Best Practices
    And finally, the Federal Government can play a unique role in 
working with industry to support the use and development of standards, 
guidelines, and best practices on cybersecurity, ensuring that these 
practices are up-to-date and enable technical innovation. President 
Obama's EO 13636 called for NIST to develop a framework that would 
reduce cyber-risks to critical infrastructure. Treasury has worked 
closely with the financial sector regarding how the sector could 
provide input into the Framework. Over the 12-month period from the 
issuance of the EO to the rollout of the Framework for Improving 
Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), 
the financial sector sent representatives to each of the five NIST 
workshops, met with NIST and Treasury to discuss sector-specific 
considerations, and provided comment letters on the draft document. 
Without this time commitment and sharing of knowledge by the financial 
sector and all of the members from other sectors, interested 
organizations and the public who devoted time to this subject, the NIST 
Cybersecurity Framework would not have been completed so successfully.
    As it exists today, the NIST Cybersecurity Framework is a 
voluntary blueprint that firms of all sizes can use to evaluate, 
maintain, and improve the resiliency of their computer systems and 
reduce cyber-risk. Treasury continues to encourage financial services 
firms to utilize the Framework, including by holding business partners, 
suppliers, and customers accountable to its risk management approach. 
In particular, efforts by SIFMA to develop auditable standards of the 
Framework may be beneficial in supporting broad adoption of best 
practices.
    Likewise, recent efforts by financial regulators to promote 
consistent adoption of best practices across the sector are 
encouraging. The SEC recently promoted the use of the NIST 
Cybersecurity Framework and other related NIST standards in the 
guidance to its final Regulation Systems Compliance and Integrity (Reg 
SCI). Such consistency is important to promoting shared understanding 
of cybersecurity risk management and broad adoption of best practices.
Conclusion
    While significant progress has been made to improve financial 
sector cybersecurity, we know that there is more work to be done. We 
continue to hold ongoing discussions with our Government and private-
sector partners to identify and build a more secure and resilient 
financial sector. As these efforts progress, we will work with senior 
policymakers to determine the best courses of action to address the 
issues that are identified.
    I thank you for focusing on this issue and would be happy to take 
your questions.
                                 ______
                                 
                 PREPARED STATEMENT OF PHYLLIS SCHNECK
 Deputy Under Secretary for Cybersecurity and Communications, National 
  Protection and Programs Directorate, Department of Homeland Security
                           December 10, 2014
Introduction
    Chairman Johnson, Ranking Member Crapo, and distinguished Members 
of the Committee, I am pleased to appear today to discuss the work of 
the Department of Homeland Security (DHS) National Protection and 
Programs Directorate (NPPD) to address persistent and emerging 
cyberthreats to the U.S. homeland.
    On February 12, 2013, the President signed Executive Order (EO) 
13636, Improving Critical Infrastructure Cybersecurity and Presidential 
Policy Directive (PPD) 21, Critical Infrastructure Security and 
Resilience. These set out steps to strengthen the security and 
resilience of the Nation's critical infrastructure. They reflect the 
increasing importance of integrating cybersecurity efforts with 
traditional critical infrastructure protection. The President 
highlighted the importance of Government's role in encouraging 
innovation and economic prosperity while promoting safety, security, 
business confidentiality, privacy, and civil liberties. DHS partners 
closely with owners and operators to improve cybersecurity information 
sharing and encourage implementation of risk-based standards in order 
to meet the President's objectives.
    In my testimony today, I would like to highlight how DHS helps 
secure cyber infrastructure and then discuss a few specific examples 
where we prevented and responded to a variety of cybersecurity 
challenges.
DHS Cybersecurity Role
    Based on our statutory and policy requirements, DHS undertakes 
three broad areas of responsibility in cybersecurity: (1) we coordinate 
the national protection, prevention, mitigation, response and recovery 
in the event of significant cyber and communications incidents; (2) we 
disseminate domestic cyberthreat and vulnerability analyses across 
critical infrastructure sectors; (3) we investigate cybercrime that 
falls under DHS's jurisdiction.
    DHS components actively involved in cybersecurity include NPPD, the 
United States Secret Service, the U.S. Coast Guard, U.S. Customs and 
Border Protection, Immigration and Customs Enforcement, the DHS Office 
of the Chief Information Officer, the DHS Science and Technology 
Directorate, and the DHS Office of Intelligence and Analysis (I&A), 
among others. In all of its activities, DHS coordinates its 
cybersecurity efforts with governmental, private sector, and 
international partners.
    The DHS National Cybersecurity & Communications Integration Center 
(NCCIC) is a 24-7 cyber situational awareness and incident response and 
management center that serves as a centralized location for the 
coordination and integration of operational elements involved in 
cybersecurity and communications reliability. NCCIC partners include 
all Federal departments and agencies; State, local, tribal, and 
territorial Governments (SLTT); the private sector; and international 
entities. The Center provides greater situational awareness of 
cybersecurity and communications, and takes actions to address 
vulnerabilities, intrusions, and incidents, including mitigation, 
information-sharing, and recovery.
    The NCCIC is composed of the United States Computer Emergency 
Readiness Team (U.S.-CERT), the Industrial Control System Cyber 
Emergency Response Team (ICS-CERT), the National Coordination Center 
for Communications (NCC), and an Operations and Integration Team. NCCIC 
operations are currently conducted from three States: Virginia, Idaho, 
and Florida. During the first 11 months of 2014, the NCCIC has had 
108,734 incidents reported to the center, issued over 11,514 actionable 
cyber alerts, and had over 219,805 partners subscribe to our 
cyberthreat warning sharing initiative. NCCIC teams have also detected 
over 87,797 vulnerabilities and directly aided in the mitigation of 
nearly 53,624 unique challenges.
Enhancing the Security of Cyber Infrastructure
    The NCCIC actively collaborates with public and private-sector 
partners every day, including responding to and mitigating the impacts 
of attempted disruptions to the Nation's critical cyber and 
communications networks. DHS also directly supports Federal civilian 
departments and agencies in developing capabilities that will improve 
their own cybersecurity postures. Through the Continuous Diagnostics 
and Mitigation (CDM) program, led by the NPPD Federal Network 
Resilience Branch, DHS enables Federal agencies to more readily 
identify network security issues, including unauthorized and unmanaged 
hardware and software; known vulnerabilities; weak configuration 
settings; and potential insider attacks. Agencies can then prioritize 
mitigation of these issues based upon potential consequences or 
likelihood of exploitation by adversaries. The CDM program provides 
diagnostic sensors, tools, and dashboards that provide situational 
awareness to individual agencies and at a summary Federal level. 
Memoranda of Agreement between Government entities and DHS to provide 
the CDM program's services encompass network security protection for 
over 97 percent of all Federal civilian personnel.
    The National Cybersecurity Protection System (NCPS) complements 
these efforts. A key component of NCPS is referred to as EINSTEIN, an 
integrated intrusion detection, analysis, information sharing, and 
intrusion-prevention system. EINSTEIN utilizes hardware, software, and 
other components to support DHS's protection of Federal civilian agency 
networks. The program will expand intrusion prevention, information 
sharing, and cyber analytic capabilities at Federal agencies. EINSTEIN 
3 Accelerated (E3A) gives DHS an active role in defending ``.gov'' 
network traffic. At this time, E3A provides Domain Name System and/or 
email protection services to 33 departments and agencies. It reduces 
threat vectors available to actors seeking to infiltrate, control, or 
harm Federal networks.
Securing the Homeland Against Persistent and Emerging Cyberthreats
    Cyber intrusions into critical infrastructure and Government 
networks are serious and sophisticated threats. The complexity of 
emerging threat capabilities, the inextricable link between the 
physical and cyber domains, and the diversity of cyber actors present 
challenges to DHS and our customers. As the private sector owns and 
operates over 85 percent of the Nation's critical infrastructure, 
information sharing and capability development partnership becomes 
especially critical between the public and private sectors.
Financial Sector Distributed Denial of Service (DDoS) Attacks
    The continued stability of the U.S. financial sector is often 
discussed as an area of concern, as U.S. banks are consistent targets 
of cyber attacks. There have been increasingly powerful DDoS incidents 
impacting leading U.S. banking institutions in 2012 and 2013 and some 
high-profile media coverage of financial sector cybersecurity issues in 
2014. U.S.-CERT has a distinct role in responding to a DDoS: to 
disseminate victim notifications to United States Federal Agencies, 
Critical Infrastructure Partners, International CERTs, and U.S.-based 
Internet Service Providers.
    U.S.-CERT has provided technical data and assistance, including 
identifying 600,000 DDoS related IP addresses and supporting contextual 
information about the source of the attacks, the identity of the 
attacker, or other associated details. This information helps financial 
institutions and their information technology security service 
providers improve defensive capabilities. In addition to sharing with 
relevant private-sector entities, U.S.-CERT provided this information 
to over 120 international partners, many of whom contributed to our 
mitigation efforts. U.S.-CERT, along with the FBI and other interagency 
partners, also deployed to affected entities on-site technical 
assistance, or ``boots on the ground.'' U.S.-CERT works with Federal 
civilian agencies to ensure that no USG systems are vulnerable to 
takeover as a part of a botnet, since botnets are a tool that 
cybercriminals use to deflect attribution in DDoS attacks.
    During these attacks, our I&A partners bolstered long-term, 
consistent threat engagements with the Department of Treasury and 
private-sector partners in the Financial Services Sector. I&A analysts 
presented sector-specific unclassified briefings on the relevant threat 
intelligence, including at the annual Financial Services Information 
Sharing and Analysis Center (FS-ISAC) conference, alongside the Office 
of the National Counterintelligence Executive and the U.S. Secret 
Service. At the request of the Treasury and the Financial and Banking 
Information Infrastructure Committee (FBIIC), I&A analysts provided 
classified briefings on the malicious cyberthreat actors to cleared 
individuals and groups from several financial regulators, including the 
Federal Deposit Insurance Corporation (FDIC), Securities and Exchange 
Commission (SEC), and the Federal Reserve Board (FRB). Additionally, our 
Science and Technology organization coordinates priority R&D programs 
in collaboration with the Financial Services Sector Coordinating 
Council.
Point of Sale Compromises
    On December 19, 2013, a major retailer publicly announced it had 
experienced unauthorized access to payment card data from the 
retailer's U.S. stores. The information involved in this incident 
included customer names, credit and debit card numbers, and the cards' 
expiration dates and card verification value security codes. The value 
security codes are three- or four-digit numbers that are usually on the 
back of the card. Separately, another retailer also reported a malware 
incident involving its Point of Sale (POS) system on January 11, 2014, 
that resulted in the apparent compromise of credit card and payment 
information.
    In response to this activity, NCCIC/U.S.-CERT analyzed the malware 
identified by the Secret Service as well as other relevant technical 
data and used those findings, in part, to create two information-
sharing products. The first product, which is publicly available and 
can be found on U.S.-CERT's Web site, provides a nontechnical overview 
of risks to POS systems, along with recommendations for how businesses 
and individuals can better protect themselves and mitigate their losses 
in the event an incident has already occurred. The second product 
provides more detailed technical analysis and mitigation 
recommendations, and has been securely shared with industry partners to 
enable their protection efforts. NCCIC's goal is always to share 
information as broadly as possible, including by producing products 
tailored to specific audiences.
    These efforts ensured that actionable details associated with a 
major cyber incident were shared with the private sector partners who 
needed the information in order to protect themselves and their 
customers quickly and accurately, while also providing individuals with 
practical recommendations for mitigating the risk associated with the 
compromise of their personal information. NCCIC especially benefited 
from close coordination with the private-sector Financial Services 
Information Sharing and Analysis Center during this response.
Preparing for the Next Cyber Incident
    DHS is taking a number of proactive measures to strengthen its 
partnerships with the financial sector and increase shared 
understanding of one another's capabilities and cybersecurity response 
plans and procedures. These efforts include regularly exercising 
incident response procedures together with interagency and private-
sector representatives; working collaboratively with financial sector 
representatives to clarify and streamline processes when requesting 
technical assistance from the Government; identifying barriers to 
information sharing and ways to reduce those barriers; and implementing 
automated information sharing between the financial services sector and 
Government by expanding the use of Structured Threat Information 
eXpression (STIX) and Trusted Automated eXchange of Indicator 
Information (TAXII) programs, a free method for machine-to-machine 
sharing of cyberthreat indicators.
    Also of significant note is our vision and direction moving forward 
to create broad situational awareness of cyberthreats and disseminate 
warning information ahead of malicious attacks. We recognize the need 
to change the profit model in cybercrime by making networks more 
resilient and less appealing and rewarding for adversarial attack or 
intrusion. Just as the human body achieves resilience by fighting new 
viruses with biological mechanisms that recognize when the body is 
under attack, DHS is enabling similar mechanisms for networks using 
mathematical trend analysis of cyber events. We collect the data needed 
for this from the Government agencies that we protect, with full 
collaboration from our privacy and civil liberties experts, and are 
creating a cyber ``Weather Map,'' to help visualize and inform current 
cyber conditions. The concept comprises the ability to view the current 
state of cybersecurity, just as a traditional weather map provides a 
view of current weather. Our goal is for networks and connected devices 
to know when to reject incoming traffic or even refuse to execute 
specific computer instructions because they are recognized as harmful 
due to their current behavior, even if the exact computer ``disease'' 
has not been seen before. This will help to create that resilience to 
deter many cyberthreat actors.
    DHS also recognizes that effective incident response requires 
plenty of practice and close cooperation across Government and with the 
private sector. To prepare for and ensure effective cooperation during 
a significant event, DHS, in close coordination with the Department of 
the Treasury, private-sector representatives, financial sector 
regulatory bodies and other Federal Government partners, has instituted 
an exercise program to periodically test processes and procedures for 
responding to a significant cyber incident impacting the financial 
sector. The exercises help clarify roles and responsibilities, identify 
gaps in response plans and capabilities, and assist with developing 
plans to address those gaps. The exercises result in valuable lessons 
learned and will help improve existing processes and procedures and 
result in more effective cooperation during an actual incident.
DHS Cybersecurity Authorities
    We continue to seek legislation that clarifies and strengthens DHS 
responsibilities and allows us to respond quickly to vulnerabilities 
like Heartbleed, a vulnerability in the popular OpenSSL cryptographic 
software library. Legislative action is vital to ensuring the 
Department has the tools it needs to carry out its mission. DHS had to 
go ``door to door'' securing authorization from Federal entities to 
exercise our authority in responding to Heartbleed. We urge Congress to 
continue efforts to modernize the Federal Information Security 
Management Act to reflect the existing DHS role in agencies' Federal 
network information security policies; clarify existing operational 
responsibilities for DHS in cybersecurity by authorizing the NCCIC; and 
provide DHS with hiring and other workforce authorities.
Conclusion
    DHS will continue to work with our public and private partners to 
create collaborative solutions to improve cybersecurity, particularly 
those that reduce the likelihood of the highest-consequence 
cybersecurity incidents. We work around the clock to ensure that the 
peace and security of the American way of life will not be interrupted 
by degradation of systems or by opportunist, enemy, or terrorist 
actors. Each incarnation of threat has some unique traits, and 
mitigation requires agility and layered security. Cybersecurity is a 
process of risk management in a time of constrained resources, and we 
must ensure that our efforts achieve the highest level of security as 
efficiently as possible.
    DHS represents an integral piece of the national work in 
cybersecurity: we are building a foundation of voluntary partnerships 
with private owners of critical infrastructure and Government partners 
working together to safeguard stability. While securing cyberspace has 
been identified as a core DHS mission since the 2010 Quadrennial 
Homeland Security Review, the Department's view of cybersecurity has 
evolved to include a more holistic emphasis on critical infrastructure 
which takes into account risks across the board.
    The Department stands to be the core of integration and joint 
analysis, by machines and by humans, of global cyber behavior, trends, 
malware analysis and the powerful combination of data that only we can 
correlate due to our unique role protecting civilian Government systems 
with data that often only the private sector gathers. We are working to 
further enable the NCCIC to receive information at ``machine speed.'' 
\1\ This capability will begin to enable networks to be more self-
healing, as they use mathematics and analytics to better recognize and 
block threats before they reach their targets, thus deflating the 
profit model of cyber adversaries and taking botnet response from hours 
to seconds in some cases.
---------------------------------------------------------------------------
     \1\ Automatically sending and receiving cyber information as it is 
consumed and augmented based on current threat conditions, creating a 
process of automated learning that emulates a human immune system and 
gets smarter as it is exposed to new threats.
---------------------------------------------------------------------------
    DHS forms a crucial underpinning for ensuring the ongoing 
protection of our infrastructures, services and way of life. We look 
forward to continuing the conversation and continuing to serve the 
American goals of peace and stability, and we rely upon your continued 
support.
                                 ______
                                 
                  PREPARED STATEMENT OF VALERIE ABEND
 Senior Critical Infrastructure Officer, Office of the Comptroller of 
                              the Currency
                           December 10, 2014
    Chairman Johnson, Ranking Member Crapo, and Members of the 
Committee, thank you for the opportunity to appear before you today to 
discuss the important issue of cybersecurity, including our efforts to 
address cyberthreats and vulnerabilities and coordinate information 
sharing for the benefit of the banking industry, regulatory community, 
and the financial system overall. There are few issues more important 
to the OCC and to our country's economic and national security than the 
risks posed by cyber attacks.
---------------------------------------------------------------------------
    Statement Required by 12 U.S.C. 250: The views expressed herein 
are those of the Office of the Comptroller of the Currency and do not 
necessarily represent the views of the President.
---------------------------------------------------------------------------
    My name is Valerie Abend, and I serve as the OCC's Senior Critical 
Infrastructure Officer. In collaboration with the agency's supervisory 
divisions, I lead the agency's cybersecurity and resilience efforts for 
the national banks and Federal savings institutions (referred to 
collectively as banks) that we supervise. I also currently chair the 
Federal Financial Institutions Examination Council's (FFIEC) 
Cybersecurity and Critical Infrastructure Working Group (CCIWG). I have 
more than 20 years of private and public sector experience in the 
cybersecurity and critical infrastructure fields. My testimony today 
will discuss the cybersecurity initiatives the OCC and the FFIEC have 
taken, the avenues in place to share cybersecurity information, and 
recommendations where legislation may be helpful to enhance information 
sharing among financial institutions.
Background
    We live in a world of rapidly changing technology that impacts 
financial institutions both in terms of the products and services they 
offer and the risks that they face. We are long past the time when 
retail payments occur through face-to-face cash transactions or with 
paper checks. Instead, consumers increasingly use their cellphones to 
deposit checks, pay bills, and make purchases at the mall. For most 
consumers, electronic-based payment mechanisms and electronic banking 
are a routine part of life, and they may not give much thought to what 
goes on behind the scenes to provide the speed, convenience, and 
security in our payment and settlement systems today. What they may not 
know is the vast amount of information technology that institutions 
necessarily rely upon to make this convenience possible. To continue to 
improve efficiency and offer new products and services, institutions 
are rapidly adopting new information technology. From connecting 
personal devices such as tablets and phones to their networks and 
launching new mobile banking applications, to using cloud computing, 
banks are adopting new technologies and establishing new connections. 
Collectively, this dependence on technology and the data that financial 
institutions create along with the funds they maintain and transmit 
every day make financial institutions attractive targets for hackers. 
Unfortunately, new vulnerabilities in both hardware and software are 
identified daily, making it difficult to protect systems from cyber 
attacks.
    Furthermore, networks that serve the financial industry are global, 
which means hackers can target banks and other systems from almost 
anywhere in the world. Financial institutions today face threats from 
insiders and individuals acting alone, and from international networks 
of well-organized Nation-States, criminals, and so-called 
``hacktivists'' who use cyber attacks to raise awareness and support 
for their political or social causes.
    As the risks evolve, financial institutions must continue to 
prepare for cyber attacks and how they will identify, mitigate, and 
respond to them--and regulators must take steps to ensure that they do 
so.
OCC Supervisory Framework and Initiatives
    The OCC's supervisory framework is built around four key elements. 
The first is the OCC's ongoing monitoring and information sharing with 
other regulators, Government agencies, and banks with respect to 
emerging threats and changes to the risk landscape. The second is the 
OCC's development and continual refinement of standards and guidance 
that set forth supervisory expectations as to how banks and third-party 
service providers can best safeguard bank and bank customer 
information. The third key component is the agency's communication of 
these supervisory expectations to examiners and bank management through 
training and other forms of communication. The final component of the 
framework is the implementation of policy through on-site examination 
of banks and critical third-party service providers to assess their 
compliance with our supervisory expectations to ensure that they are 
appropriately managing risks, and when necessary, directing them to 
take corrective action. Each of these elements is described below.
Ongoing Monitoring, Assessment, and Information Sharing
    Ongoing monitoring and timely information sharing across the 
financial sector regarding cybersecurity issues, including threats, 
vulnerabilities, and risk mitigation tactics, is a crucial component of 
our efforts. The OCC conveys risk management practices to banks, 
including strategies to identify, prevent, mitigate and respond to 
attacks. During and following a cyber attack, the OCC plays an 
important role in evaluating the impacts from the attack to determine 
if they pose a material risk to bank systems and bank customer 
information. At the same time, the OCC evaluates whether the 
institutions involved are taking appropriate and timely corrective 
action.
    We encourage banks and service providers to participate with 
regulators in forums to learn about specific cyberthreats in a timely 
manner. For example, the OCC is a member of both the Financial and 
Banking Information Infrastructure Committee (FBIIC) and the Financial 
Services Information Sharing and Analysis Center (FS-ISAC), which are 
among the financial sector's public-private partnerships that provide 
information regarding cyberthreats and various means to improve the 
security and resilience of the financial sector.
    OCC examiners also maintain ongoing communication with the banks 
they supervise. This includes information related to pervasive 
vulnerabilities and incidents that may cause significant disruption to 
systems, facilities, or business processes at the bank, its operating 
subsidiary or affiliate, or at a third-party service provider. 
Examiners monitor the bank's response to incidents and to reports on 
threats and vulnerabilities and assess the level of impact and risk to 
customers, business operations, as well as any systemwide or downstream 
effects.
    The OCC uses a number of mechanisms, based on the nature of the 
threat or vulnerability and the immediacy of potential impact, to 
communicate information that may pose a material risk to the banks we 
supervise. This includes providing examiners with instructions and 
messages to use in contacting bank management on specific wide-scale 
vulnerabilities and threats, the risks these may pose to the bank, and 
actions the bank should take to prevent, detect, and respond to a 
threat or vulnerability.
Supervisory Standards and Guidance
    The banking sector is highly regulated and has been subject to 
stringent information security requirements for decades. The OCC has 
the authority to require the banks we regulate and their service 
providers to protect their own systems and bank customer data and to 
require banks to take steps to identify, prevent, and mitigate identity 
theft.
    For example, following the 1999 enactment of the Gramm-Leach-Bliley 
Act, the OCC, in conjunction with the Federal Deposit Insurance 
Corporation (FDIC), the Board of Governors of the Federal Reserve 
System (FRB), and the National Credit Union Administration (NCUA), 
published enforceable information security guidelines that set forth 
standards for administrative, technical, and physical safeguards that 
financial institutions must have to ensure the security and 
confidentiality of customer information. These interagency guidelines 
require banks to develop and implement formal information security 
programs that are tailored to a bank's assessment of the risks it 
faces, including internal and external threats to customer information 
and any method used to access, collect, store, use, transmit, protect, 
or dispose of the information. Given the evolving threat and technology 
environment, the guidelines require a bank's information security 
program to be dynamic--to continually adapt to address new threats, 
changes in technology, and new business arrangements. Since banks often 
depend upon service providers to conduct critical banking activities, 
the guidelines also address how banks must manage the risks associated 
with their service providers.
    In addition, pursuant to section 114 of the FACT Act, the OCC, FRB, 
FDIC, NCUA, and the Federal Trade Commission, issued regulations in 
2007 titled ``Identity Theft Red Flags and Address Discrepancies''. 
These rules require each financial institution and creditor to develop 
and implement a formal identity theft prevention program that includes 
policies and procedures for detecting, preventing, and mitigating 
identity theft in connection with account openings and existing 
accounts. A bank's program must include policies and procedures to 
identify, detect, and respond to relevant indicators of identity theft, 
and must be updated periodically to reflect changes in risks to 
customers and to the institution from identity theft.
    Over the years, the OCC on its own, and through the FFIEC, also has 
published guidance and handbooks that make clear our expectations about 
acceptable risk management processes and procedures for safeguarding 
information and managing information technology (IT) risks. This 
guidance addresses broad subjects such as information security, 
business continuity planning, and outsourcing technology services. It 
also focuses on specific areas of risks, such as authentication of 
users in an Internet banking environment and effective software patch 
management. As noted below, this guidance is reviewed continually and 
updated to take into account evolving risks.
Examiner Training and Communicating Expectations
    All entry-level OCC examiners receive training on information 
technology risk management within their first 3 years of employment. In 
addition, the OCC has examiners who specialize in IT. These examiners 
have specialized skills and experience to focus on information security 
and other technology risks inherent in bank operations. To help these 
specialists maintain their skills and knowledge, the OCC has an 
advanced IT training program. This is further augmented through 
webinars, in-person meetings, and formal and informal networking 
groups. When the OCC issues new guidance or updates existing guidance, 
we incorporate it into our training and develop communications so that 
our examiners can effectively implement these changes through the 
examination process.
    Additionally, the OCC has taken steps to raise awareness of banks 
about the risks posed by cyberthreats and vulnerabilities and to inform 
them of changes to supervisory expectations. This includes highlighting 
cybersecurity as an important operational risk that banks must pay 
close attention to through our public Semi-Annual Risk Perspective 
reports, releasing bulletins to the industry on topics such as 
distributed denial of service attacks, and hosting webinars, outreach 
meetings and roundtable discussions.
On-Site Examinations
    As part of their ongoing supervision, OCC examiners assess the 
adequacy of the controls that protect customer information, and bank 
systems and information. The OCC and the other Federal banking 
regulators also conduct joint examinations of major technology service 
providers that provide critical services to the banking sector.
    Due to the complexity of the largest national banks, the OCC has 
resident IT examiners on-site who perform ongoing supervision of the 
banks' IT policies, procedures, and practices. OCC examiners also 
perform on-site IT examinations at smaller banks every 12 to 18 months 
as part of their regular exam. Examiners also follow up on identified 
concerns or emerging cyber-risks during quarterly communications with 
the banks they supervise, or on a more frequent basis depending on the 
nature of the concern or risk. The OCC uses information from bank 
examinations to inform our policies, training, and exam procedures. For 
example, through our exams, the OCC identified increasing risks and the 
need for additional guidance for banks on how to manage the complex 
risks posed by critical third-party relationships. As a result, in 
2013, the OCC updated its Third-Party Relationship Risk Management 
Guidance, which incorporates important expectations for banks to 
evaluate their third parties' information security, incident response, 
and management of information systems, as well as the servicers' 
ability to assess, monitor, and mitigate risks posed by their 
subcontractors.
FFIEC Initiatives
    The Comptroller currently chairs the FFIEC, an interagency body 
comprised of the principals of the five Federal banking regulatory 
agencies--the OCC, the FRB, the FDIC, the NCUA, and the Consumer 
Financial Protection Bureau (CFPB)--and the FFIEC's State Liaison 
Committee. The FFIEC is empowered to prescribe uniform principles, 
standards, and report forms to promote uniformity in the supervision of 
financial institutions. One of the Council's top priorities is to 
strengthen institutions' resilience to cyber attacks. Last year, the 
Comptroller called for--and the Council members concurred in--the 
creation of the CCIWG to enhance communication among the FFIEC members 
and to build on existing efforts to strengthen the activities of other 
interagency and private-sector groups with respect to cybersecurity.
    The CCIWG serves as a liaison between the members of the FFIEC and 
the intelligence community, law enforcement, and the Department of 
Homeland Security (DHS) on issues related to cybersecurity and the 
protection of critical infrastructure. The working group is empowered 
to help the FFIEC members collaborate in establishing cyber-related 
examination policy, developing training programs, coordinating 
responses to cybersecurity incidents, and managing information-sharing 
efforts.
    The working group has been quite active since its inception. 
Through its coordination and information sharing with intelligence, law 
enforcement, DHS, and the Department of the Treasury, the group has 
drafted several statements to institutions advising firms about the 
threats posed by ATM cashout schemes, distributed denial of service 
attacks, and widespread vulnerabilities such as Heartbleed and 
Shellshock.
    One major initiative that the working group launched this summer 
was the Cybersecurity Assessment, which involved the pilot of a new 
cybersecurity examination work program at more than 500 diverse 
community institutions supervised by the OCC, FRB, FDIC, NCUA, and 
State regulatory agencies. The Cybersecurity Assessment evaluated the 
complexity of each institution's operating environment, focusing on 
such factors as the types of connections employed, products and 
services offered, and technologies used. It also assessed each 
institution's overall cybersecurity preparedness, with a focus on the 
following key areas: Risk Management and Oversight, Threat Intelligence 
and Collaboration, Cybersecurity Controls, External Dependency 
Management, and Cyber Incident Management and Resilience. The results 
of the assessment are instructive and will help FFIEC members make 
informed decisions about how they identify and prioritize actions to 
enhance the effectiveness of cybersecurity-related supervisory 
programs, guidance, and examiner training.
    Preliminary findings that members agreed would be beneficial to 
share with institutions were released as General Observations and are 
available on the FFIEC's Web site. \1\ This document highlights some 
high-level observations and provides questions that boards of directors 
and chief executive officers (CEOs) of financial institutions should 
consider when assessing their cybersecurity preparedness. For example, 
the document encourages institutions to routinely discuss cybersecurity 
issues in board and senior management meetings to help the financial 
institution set the tone from the top and build a strong security 
culture. It also encourages institutions to clearly define roles and 
responsibilities and assign accountability to identify, assess, and 
manage cybersecurity risks across the financial institution. While the 
institutions' leadership is responsible for cybersecurity risk 
management, employees are typically the first line of defense. As such, 
the FFIEC also encourages institutions to keep their training programs 
current and provide them more frequently.
---------------------------------------------------------------------------
     \1\ The FFIEC Cybersecurity Assessment, General Observations 
document can be accessed at http://www.ffiec.gov/press/PDF/
FFIEC_Cybersecurity_Assessment_Observations.pdf.
---------------------------------------------------------------------------
    Additionally, the document emphasizes that management should 
monitor and maintain sufficient awareness of cybersecurity threats and 
vulnerabilities to help ensure that financial institutions can evaluate 
and respond to emerging risks. To help build this capability, the FFIEC 
on behalf of its members issued the statement recommending that 
institutions of all sizes participate in the FS-ISAC to better 
understand the risks posed to their institution and to support their 
risk management program.
    Institutions in the pilot assessment implement controls to impede 
unauthorized access to their systems and have tools in place to detect 
previously identified attacks. The General Observations document 
stresses that institutions should review and adjust controls when 
making changes to their IT environment, routinely scan networks for 
vulnerabilities and anomalous activity, test systems for potential 
exposure to cyber attacks, and remediate issues when identified. 
Similarly, the document highlights the importance of identifying the 
connections an institution has with third-party service providers and 
ensuring formal controls are in place to secure the ways these 
providers transmit, access, and store data.
    Finally, while we found that institutions have procedures for 
notifying customers, regulators, and law enforcement when incidents 
affect sensitive customer information, the document emphasizes that 
institutions should strengthen their ability to address breaches that 
may occur by establishing and routinely testing incident response plans 
throughout the institution. This would include incorporating cyber 
attack scenarios into business continuity plans and programs.
    In addition to the Cybersecurity Assessment, the CCIWG has made 
strides in increasing financial institutions' and examiners' awareness 
of cyberthreats and vulnerabilities and the actions that management can 
take to mitigate these risks. During the past year, the working group 
led a webinar, ``Executive Leadership of Cybersecurity'' for which over 
5,000 community institution CEOs registered, and conducted Web-based 
trainings for over a thousand examiners on cybersecurity issues. Last 
month, concurrent with the release of the General Observations 
document, the FFIEC, on behalf of its members, released the 
Cybersecurity Threat and Vulnerability Monitoring and Sharing 
Statement. \2\ The statement reiterated members' expectations that 
management monitor and maintain sufficient awareness of cybersecurity 
threat and vulnerability information in order to evaluate risk and 
respond accordingly. In addition, it reinforced the need for all 
institutions and their critical technology service providers to have 
appropriate methods for monitoring, sharing, and responding to threat 
and vulnerability information. In addition to recommending that 
institutions join FS-ISAC, the statement also listed additional Government 
resources that are able to assist financial institutions with 
identifying and responding to cyber attacks.
---------------------------------------------------------------------------
     \2\ The FFIEC Cybersecurity Threat and Vulnerability Monitoring 
and Sharing Statement can be accessed at http://www.ffiec.gov/press/
PDF/FFIEC_Cybersecurity_Statement.pdf.
---------------------------------------------------------------------------
Cross Sector Cybersecurity Dependencies and Information Sharing
    As noted earlier, ensuring appropriate information sharing is an 
essential component of the OCC's cybersecurity efforts. The OCC uses 
information-sharing forums, relationships with Government agencies, and 
the supervision process to acquire information on potential and 
confirmed cyberthreats and attacks.
    As a member of the FS-ISAC and through our work with the Treasury 
Department, we receive significant alerts that provide information 
related to cyberthreats, attacks, and vulnerabilities. We also 
recognize the importance of maintaining relationships with the law 
enforcement and intelligence communities to share information and keep 
lines of communication open. The OCC is an active member of the FBIIC, 
created to improve coordination and communications among a broad array 
of financial regulators, and chaired by the Treasury Department. These 
efforts include monthly staff-level meetings and periodic meetings with 
agency principals. In addition, we attend classified briefings for 
FBIIC and support the collaborative initiatives of this sectorwide 
partnership.
    The Financial Stability Oversight Council (FSOC) also provides a 
mechanism to promote collaborative efforts on a range of issues, 
including cybersecurity issues, and has set forth specific 
recommendations to advance cybersecurity efforts. The creation of the 
CCIWG, and some of its activities are directly responsive to the FSOC's 
recommendations. In its 2014 annual report, FSOC recommended that the 
Treasury Department continue to work with regulators, other appropriate 
Government agencies, and private-sector financial entities to develop 
the ability to leverage insights from across the Government and other 
sources to inform oversight of the financial sector and to assist 
institutions, market utilities, and service providers that may be 
targeted by cyber attacks. The FFIEC's aforementioned issuances are 
prime examples of responses to these recommendations. The FSOC also 
recommended that financial regulators continue their efforts to assess 
cyber-related vulnerabilities facing their regulated entities, identify 
gaps in oversight that may need to be addressed, and inform and raise 
awareness of cyberthreats and attacks. As discussed earlier, the 
FFIEC's Cybersecurity Assessment responds to these recommendations.
    The OCC and other banking agencies have a robust process for 
issuing standards and guidance and supervising the financial sector 
through our examinations. However, the resiliency of the financial 
sector is also dependent on other critical sectors, including the 
telecommunications and energy sectors, which do not operate under a 
comprehensive supervisory regime like financial institutions. The OCC 
strongly supports efforts to ensure other sectors have commensurate 
standards and improved transparency as it relates to the cybersecurity 
preparedness for these other sectors. In addition, the financial 
services industry and retailers have interdependencies. We have seen a 
number of attacks on large retailers in which credit card and other 
information from millions of consumers was compromised. In response, 
financial institutions compensate customers for fraudulent charges and 
replace credit and debit cards, and monitor account activity for fraud 
at significant cost. This is not easy for any bank, but the burden 
falls especially heavily upon community institutions. At a cost of $5 
or more per card plus fraud related charges, the costs can escalate 
quickly. We would support efforts to even the playing field between 
banks and merchants to ensure that both contribute to efforts to make 
affected consumers whole.
    The Treasury Department, as our Sector Specific Agency, has been 
leading efforts to work more closely with the Government agencies 
responsible for overseeing these other sectors. The OCC supports these 
efforts and hopes they lead to more in-depth interactions between the 
financial sector and other sectors with which it closely interacts. For 
our part, the OCC is a member of a newly formed Cybersecurity Forum for 
Independent and Executive Branch Agencies. The Forum's objectives are 
to enhance communication, identify lessons learned, and develop a 
common understanding of cybersecurity activities through the sharing of 
best practices and exploring approaches to enhance cybersecurity 
protections.
Recommendations for Congressional Consideration
    As we work to safeguard our financial system, we note some areas 
where Congressional action is necessary to provide parity among the 
parties impacted in cyber breaches that adversely affect consumers and 
to facilitate additional information sharing within the banking 
industry.
Parity for Retailers
    The recent breaches at large retailers highlight the need for 
improved cybersecurity for merchants. Enhanced cybersecurity should 
apply to all industries where customer information is at risk. There 
should be consistent protections across all industries for securing 
financial transactions, customer information, and systems. Further, 
these protections should include appropriate responses to breaches when 
they do occur. As mentioned previously, when breaches occur in merchant 
systems, merchants should contribute to efforts to make affected 
consumers whole.
Industry Information Sharing
    The OCC believes the existing statutory framework could be improved 
to encourage information sharing about cyber attacks among 
institutions. We believe that amending the USA PATRIOT Act by creating 
a safe harbor to facilitate and promote the timely sharing of 
information among financial institutions concerning cybersecurity 
threats, cyber attacks, and data breaches would create incentives for 
enhanced information sharing, which would result in increased awareness 
of potential threats within the banking industry.
Other Legislative Proposals
    The OCC has reviewed a number of legislative proposals that are 
pending in Congress to promote and facilitate information sharing 
concerning cyberthreats and attacks among Government agencies. The OCC 
generally supports such legislative initiatives. However, in the case 
of cyberthreat information involving banks, the bills we have reviewed 
do not require or encourage the DHS, the Department of Justice, or 
other Government agencies to share this information with the 
appropriate Federal banking agency. The Federal banking agencies need 
cyberthreat information involving banks to ensure the safety and 
soundness of both individual banks and the broader financial system. 
Accordingly, we believe that legislative proposals designed to improve 
and promote cyberthreat information sharing among Government agencies 
should require other Government agencies to share information related 
to banks with the Federal banking agencies.
    In addition, most legislative proposals designed to promote and 
facilitate cyberthreat information sharing provide that the information 
shared may not be used for regulatory purposes. This provision could 
impede our ability to issue cybersecurity guidance or regulations, or 
to take action to correct deficiencies in cybersecurity risk 
management.
Conclusion
    We have high expectations for our supervised entities in the area 
of cybersecurity. Financial institutions of all types and sizes must 
remain vigilant to protect against and mitigate cyber breaches, and we 
at the OCC will continue to support banks in this effort. To ensure we 
stay on top of the evolving threats to the financial services industry, 
the OCC is committed to refining our supervisory processes on an 
ongoing basis and to participating in public-private partnerships to 
help keep abreast of and respond to emerging threats.
    The Comptroller has emphasized the importance of communication, 
collaboration, and cooperation in all aspects of our mission. Nowhere 
is such communication and collaboration more important than in the 
realm of cybersecurity, where the threat transcends agency 
jurisdictions and industry boundaries. Combatting cyberthreats and 
protecting our economic security requires the Government and industry 
to work together for the good of consumers, the industry, and the 
entire financial services sector.
                                 ______
                                 
                  PREPARED STATEMENT OF WILLIAM NOONAN
   Deputy Special Agent in Charge, Cyber Operations Branch, Criminal 
                 Investigative Division, Secret Service
                           December 10, 2014
    Good morning Chairman Johnson, Ranking Member Crapo, and 
distinguished Members of the Committee. Thank you for the opportunity 
to testify on the ongoing challenge of cybercrime impacting our 
Nation's financial system. The U.S. Secret Service (Secret Service) has 
decades of experience investigating large-scale criminal cyber 
intrusions, in addition to other crimes that impact our Nation's 
financial payment systems. Based on this investigative experience, I 
hope to provide this Committee insight into the continued trend of 
transnational cybercriminals targeting our Nation's financial system 
for their illicit gain.
The Role of the Secret Service
    The Secret Service was founded in 1865 to protect the U.S. 
financial system from the counterfeiting of our national currency. As 
the Nation's financial system evolved from paper to plastic to 
electronic transactions, so too has the Secret Service's investigative 
mission. Today, our modern financial system depends heavily on 
information technology for convenience and efficiency. Accordingly, 
criminals have adapted their methods and are increasingly using 
cyberspace to exploit our Nation's financial payment system by engaging 
in fraud and other illicit activities. This is not a new trend; 
criminals have been committing cyber-enabled financial crimes since at 
least 1970. \1\
---------------------------------------------------------------------------
     \1\ Beginning in 1970, and over the course of 3 years, the chief 
teller at the Park Avenue branch of New York's Union Dime Savings Bank 
manipulated the account information on the bank's computer system to 
embezzle over $1.5 million from hundreds of customer accounts. This 
early example of cybercrime not only illustrates the long history of 
cybercrime, but the difficulty companies have in identifying and 
stopping cybercriminals in a timely manner--a trend that continues 
today.
---------------------------------------------------------------------------
    Congress established 18 U.S.C. 1029-1030 as part of the 
Comprehensive Crime Control Act of 1984 \2\ and explicitly assigned the 
Secret Service authority to investigate these criminal violations. \3\ 
These statutes first established as specific Federal crimes 
unauthorized access to computers \4\ and the fraudulent use, or 
trafficking of, access devices \5\--defined as any piece of information 
or tangible item that is a means of account access that can be used to 
obtain money, goods, services, or other thing of value. \6\
---------------------------------------------------------------------------
     \2\ Pub. L. 98-473, §§ 1602(a) and 2102(a), 98 Stat. 1837, 2183 and 
2190.
     \3\ 18 U.S.C. 1029(d) and 1030(d)(1).
     \4\ 18 U.S.C. 1030.
     \5\ 18 U.S.C. 1029.
     \6\ 18 U.S.C. 1029(e)(1).
---------------------------------------------------------------------------
    Secret Service investigations have resulted in the arrest and 
successful prosecution of cybercriminals involved in the largest known 
data breaches, including those of TJ Maxx, Dave and Buster's, Heartland 
Payment Systems, and others. Over the past 5 years Secret Service 
cybercrime investigations have resulted in over 5,940 arrests, 
associated with approximately $1.53 billion in fraud losses and the 
prevention of over $11.71 billion in potential fraud losses. Through 
our work with our partners at the U.S. Department of Justice (DOJ), in 
particular local U.S. Attorney's Offices, the Computer Crime and 
Intellectual Property Section (CCIPS), the International Organized 
Crime Intelligence and Operations Center (IOC-2), the Federal Bureau of 
Investigation (FBI) and others, we will continue to bring major 
cybercriminals to justice.
The Transnational Cybercrime Threat
    Advances in computer technology and greater access to personally 
identifiable information (PII) via the Internet have created online 
marketplaces for transnational cybercriminals to share stolen 
information and criminal methodologies. As a result, the Secret Service 
has observed a marked increase in the quality, quantity, and complexity 
of cybercrimes targeting private industry and critical infrastructure. 
These crimes include network intrusions, hacking attacks, malicious 
software, and account takeovers leading to significant data breaches 
affecting every sector of the world economy. The recently reported 
payment card data breaches are examples of the decade-long trend of 
major data breaches perpetrated by transnational cybercriminals who are 
intent on targeting our Nation's financial payment system for their 
illicit gain.
    The growing collaboration amongst cybercriminals allows them to 
compartmentalize their operations, greatly increasing the 
sophistication of their criminal endeavors as they develop expert 
specialization. These specialties raise both the complexity of 
investigating these cases, as well as the level of potential harm to 
companies and individuals. For example, illicit underground cybercrime 
marketplaces allow criminals to buy, sell, and trade malicious 
software, access to sensitive networks, spamming services, payment card 
data, PII, bank account information, brokerage account information, 
hacking services, and counterfeit identity documents. These illicit 
digital marketplaces vary in size, with some of the more popular sites 
boasting membership of approximately 80,000 users. These digital 
marketplaces often use various digital currencies, and cybercriminals 
have made extensive use of digital currencies to pay for criminal goods 
and services or launder illicit proceeds.
Secret Service Strategy for Combating This Threat
    The Secret Service proactively investigates cybercrime using a 
variety of investigative means to infiltrate these transnational 
cybercriminal groups. As a result of these proactive investigations, 
the Secret Service is often the first to learn of planned or ongoing 
data breaches and is quick to notify financial institutions and the 
victim companies with actionable information to mitigate the damage 
from the data breach and terminate the criminal's unauthorized access 
to their networks. One of the most poorly understood facts regarding 
data breaches is that it is rarely the victim company that first 
discovers the criminal's unauthorized access to their network; rather 
it is law enforcement, financial institutions, or other third parties 
that identify and notify the likely victim company of the data breach.
    A trusted relationship with the victim is essential for confirming 
the crime, remediating the situation, beginning a criminal 
investigation, and collecting evidence. The Secret Service's growing 
global network of 37 Electronic Crimes Task Forces (ECTF), located 
within our field offices, is essential for building and maintaining 
these trusted relationships, along with the Secret Service's commitment 
to protecting victim privacy. The Secret Service routinely discovers 
data breaches through our proactive investigations and notifies victim 
companies with actionable information. For example, as a result of 
information discovered this year through just one of our ongoing 
cybercrime investigations, the Secret Service notified hundreds of U.S. 
entities of cybercriminal activity targeting their organizations. 
Additionally, as the Secret Service investigates cybercrime, we 
discover current criminal methods and share this cybersecurity 
information broadly to enable other organizations to secure their 
networks. The Secret Service does this through contributing to leading 
industry annual reports such as the Verizon Data Breach Investigations 
Report and the Trustwave Global Security Report, and through more 
immediate reports, including joint Malware Initial Findings Reports 
(MIFRs).
    This year, UPS Stores Inc. used information published in a joint 
report by the Secret Service, National Cybersecurity and Communications 
Integration Center, United States Computer Emergency Readiness Team 
(NCCIC/U.S.-CERT), and the Financial Services Information Sharing and 
Analysis Center (FS-ISAC) on the Backoff malware to protect itself and 
its customers from cybercriminal activity. \7\ The information in this 
report was derived from a Secret Service investigation of a network 
intrusion at a small retailer in Syracuse, New York. The Secret Service 
publicly shared actionable cybersecurity information derived from this 
investigation to help numerous other organizations while still 
safeguarding sensitive information. As a result, UPS Stores, Inc. was 
able to identify 51 stores in 24 States that had been impacted, and 
then were able to contain and mitigate this cyber incident before it 
developed into a major data breach. \8\
---------------------------------------------------------------------------
     \7\ See http://www.us-cert.gov/security-publications/Backoff-
Point-Sale-Malware.
     \8\ See UPS Store's press release available at http://
www.theupsstore.com/about/media-room/Pages/The-ups-store-notifies-
customers.aspx.
---------------------------------------------------------------------------
    As we share cybersecurity information discovered in the course of 
our criminal investigation, we also continue our investigation in order 
to apprehend and bring to justice those involved. Due to the inherent 
challenges in investigating transnational crime, particularly the lack 
of cooperation of some countries with law enforcement investigations, 
it can take years to finally apprehend the top tier criminals 
responsible. For example, even after a 2011 indictment, Secret Service 
agents were not able to arrest Roman Seleznev of Vladivostok, Russia, 
in an international law enforcement operation until just recently. Mr. 
Seleznev has been charged in Seattle in a 40-count superseding 
indictment for allegedly being involved in the theft and sale of 
financial information of millions of customers. Seleznev is also 
charged in a separate indictment with participating in a racketeer 
influenced corrupt organization (RICO) and conspiracy related to 
possession of counterfeit and unauthorized access devices. \9\ This 
investigation was led by the Secret Service's Seattle Electronic 
Crimes Task Force.
---------------------------------------------------------------------------
     \9\ See http://www.justice.gov/usao/waw/press/2014/October/
seleznev.html.
---------------------------------------------------------------------------
    In another case, the Secret Service, as part of a joint 
investigation with U.S. Immigration and Customs Enforcement's Homeland 
Security Investigations (HSI) and the Global Illicit Financial Team, 
hosted by IRS-Criminal Investigations, shut down the digital currency 
provider Liberty Reserve, which was allegedly widely used by criminals 
worldwide to store, transfer, and launder the proceeds of a variety of 
illicit activities. Liberty Reserve had more than one million users, 
who conducted approximately 55 million transactions through its system 
totaling more than $6 billion in funds. The alleged founder of Liberty 
Reserve, Arthur Budovsky, was recently extradited from Spain to the 
United States. Mr. Budovsky is among seven individuals charged in the 
indictment. Four codefendants--Vladimir Kats, Azzeddine el Amine, Mark 
Marmilev, and Maxim Chukharev--have pleaded guilty and await 
sentencing. Charges against Liberty Reserve and two individual 
defendants, who have not been apprehended, remain pending. This 
investigation was led by the Secret Service's New York Electronic 
Crimes Task Force.
Legislative Action To Combat Data Breaches
    While there is no single solution to prevent data breaches of U.S. 
customer information, legislative action could help to improve the 
Nation's cybersecurity, reduce regulatory costs on U.S. companies, and 
strengthen law enforcement's ability to conduct effective 
investigations. The Administration has proposed various pieces of 
cybersecurity legislation, including law enforcement provisions related 
to computer security, and continues to urge Congress to pass 
legislation that will strengthen Government and private-sector 
cybersecurity capabilities. In particular, we urge Congress to act on 
legislation that will allow us to keep pace with the rapidly evolving 
threats of cybercrime. \10\
---------------------------------------------------------------------------
     \10\ This proposal is available at: http://www.whitehouse.gov/omb/
legislative_letters/.
---------------------------------------------------------------------------
Conclusion
    The Secret Service is committed to continuing to safeguard the 
Nation's financial payment systems by defeating cybercriminal 
organizations. Responding to the growth in these types of crimes, and 
the level of sophistication these criminals employ, requires 
significant resources and substantial collaboration among law 
enforcement and its public and private-sector partners. Accordingly, 
the Secret Service dedicates significant resources to improving 
investigative techniques, providing training for law enforcement 
partners, and sharing information on cyberthreats. The Secret Service 
will continue to coordinate and collaborate with other Government 
agencies and the private sector as we develop new methods of combating 
cybercrime. Thank you for your continued commitment to protecting our 
Nation's financial system from cybercrime.
                                 ______
                                 
             PREPARED STATEMENT OF JOSEPH M. DEMAREST, JR.
 Assistant Director, Cyber Division, Federal Bureau of Investigation, 
                         Department of Justice
                           December 10, 2014
    Good morning Chairman Johnson, Ranking Member Crapo, and the 
distinguished Members of this Committee. I am honored to appear before 
you today to discuss the cyberthreats facing our Nation, their relation 
to the financial sector, and the efforts the FBI is taking to identify, 
pursue, and defeat those threats.
    In the course of my brief testimony, I hope to give you a sense of 
the extent to which today's cyber actors pose new and increasingly 
complex threats to our country and to the financial sector--a threat 
that challenges the traditional models of the law enforcement and 
intelligence communities, where threat actors were previously confined 
by time, distance, and physical location. Instead, today's cyber 
actors, from Nation-States to criminal groups and individuals, find 
themselves virtually unrestricted in their target sets and their 
ambitions, launching attacks from all over the world at literally the 
speed of light. Today, I hope to convey the many ways that we at the 
FBI are doing everything in our power to protect the Nation, and the 
financial sector in particular, from these threats.
Cyberthreats Against the Financial Sector: Trends and Implications
    Before describing the current cyberthreatscape, I'd like to give a 
brief overview of the FBI Cyber Division, our mission, and how we 
target the cyber adversaries that threaten this country on a daily 
basis. In general, the FBI's mission falls into three separate buckets: 
first, we identify the cyber actors perpetrating harm. In the world of 
cybercrime and cyber espionage, this is often the most difficult step, 
as cyberthreats may hide in plain sight, using various methods to 
obfuscate their presence, location, and activities. Second, we pursue 
these actors, tracking their activity both online and off. To this end, 
we utilize collaborative partnerships across the Federal Government, 
with international partners and with industry, along with our unique 
combination of national security and law enforcement authorities, to 
gather intelligence about the tactics, techniques and procedures of 
these actors. In short, we find these threat actors and we watch them, 
gathering intelligence and understanding the motives and the conduct of 
our adversaries. Lastly, with the aid of partnerships and our unique 
authorities, we defeat cyber adversaries through a full range of 
methods, including--most importantly, arresting and prosecuting those 
responsible. The FBI focuses foremost on intelligence-led, threat-
focused cyber operations which our personnel, analysts, computer 
scientists, and agents in the field help us achieve every day.
    As the Members of this Committee are aware, the range of actors who 
threaten our interests is as complex as it is varied. We face cyber 
terrorists, who aim to use our reliance upon and use of digital systems 
to advance their political or ideological goals. We face Nation-States, 
who aim to use the cyber world to conduct espionage, to make 
preparations for war, and who may even carry out acts of war through 
cyber means. We face ideology-driven criminals, who may use methods 
such as denial of service attacks, known as ``DDoS'' attacks, to 
further their own ideology or social cause. We face insider threats, 
whose legitimate access to sensitive information may be used for 
various illicit ends. Lastly, we face financially motivated groups and 
individuals, who use a range of methods to enrich themselves at others' 
expense--and it is this group that I will focus upon most specifically 
today, though each and every group I just listed may, at times, view 
the financial sector as a prime target.
    As the Members of the Committee are also aware, the threat from 
cyber actors--specifically cybercriminals--continues to garner an 
increasing share of the media spotlight and continues to advance in 
sophistication. Recent high-profile attacks, such as those on eBay, 
Sony, JPMorgan Chase, and others, highlight vulnerabilities in some of 
our Nation's largest companies. Regarding the threats to the financial 
sector in particular, such threats range in complexity, and we continue 
to work closely with the Secret Service, DHS, and other partners across 
the Government. Point of sale thefts, also known as ``POS'' scams, for 
example, are not new, but continue to pose serious threats to the 
financial services industry. According to Verizon's 2014 Data Breach 
Investigations Report, the physical installation of a ``skimmer'' on an 
ATM, gas pump, or POS terminal to read credit card data has targeted 
ATMs with an overwhelming specificity--87 percent of skimming attacks 
in 2013, for example, were on ATMs. Retail POS scams, where attackers 
compromise the computers and servers that run POS applications with the 
intention of capturing payment data, comprise an additional level of 
sophistication, and can take weeks or even months to be discovered, 
much less mitigated. The high-profile attack on Target provides one 
of the more sophisticated examples of retail POS scams, in which, 
according to open source reporting, 40 million credit card numbers and 
another 70 million customer records were stolen. Such attacks are not 
unique to Target--additional data breaches have been reported at Neiman 
Marcus, Michaels, and P.F. Chang's, among many others.
    Vulnerabilities in mobile banking pose another new and highly 
sophisticated danger, as mobile banking vulnerabilities may exist on 
mobile devices that are not patched, and malware can be developed to 
specifically target the use of mobile devices. One example of this type 
of vulnerability is the Zeus-in-the-Middle malware, a mobile version of 
the GameOver Zeus malware, which itself was one of the most 
sophisticated types of malware the FBI ever attempted to disrupt. 
GameOver Zeus was designed to steal banking credentials that criminals 
could then use to initiate or redirect wire transfers to overseas bank 
accounts. All told, the malware infected over 1 million computers 
worldwide and caused over $100 million in estimated losses. Zeus-in-
the-Middle has not caused the same level of damage or losses as 
GameOver Zeus, but its very existence illustrates the risk posed to 
mobile platforms, where devices can be infected by malicious apps or 
via spear phishing emails, and which can then enable cybercriminals to 
utilize the banking credentials of targeted users on a grand scale. 
Current open source reporting suggests that Android OS devices remain a 
prime target for mobile malware--according to the 2014 Cisco Annual 
Security Report, for example, 99 percent of mobile malware in 2013 
targeted the Android platform.
    Botnets, which can harness the power of an enormous web of 
computers for malicious purposes, continue to evolve as well. As I 
speak, estimates place the total damages caused by botnets at more than 
$9 billion in losses to U.S. victims and over $110 billion in losses 
worldwide. Approximately 500 million computers are infected globally 
per year--translating to 18 victims per second. As botnets become more 
sophisticated, our techniques must evolve to keep pace. The FBI and our 
partners may take down one botnet, for example, but coders may alter 
code and rebuild their bots in fairly short order. The power and scale 
of botnets is particularly worth noting, as botnets have been used to 
attack the financial sector through DDoS attacks, and the FBI has been 
deeply involved in preventing such attacks and in keeping such attacks 
from inflicting lasting damage. Beginning in September 2012, for 
example, actors launched powerful DDoS attacks from a botnet, combining 
the bandwidth of numerous web servers to target major U.S. banking 
institutions. The FBI worked closely with Department of Homeland 
Security (DHS) to issue Joint Indicator Bulletins (JIBs) to the U.S. 
banks, which included thousands of IP addresses that participated in 
the attacks. The U.S. banks used the IP addresses to better mitigate 
future incidents, thus helping to ensure their business operations 
could proceed with less interruption of service to their customers. The 
JIBs helped reduce the resources available for the threat actors to 
carry out future DDoS operations and demonstrated the effectiveness of 
FBI outreach to industry. Throughout this campaign, the FBI held 
significant outreach efforts to brief bank net-defenders through a 
series of classified briefs. These briefs, conducted by FBI, DHS, and 
Treasury representatives, provided bank security personnel the context 
of the DDoS threat and enabled the banks to share best-practices with 
their peers in real time.
    From March 2013 to July 2014, the FBI provided approximately 36 
classified threat briefings regarding the DDoS attacks to private-
sector financial institutions and governmental agencies, including DHS, 
Department of Treasury, the Federal Deposit Insurance Corporation, and 
the Federal Reserve System. The initial classified briefing, held on 
March 19, 2013, was attended by over 300 chief information security 
officers via secure video teleconference from 33 FBI field offices. 
This type of outreach is far from irregular--based on imminent threats 
to the financial sector in early 2014, the FBI provided classified 
threat briefings in March, April, and July 2014 to a total of 145 
financial institutions.
    We at the FBI, in short, are doing everything in our power to keep 
pace with the evolving threat against the financial sector. We further 
our law enforcement mission when we collaborate within the Government 
and across the private sector to prosecute and protect our Nation and 
industries from the devastating consequences of cyber attacks.
Coordination and Information Sharing Across the Government
    The FBI and our partners throughout the Government have all made 
significant progress in recent years in collaborating within the cyber 
domain--and our progress hasn't just been limited domestically, but has 
occurred at international levels as well. A decade ago, for example, if 
an FBI agent tracked an Internet Protocol (IP) address to a criminal 
investigation, and if that IP address was located in a foreign country, 
this meant the effective end of the investigation. Since that time, 
however, the FBI has placed cyber specialists in key international 
locations to facilitate the investigation of cybercrimes affecting the 
U.S. Recognizing the value of cyber specialists working with key 
international partners, the FBI Cyber Division stood up a team known as 
the Operational Coordination Unit's Extraterritorial Operations group 
to focus on supporting, coordinating, and providing oversight of 
international cyber national security and criminal intrusion 
investigations. One prime example of the importance of collaboration and 
coordination is the recent take down of Silk Road 2.0. Beginning in 
late December 2013, Blake Benthall, also known by the online handle 
``Defcon,'' secretly owned and operated an underground Web site known 
as Silk Road 2.0--one of the most extensive, sophisticated, and widely 
used criminal marketplaces ever created on the Internet. The Web site 
operated on the Tor network, a special network of computers distributed 
around the world and designed to conceal the IP addresses of the 
computers that access the network, thereby masking the identities of 
the network's users. Silk Road 2.0 launched in November 2013 after its 
predecessor was shut down by law enforcement. Since its launch in 2013, 
Silk Road 2.0 has been used by thousands of illicit actors to 
distribute hundreds of kilograms of illegal drugs and other 
illegitimate goods and services to buyers throughout the world, as well 
as to launder millions of dollars generated by these unlawful 
transactions. As of September 2014, Silk Road 2.0 was generating sales 
of at least approximately $8 million per month and had approximately 
150,000 active users. The very existence of Silk Road 2.0 highlights 
the core concern I'm here to address today: cybercriminals now operate 
far outside the traditional bounds that confined criminals in past 
decades, selling banking credentials by the thousands and placing 
malware on the market for the purposes of DDoS attacks, to cite just 
two examples of illicit activities that target the financial sector. 
Whereas last century's bank robbers used an automobile to steal from a 
handful of banks in a few States in one day--a novel development for 
the time--today's bank robbers can use the Internet to steal money from 
thousands of banks across the world in a few hours, all without ever 
leaving their basement.
    Thanks to our coordinated efforts, however, criminal marketplaces 
like Silk Road 2.0 cannot and will not last for long. The investigation 
into Silk Road 2.0 was conducted jointly by the FBI and the DHS's 
Immigration and Customs Enforcement's Homeland Security Investigations 
(ICE-HSI), illustrating the critical nature of cooperation and 
information sharing in today's cyber investigations--no Government 
agency, no matter how competent its agents and experts, can operate 
successfully on its own. We capitalize on our distinct roles and 
responsibilities within the Government to address and prevent 
cybercrime. Over the course of the investigation into Silk Road 2.0, an 
HSI agent acting in an undercover capacity successfully infiltrated the 
support staff involved in the administration of the Silk Road 2.0 Web 
site and was given access to private, restricted areas of the site 
reserved for Benthall and his administrative staff. By doing so, the 
HSI agent was able to interact directly with Benthall throughout his 
operation of the Web site.
    On November 7, 2014, the U.S. Government seized the Silk Road 2.0 
Web site in the largest law enforcement action to date against criminal 
Web sites operating on the Tor network. Benthall was arrested and 
charged with one count of conspiring to commit narcotics trafficking 
(carrying a maximum sentence of life in prison and a mandatory minimum 
sentence of 10 years in prison), one count of conspiring to commit 
computer hacking (carrying a maximum sentence of 5 years in prison), 
one count of conspiring to traffic in fraudulent identification 
documents (carrying a maximum sentence of 15 years in prison), and one 
count of money laundering conspiracy (carrying a maximum sentence of 20 
years in prison). The investigation was a key success for the FBI, for 
ICE-HSI, and for the U.S. Government as a whole--and a key illustration 
of the importance of collaboration and cooperation.
    Another example of the importance of collaboration and cooperation, 
both inside and outside of Government, is the vital work the National 
Cyber Investigative Joint Task Force (NCIJTF) performs on a daily 
basis. Mandated by the President in 2008, the NCIJTF serves as national 
focal point for coordinating, integrating, and sharing pertinent 
information related to cyberthreat investigations among 19 Federal 
agencies. The FBI aims to strengthen and solidify the NCIJTF as the 
cybersecurity center for coordinating cyberthreat investigations and 
disruption operations. The NCIJTF involves senior personnel from key 
agencies, including deputy directors from the National Security Agency, 
the Department of Homeland Security, the Central Intelligence Agency, 
the U.S. Secret Service, and U.S. Cyber Command. Reinforcing the role 
of the NCIJTF on cross-Government cyberthreat information sharing and 
coordination is a key priority for the FBI.
    Lastly, the FBI is working to strengthen local and national 
information sharing and collaboration efforts in support of network 
defense, intelligence operations, and disruption operations. And I 
cannot make the following statement frequently enough: the private 
sector is an essential partner if we are to succeed in defeating the 
cyberthreat our Nation confronts. I will discuss in more detail some of 
our collaboration efforts with the private sector shortly.
Current FBI Efforts To Combat Cyberthreats
    The FBI is engaged in a host of efforts to combat cyberthreats, 
from efforts focused on threat identification and sharing inside and 
outside of Government, to our internal emphasis on developing and 
retaining new talent and changing the way we operate to evolve with the 
cyberthreat. I would like to take this opportunity to highlight a few 
of the ways we at the FBI are confronting this threat head on.
FBI Liaison Alert System
    As I alluded to earlier in my testimony, the threat of botnets 
provides a good example of how the FBI is proactively working with 
industry partners to combat cyberthreats. To further assist with 
network defense and mitigation of botnets, the FBI created a document 
called the FBI Liaison Alert System message, or FLASH. Through the 
system, the FBI releases high confidence data to the private sector 
with indicators and alerts related to computer intrusions and DDoS 
attacks. From April 2013 to July 2014, the FBI disseminated 34 FLASH 
messages, about 20 of which dealt with threats against the financial 
sector. The FBI disseminated, among other information, indicators for 
approximately 115,000 compromised systems in these FLASH messages. 
These declassified, technical indicators, associated with intrusions, 
are meant to enable industry partners to be on the lookout for and 
defend their infrastructure from nefarious traffic on their networks.
    The FBI provided these FLASH messages to key partners across 
affected critical infrastructure sectors, to include: Tier 1 and 2 
Internet Service Providers (ISPs), Domain Name Server (DNS) root server 
operators, top-level domain (TLD) operators, and Five Eyes partners. 
When the FBI receives credible information regarding a threat to U.S. 
critical infrastructure, FBI coordinates with DHS to discuss and 
deconflict victim notification and mitigation strategies, at times 
involving other agencies, such as the Department of Treasury, as well.
Guardian Victim Analysis Unit
    The FBI's Guardian Victim Analysis Unit (GVAU) is a direct response 
to the President's 2013 Executive Order 13636, which called for 
increases in the volume, timeliness, and quality of cyberthreat 
information shared with U.S. private-sector entities so that these 
entities may better defend themselves against cyberthreats. To help aid 
these entities and to enhance private-sector information-sharing 
efforts, the FBI established Cyber Guardian, a series of applications 
that enables actors in and outside of Government to share threat 
information. One Cyber Guardian application is available on a Secret 
enclave, and two applications known as eGuardian and iGuardian/
InfraGard--both operating at the unclassified level--are available to 
State, Local, Tribal, and Territorial (SLTT) entities, and to the 
private sector, respectively. The Cyber Guardian applications provide a 
means for the FBI to rapidly disseminate reports on cyberthreat 
activity, in addition to a platform for coordination and deconfliction 
of cyberthreat information.
The Internet Crime Complaint Center
    Established in 2000, the Internet Crime Complaint Center (IC3) is a 
partnership between the FBI and the National White Collar Crime Center 
meant to serve as a vehicle to receive, develop, and refer criminal 
complaints regarding the rapidly expanding arena of cybercrime. During 
its infancy, the IC3 received approximately 2,000 victim complaints per 
month. Now the IC3 receives approximately 800 complaints a day, with 
over 244,000 complaints received to date for the 2014 calendar year. In 
2013, the IC3 received 262,813 consumer complaints with losses in 
excess of $781 million. The IC3 database currently houses more than 
3.15 million consumer complaints dating back to its inception in 2000.
The Domestic Security Alliance Council
    The Domestic Security Alliance Council (DSAC) is a strategic 
partnership between the U.S. Government and U.S. private industry, 
formed with the goal of increasing security by enhancing communications 
and promoting the timely and effective exchange of security information 
among its constituents. The DSAC advances the FBI's mission of 
preventing, detecting, and deterring criminal acts by facilitating 
strong, enduring relationships among its private industry members, FBI 
headquarters divisions, FBI field offices, DHS headquarters, DHS fusion 
centers, and other Federal Government entities.
The National Cyber-Forensics and Training Alliance
    The National Cyber-Forensics and Training Alliance (NCFTA) is 
composed of representatives of industry, academia, and the FBI, all 
working together to collaborate on combating cybercrime. The NCFTA 
provides a unique environment for information sharing between law 
enforcement, private industry, and academia. The NCFTA is a nonprofit 
group whose members include ISPs, banks, retailers, and a whole host of 
other industry representatives, along with law enforcement and 
academia, with a mission to identify cyberthreats and share information 
for mitigation and neutralization purposes. The NCFTA provides a one-
of-a-kind opportunity for subject matter experts to address global 
cyberthreats such as botnets, spam, and malware. Because of its 
nonprofit status, the group can share information in a neutral 
environment, develop a strategic understanding of the threat, and work 
to address cyberthreats collaboratively.
National Industry Partnership Unit
    The FBI established an entity known as the National Industry 
Partnership Unit to develop partnerships through the InfraGard program 
between the FBI and private sector, academic, and other public 
entities, to support the FBI's investigative programs. Established in 
the Cleveland field office in 1996, InfraGard was initially a local 
effort to gain support from the information technology industry and 
academia for the FBI's investigative efforts in the cyber arena. 
InfraGard soon expanded to other FBI field offices, and in 2003 the 
Cyber Division assumed responsibility for the program. InfraGard and 
the FBI have developed a relationship of trust and credibility in the 
exchange of information concerning various terrorism, intelligence, 
criminal, and security matters. InfraGard members gain access to 
information that enables them to protect their assets and in turn give 
information to the Government that facilitates its responsibilities in 
preventing and addressing terrorism and other crimes. This relationship 
supports information sharing at both the national and local levels, 
with the aim of increasing the level of information and reporting 
between InfraGard members and the FBI on matters related to 
counterterrorism, cybercrime, and other major crime programs.
Charting the Cyber Future
    The future cyberthreatscape will certainly be complex--based on 
recent advances in the sophistication of our adversaries, both State 
and non-State, it is hard to imagine what this threatscape will look 
like 10 or even 20 years down the road. Nevertheless, we in the FBI 
pride ourselves on being a forward looking organization, and adapting 
to the challenges we face. The FBI Cyber Division--our agents, computer 
scientists, analysts, and personnel--are all working hard to outpace 
such threats on a daily basis, identifying, pursuing, and defeating our 
adversaries, wherever in the world they might be.
    There are, however, a number of ways that Congress might seek to 
aid us in our efforts. In particular, I would like to enumerate three 
concerns that new legislation or amendments to existing legislation 
could address that would strengthen our ability to combat cyberthreats, 
as follows:

    Updating the Computer Fraud and Abuse Act. The Computer 
        Fraud and Abuse Act (CFAA) constitutes the primary Federal law 
        against hacking, protecting the public against criminals who 
        hack into computers to steal information, install malicious 
        software, and delete files. The CFAA was first enacted in 1986, 
        at a time when the problem of cybercrime was still in its 
        infancy. Over the years, a series of measured, modest changes 
        have been made to the CFAA to reflect new technologies and 
        means of committing crimes and to equip law enforcement with 
        the tools to respond to changing threats. The CFAA has not been 
        amended since 2008, however, and the intervening years have 
        again created the need for the enactment of modest, incremental 
        changes. The Administration has proposed several such revisions 
        to keep Federal criminal law up-to-date with rapidly evolving 
        technologies.
    Cyberthreats adapt and evolve at the speed of light, and we need 
        laws on the books that reflect the most current means by which 
        cyber actors are committing crimes. Updating the CFAA to 
        reflect these changes would help strengthen our ability to 
        punish, and therefore to deter, the crimes we seek to prevent.

    Data Breach Notifications. We believe there is a strong 
        need for a uniform Federal standard holding certain types of 
        businesses accountable for data breaches and theft of 
        electronic personally identifiable information. Businesses 
        should, for example, be required to provide prompt notice to 
        consumers in the wake of certain cyber attacks. Such a 
        standard would not only hold businesses accountable for 
        breaches, but would also assist in FBI and other law 
        enforcement efforts to identify, pursue, and defeat the 
        perpetrators of cyber attacks.

    Information Sharing. Although the Government and the 
        private sector already share cyberthreat information on a daily 
        basis, legislation can enhance the value and benefit of these 
        information-sharing relationships. The Government and the 
        private sector both have critical and unique insights into the 
        cyberthreats we face, and sharing these insights is necessary 
        to enhance our mutual understanding of the threat. Similarly, 
        the operational collaboration required to identify cyberthreat 
        indicators and to mitigate intrusions requires the exact type 
        of sharing we seek in the first place. As such, the FBI 
        supports legislation that would establish a clear framework for 
        sharing and reduce risk in the process, in addition to 
        providing strong and straightforward safeguards for the privacy 
        and civil liberties of Americans. U.S. citizens must have 
        confidence that threat information is being shared 
        appropriately, and we in the law enforcement and intelligence 
        communities must be as transparent as possible. We also want to 
        ensure that all the relevant Federal partners receive the 
        information in real time.

    The bottom line, however, is that current levels of information 
sharing are insufficient to address the cyberthreats we face, 
specifically with regards to the financial sector. The U.S. is 
currently facing sophisticated, well-resourced adversaries, and minimum 
security requirements are needed to harden our critical infrastructure 
networks. The Government and private sector should collaborate to 
develop these requirements, and we believe that legislation would help 
to further these ends. There are a host of statutory and regulatory 
restrictions as well that provide narrowly tailored liability 
protections for appropriate cyber information sharing. Further, there 
are a number of regulatory and statutory concerns that private actors 
may express when it comes to sharing cyberthreat information with the 
Government, and new legislation can and should be crafted to address 
these concerns. The events of the last year, and the continuing high-
profile cyber attacks on major American companies, should serve to 
highlight the need for new engagement against cyberthreats on every 
level possible.
    In the absence of the passage of cybersecurity legislation, 
however, the Administration is taking steps in the right direction to 
ensure that we can share information, in a practical and meaningful 
way. One such step is Executive Order (EO) 13636, entitled ``Improving 
Critical Infrastructure Cybersecurity,'' which I addressed briefly 
earlier, signed by the President in February 2013 and designed to 
provide critical infrastructure owners and operators with assistance to 
address cyberthreats and manage risks. The EO calls for the Government 
to collaborate more closely with industry by sharing information about 
cyberthreats and jointly developing a framework of cybersecurity 
standards and best practices. One of the EO's main goals is to improve 
Government information sharing with critical infrastructure owners and 
operators regarding cyberthreats, including attack signatures and other 
technical data. The FBI would, however, welcome more active engagement 
from Congress on these matters. Although the EO is a step in the right 
direction, robust cybersecurity legislation is still needed. As 
partners across the Government and private sector have explored the 
ways we can operate, under existing laws, to implement the requirements 
of the EO, we are well positioned to have a more informed dialogue with 
Congress, and to improve our ability to address cyberthreats.
Conclusion
    In conclusion, Mr. Chairman, the FBI is focusing our resources, 
expanding our presence at the local, national and international levels, 
and engaging in cooperation with the private sector and 
intergovernmental collaboration. As the Committee knows well, we face 
considerable challenges in our efforts to combat cybercrime, and yet we 
remain optimistic that by identifying, pursuing, arresting and 
prosecuting these offenders we will defeat our cyber adversaries and 
continue to succeed in neutralizing these threats. My colleagues at the 
FBI and I look forward to working with the Committee and with Congress 
in protecting our Nation from the evolving threat posed by cyber 
actors. Thank you again for the opportunity to appear before you today. 
I would be happy to answer any questions you may have.
        RESPONSES TO WRITTEN QUESTIONS OF SENATOR CRAPO
                       FROM BRIAN PERETTI

Q.1. Fast, efficient sharing of actionable cyberthreat 
information between law enforcement, the intelligence 
community, and industry is a vitally important component of 
protecting information systems. While we have seen significant 
progress over the past couple years in the timeliness and 
quality of information sharing, there is still room for 
improvement. Please describe, first, what steps are being taken 
at your agency or Department to improve the information-sharing 
process and more quickly disseminate actionable information to 
those who need it.

A.1. As the Sector Specific Agency for the Financial Sector, 
Treasury encourages private sector membership in the Financial 
Sector Information Sharing and Analysis Center (FS-ISAC). FS-
ISAC membership has increased significantly over the past year 
and Treasury expects this trend to continue. As any ISAC is 
only as valuable as the information shared within it, Treasury 
also promotes and encourages individual private sector firms to 
actively share information through the organization. Increasing 
the number of private sector firms that actively share 
information within the FS-ISAC is a key goal for improving 
information sharing.
    Treasury has created an information sharing and analysis 
unit, known as the Financial Sector Cyber Intelligence Group 
(CIG) to increase information sharing across the financial 
services industry. The CIG is a section within Treasury's 
Office of Critical Infrastructure Protection and Compliance 
Policy that focuses on cybersecurity information sharing with 
the financial sector. Its purpose is to increase the volume, 
timeliness and quality of cyberthreat information shared 
between the Government and the financial services sector as 
called for under Executive Order 13636 on Improving Critical 
Infrastructure Cybersecurity and Presidential Policy Directive 
21 on Critical Infrastructure Security and Resilience, which 
designates Treasury as the Sector Specific Agency for the 
Financial Services Sector. The CIG was established in response 
to a need identified by the financial sector for the Government 
to have a focal point for sharing cyberthreat-related 
information with the sector.
    The CIG identifies and analyzes all-source intelligence on 
cyberthreats to the financial sector; shares timely, actionable 
information that alerts the sector to threats and enables 
firms' prevention and mitigation efforts; and solicits feedback 
and information requirements from the sector. It produces 
threat and mitigation bulletins, called CIG Circulars; responds 
to Requests for Information from the financial sector about 
specific issues of concern to them; delivers classified 
briefings to appropriately cleared financial sector 
representatives; and encourages the sharing of information on 
specific threats to financial institutions. The CIG has a 
representative at the Department of Homeland Security's (DHS) 
National Cybersecurity and Communications Integration Center 
(NCCIC) and Treasury will support any new national initiative 
aimed at integrating cyberthreat intelligence efforts. The CIG 
is currently developing tools, systems, and processes to 
automate information sharing. Once these mechanisms are in 
place, the CIG will be able to share cyberthreat indicators 
with the financial sector in a machine readable format.

Q.2. Second, what obstacles or constraints delay the 
dissemination of such information?

A.2. Treasury engages frequently with individual financial 
institutions, industry groups, and interagency partners to 
understand, assess, and improve upon cybersecurity information 
sharing. Cybersecurity information sharing has improved in 
recent years, and we believe it is critically important that 
industry and Government continuously work together to improve 
the quality and timeliness of such information.
    Generally, we see future work in improving information 
sharing processes focusing on:

    Sharing information from Government to industry, 
        from industry to Government, and between individual 
        companies within industry, including through working to 
        address industry concerns over liability, regulatory 
        use of information, and possible release of information 
        through FOIA and other sunshine requirements; and

    Working with interagency and private sector 
        partners to leverage DHS's STIX/TAXII protocol to 
        automate information sharing processes. STIX/TAXII 
        facilitates cyberthreat indicator sharing in a machine 
        readable format.

Q.3. Financial institutions generally do a very good job 
sharing information with each other, but there is much less 
information sharing that occurs with other sectors. Because 
companies in different sectors can often be victims of the same 
attacks, robust cross-sector coordination is a key piece of the 
cybersecurity effort. What are some of the steps Treasury has 
taken or plans to take to promote better cross-sector 
coordination and information sharing?

A.3. Treasury recognizes that the financial sector is 
critically dependent on services provided by other sectors, 
including the energy, telecommunications, and information 
technology sectors. For this reason, we are working closely 
with the financial sector and our interagency partners to build 
processes for effectively sharing information across sectors. 
These efforts include working with the Department of Energy to 
promote the sharing of best practices across sectors, planning 
and participating in cross sector cybersecurity exercises, and 
sharing and receiving information from DHS's NCCIC, which 
serves as a focal point for cross-sector sharing among 
Government and private sector entities.
                                ------                                


               RESPONSES TO WRITTEN QUESTIONS OF
              SENATOR MENENDEZ FROM BRIAN PERETTI

Q.1. As you know, Federal financial regulators have supervisory 
authority with respect to the cybersecurity efforts of 
regulated financial institutions. For example, the Gramm-Leach-
Bliley Act requires financial institutions to safeguard 
consumers' personal information. But today's financial system 
extends far beyond regulated financial institutions--in the 
consumer payments area alone, for example, it extends to 
payment networks, merchants, and third-party payment 
processors, to name a few.
    Aside from the Federal Trade Commission's Section 5 
authority to guard consumers against unfair, deceptive, or 
abusive practices, there seems to be a critical gap in the 
standards and attention that apply to parts of the system 
beyond financial institutions. In last year's data breach at 
Target, for example, a third-party vendor's credentials were 
used to infiltrate a retailer's system, resulting in the theft 
of consumer financial information.
    How do you see the role of the Department of Homeland 
Security and other Federal Government actors in protecting 
against cybersecurity risks to the financial system more 
broadly, beyond just regulated institutions that are supervised 
by financial regulators?

A.1. Treasury communicates directly with financial institutions 
and other financial services sector organizations and works 
with other agencies and private sector groups to leverage 
communication channels in order to emphasize the importance of 
risk and vulnerability defenses within the whole system so that 
institutions can make appropriate risk management decisions. 
Paying attention to the whole risk picture requires attention 
to internal systems as well as vendor systems and services.
    Treasury has been widely promoting the value of using the 
National Institute of Standards and Technology (NIST) 
Cybersecurity Framework to not only promote cybersecurity 
internally, but also for financial institutions to use this 
framework as a way to assess their entire supply chain, 
including third-party vendors. Treasury provides cyberthreat 
and best practices information to Federal and State financial 
regulators so that regulators can use this information to 
inform their supervisory oversight and incorporate this 
information into their examination procedures going forward. 
Treasury worked with regulators through the Financial Stability 
Oversight Council (FSOC) to identify cybersecurity as a key 
operational risk in its 2014 report, but remains concerned 
about regulators' limited ability to provide oversight of third 
party suppliers.

Q.2. What tools do DHS and other Federal Government actors have 
to address risks to parts of the financial system outside of 
regulated institutions, such as payment networks, other than 
through financial regulators' supervision of regulated 
institutions' relationships with third-party vendors?

A.2. Treasury partners with Financial and Banking Information 
Infrastructure Committee (FBIIC) member agencies to address 
risks to parts of the financial system outside of regulated 
institutions. Treasury continues to encourage financial 
services firms to utilize the NIST Cybersecurity Framework, 
which includes holding business partners, suppliers, and 
customers accountable to its risk management approach. In 
particular, efforts by the Securities Industry and Financial 
Markets Association (SIFMA) to develop auditable standards of 
the Framework may be beneficial in supporting broad adoption of 
best practices across the supply chain.
    Treasury works closely with other agencies to identify and 
provide information that may be of use to private sector firms, 
and shares this information through FS-ISAC. Many of the 
financial sector technology service providers are members of 
FS-ISAC. Treasury encourages the sharing of information with 
other third-party service providers across sectors as 
appropriate.
    Treasury also chairs the Committee on Foreign Investments 
in the United States (CFIUS). CFIUS reviews business 
transactions that could result in control of a U.S. business by 
a foreign owned or controlled entity to determine the effect of 
such transactions on national security, including increased 
risk to parts of the financial sector outside of regulated 
institutions such as third party hardware or software vendors.

Q.3. Are there additional tools that would be helpful to have?

A.3. Treasury supports cyber legislation to increase 
information sharing that: facilitates cybersecurity information 
sharing between the Government and the private sector, as well 
as among private sector companies; incentivizes the adoption of 
best practices and standards for critical infrastructure 
protection by complementing the process set forth under the 
Executive Order; gives law enforcement the tools to fight crime 
in the digital age; updates Federal agency network security 
laws, and codifies DHS's cybersecurity responsibilities; 
creates a national data breach reporting requirement; 
incorporates appropriate privacy and civil liberties 
safeguards; reinforces the appropriate roles of civilian and 
intelligence agencies; and, includes targeted liability 
protections.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER
                       FROM BRIAN PERETTI

Q.1. In responding to all questions below (in every category), 
please respond as if a ``data security breach'' is the 
``unauthorized access to, or acquisition from, a system 
operated or maintained by a financial institution or other 
entity within the financial services industry, or an agent, 
affiliated organization or service provider to that financial 
institution or other financial services entity, that 
compromises the protection, security, integrity, 
confidentiality, or privacy of any customer financial 
information that is itself personally identifiable or that may 
be associated with personally identifiable information of a 
customer.''
    How many data security breaches of systems operated or 
maintained by a financial institution or other entity within 
the financial services industry--whether such breach has been 
publicly reported or not--is your Government department or 
agency aware occurred during 2013 or 2014? In responding to 
this question, please note the following request for an 
explanation:
    If your response to the foregoing question is that you do 
not have knowledge of any such data security breaches 
whatsoever, please indicate why your department or agency is 
not aware of any breaches given the public reports of multiple 
breaches within the industry in 2013 or 2014.
    Additionally, if your department or agency has knowledge of 
such data security breaches that includes nonpublic 
information, and your answer will indicate that you are 
subject to a confidentiality obligation that prohibits your 
answering this question completely, please indicate which 
specific Federal law or other rule prohibits you from 
testifying to the Committee about this information on data 
security breaches of which your department or agency has 
knowledge.

A.1. Treasury does not investigate data security breaches, 
track data security breach investigation statistics, or have 
authority to compel financial institutions to report 
information associated with data breaches. For this reason, we 
do not maintain a database of data security breach incidents. 
Instead, our efforts are focused on engaging with cybersecurity 
and law enforcement partners, independent regulators, and the 
sector itself to share information related to the technical 
details of a broad range of cyber incidents to reduce the risk 
of these incidents occurring elsewhere.

Q.2. Of those data security breaches at financial institutions 
and/or other entities within the financial services industry 
which your department or agency is aware occurred in 2013 or 
2014, please indicate:
    Approximately how many financial services customers--
whether individuals or organizations--you estimate were 
affected by each of those data security breaches.
    How many data security breaches resulted in individual 
customer notices mailed, emailed, or otherwise personally 
delivered to affected customers by the financial institution or 
other financial services entity?
    How many data security breaches resulted in some form of 
public notice by the financial institution or other financial 
services entity? (In response to this subquestion, please 
indicate for each data security breach if notice was made to 
major media outlets in the geographic region served by the 
institution or entity, and/or if the notice resulted from media 
reports following a public regulatory filing.)
    How many data security breaches have never resulted in any 
form of individual customer notices mailed, emailed, or 
otherwise personally delivered to affected customers by the 
financial institution or other financial services entity?

A.2. Treasury does not investigate data security breaches, 
track data security breach investigation statistics, or have 
authority to compel financial institutions to report 
information associated with data breaches. For this reason, we 
do not maintain a database of data security breach incidents. 
Instead, our efforts are focused on engaging with cybersecurity 
and law enforcement partners, independent regulators, and the 
sector itself to share information related to the technical 
details of a broad range of cyber incidents to reduce the risk 
of these incidents occurring elsewhere.

Q.3. Of those data security breaches which you are aware 
occurred in 2014, and for which no individual customer notice 
was given by the financial institution or other financial 
services entity, has your department or agency investigated the 
circumstances of the breach and considered taking any action to 
require or encourage individual customer notice of the same by 
such institution or entity?

A.3. Treasury does not investigate data security breaches, 
track data security breach investigation statistics, or have 
authority to compel financial institutions to report 
information associated with data breaches. For this reason, we 
do not maintain a database of data security breach incidents. 
Instead, our efforts are focused on engaging with cybersecurity 
and law enforcement partners, independent regulators, and the 
sector itself to share information related to the technical 
details of a broad range of cyber incidents to reduce the risk 
of these incidents occurring elsewhere.

Q.4. Has your department or agency ever engaged in any 
enforcement action against a financial institution or other 
entity within the financial services industry for failure to 
individually notify affected customers of a data security 
breach suffered by that entity?

A.4. No. Treasury does not have authority to take enforcement 
action in this regard.

Q.5. Has your department or agency ever assessed any civil 
penalty or fine against a financial institution or other entity 
within the financial services industry for failure to 
individually notify affected customers of a data security 
breach suffered by that entity?

A.5. No. Treasury does not have authority to take enforcement 
action in this regard.

Q.6. If the answer to either question 4 or 5 is yes, please 
specify the specific date of the department or agency action, 
the type of action taken, the entity which was subject to the 
action, and the amount of any penalty or fine that was 
assessed. If the answer to either question is no, please 
indicate the reason why your department or agency has not.

A.6. Treasury does not have authority to take enforcement 
action in this regard.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR CRAPO
                      FROM PHYLLIS SCHNECK

Q.1. Fast, efficient sharing of actionable cyberthreat 
information between law enforcement, the intelligence 
community, and industry is a vitally important component of 
protecting information systems. While we have seen significant 
progress over the past couple years in the timeliness and 
quality of information sharing, there is still room for 
improvement. Please describe, first, what steps are being taken 
at your agency or Department to improve the information-sharing 
process and more quickly disseminate actionable information to 
those who need it.

A.1. The Department of Homeland Security (DHS) has made 
significant progress during the last 18 months to improve 
information sharing. Congress recognized this good work last 
year when it unanimously passed a law recognizing the National 
Cybersecurity and Communications Integration Center's (NCCIC) 
central role to coordinate and serve as an interface for 
cybersecurity information across the Government and private 
sector. In January 2015, the President announced a legislative 
proposal that builds on this significant action taken by 
Congress. The Administration's 2015 legislative proposal 
encourages the private sector to share appropriate cyberthreat 
indicators with the NCCIC by providing targeted liability 
protection for companies that share threat indicator 
information. The proposal aims to increase the speed, quality, 
and frequency of existing information sharing between the 
Government and private-sector entities, to better protect 
against the shared threat of cyber attacks.
    We are actively working to maximize to the fullest extent 
possible the near-real-time dissemination of all relevant and 
actionable cyberthreat indicators among the private sector and 
Federal Departments for the purpose of network defense, while 
incorporating all appropriate privacy protections. We continue 
to make progress as Congress addresses key information-sharing 
constraints such as industries' concerns over liability 
protections.
    DHS has a number of programs and initiatives dedicated to 
forging and maintaining the public and private-sector trust-
relationships that enable meaningful information sharing 
including: partnerships with critical infrastructure owners and 
operators to ensure cohesive cybersecurity efforts; the 
Critical Infrastructure Cyber Community Voluntary Program (C3 
Voluntary Program) offering cybersecurity resources to private 
and public-sector entities through DHS who voluntarily commit 
to the cybersecurity framework created as a result of Executive 
Order 13636; the sharing of sensitive indicators that support 
intrusion prevention measures through Enhanced Cybersecurity 
Services (ECS); as well as ongoing collaboration with the 
private sector through the NCCIC, DHS's 24/7 center for 
cybersecurity incident response, prevention and mitigation.
    DHS is increasing the speed of indicator information 
sharing through the implementation of the Structured Threat 
Information eXpression (STIX) protocol and the Trusted 
Automated Exchange of Indicator Information (TAXII), a transport 
protocol. These protocols provide a structured framework for 
information sharing and dissemination that enables the analysis 
of full-spectrum cyberthreat information; a common language in 
which to share cyberthreat information across organizations and 
products; and a common set of services and messages that can be 
implemented to share information. TAXII and STIX are intended 
for use by Government and industry Computer Security Incident 
Response Teams to enable timely and secure threat information 
sharing. All threat sharing models, including hub-and-spoke, 
peer-to-peer, and source-subscriber, can take advantage of the 
standardization offered by TAXII and STIX. These protocols are 
in operational use today among several Information Sharing and 
Analysis Centers, within the Cyber Information Sharing and 
Collaboration Program (CISCP), and are being implemented across 
the NCCIC enterprise.
    CISCP, which began in January 2012, established a 
systematic approach to cyberthreat information sharing and 
collaboration between critical infrastructure owners and 
operators across all critical infrastructure sectors. Partners 
who have signed the CISCP Cooperative Research and Development 
Agreement share unclassified, actionable, timely threat 
indicator data to enhance the protection of themselves and in 
many cases their customers and constituents. Important analytic 
collaboration meetings are held monthly at the unclassified 
level and quarterly at the classified secret level among CISCP 
partners.
    With respect to cyberthreat intelligence, DHS's Office of 
Intelligence & Analysis (I&A) conducts cyberthreat intelligence 
outreach and engagements with key critical infrastructure 
sectors at the broadest level possible, with an emphasis on 
providing unclassified cyberthreat intelligence to increase 
owner and operator awareness and encourage them to make use of 
associated indicator data in their protection systems. I&A 
provides tailored analysis of cyberthreat activity to various 
private sector, State and local, and Federal partners to 
develop a common baseline understanding of cyberthreats and 
enable decision makers to protect, prevent, and mitigate 
against cyberthreats.
    DHS developed the C3 Voluntary Program to assist critical 
infrastructure in their adoption of the National Institute of 
Standards and Technology's Cybersecurity Framework, and to 
extend a range of cybersecurity resources to critical 
infrastructure including, among other things, information-
sharing opportunities.
    The ECS program is a voluntary information-sharing program 
that assists critical infrastructure owners and operators to 
improve protection of their systems from unauthorized access, 
exploitation, or data exfiltration. ECS consists of the 
operational processes and security oversight required to share 
sensitive and classified cyberthreat information with qualified 
Commercial Service Providers (CSP) that will enable them to 
better protect their customers who are critical infrastructure 
entities. The ECS program develops threat ``indicators'' with 
this information and provides CSPs with those indicators of 
active, malicious cybersecurity activity. CSPs may use these 
threat indicators to provide approved cybersecurity services to 
critical infrastructure entities.
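The answer above describes STIX as a common language for indicators and TAXII as the transport that carries them, and Treasury's answers earlier describe the goal of sharing indicators "in a machine readable format." What a receiving institution does with such a feed is left unstated; the following is an added example (not code from DHS, Treasury, or any witness) of the consuming side: a small Python consumer that validates a STIX indicator bundle, extracts the indicator values, and checks them against local log lines. It assumes STIX 2.1 JSON (the current form; the STIX of 2014 was XML-based), and every identifier, address, domain, and log line in it is constructed for the example.

```python
"""Validate a STIX 2.1 indicator bundle and match its indicators against logs.

Added example; constructed data only. Addresses use the 198.51.100.0/24
documentation range and domains use the reserved ".example" TLD.
"""
import json
import re
from typing import Dict, List, Optional, Tuple


def _indicator(suffix: str, name: str, pattern: str) -> Dict:
    """Build one constructed STIX 2.1 indicator object (IDs are placeholders)."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--9c2f1f1e-7a9e-4f2d-9b61-{suffix}",
        "created": "2014-12-10T00:00:00.000Z",
        "modified": "2014-12-10T00:00:00.000Z",
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": "2014-12-10T00:00:00Z",
    }


# Constructed bundle, as a feed consumer would receive it over TAXII.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--9c2f1f1e-7a9e-4f2d-9b61-000000000001",
    "objects": [
        _indicator("000000000002", "Constructed: C2 address",
                   "[ipv4-addr:value = '198.51.100.7']"),
        _indicator("000000000003", "Constructed: phishing domain",
                   "[domain-name:value = 'login-update.example']"),
        # Compound pattern: the simple matcher below deliberately skips it.
        _indicator("000000000004", "Constructed: compound pattern",
                   "[file:hashes.'SHA-256' = '00' AND file:size > 1024]"),
    ],
})

# Constructed firewall/proxy log lines, one event per line.
SAMPLE_LOGS = [
    "2014-12-10T13:01:02Z fw1 ALLOW 10.0.0.21 -> 198.51.100.7:443",
    "2014-12-10T13:01:05Z proxy1 GET http://login-update.example/index.php from 10.0.0.33",
    "2014-12-10T13:01:09Z fw1 ALLOW 10.0.0.21 -> 198.51.100.70:443",
    "2014-12-10T13:02:00Z proxy1 GET http://intranet.corp.example/ from 10.0.0.33",
]

REQUIRED_INDICATOR_FIELDS = ("id", "spec_version", "created", "modified",
                             "pattern", "pattern_type", "valid_from")

# Single equality comparison only: [object-type:property = 'value']
SIMPLE_EQUALITY = re.compile(
    r"^\[\s*([a-z0-9-]+:[A-Za-z0-9_.]+)\s*=\s*'([^']*)'\s*\]$")


def load_indicators(bundle_json: str) -> List[Dict]:
    """Parse a STIX 2.1 bundle and return its indicator objects.

    Raises ValueError on a malformed bundle or indicator so a bad feed fails
    loudly instead of silently producing no matches.
    """
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle" or not str(bundle.get("id", "")).startswith("bundle--"):
        raise ValueError("not a STIX bundle")
    indicators = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # other SDOs (malware, reports, ...) are ignored here
        missing = [f for f in REQUIRED_INDICATOR_FIELDS if f not in obj]
        if missing:
            raise ValueError(f"indicator {obj.get('id')} missing {missing}")
        if obj["pattern_type"] != "stix":
            raise ValueError(f"unsupported pattern_type {obj['pattern_type']!r}")
        indicators.append(obj)
    return indicators


def parse_simple_pattern(pattern: str) -> Optional[Tuple[str, str]]:
    """Return (object_path, value) for a single-equality STIX pattern.

    Returns None for anything richer (AND/OR, ranges, MATCHES); a production
    consumer would hand those to a full STIX pattern engine.
    """
    m = SIMPLE_EQUALITY.match(pattern)
    return (m.group(1), m.group(2)) if m else None


def match_logs(indicators: List[Dict], log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_id, value) for each log line containing
    an indicator value as a whole token."""
    compiled = []
    for ind in indicators:
        parsed = parse_simple_pattern(ind["pattern"])
        if parsed is None:
            continue
        value = parsed[1]
        # Whole-token match so 198.51.100.7 does not fire on 198.51.100.70.
        rx = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])")
        compiled.append((ind["id"], value, rx))
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ind_id, value, rx in compiled:
            if rx.search(line):
                hits.append((lineno, ind_id, value))
    return hits


if __name__ == "__main__":
    for lineno, ind_id, value in match_logs(load_indicators(SAMPLE_BUNDLE), SAMPLE_LOGS):
        print(f"line {lineno}: {value} matched {ind_id}")
```

Running the script reports hits on lines 1 and 2 only; line 3 is not a match because the address there is 198.51.100.70, which the whole-token check distinguishes from 198.51.100.7. The compound third indicator is parsed and validated but skipped by the matcher, which is the honest behaviour for a consumer that only implements simple equality patterns.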

Q.2. Second, what obstacles or constraints delay the 
dissemination of such information?

A.2. We believe that carefully updating laws to facilitate 
cybersecurity information sharing is one of several legislative 
changes essential to protect individuals' privacy and improve 
the Nation's cybersecurity. Such legislation should, among 
other things, provide for appropriate sharing with targeted 
liability protections.
    The Administration's updated legislative proposal promotes 
better cybersecurity information sharing between the private 
sector and Government, and it enhances collaboration and 
information sharing amongst the private sector. Specifically, 
the proposal encourages the private sector to share appropriate 
cyberthreat information with the DHS NCCIC, and with private-
sector developed and operated Information Sharing and Analysis 
Organizations (ISAOs), by providing targeted liability 
protection for companies that share information with these 
entities. Once information is received, the DHS NCCIC will then 
share it in as close to real-time as practicable with relevant 
Federal agencies and relevant ISAOs. It does not provide 
protection for individual private-sector entities sharing 
directly with one another.
    The proposed legislation also encourages the formation of 
these ISAOs. The Administration's proposal would also safeguard 
Americans' personal privacy by requiring private entities to 
comply with certain privacy restrictions such as removing 
unnecessary personal information and taking measures to protect 
any personal information that must be shared in order to 
qualify for liability protection. The proposal further requires 
the Department of Homeland Security and the Attorney General, 
in consultation with the Privacy and Civil Liberties Oversight 
Board, the Director of the Office of Management and Budget, and 
others, to develop receipt, retention, use, and disclosure 
guidelines for the Federal Government. Finally, the 
Administration intends this proposal to complement and not to 
limit existing effective relationships between Government and 
the private sector. These existing relationships between law 
enforcement and other Federal agencies are critical to the 
cybersecurity mission.

Q.3. On November 14, 2014, the DHS Office of Inspector General 
released a report that made some criticisms of DHS's 
cybersecurity efforts. The report found insufficient staffing 
at National Cybersecurity and Communications Integration Center 
(NCCIC) and the Office of Intelligence and Analysis, and 
insufficient technical training of staffers. The report also 
stated that DHS faces continuing challenges in sharing cyber 
incident information with Federal operations centers and 
coordinating effective responses. There have also been other 
reports of low staff morale and high staff turnover at key 
positions. Please discuss these problems in more detail and 
explain what the Department is doing to address them. 
Specifically, please explain what DHS is doing to ensure that 
information is being shared as quickly and efficiently as 
possible.

A.3. In regards to the specific recommendations mentioned in 
the November 2014 Office of Inspector General (OIG) report, 
OIG-14-02, DHS Efforts To Coordinate the Activities of Federal 
Cyber Operations Centers, NPPD has done the following:

    Recommendation #2: Collaborate with the Department 
        of Defense (DOD) and National Institute of Standards 
        and Technology (NIST) to develop a standard set of 
        incident categories to ensure seamless information 
        sharing between all Federal cyber operations centers. 
        The United States Computer Emergency Readiness Team 
        (U.S.-CERT) published the Revised Guidelines on October 
        1, 2014, and OIG closed this recommendation on October 
        7, 2014.

    Recommendation #4: Collaborate with I&A management 
        to increase the number of its analysts available for 
        continuous coverage at the NCCIC to provide more 
        intelligence and analysis to all sectors. I&A did not 
        receive the budget to increase the number of analysts 
        for continuous coverage. It is uncertain when I&A will 
        be able to increase the number of its analysts 
        available for continuous coverage at the NCCIC. Due to 
        uncertainty surrounding future budget years, the OIG 
        closed this recommendation on January 7, 2015.

    DHS's Office of Intelligence and Analysis is a key partner 
in NCCIC activities, providing tailored all-source cyberthreat 
intelligence and warning to NCCIC components and public and 
private critical infrastructure stakeholders to prioritize risk 
analysis and mitigation.
    Within the NCCIC, the U.S. Computer Emergency Readiness 
Team (U.S.-CERT) provides response support and defense against 
cyber attacks for Federal civilian agency networks as well as 
private-sector partners upon request. U.S.-CERT collaborates 
and shares information with State and local government, 
industry, and international partners, consistent with rigorous 
privacy, confidentiality, and civil liberties guidelines, to 
address cyberthreats and develop effective security responses. 
In fiscal year (FY) 2014, U.S.-CERT processed approximately 
55,523 cyber incidents involving Federal agencies, critical 
infrastructure, and our industry partners. In addition, U.S.-
CERT issued 7,655 actionable cyber alerts in FY2014 that were 
used by private sector and Government agencies to protect their 
systems.
    The Department's Industrial Control Systems Cyber Emergency 
Response Team (ICS-CERT) responded to 240 incidents in FY2014 
while completing 75 on-site assistance visits for response and 
recovery for significant private-sector cyber incidents. DHS 
also empowers owners and operators through a cyber self-
evaluation tool, which was downloaded by more than 4,800 users 
in FY2014. ICS-CERT also trained more than 640 professionals in 
the Industrial Control Systems security industry.
    Successful response to dynamic cyberthreats requires 
leveraging sector specific agencies (SSAs), homeland security, 
law enforcement, and military authorities and capabilities, 
which respectively promote sector resilience, domestic 
preparedness, criminal deterrence and investigation, and 
national defense. DHS, DOD, and the Department of Justice 
(DOJ), each play a key role in responding to cybersecurity 
incidents that pose a risk to the United States. In addition to 
the aforementioned responsibilities of our Department, SSAs 
like the Treasury Department develop and implement sector 
specific plans unique to respective sectors through a 
coordinated effort involving public and private-sector 
partners. DOJ is the lead Federal department responsible for 
the investigation, attribution, disruption, and prosecution of 
cybercrimes, while DOD is responsible for securing national 
security and military systems as well as gathering foreign 
cyberthreat information and defending the Nation from attacks 
in cyberspace. DHS supports our partners in many ways. For 
example, the United States Coast Guard as an Armed Force has 
partnered with U.S. Cyber Command and U.S. Strategic Command to 
conduct military cyberspace operations.
    While each agency operates within the parameters of its 
authorities, the U.S. Government's response to cyber incidents 
of consequence is coordinated among these three agencies. 
Synchronization among SSAs, DHS, DOJ, and DOD not only ensures 
that whole of Government capabilities are brought to bear 
against cyberthreats, but also improves Government's ability to 
share timely and actionable cybersecurity information among a 
variety of partners, including the private sector.

Q.4. Please explain what DHS is doing to better train and 
retain key employees.

A.4. The recently passed Border Patrol Agent Pay Act of 2014 
and Cybersecurity Workforce Assessment Act both contain 
provisions that require DHS to assess its current cybersecurity 
needs and workforce and to plan for the future. As part of the 
requirements of the two bills, DHS must inventory cybersecurity 
positions, attach workforce codes corresponding to the National 
Initiative for Cybersecurity Education (NICE) Framework, 
identify critical needs and develop a plan for achieving those. 
Using those workforce codes, DHS will be better-positioned to 
identify associated training needs and opportunities specific 
to employees' roles in the Department. The recent legislation 
also allows for hiring authorities for cybersecurity positions, 
and provides authority to set pay scale and incentives for 
certain cybersecurity positions.
                                ------                                


               RESPONSES TO WRITTEN QUESTIONS OF
             SENATOR MENENDEZ FROM PHYLLIS SCHNECK

Q.1. As you know, Federal financial regulators have supervisory 
authority with respect to the cybersecurity efforts of 
regulated financial institutions. For example, the Gramm-Leach-
Bliley Act requires financial institutions to safeguard 
consumers' personal information. But today's financial system 
extends far beyond regulated financial institutions--in the 
consumer payments area alone, for example, it extends to 
payment networks, merchants, and third-party payment 
processors, to name a few.
    Aside from the Federal Trade Commission's Section 5 
authority to guard consumers against unfair, deceptive, or 
abusive practices, there seems to be a critical gap in the 
standards and attention that apply to parts of the system 
beyond financial institutions. In last year's data breach at 
Target, for example, a third-party vendor's credentials were 
used to infiltrate a retailer's system, resulting in the theft 
of consumer financial information.
    How do you see the role of the Department of Homeland 
Security and other Federal Government actors in protecting 
against cybersecurity risks to the financial system more 
broadly, beyond just regulated institutions that are supervised 
by financial regulators?

A.1. Addressing cybersecurity risks involves a range of policy 
tools and approaches, including voluntary assistance in 
implementing effective cybersecurity measures, and threat 
reduction through criminal investigations or other means. DHS 
plays a leading role through the National Protection and 
Programs Directorate which provides support through 
cybersecurity information-sharing programs and direct technical 
assistance when appropriate and requested, and the Secret 
Service and Immigration and Customs Enforcement conduct 
criminal investigations.
    DHS strengthens the cybersecurity of the financial sector 
through voluntary measures by working in partnership with the 
Financial Services Information Sharing and Analysis Center, the 
Treasury Department, and private industry. USSS is a leader in 
investigating cybercrime across a variety of industries and 
partners closely with DOJ to apprehend and prosecute these 
criminals. The Federal Trade Commission, Consumer Financial 
Protection Bureau, Securities and Exchange Commission, and 
other entities with relevant regulatory authorities, enforce 
their regulations as they relate to cybersecurity consistent 
with their authorities. While coordinated action is important, 
this needs to be balanced with the need to foster private-
sector cooperation by maintaining some distinction and 
separation between regulatory, criminal law enforcement, and 
cybersecurity protection assistance.

Q.2. What tools do DHS and other Federal Government actors have 
to address risks to parts of the financial system outside of 
regulated institutions, such as payment networks, other than 
through financial regulators' supervision of regulated 
institutions' relationships with third-party vendors?

A.2. DHS performs a leading role in both aiding industry in 
implementing effective cybersecurity protections and reducing 
the cybercrime risks they face through effective criminal 
investigations. DHS works with a range of public and private 
partners to execute its role in addressing cybersecurity risks.
    As it relates specifically to payment systems, most of the 
relevant cybersecurity requirements are developed by the 
Payment Card Industry (PCI) Security Council and enforced 
through contracts between financial institutions, payment 
processors, and retailers. The United States Secret Service 
works with the PCI Security Council and private industry to 
inform the development of these and other security standards 
based upon current trends in cybercrime activity. This private-
sector driven cybersecurity standards system has proven to be 
highly adaptive to changes in technology, as well as to changes 
in cybercriminal techniques, and provides effective incentives 
for changes to security standards. On January 1, 2015, version 
3.0 of the PCI Data Security Standards replaced version 2.0 to 
become the new standard.

Q.3. Are there additional tools that would be helpful to have?

A.3. DHS is focused on performing its role in providing 
voluntary cybersecurity assistance to private companies and 
conducting criminal investigations to identify and apprehend 
those responsible for computer intrusions. Further 
strengthening these capabilities will assist DHS in 
accomplishing its mission to safeguard and secure cyberspace.
    As necessary, DHS will continue to work with its partners 
in the interagency and in Congress to develop and advance 
legislative proposals that foster rapid cybersecurity 
information sharing and that strengthen Federal law 
enforcement's authorities to investigate cybercrime, including 
the President's recent cybercrime authorities proposal which 
includes increased authorities to prosecute cybercrimes.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER
                      FROM PHYLLIS SCHNECK

Q.1. In responding to all questions below (in every category), 
please respond as if a ``data security breach'' is the 
``unauthorized access to, or acquisition from, a system 
operated or maintained by a financial institution or other 
entity within the financial services industry, or an agent, 
affiliated organization or service provider to that financial 
institution or other financial services entity, that 
compromises the protection, security, integrity, 
confidentiality, or privacy of any customer financial 
information that is itself personally identifiable or that may 
be associated with personally identifiable information of a 
customer.''
    How many data security breaches of systems operated or 
maintained by a financial institution or other entity within 
the financial services industry--whether such breach has been 
publicly reported or not--is your Government department or 
agency aware occurred during 2013 or 2014? In responding to 
this question, please note the following request for an 
explanation:
    If your response to the foregoing question is that you do 
not have knowledge of any such data security breaches 
whatsoever, please indicate why your department or agency is 
not aware of any breaches given the public reports of multiple 
breaches within the industry in 2013 or 2014.
    Additionally, if your department or agency has knowledge of 
such data security breaches that includes nonpublic 
information, and your answer will indicate that you are 
subject to a confidentiality obligation that prohibits your 
answering this question completely, please indicate which 
specific Federal law or other rule prohibits you from 
testifying to the Committee about this information on data 
security breaches of which your department or agency has 
knowledge.

A.1. There were 14 incidents reported from the financial sector 
that are associated with data breaches in 2013-2014. Bear in 
mind that private entities are not required to report breaches 
to the NCCIC, though we make an effort to encourage them to 
share 
information so that we can better inform our private and public 
partners. The NCCIC is the Federal coordination point for 
information sharing and analysis. We maintain trust-based 
relationships across the public and private sector to encourage 
entities to share information and to request assistance as 
needed, without fear of reprisal.
    Through the Protected Critical Infrastructure Information 
(PCII) program, information voluntarily given by the private 
sector for homeland security purposes is exempt from disclosure 
except under specific procedures for Congressional disclosure. 
The PCII Program is an information-protection program that 
enhances voluntary information sharing between infrastructure 
owners and operators and the Government. PCII protections mean 
that homeland security partners can be confident that sharing 
their information with the Government will not expose sensitive 
or proprietary data. Designating information as PCII provides a 
level of protection that facilitates DHS's ability to work 
directly with the infrastructure owners and operators to 
identify vulnerabilities, mitigation strategies, and protective 
measures.
    While protecting their information, DHS has the 
responsibility to provide assistance to those private-sector 
entities who request it and who voluntarily share information 
regarding an incident. Upon receipt of a Request for Technical 
Assistance (RTA), DHS provides on-site and/or remote 
operational support to Government and private-sector partners, 
focusing most specifically on supporting remediation, posture 
adjustment, and recovery efforts. DHS coordinates RTAs with DOJ 
and DOD, and participates in interagency response teams.
    A DHS response team typically includes malware analysts, 
control systems experts, netflow analysts, and DHS law 
enforcement representation, when appropriate. Information 
learned during the operational support process is used not only 
to support the victim, but is also integrated (without 
attribution) into DHS's information-sharing products for the 
broader community.

Q.2. In responding to all questions below (in every category), 
please respond as if a ``data security breach'' is the 
``unauthorized access to, or acquisition from, a system 
operated or maintained by a financial institution or other 
entity within the financial services industry, or an agent, 
affiliated organization or service provider to that financial 
institution or other financial services entity, that 
compromises the protection, security, integrity, 
confidentiality, or privacy of any customer financial 
information that is itself personally identifiable or that may 
be associated with personally identifiable information of a 
customer.''
    Of those data security breaches at financial institutions 
and/or other entities within the financial services industry 
which your department or agency is aware occurred in 2013 or 
2014, please indicate:
    Approximately how many financial services customers--
whether individuals or organizations--you estimate were 
affected by each of those data security breaches.
    How many data security breaches resulted in individual 
customer notices mailed, emailed, or otherwise personally 
delivered to affected customers by the financial institution or 
other financial services entity?
    How many data security breaches resulted in some form of 
public notice by the financial institution or other financial 
services entity? (In response to this subquestion, please 
indicate for each data security breach if notice was made to 
major media outlets in the geographic region served by the 
institution or entity, and/or if the notice resulted from media 
reports following a public regulatory filing.)
    How many data security breaches have never resulted in any 
form of individual customer notices mailed, emailed, or 
otherwise personally delivered to affected customers by the 
financial institution or other financial services entity?

A.2. Private-sector entities are not required to report 
breaches to DHS; our interactions with them are voluntary. DHS 
notifies victims of cyber incidents primarily through the NCCIC 
(U.S.-CERT, ICS-CERT, and National Coordinating Center) and the 
USSS, and this notification is executed in coordination with 
Federal cyber centers and with the FBI. Importantly, DHS is 
responsible for notifying not only the known targets of an 
attack, but also other organizations and sectors that could be 
targeted in the future. These cross sector alerts and warnings 
are a key piece of DHS's efforts to develop shared situational 
awareness and feed various protection efforts. DHS, however, 
does not have the authority to instruct or require financial 
institutions to provide us with information regarding their 
affected customers and their policies regarding customer 
notification of a breach.
    The NCCIC is proud of the partnerships it has established 
with the financial sector. In fact, there are several financial 
partners with a presence in the NCCIC operations center. The 
NCCIC financial sector partners listed below maintain physical 
and/or virtual representation on the NCCIC operations floor:

    Department of the Treasury

    Financial Sector-Information Sharing and Analysis 
        Center (FS-ISAC)

    Federal Deposit Insurance Corporation

    United States Secret Service (USSS)

    Federal Bureau of Investigation (FBI)

    private-sector entities

    Individuals from the private sector, through FS-ISAC 
representatives, cleared at the Top Secret/Sensitive 
Compartmented Information (TS/SCI) level, can and do access 
daily briefs and other NCCIC meetings to share information on 
threats, vulnerabilities, incidents and potential or known 
impacts to the sector. The FS-ISAC, formed to share specific 
threat and vulnerability assessments and effective incident 
response practices, reaches more than 11,000 financial 
institutions throughout the country. FS-ISAC members include: 
banking firms and credit unions, securities firms, insurance 
companies, credit card companies, mortgage banking companies, 
financial services sector utilities, financial services service 
bureaus, and sector-appropriate industry associations.
    Building the trust necessary to have these relationships 
with private sector and Federal partners is one of our most 
important goals. However, we have run into numerous examples 
whereby partners have chosen not to share information with us 
despite the possible protection that information could offer 
other partners. We have found that companies are often 
concerned that if knowledge of a cyber incident becomes public 
it will cause serious damage to their reputation.
    To alleviate these fears, the Department offers protection 
from disclosure of sensitive information under the Protected 
Critical Infrastructure Information (PCII) Act. The PCII 
program helps to ensure the confidentiality of private-sector 
company information, allowing us to strengthen our trust and 
thereby our information sharing and response activities.

Q.3. In responding to all questions below (in every category), 
please respond as if a ``data security breach'' is the 
``unauthorized access to, or acquisition from, a system 
operated or maintained by a financial institution or other 
entity within the financial services industry, or an agent, 
affiliated organization or service provider to that financial 
institution or other financial services entity, that 
compromises the protection, security, integrity, 
confidentiality, or privacy of any customer financial 
information that is itself personally identifiable or that may 
be associated with personally identifiable information of a 
customer.''
    Of those data security breaches which you are aware 
occurred in 2014, and for which no individual customer notice 
was given by the financial institution or other financial 
services entity, has your department or agency investigated the 
circumstances of the breach and considered taking any action to 
require or encourage individual customer notice of the same by 
such institution or entity?

A.3. The responsibility to regulate actions by financial sector 
entities before, during or after a cyber breach is not within 
the purview of DHS responsibilities--as DHS is not a regulator 
of the financial sector. However, we are a coordination point 
for information sharing during and after a cyber breach; and 
the NCCIC works to mitigate damages and provide technical 
assistance upon request. For instance, following attacks on the 
financial services sector in 2013 and 2014, U.S.-CERT went on-
site with major financial institutions and other critical 
infrastructure to provide technical assistance. U.S.-CERT's 
technical data and assistance included identifying 600,000 
Distributed Denial of Service-related IP addresses and 
contextual information about the source of the attacks, the 
identity of the attacker, or associated details. We have had 
long-term, consistent threat engagements with the Department of 
Treasury, the FBI, and private-sector partners in the Financial 
Services Sector.
    DHS notifies victims of cyber incidents primarily through 
the NCCIC (U.S.-CERT, ICS-CERT, and NCC) and the USSS. This 
notification is executed in coordination with Federal cyber 
centers and with the FBI. Importantly, DHS is responsible for 
notifying not only the known targets of an attack, but also 
other organizations and sectors that could be targeted in the 
future. These cross-sector alerts and warnings are a key piece 
of DHS's efforts to develop shared situational awareness and 
feed various protection efforts. DHS, however, does not have 
the authority to instruct or require financial institutions to 
provide us with information regarding their affected customers 
and their policies regarding customer notification of a breach.

Q.4. In responding to all questions below (in every category), 
please respond as if a ``data security breach'' is the 
``unauthorized access to, or acquisition from, a system 
operated or maintained by a financial institution or other 
entity within the financial services industry, or an agent, 
affiliated organization or service provider to that financial 
institution or other financial services entity, that 
compromises the protection, security, integrity, 
confidentiality, or privacy of any customer financial 
information that is itself personally identifiable or that may 
be associated with personally identifiable information of a 
customer.''
    Has your department or agency ever engaged in any 
enforcement action against a financial institution or other 
entity within the financial services industry for failure to 
individually notify affected customers of a data security 
breach suffered by that entity?
    Has your department or agency ever assessed any civil 
penalty or fine against a financial institution or other entity 
within the financial services industry for failure to 
individually notify affected customers of a data security 
breach suffered by that entity?
    If the answer to either question is yes, please specify the 
specific date of the department or agency action, the type of 
action taken, the entity which was subject to the action, and 
the amount of any penalty or fine that was assessed. If the 
answer to either question is no, please indicate the reason why 
your department or agency has not.

A.4. The responsibility to regulate actions by financial sector 
entities before, during or after a cyber breach is not within 
the purview of DHS responsibilities--as DHS is not a regulator 
of the financial sector. However, we are a coordination point 
for information sharing during and after a cyber breach; and 
the NCCIC works to mitigate damages and provide technical 
assistance upon request. For instance, following attacks on the 
financial services sector in 2013 and 2014, U.S.-CERT went on-
site with major financial institutions and other critical 
infrastructure to provide technical assistance. U.S.-CERT's 
technical data and assistance included identifying 600,000 
Distributed Denial of Service-related IP addresses and 
contextual information about the source of the attacks, the 
identity of the attacker, or associated details. We have had 
long-term, consistent threat engagements with the Department of 
Treasury, the FBI, and private-sector partners in the Financial 
Services Sector.
    DHS notifies victims of cyber incidents primarily through 
the NCCIC (U.S.-CERT, ICS-CERT, and NCC) and the USSS. This 
notification is executed in coordination with Federal cyber 
centers and with the FBI. Importantly, DHS is responsible for 
notifying not only the known targets of an attack, but also 
other organizations and sectors that could be targeted in the 
future. These cross-sector alerts and warnings are a key piece 
of DHS's efforts to develop shared situational awareness and 
feed various protection efforts. DHS, however, does not have 
the authority to instruct or require financial institutions to 
provide us with information regarding their affected customers 
and their policies regarding customer notification of a breach.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR CRAPO
                       FROM VALERIE ABEND

Q.1. Fast, efficient sharing of actionable cyberthreat 
information between law enforcement, the intelligence 
community, and industry is a vitally important component of 
protecting information systems. While we have seen significant 
progress over the past couple years in the timeliness and 
quality of information sharing, there is still room for 
improvement. Please describe, first, what steps are being taken 
at your agency or Department to improve the information-sharing 
process and more quickly disseminate actionable information to 
those who need it.
    First, what steps are being taken at your agency or 
Department to improve the information-sharing process and more 
quickly disseminate actionable information to those who need 
it?
    Second, what obstacles or constraints delay the 
dissemination of such information?

A.1. Cyberthreats evolve rapidly, and banks and their critical 
service providers need to have in place appropriate methods for 
monitoring, sharing, and responding to threat and vulnerability 
information to safeguard customer and other sensitive 
information and technology systems. For this reason, the OCC, 
along with the other Federal Financial Institutions Examination 
Council (FFIEC) members, issued the Cybersecurity Threat and 
Vulnerability Monitoring and Sharing Statement on November 3, 
2014. The statement reiterated that banks are expected to 
monitor and maintain sufficient awareness of cybersecurity 
threat and vulnerability information so they can evaluate risk 
and respond accordingly. This statement also recommended that 
banks participate in the Financial Services--Information 
Sharing and Analysis Center (FS-ISAC) and leverage other 
resources to obtain threat information on a timely basis.
    We recognize that obtaining timely, relevant, and 
actionable information is critically important for financial 
institutions and the ability of the financial sector to prepare 
for, respond to, and mitigate evolving threats. Constraints on 
the timely dissemination of threat information can vary 
depending upon the speed at which institutions share, process, 
and act upon the information. To address these obstacles, the 
private sector is working to develop more automated processes 
for distribution of threat information. Further, a statutory 
safe harbor from liability for the sharing of information about 
cyberthreats among institutions and the Federal Government 
would encourage information sharing.

Q.2. During some recent data breaches, hackers have been able 
to break into companies' systems by exploiting vulnerabilities 
of vendors. Please discuss:
    First, what the financial regulators are doing to address 
cybersecurity capabilities at third party service providers for 
financial institutions, using their authorities under the Bank 
Service Company Act of 1962;
    Second, what regulators expect from financial institutions 
in their management of third party relationships; and
    Finally, whether, based on the FFIEC assessment conducted 
this past summer, small institutions are capable of meeting 
these expectations.

A.2. The OCC supervises third-party service providers under our 
Bank Service Company Act (BSCA) authority. The OCC, together 
with the other Federal bank regulatory agencies, developed a 
program to supervise, on an interagency basis, those third-
party technology service providers (TSPs) that are most 
critical to the banking industry. Supervision of the largest 
TSPs is coordinated through the Information Technology (IT) 
Subcommittee of the FFIEC Task Force on Supervision. Other TSPs 
that are smaller in size or complexity are supervised on an 
interagency basis through the regional offices of the agencies.
    As provided in the BSCA, the services performed by a TSP 
for a depository institution are subject to regulation and 
examination to the same extent as if such services were 
performed by the depository institution itself on its own 
premises. Accordingly, the Federal bank regulatory agencies 
examine the adequacy of TSPs' cybersecurity programs, including 
their IT risk management, controls, and information security. 
Examinations are conducted using the same FFIEC information 
technology work programs that are applicable to depository 
institutions. A report of examination is then issued to the 
TSP, along with an URSIT \1\ rating. The examination report is 
made available to depository institutions that use the examined 
services at the time of the examination. The supervision 
program standards used by the Federal bank regulatory agencies 
can be found in the FFIEC IT Examination Handbook Supervision 
of Technology Service Providers booklet. Each Federal bank 
regulatory agency has issued guidance for financial 
institutions regarding the oversight of third-party service 
providers. For the OCC, this guidance is contained in OCC 
Bulletin 2013-29 Third-Party Relationships: Risk Management 
Guidance. This guidance outlines risk management expectations 
for financial institutions' selection, oversight and ongoing 
monitoring of their third-party service providers. This 
guidance has been incorporated into the OCC's supervisory 
strategies used to examine national banks and Federal savings 
associations. In addition to agency specific guidance, the 
FFIEC members have jointly issued guidance on exam procedures 
to examiners that can be found in the FFIEC IT Examination 
Handbook Outsourcing Technology Services booklet.
---------------------------------------------------------------------------
     \1\ Uniform Rating System for Information Technology.
---------------------------------------------------------------------------
    Based on the results from this past summer's pilot of new 
exam procedures, we found that OCC-supervised community 
institutions involved in the assessment generally have 
processes to manage third-party relationships. We will continue 
to communicate the risks posed by third-party relationships and 
our expectations that financial institutions manage these 
risks. Where examiners determine that an institution does not 
meet our expectations, they will require the institution to 
ensure any gaps are addressed.
                                ------                                


               RESPONSES TO WRITTEN QUESTIONS OF
              SENATOR MENENDEZ FROM VALERIE ABEND

Q.1. As you know, Federal financial regulators have supervisory 
authority with respect to the cybersecurity efforts of 
regulated financial institutions. For example, the Gramm-Leach-
Bliley Act requires financial institutions to safeguard 
consumers' personal information. But today's financial system 
extends far beyond regulated financial institutions--in the 
consumer payments area alone, for example, it extends to 
payment networks, merchants, and third-party payment 
processors, to name a few.
    Aside from the Federal Trade Commission's Section 5 
authority to guard consumers against unfair, deceptive, or 
abusive practices, there seems to be a critical gap in the 
standards and attention that apply to parts of the system 
beyond financial institutions. In last year's data breach at 
Target, for example, a third-party vendor's credentials were 
used to infiltrate a retailer's system, resulting in the theft 
of consumer financial information.
    How do you see the role of the FFIEC and its members in 
protecting against cybersecurity risks to the financial system 
more broadly, beyond just regulated institutions?

A.1. Weak cybersecurity has become an increasing risk to the 
safety and soundness of financial institutions and the whole 
financial system. In recognition of this risk, the FFIEC 
created a Cybersecurity and Critical Infrastructure Working 
Group (CCIWG). The CCIWG serves as a dedicated forum to address 
policy relating to cybersecurity and critical infrastructure 
security and resilience of financial institutions and their 
technology service providers. In support of this role and its 
objectives, the CCIWG communicates with the intelligence 
community, law enforcement, and homeland security agencies 
regarding cybersecurity and critical infrastructure issues on 
an ongoing basis. The CCIWG also serves as a forum for members 
to communicate, collaborate, and build on existing efforts to 
support and strengthen the activities of other interagency and 
private sector groups that promote financial services sector 
cybersecurity and critical infrastructure security and 
resilience.

Q.2. What tools do Federal financial regulators have to address 
risks to parts of the system outside of regulated institutions, 
such as payment networks, other than through supervision of 
regulated institutions' relationships with third-party vendors?

A.2. The OCC regulates national banks, Federal savings 
associations, and their third-party service providers. The 
OCC's legal authority to supervise third-party service 
providers is set forth in the BSCA. Under this authority, the 
OCC, in conjunction with other FFIEC member agencies, supervises 
TSPs, including several payment system processors. Supervision 
of the largest and most systemically important TSPs is 
centrally coordinated through the IT Subcommittee of the FFIEC 
Task Force on Supervision.
    Other third-party TSPs, smaller in size or complexity, are 
supervised on an interagency basis through the regional offices 
of the agencies.
    As provided in the BSCA, the services performed by a TSP 
for a depository institution are subject to regulation and 
examination to the same extent as if such services were 
performed by the depository institution itself. Accordingly, 
the Federal bank regulatory agencies examine the adequacy of 
TSPs' cybersecurity programs as part of their examinations of 
IT risk management, controls, and information security. 
Examinations are conducted using the same FFIEC information 
technology work programs that are applicable to depository 
institutions. A report of examination is then issued to the 
TSP, along with an URSIT rating. The TSP's examination report 
also is made available to insured financial institutions using 
the examined services at the time of the examination. The 
supervision program standards used by agencies can be found in 
the FFIEC IT Examination Handbook Supervision of Technology 
Service Providers booklet.
    In addition, under the Dodd-Frank Act, the Financial 
Stability Oversight Council (Council), of which the OCC is a 
member, has the ability to designate critical payment, 
clearing, settlement and other financial market utilities as 
systemically important. Designated financial market utilities 
performing payment, clearing, or settlement activities are 
subject to heightened prudential standards and supervision by 
the Board of Governors of the Federal Reserve System.
    Also, the OCC is a member of the Financial and Banking 
Industry Infrastructure Council (FBIIC) and directly interacts 
with other financial sector regulatory agencies. The FBIIC 
coordinates efforts to improve the reliability and security of 
financial information infrastructure. Through this interaction, 
the OCC can elevate any concerns it has with financial sector 
service providers that are supervised by other regulatory 
agencies.

Q.3. Are there additional tools that would be helpful to have?

A.3. It would be helpful if sectors such as telecommunications 
and public utilities, upon which banks depend, were subject to 
similar standards and oversight.

Q.4. Like Federal regulators, State financial regulators are 
also incorporating cybersecurity considerations into their 
examination and supervision of regulated institutions. On 
December 10, for example, the New York Department of Financial 
Services (NYDFS) announced new examination procedures relating 
to information technology (IT), including a focus on 
cybersecurity as part of an institution's risk-management 
strategy.
    While there appears to be some overlap with Federal 
financial regulators' requirements, there also seem to be some 
notable differences, such as in the information requested and 
whether the level of scrutiny varies based on factors like the 
size of the institution. One press report in the American 
Banker describes NYDFS's requirements as ``tougher than the 
FFIEC's.''
    How would you compare the FFIEC's cybersecurity approach 
and examination procedures to State efforts such as NYDFS's?

A.4. The OCC by itself, and in conjunction with other members 
of the FFIEC, has developed a comprehensive IT supervision 
program that includes supervisory guidance and examination 
procedures relating to cybersecurity. This approach has been in 
place for several years and the NYDFS's recently announced 
examination procedures appear similar.
    The FFIEC IT Examination Handbook includes 11 individual 
booklets covering examination areas such as IT Management, IT 
Audit, Information Security, Development and Acquisition, 
Operations and other key technology control functions. Each of 
these booklets, and the Information Security booklet in 
particular, addresses cybersecurity controls.
    The FFIEC also has issued a number of guidance statements 
covering cybersecurity-related risks including:

    Authentication in an Internet Banking Environment 
        Guidance and the related supplement.

    Cyber Attacks on Financial Institutions' ATM and 
        Card Authorization Systems Joint Statement.

    Distributed Denial of Service Attacks, Risk 
        Mitigation, and Additional Resources Joint Statement.

    Threat and Vulnerability Monitoring and Information 
        Sharing Statement.

    In addition to guidance issued jointly through the FFIEC, 
examples of guidance issued specifically by the OCC include:

    OCC Bulletin 2008-16 Information Security: 
        Application Security.

    OCC Bulletin 2013-29 Third-Party Relationships: 
        Risk Management Guidance.

    Since cybersecurity threats and attacks evolve, the OCC and 
FFIEC have mechanisms in place to continually reevaluate and 
strengthen overall information technology supervision 
processes. We compare and leverage information from recognized 
governmental, regulatory, and industry frameworks and standards 
when developing our examination programs to ensure the scope of 
our examinations adequately covers evolving risks.
    Recognizing the need to continue to strengthen supervision 
of cybersecurity processes at financial institutions, FFIEC 
members piloted a cybersecurity examination work program 
(Cybersecurity Assessment) at over 500 community financial 
institutions to evaluate their preparedness to mitigate cyber 
risks. The FFIEC members are using the results of this 
Cybersecurity Assessment to identify and prioritize actions to 
enhance the effectiveness of cybersecurity-related supervisory 
programs, guidance, notification expectations, and examiner 
training.

Q.5. What operational areas does the FFIEC consider most 
important for cybersecurity? How does this compare to State 
approaches, such as NYDFS's?

A.5. The OCC assesses the key operational areas needing 
examination coverage based on the inherent risk of each 
institution supervised. A financial institution's inherent risk 
is based on the products and services it offers, its processing 
volumes, customer base, technologies used, third-party 
connectivity, and a number of other factors.
    While the risks and corresponding control expectations will 
differ based on the inherent risks of the institution, key 
areas of our focus include:

    Risk Management and Oversight;

    Threat Intelligence and Collaboration;

    Cybersecurity Controls;

    External Dependency Management; and

    Cyber Incident Management and Resiliency.

    These areas of focus are similar to those of the NYDFS.

Q.6. Because of the fast-evolving nature of the cybersecurity 
field, to what extent does the FFIEC look to State efforts for 
possible models or elements to incorporate into Federal 
approaches?

A.6. The OCC and other FFIEC members, which include State bank 
regulators, have been considering many statutory, regulatory 
and industry-recognized frameworks, such as the Federal 
Information Security Modernization Act requirements, National 
Institute of Standards and Technology publications and 
framework, Control Objectives for Information and Related 
Technology framework, International Organization for 
Standardization standards, Capability Maturity Models, and 
others when developing supervisory policies and examination 
programs.
    The OCC also monitors State laws for possible elements to 
incorporate in its guidance and examination approaches, if 
appropriate. For example, when promulgating its customer 
information guidance in 2005, the OCC reviewed and was guided 
by the California breach notification law.

Q.7. Are there elements of NYDFS's model that FFIEC is 
considering incorporating? For example, is the FFIEC 
considering expanding the information it requests to include 
any items covered by NYDFS's new policy?

A.7. Information outlined in the NYDFS letter, dated December 
10, 2014, on its New Cyber Security Examination Process 
generally is already requested as part of ongoing examinations 
at the financial institutions we supervise. The OCC has 
requested such information from institutions for quite some 
time and tailors its requests for information based on the risk 
and complexity of products and operations of the individual 
institution being examined. Examples of the type of information 
requested can be found in the FFIEC IT Examination Handbook.

Q.8. To what extent are Federal financial regulators engaging 
with State regulators more generally relating to cybersecurity 
examinations and supervision, to help inform State regulators 
as well as to be informed by their experiences?

A.8. State banking regulators are represented on the FFIEC. The 
Chair of the State Liaison Committee (SLC) is a voting member 
of the FFIEC and the SLC is comprised of representatives from 
the Conference of State Banking Supervisors, the American 
Council of State Savings Supervisors, and the National 
Association of State Credit Union Supervisors.
    The State Liaison Committee is also represented on the 
FFIEC Task Force on Supervision's IT Subcommittee and the 
CCIWG. These groups are responsible for developing and 
implementing the FFIEC IT guidance statements, work programs, 
and the cybersecurity pilot outlined throughout this response. 
These groups also provide a forum for Federal and State 
regulators to share experiences regarding cybersecurity 
examinations and supervision.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER
                       FROM VALERIE ABEND

Q.1. In responding to all questions below (in every category), 
please respond as if a ``data security breach'' is the 
``unauthorized access to, or acquisition from, a system 
operated or maintained by a financial institution or other 
entity within the financial services industry, or an agent, 
affiliated organization or service provider to that financial 
institution or other financial services entity, that 
compromises the protection, security, integrity, 
confidentiality, or privacy of any customer financial 
information that is itself personally identifiable or that may 
be associated with personally identifiable information of a 
customer.''
    How many data security breaches of systems operated or 
maintained by a financial institution or other entity within 
the financial services industry--whether such breach has been 
publicly reported or not--is your Government department or 
agency aware occurred during 2013 or 2014? In responding to 
this question, please note the following request for an 
explanation:
    If your response to the foregoing question is that you do 
not have knowledge of any such data security breaches 
whatsoever, please indicate why your department or agency is 
not aware of any breaches given the public reports of multiple 
breaches within the industry in 2013 or 2014.
    Additionally, if your department or agency has knowledge of 
such data security breaches that includes nonpublic 
information, and your answer will indicate that you are 
subject to a confidentiality obligation that prohibits your 
answering this question completely, please indicate which 
specific Federal law or other rule prohibits you from 
testifying to the Committee about this information on data 
security breaches of which your department or agency has 
knowledge.

A.1. All national banks and Federal savings associations are 
expected to report to the OCC ``as soon as possible when the 
institution becomes aware of an incident involving unauthorized 
access to or use of `sensitive customer information,' '' as 
defined in 12 CFR Part 30 Appendix B, Supplement A (national 
banks), and Part 170, Appendix B, Supplement A (Federal savings 
associations) (referred to in the answers that follow as ``The 
Response Program Guidance'' or the ``Guidance''). The OCC 
issued the Guidance together with the Board of Governors of the 
Federal Reserve System (State member banks), the Federal 
Deposit Insurance Corporation (State nonmember banks) and the 
National Credit Union Administration (credit unions).
    During 2013 and 2014, there were approximately 20 reported 
security breaches of systems at financial institutions 
supervised by the OCC that fell within the scope of the 
Response Program Guidance.

Q.2. Of those data security breaches at financial institutions 
and/or other entities within the financial services industry 
which your department or agency is aware occurred in 2013 or 
2014, please indicate:
    Approximately how many financial services customers--
whether individuals or organizations--you estimate were 
affected by each of those data security breaches.

A.2. The number of customers impacted by any one of the events 
about which the OCC was notified ranges from fewer than 10 
customers to over 83 million customers.
    While a single event can potentially affect millions of 
customers, most events have had an impact on fewer than one 
thousand customers, with many of the individual events 
affecting a small number of customers.

Q.3. How many data security breaches resulted in individual 
customer notices mailed, emailed or otherwise personally 
delivered to affected customers by the financial institution or 
other financial services entity?

A.3. The Response Program Guidance states that a financial 
institution should notify a customer of unauthorized access to 
sensitive customer information if it determines that the misuse 
of such information has occurred or is reasonably possible. OCC 
examiners, as a part of their ongoing supervisory activities, 
determine whether a financial institution that experiences a 
breach of sensitive customer information has notified customers 
in accordance with the Guidance. OCC examiners also determine 
whether the institution has policies and procedures to ensure 
that it is complying with any relevant State laws.
    Of the incidents listed in response to Question 1 above, 
all but three resulted in direct notification to the affected 
customers. In two instances, it was determined that while 
malware affected the bank's system, no sensitive customer 
information was viewed or removed from the bank's system and 
thus misuse of sensitive customer information did not occur and 
was not reasonably possible, within the meaning of the Response 
Program Guidance. In the third instance, the type of 
information accessed did not meet the definition of sensitive 
customer information contained in the Response Program 
Guidance. Therefore, in these cases, notification was not 
required. In the third instance, the institution did, however, 
issue a public press release and posted notice on its public 
Web site.

Q.4. How many data security breaches resulted in some form of 
public notice by the financial institution or other financial 
services entity? (In response to this subquestion, please 
indicate for each data security breach if notice was made to 
major media outlets in the geographic region served by the 
institution or entity, and/or if the notice resulted from media 
reports following a public regulatory filing.)

A.4. The Response Program Guidance does not require public 
notification to media outlets. The OCC has observed that 
financial institutions typically issue a press release or 
public statement for large-scale breach events.

Q.5. How many data security breaches have never resulted in any 
form of individual customer notices mailed, emailed, or 
otherwise personally delivered to affected customers by the 
financial institution or other financial services entity?

A.5. Of the incidents noted above, there is only one data 
security breach where an institution did not notify affected 
customers. As described above, it was determined that the 
customer information accessed or removed from the institution's 
system did not meet the definition of sensitive customer 
information described in the Response Program Guidance. The 
institution did, however, issue a public press release and 
posted notice on its public Web site about the breach event.

Q.6. Of those data security breaches which you are aware 
occurred in 2014, and for which no individual customer notice 
was given by the financial institution or other financial 
services entity, has your department or agency investigated the 
circumstances of the breach and considered taking any action to 
require or encourage individual customer notice of the same by 
such institution or entity?

A.6. When the OCC is notified that a breach of sensitive 
customer information has occurred, as defined by the Response 
Program Guidance, and the institution determines that the 
information has been or is reasonably likely to be misused, a 
financial institution is expected to provide notice to affected 
customers. The OCC reviews the facts upon which the 
institution's determination is based to ensure that customers 
are notified when warranted.

Q.7. Has your department or agency ever engaged in any 
enforcement action against a financial institution or other 
entity within the financial services industry for failure to 
individually notify affected customers of a data security 
breach suffered by that entity?
    Has your department or agency ever assessed any civil 
penalty or fine against a financial institution or other entity 
within the financial services industry for failure to 
individually notify affected customers of a data security 
breach suffered by that entity?
    If the answer to either question is yes, please specify the 
specific date of the department or agency action, the type of 
action taken, the entity which was subject to the action, and 
the amount of any penalty or fine that was assessed. If the 
answer to either question is no, please indicate the reason why 
your department or agency has not.

A.7. The OCC has not brought an enforcement action against a 
financial institution or other entity within the financial 
services industry for failure to individually notify affected 
customers of a ``data security breach'' suffered by that 
entity, as defined in Question 1. However, between 2009 and 
2013, the OCC took formal enforcement actions against 60 
national banks for failing to have adequate information 
security programs and required them to enhance their 
information technology systems and/or third-party management 
processes.
    National banks and Federal savings associations are 
expected to provide notice to customers in accordance with the 
Response Program Guidance and any applicable State law. The OCC 
has not observed failures to provide this notice and therefore 
has not taken any enforcement action requiring a financial 
institution to do so.

Q.8. Based in part on the OCC's responses to the questions 
above, in addition to other information it deems relevant, 
please give the Committee your complete and thorough assessment 
of the following questions regarding the interpretive guidance 
issued by the OCC, Federal Reserve Board, FDIC, and OTS on 
March 29, 2005, to every financial institution regarding their 
implementation of a response program designed to address 
incidents of unauthorized access to sensitive customer 
information maintained by the financial institution or its 
service provider:
    Has the OCC conducted an annual or other periodic review of 
the interpretive guidance since its issuance in 2005 and, if 
so, what are the OCC's conclusions from those reviews with 
respect to the current applicability and sufficiency of the 
interpretive guidance to today's data security breaches?

A.8. The OCC conducts periodic reviews of our Response Program 
Guidance, and has done so most recently as part of a 
Cybersecurity Risk Assessment of over 500 financial 
institutions that was conducted under the auspices of the FFIEC 
in which the OCC participated. We currently are reviewing the 
results of the Assessment together with other sources of 
information, to determine whether the Guidance should be 
changed and, if so, how best to make these changes.

Q.9. In light of the 47 State laws regarding breach 
notification that have been enacted to date, has the OCC 
reviewed the circumstances under which financial institutions 
may be subject to such laws, and has it considered updating the 
2005 interpretive guidance to bring it in line with current 
requirements for all businesses subject to such State laws to 
individually notify affected customers when that business 
suffers a breach (as defined under each law)?

A.9. Financial institutions are subject to State breach 
notification laws that provide greater protections than the 
Response Program Guidance. See Section 507 of the Gramm-Leach-
Bliley Act (GLBA), 12 U.S.C. 6807. While drafting the Response 
Program Guidance in 2005, the OCC reviewed and was guided by 
existing State laws, in particular California's breach 
notification law. The OCC also reviews State breach 
notification laws from time to time for new developments. Many 
of the current State laws are similar to the Response Program 
Guidance.

Q.10. In the opinion of the OCC, does the 2005 interpretive 
guidance legally ``require'' financial institutions, or other 
entities within the financial services industry, to provide 
individualized notices via mail, email, or other personal 
deliver service to all potentially affected customers when a 
system operated or maintained by a financial institution or 
other financial services entity, or an agent, affiliated 
organization or service provider to that financial institution 
or other financial services entity, suffers a data security 
breach? If your response to this question is ``yes,'' please 
explain the legal reasoning that supports your conclusion that 
the interpretive guidance ``requires'' financial institutions 
to notify customers in light of the text of the guidance 
indicating financial institutions ``should'' contain procedures 
to notify customers when warranted, and does not explicitly 
state that financial institutions ``shall'' notify affected 
customers (similar to the express obligation in State data 
breach notification laws).

A.10. As noted above, national banks and Federal savings 
associations are subject to State law breach notice 
requirements. The Response Program Guidance interprets section 
501(b) of the GLBA and the Interagency Guidelines Establishing 
Information Security Standards. See 12 CFR Part 30, Appendix B 
(national banks) and Part 170, Appendix B (Federal savings 
associations). The Guidelines, which are enforceable by their 
terms, require banks to have a response program that specifies 
actions to be taken when the bank suspects or detects that 
unauthorized individuals have gained access to customer 
information systems, including appropriate reports to 
regulatory and law enforcement agencies. The Guidance 
elaborates on this requirement to state that the OCC expects a 
financial institution's response program to include procedures 
for notifying customers when there has been unauthorized access 
to their sensitive information and misuse of the information 
has occurred or is reasonably possible.

Q.11. If your response to the subquestion above indicates that 
individual customer notice is legally ``required'' for a data 
security breach, please indicate whether the OCC has ever 
enforced such a ``requirement'' against any financial 
institution or other financial services entity, or any agent, 
affiliated organization, or service provider to that financial 
institution or other financial services entity. If the OCC has 
not enforced such a legal ``requirement'' to notify in all 
cases of which it is aware of a data security breach that has 
not resulted in such notice, please explain why it has not 
enforced this requirement in each case.

A.11. Please see the response to Questions 7 and 8.

Q.12. If your response to the subquestion above indicates that 
individual customer notice is legally ``required'' for a data 
security breach, please indicate if the OCC has ever assessed 
any civil penalty or fine against any financial institution or 
other financial services entity, or any agent, affiliated 
organization, or service provider to that financial institution 
or other financial services entity, for failure to individually 
notify affected customers of a data security breach suffered by 
that entity.

A.12. Please see the response to Questions 7 and 8.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR CRAPO
                      FROM WILLIAM NOONAN

Q.1. Fast, efficient sharing of actionable cyberthreat 
information between law enforcement, the intelligence 
community, and industry is a vitally important component of 
protecting information systems. While we have seen significant 
progress over the past couple years in the timeliness and 
quality of information sharing, there is still room for 
improvement. Please describe:
    First, what steps are being taken at your agency or 
Department to improve the information-sharing process and more 
quickly disseminate actionable information to those who need 
it?

A.1. The U.S. Secret Service (Secret Service) continues to be 
committed to quickly disseminating actionable information to 
those who need it, and continues to take steps to further 
improve our ability to notify victims of computer intrusions 
and widely share information to aid organizations in protecting 
their computer networks from the latest cybercriminal methods. 
In FY2014, the Secret Service notified or responded to network 
intrusion incidents at nearly 400 organizations.
    As the Secret Service investigates cybercriminal activity, 
we frequently discover new criminal techniques or methods that 
can inform computer network defense activities. As the Secret 
Service discovers such information, we partner with the 
National Cybersecurity and Communications Integration Center 
(NCCIC), and other public and private entities, to rapidly and 
widely disseminate actionable cybersecurity information, while 
protecting victim privacy and ongoing investigations.
    For example, this past summer, UPS Stores, Inc. announced 
it had been able to use information published in a joint report 
on the Back-Off malware to protect itself and its customers 
from cybercriminal activity. The information in this report was 
derived from a Secret Service investigation of a network 
intrusion at a small retailer in upstate New York. As a result, 
UPS Stores, Inc. was able to identify 51 stores in 24 States 
that had been impacted, approximately 1 percent of their total 
stores, and then contain and mitigate this cyber incident 
before it developed into a major data breach.
    The Secret Service continues to expand its network of 
Electronic Crimes Task Forces (ECTFs) and build relationships 
with public and private-sector partners in order to further 
improve our ability to share actionable cybersecurity 
information in a timely manner.

Q.2. Second, what obstacles or constraints delay the 
dissemination of such information?

A.2. The primary constraint in disseminating cybersecurity 
information is sufficient personnel to analyze the cyberthreat 
information collected through Secret Service investigations, in 
order to extract the relevant actionable cybersecurity 
information to enable computer network defense activities, 
while protecting victim privacy and ongoing investigations.
                                ------                                


        RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER
                      FROM WILLIAM NOONAN

Q.1. In responding to all questions below (in every category), 
please respond as if a ``data security breach'' is the 
``unauthorized access to, or acquisition from, a system 
operated or maintained by a financial institution or other 
entity within the financial services industry, or an agent, 
affiliated organization or service provider to that financial 
institution or other financial services entity, that 
compromises the protection, security, integrity, 
confidentiality, or privacy of any customer financial 
information that is itself personally identifiable or that may 
be associated with personally identifiable information of a 
customer.''
    How many data security breaches of systems operated or 
maintained by a financial institution or other entity within 
the financial services industry--whether such breach has been 
publicly reported or not--is your Government department or 
agency aware occurred during 2013 or 2014? In responding to 
this question, please note the following request for an 
explanation:
    If your response to the foregoing question is that you do 
not have knowledge of any such data security breaches 
whatsoever, please indicate why your department or agency is 
not aware of any breaches given the public reports of multiple 
breaches within the industry in 2013 or 2014.
    Additionally, if your department or agency has knowledge of 
such data security breaches that includes nonpublic 
information, and your answer will indicate that you are 
subject to a confidentiality obligation that prohibits your 
answering this question completely, please indicate which 
specific Federal law or other rule prohibits you from 
testifying to the Committee about this information on data 
security breaches of which your department or agency has 
knowledge.

A.1. The Secret Service has identified 52 case files involving 
confirmed data breaches of financial services entities in 2013 
or 2014.

Q.2. Of those data security breaches at financial institutions 
and/or other entities within the financial services industry 
which your department or agency is aware occurred in 2013 or 
2014, please indicate:
    Approximately how many financial services customers--
whether individuals or organizations--you estimate were 
affected by each of those data security breaches.

A.2. The Secret Service does not generally keep records of the 
number of customers affected, and instead focuses on the total 
fraud losses or other measures of economic impact. A review of 
the 52 case files indicates that the cases vary from 
potentially a single customer impacted to millions of customers 
impacted. Recorded fraud losses range from $2,000 to in excess 
of $8 million.

Q.3. How many data security breaches resulted in individual 
customer notices mailed, emailed, or otherwise personally 
delivered to affected customers by the financial institution or 
other financial services entity?

A.3. The Secret Service generally keeps no records on whether 
customer notifications are performed as a result of a data 
security breach. The Secret Service is focused on investigating 
and apprehending the criminals responsible for data breaches.

Q.4. How many data security breaches resulted in some form of 
public notice by the financial institution or other financial 
services entity? (In response to this subquestion, please 
indicate for each data security breach if notice was made to 
major media outlets in the geographic region served by the 
institution or entity, and/or if the notice resulted from media 
reports following a public regulatory filing.)

A.4. The Secret Service does not generally keep records on 
whether the victim organization made any form of public notice.

Q.5. How many data security breaches have never resulted in any 
form of individual customer notices mailed, emailed, or 
otherwise personally delivered to affected customers by the 
financial institution or other financial services entity?

A.5. The Secret Service does not generally keep records on 
whether the victim organization made any form of notice to 
their customers.

Q.6. Of those data security breaches which you are aware 
occurred in 2014, and for which no individual customer notice 
was given by the financial institution or other financial 
services entity, has your department or agency investigated the 
circumstances of the breach and considered taking any action to 
require or encourage individual customer notice of the same by 
such institution or entity?

A.6. The Secret Service is focused on working collaboratively 
with victim companies to investigate the criminals responsible 
for data breaches and minimize fraud losses. The Secret Service 
does not have authority to require victim companies to make 
customer notice, and generally only encourages companies to 
take actions as they further our investigative aims of 
countering the cybercriminal activity.

Q.7. Has your department or agency ever engaged in any 
enforcement action against a financial institution or other 
entity within the financial services industry for failure to 
individually notify affected customers of a data security 
breach suffered by that entity? If yes, please specify the 
specific date of the department or agency action, the type of 
action taken, the entity which was subject to the action, and 
the amount of any penalty or fine that was assessed. If no, 
please indicate the reason why your department or agency has 
not.

A.7. The Secret Service has not engaged in any enforcement 
action against a financial institution or other entity within 
the financial services industry for failure to individually 
notify affected customers of a data security breach suffered by 
that entity. The Secret Service does not have any authority to 
engage in any such enforcement action.

Q.8. Has your department or agency ever assessed any civil 
penalty or fine against a financial institution or other entity 
within the financial services industry for failure to 
individually notify affected customers of a data security 
breach suffered by that entity? If yes, please specify the 
specific date of the department or agency action, the type of 
action taken, the entity which was subject to the action, and 
the amount of any penalty or fine that was assessed. If no, 
please indicate the reason why your department or agency has 
not.

A.8. The Secret Service has never assessed any civil penalty or 
fine against a financial institution or other entity within the 
financial services industry for failure to individually notify 
affected customers of a data security breach suffered by that 
entity. The Secret Service does not have any authority to 
assess civil penalties or fines for such matters.



              Additional Material Supplied for the Record
              
              
              
              
   LETTER TO AGENCIES SUBMITTED BY CHAIRMAN JOHNSON AND SENATOR CRAPO

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


             LETTER OF RESPONSE SUBMITTED BY JOINT AGENCIES

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


     LETTER OF RESPONSE SUBMITTED BY THE DEPARTMENT OF THE TREASURY

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


 LETTER OF RESPONSE SUBMITTED BY FEDERAL DEPOSIT INSURANCE CORPORATION

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


       LETTER OF RESPONSE SUBMITTED BY THE NATIONAL CREDIT UNION 
                             ADMINISTRATION

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



 LETTER OF RESPONSE SUBMITTED BY THE BOARD OF GOVERNORS OF THE FEDERAL 
                             RESERVE SYSTEM


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


 LETTER OF RESPONSE SUBMITTED BY THE OFFICE OF THE COMPTROLLER OF THE 
                                CURRENCY

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    LETTER TO THE CONFERENCE OF STATE BANK SUPERVISORS SUBMITTED BY 
                   CHAIRMAN JOHNSON AND SENATOR CRAPO

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


     LETTER OF RESPONSE SUBMITTED BY THE CONFERENCE OF STATE BANK 
                              SUPERVISORS

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


   STATEMENT SUBMITTED BY THE NATIONAL ASSOCIATION OF FEDERAL CREDIT 
                                 UNIONS

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


 STATEMENT SUBMITTED BY THE SECURITIES INDUSTRY AND FINANCIAL MARKETS 
                              ASSOCIATION

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


  STATEMENT SUBMITTED BY THE INDEPENDENT COMMUNITY BANKERS OF AMERICA

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

``PROTECTING MERCHANT POINT OF SALE SYSTEMS DURING THE HOLIDAY SEASON''


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]