[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
PROTECTING CRITICAL INFRASTRUCTURE:
HOW THE FINANCIAL SECTOR
ADDRESSES CYBER THREATS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
AND CONSUMER CREDIT
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
MAY 19, 2015
__________
Printed for the use of the Committee on Financial Services
Serial No. 114-26
U.S. GOVERNMENT PUBLISHING OFFICE
95-070 PDF WASHINGTON : 2015
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman
PATRICK T. McHENRY, North Carolina, Vice Chairman
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
SCOTT GARRETT, New Jersey
RANDY NEUGEBAUER, Texas
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
MICHAEL G. FITZPATRICK, Pennsylvania
LYNN A. WESTMORELAND, Georgia
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
ROBERT HURT, Virginia
STEVE STIVERS, Ohio
STEPHEN LEE FINCHER, Tennessee
MARLIN A. STUTZMAN, Indiana
MICK MULVANEY, South Carolina
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
LUKE MESSER, Indiana
DAVID SCHWEIKERT, Arizona
FRANK GUINTA, New Hampshire
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas

MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
RUBEN HINOJOSA, Texas
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
JOHN C. CARNEY, Jr., Delaware
TERRI A. SEWELL, Alabama
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
PATRICK MURPHY, Florida
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
Shannon McGahn, Staff Director
James H. Clinger, Chief Counsel
Subcommittee on Financial Institutions and Consumer Credit
RANDY NEUGEBAUER, Texas, Chairman
STEVAN PEARCE, New Mexico, Vice Chairman
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
MICHAEL G. FITZPATRICK, Pennsylvania
LYNN A. WESTMORELAND, Georgia
BLAINE LUETKEMEYER, Missouri
MARLIN A. STUTZMAN, Indiana
MICK MULVANEY, South Carolina
ROBERT PITTENGER, North Carolina
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
FRANK GUINTA, New Hampshire
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
MIA LOVE, Utah

WM. LACY CLAY, Missouri, Ranking Member
GREGORY W. MEEKS, New York
RUBEN HINOJOSA, Texas
DAVID SCOTT, Georgia
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
STEPHEN F. LYNCH, Massachusetts
MICHAEL E. CAPUANO, Massachusetts
JOHN K. DELANEY, Maryland
DENNY HECK, Washington
KYRSTEN SINEMA, Arizona
JUAN VARGAS, California
C O N T E N T S
----------
Page
Hearing held on:
May 19, 2015................................................. 1
Appendix:
May 19, 2015................................................. 37
WITNESSES
Tuesday, May 19, 2015
Bentsen, Hon. Kenneth E., Jr., President and Chief Executive
Officer, the Securities Industry and Financial Markets
Association (SIFMA)............................................ 4
Fitzgibbons, Russell, Executive Vice President and Chief Risk
Officer, The Clearing House Payments Company L.L.C............. 9
Garcia, Gregory T., Executive Director, the Financial Services
Sector Coordinating Council (FSSCC)............................ 6
Healey, Jason, Senior Fellow, the Atlantic Council............... 11
Nichols, Robert S., President and Chief Executive Officer, the
Financial Services Forum....................................... 8
APPENDIX
Prepared statements:
Hinojosa, Hon. Ruben......................................... 38
Bentsen, Hon. Kenneth E., Jr.,............................... 40
Fitzgibbons, Russell......................................... 47
Garcia, Gregory T............................................ 54
Healey, Jason................................................ 62
Nichols, Robert S............................................ 68
Additional Material Submitted for the Record
Neugebauer, Hon. Randy:
Written statement of the Independent Community Bankers of
America.................................................... 72
Written statement of the National Association of Federal
Credit Unions.............................................. 75
Written statement of the National Association of Insurance
Commissioners.............................................. 78
PROTECTING CRITICAL INFRASTRUCTURE:
HOW THE FINANCIAL SECTOR
ADDRESSES CYBER THREATS
----------
Tuesday, May 19, 2015
U.S. House of Representatives,
Subcommittee on Financial Institutions
and Consumer Credit,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 12:59 p.m., in
room 2175, Rayburn House Office Building, Hon. Randy Neugebauer
[chairman of the subcommittee] presiding.
Members present: Representatives Neugebauer, Pearce, Lucas,
Posey, Fitzpatrick, Westmoreland, Luetkemeyer, Stutzman,
Mulvaney, Pittenger, Barr, Guinta, Tipton, Williams, Love;
Clay, Hinojosa, Velazquez, Lynch, Heck, Sinema, and Vargas.
Chairman Neugebauer. The Subcommittee on Financial
Institutions and Consumer Credit will come to order. Without
objection, the Chair is authorized to declare a recess of the
subcommittee at any time.
Today's hearing is entitled, ``Protecting Critical
Infrastructure: How the Financial Sector Addresses Cyber
Threats.''
Before I begin, I would like to thank our witnesses for
being here today and for traveling all the way over to 2175. We
had a little preview of our new digs, but there is a thing in
construction called a ``punch list,'' and I think we had to
remove ourselves for a week or so, so they could work on a
punch list over there. But we hope to be back in there soon.
As a little bit of housekeeping, I am sure that the
majority leader forgot I was having a hearing this afternoon
and has scheduled votes sometime here in the next few minutes.
And I am sure that was an oversight on his part. But
nonetheless, we will have Members who have to go vote. We are
going to take care of that little constitutional duty.
I will just remind everyone that the Chair is authorized to
call a recess at any time, and so the Members can vote. So I
think what we are going to try to do here is we are going to
have opening statements and we are going to keep going until
they ring the bell. We will ask Members to quickly go over and
vote, and we will come back and resume the hearing. After that,
we should be good to go for the rest of the hearing.
I am now going to recognize myself for 5 minutes to give an
opening statement.
The financial services sector is one of the most complex
and critical sectors of the U.S. economy.
Financial sector participants hold deposits for consumers;
ensure the consistent flow of capital through our capital
markets; provide loans for small businesses; support large,
internationally active corporations; and operate some of the
most sophisticated payment systems on the globe.
Literally trillions of dollars flow through the financial
sector each and every single day. Given its position of
critical importance, the financial services sector has become a
top target for cyber attacks.
Today and every day this year, there will be 117,334 cyber
incidents against the U.S. economy, according to a
PricewaterhouseCoopers study.
A recent Depository Trust & Clearing Corporation study
highlighted cybersecurity as the number one issue of concern
for financial institutions. This top position is held over
risks such as overregulation and geopolitical risks.
Last week, SEC Chair Mary Jo White noted that cyber attacks
are the ``biggest systemic risk'' facing the United States of
America. And Treasury Secretary Jack Lew noted that
cybersecurity is one of those issues that keeps him up at
night.
Given the importance of this threat, the financial services
sector has responded well. The sector has been a leader in
setting up an information-sharing framework and has been an
active and constructive participant in working with U.S.
regulatory agencies and law enforcement. And further, the
sector's investment in cybersecurity infrastructure and
engagement by senior management has been crucial to preventing
future attacks.
However, we should all remember that there is no single
institution or system that is 100 percent protected from cyber
attacks. The sector faces threats posed by a growing array of
cyber criminals, national and state actors, and terrorist
organizations. Each has tremendous financial and political
incentive to continue looking for weak spots, and to cause
sector disruption.
Today's hearing is important for Members to gain a better
understanding of some of the top cyber issues facing the
financial services sector.
First, we must better understand the nature of cyber
threats. Where are threats coming from? What do they look like?
And how are we working with global partners?
Second, information-sharing and liability protection are
crucial elements to a cyber response framework. We should
explore how public-private partnerships help facilitate
comprehensive responses to cyber threats, and if there are
areas where we should be and can be improving.
Third, contingency preparation is critical to being able to
provide continuity in the sector in the wake of a cyber attack.
We should better understand the steps the financial services
sector is taking to plan for attacks, train employees, and test
its system.
Cybersecurity is a shared responsibility. It is a shared
responsibility among financial institutions. It is a shared
responsibility between the public sector and the government. It
is a shared responsibility between the United States and our
global allies.
And finally, being thoughtful leaders on this issue is a
shared responsibility for members of this committee. I would
like to thank my Democratic colleagues for taking this issue so
seriously and contributing to a very constructive dialogue.
I would now like to recognize the ranking member of the
subcommittee, Mr. Clay, for 3 minutes.
Mr. Clay. Thank you, Mr. Chairman, and thank you to each of
today's witnesses for your testimony. I welcome today's
testimony from our panel of practitioners and content area
experts. And I view this afternoon's hearing as an important
opportunity to shed some light on the financial services
industry's ability to effectively monitor, detect, and respond
to cyber attacks.
Cyber criminals, state-sponsored and affiliated hackers,
and politically-motivated ``hacktivists'' have all targeted the
financial services industry. And their tactics have continued
to evolve and expand in frequency, scale, sophistication, and
severity.
To that end, the financial services industry's response,
monitoring, and information-sharing infrastructure, as well as
the response capabilities of the relevant Federal regulators,
must reflect the dynamic nature of cyber threats.
Mr. Chairman, I firmly believe that cybersecurity is one of
a few issues where our committee can truly work in a bipartisan
fashion to ensure that our regulators and regulated entities
have the necessary resources and support to defend against
cyber attacks. I look forward to each witness's testimony, and
I yield back the balance of my time.
Chairman Neugebauer. The Chair now recognizes the
gentlewoman from Arizona for 2 minutes.
Ms. Sinema. Thank you, Mr. Chairman. When hackers stole the
credit card information of Susan, one of my constituents from
Chandler, Arizona, she initially didn't notice an unauthorized
$10 donation to a small charity, but the next month she did
notice the several hundred dollars in police uniforms that a
man in London had purchased using her card, and that is when
she called the FBI.
Unfortunately, Susan's story is all too common. Last year
alone, according to Verizon's 2015 Data Breach Investigations
report, there were more than 79,000 security incidents reported
and more than 2,000 confirmed data breaches. These breaches
have exposed the personally identifiable information, as well
as sensitive financial information, of millions of consumers.
Securing the financial services sector requires us to
continue to strengthen security practices and information-
sharing infrastructures.
Educating consumers and financial sector participants is
also crucial if these efforts are to be successful.
The evolving nature of cyber threats calls for a vigorous
and dynamic response. I look forward to hearing more from our
witnesses today about how industry is developing safety
protocols that keep pace with technological innovation, and how
educating consumers and financial sector participants will help
better protect consumers like my constituent, Susan.
Thank you, Mr. Chairman. I yield back my time.
Chairman Neugebauer. I thank the gentlewoman.
We will now turn to our witnesses. Today we welcome the
testimony of the Honorable Kenneth E. Bentsen Jr., president
and CEO of SIFMA; Mr. Gregory T. Garcia, executive director of
the Financial Services Sector Coordinating Council; Mr. Robert
S. Nichols, president and CEO of the Financial Services Forum;
Mr. Russell Fitzgibbons, executive vice president and chief
risk officer for The Clearing House Payments Company; and Mr.
Jason Healey, senior research scholar at the School of
International and Public Affairs, Columbia University, and
senior fellow at the Atlantic Council.
You will each be recognized for 5 minutes to give a summary
of your testimony, and without objection, your complete written
statements will be made a part of the record. We would ask you
to limit your remarks to 5 minutes.
Mr. Bentsen, you are now recognized for 5 minutes.
STATEMENT OF THE HONORABLE KENNETH E. BENTSEN, JR., PRESIDENT
AND CHIEF EXECUTIVE OFFICER, THE SECURITIES INDUSTRY AND
FINANCIAL MARKETS ASSOCIATION (SIFMA)
Mr. Bentsen. Thank you, Chairman Neugebauer, Ranking Member
Clay, and members of the subcommittee for allowing me the
opportunity to testify on this critically important topic.
A large-scale cyber attack resulting in the destruction of
books and records and disruption of our capital markets is
among the most significant and systemic threats facing our
economy today, so it is appropriate that so much time and
energy is being focused on developing public-private
partnerships and identifying solutions to mitigate that risk.
The financial services sector has invested huge sums of
capital into their cyber attack deterrence programs over the
years, enhancing their efforts to match the growing threat.
As policymakers and the industry focus on addressing the
causes of the last financial crisis, it is equally, if not more
important that we focus on the future risks, and cyber crime is
the greatest.
Some 18 months ago, SIFMA's members commenced the five-part
multiyear effort to address cybersecurity threats and related
risks to broker-dealers and asset managers. Emanating from our
previous work as part of the industry's business continuity
planning, and in response to the 2014 NIST framework, the goal
of these five initiatives is to better identify the
vulnerabilities to our sector and to prepare individual firms
of all sizes and the broader sector to defend themselves and
our clients, thereby enhancing protection for the millions of
Americans who access these markets every day.
My written testimony goes into much more detail on these
five initiatives, but I would like to touch on just a few.
SIFMA recently published its principles for effective
cybersecurity regulatory guidance and called for regulations to
be harmonized across agencies for greater effectiveness. These
principles build upon the highly valuable NIST framework, an
initiative which we contributed much time and energy to, and
after its release have sought out opportunities to promote its
use within the sector by mapping existing compliance
requirements so firms can see where they could not only enhance
risk management, but compliance as well.
The industry also looks to the government to help identify
uniform standards, promote accountability across the entire
critical infrastructure, and provide access to the essential
information. SIFMA urges policymakers to consider how best to
incorporate the principles into the respective regulatory
initiatives. Importantly, regulators should coordinate their
efforts to ensure harmonization.
SIFMA assembled a working group to develop a diagnostic on
the U.S. equity and treasury markets to determine the sector's
resiliency during the attack. After mapping process flows
within these markets, a workshop was held during which a set of
10 diverse cyber risk scenarios were applied to the markets,
and a number of potential vulnerabilities were identified.
These results are being addressed via a number of public
and private internal working groups. As a result of this
exercise, we have undertaken efforts with the accounting
industry and the American Institute of CPAs (AICPA) to develop
a third-party vendor risk audit standard, referred to as SOC 2,
that should provide increased transparency and accountability
with third-party vendors.
Building off of the lessons learned from the SIFMA-
sponsored cyber exercise ``Quantum Dawn 2'' in 2013, and from
our experience in Superstorm Sandy, SIFMA continues to revise
the industry's playbook for responding to a cyber attack which
could result in market closures. On a continuing basis, we are
working with stakeholders including exchanges, clearinghouses,
and regulators to ensure the current state of readiness.
Our dialogue with the FSSCC and with our partners in
government has evolved into a joint exercise program of
quarterly tabletop exercises and other large-scale simulations
to test industry preparedness and response. Additionally, we
have made substantial progress in developing an improved
process to request technical assistance from the Federal
Government in the midst of a cyber attack. This pre-positioning
will help reduce the time it takes to engage the relevant
civilian and law enforcement agencies to assist firms.
SIFMA and its member firms have spent considerable time and
energy to improve cyber threat information-sharing both within
our sector and with our government partners. And at a high
level, there has been increased collaboration and communication
between the government and the financial services industry.
Importantly, we are endeavoring to continue this
collaboration on a regular basis, again to ensure a current
state of readiness. There is room for further improvement.
However, I would like to flag three recommendations for this
committee's consideration.
First, our industry needs clarity on which government
authority is responsible for each specific aspect of
cybersecurity.
Second, the financial services sector would benefit from
higher quality and more frequent classified briefings.
And third, we need Congress to get a cybersecurity
information-sharing bill to the President before the next
crisis, not after.
Neither the industry nor the government can prevent or
prepare for cyber threats on their own. SIFMA has brought
together experts from across the public and private sectors to
better understand the risks involved in a cyber attack and to
develop best practices to be prepared to thwart an attack, but
to be effective, we must work closely with the Federal
Government to strengthen our partnership, and protect our
economy and the millions of Americans who place their
confidence and trust in the financial markets each and every
day.
Thank you.
[The prepared statement of Mr. Bentsen can be found on page
40 of the appendix.]
Chairman Neugebauer. I thank the gentleman.
Now, Mr. Garcia, you are recognized for 5 minutes.
STATEMENT OF GREGORY T. GARCIA, EXECUTIVE DIRECTOR, FINANCIAL
SERVICES SECTOR COORDINATING COUNCIL (FSSCC)
Mr. Garcia. Thank you, Chairman Neugebauer, Ranking Member
Clay, and members of the subcommittee for the opportunity to
testify today.
I am the executive director of the Financial Services
Sector Coordinating Council, or FSSCC, which was established in
2002. FSSCC involves 66 of the largest financial firms and
their industry associations. I am also pleased to be able to
share the witness table today with the FSSCC chairman, Mr.
Russell Fitzgibbons.
Today I will discuss how we are organized under regulatory
and partnership frameworks to manage the cyber risks and
threats that are faced by the financial sector.
The financial sector operates over a network of information
and communications technology platforms, making cybersecurity
of paramount importance to the sector. A successful
cybersecurity or physical attack on these systems could have
significant impacts on the global economy and the Nation.
For example, malicious cyber actors vary considerably in
terms of motivation and capability, from nation-states
conducting corporate espionage to sophisticated cyber criminal
groups stealing money, to ``hacktivists'' intent on making
political statements. Many cybersecurity incidents, regardless
of their original motive, have the potential to disrupt
critical systems, even inadvertently.
Thus, the FSSCC's mission is to strengthen the financial
sector's resilience against attacks and other threats. We work
with the Treasury Department, law enforcement, the Department
of Homeland Security, the intelligence community, and
regulators toward four main objectives.
First, identify threats through robust information-sharing.
Second, promote protection and preparedness through best
practices.
Third, coordinate incident response through joint
exercises.
And fourth, consider how the policy environment can promote
the above activities.
In practice, these objectives have yielded numerous
accomplishments for the benefit of the sector and the economy
over the past 10 years.
For example, just to list a few recent examples, we are
improving information-sharing content and procedures between
government and the sector. We have developed and we maintain an
all-hazards crisis response playbook and a cyber response
coordination guide that lead our incident responders and our
executive decision-makers through decision and action
procedures during an incident.
Also, we are conducting joint exercises affecting different
segments of the financial system. As Mr. Bentsen alluded to, we
maintain a physical presence in the Department of Homeland
Security's National Cybersecurity and Communications
Integration Center, or NCCIC. This serves as a hub for sharing
information related to cybersecurity and communications
incidents across sectors.
Our representative there is cleared at the Top Secret/SCI
level. Relatedly, we have worked closely with government
partners to obtain security clearances for key financial
services sector personnel. These clearances have been used to
brief the sector on new information security threats and have
permitted the exchange of timely and actionable information. We
develop best practices involving third-party risks, supply
chain, and cyber insurance strategies, among many others.
To go on, we have developed research and development
priorities to improve the tools for protection resilience. We
are engaging with other critical sectors and international
partners to understand and leverage our interdependencies such
as communications and electricity.
We have created a financial sector-owned, operated, and
governed .bank and .insurance top-level Internet domains. When
the Internet-governing authority expanded the number of the so-
called top-level domains beyond .com, .gov, .org, .edu, et
cetera, they expanded them to hundreds of different names, but
we established the .bank and .insurance domains on our own to
ensure that we have security standards to protect our system
from fraud and cyber attack. This includes imposing eligibility
requirements, verification, name selection standards, and other
security-focused technical requirements.
Our operational arm, the Financial Services Information
Sharing and Analysis Center, or FS-ISAC, has developed a
technical tool called Soltra Edge that automates threat sharing
and analysis and speeds the time to decision and mitigation
from days to hours and minutes.
Finally, a word about regulation. Mr. Chairman, the
financial sector is often credited for having developed a
mature cybersecurity risk management posture. This is due in
part to the fact that financial services is a heavily regulated
industry, but it is also because our business models, consumer
confidence, and the stability of the financial system are
dependent upon a secure and resilient infrastructure. We really
can't afford to be complacent.
The financial sector supports the need for regulatory
guidance on effective standards of practice for cyber risk
management, but as the regulatory agencies are independent,
there is not sufficient coordination among them in our
experience. One institution may face multiple and differing
sets of examination questions about the same security controls
depending on which regulator is doing the assessment.
We would urge more uniformity among the regulatory agencies
in their examination procedures. This process could be more
efficient so that financial firms can focus more on securing
our infrastructure and less on answering multiple
questionnaires in different ways. We need to ensure we are all
aligned with unity of effort toward a common objective:
financial services security and resiliency.
Mr. Chairman, that concludes my testimony. I will be happy
to answer any questions.
[The prepared statement of Mr. Garcia can be found on page
54 of the appendix.]
Chairman Neugebauer. I thank the gentleman.
Mr. Nichols, you are now recognized for 5 minutes.
STATEMENT OF ROBERT S. NICHOLS, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, FINANCIAL SERVICES FORUM
Mr. Nichols. Thank you, Mr. Chairman, Ranking Member Clay,
and members of the subcommittee for the opportunity to
participate in today's hearing on the threat posed by cyber
attacks to our financial system.
As you mentioned, I am here as the CEO of the Financial
Services Forum, which is a financial and economic policy
organization comprised of the CEOs of 18 of the largest and
most diversified financial institutions doing business here in
the United States.
Your hearing is both enormously important and remarkably
timely. In recent years, cyber attacks have grown rapidly, both
in number and level of sophistication. According to Symantec
Corporation, a leading information and Internet security firm,
cyber attacks around the world have soared 91 percent in 2013
alone.
Just last week, the Depository Trust & Clearing
Corporation, a New York-based securities settlement and
clearing firm, released its Systemic Risk Barometer for the
first quarter of 2015, based on a survey of financial market
participants. Asked to identify the top risks to the financial
system, respondents cited cyber attacks. Indeed, nearly half of
the respondents, 46 percent, cited cybersecurity as their top
concern, with respondents specifically noting the growth in the
frequency and sophistication of cyber attacks.
Effectively defending against the mounting threat of cyber
attacks requires resources, technical sophistication, and
cooperation among financial institutions and between the
financial industry, other critical infrastructure sectors, and
the relevant government agencies. Large financial institutions
are working hard to deliver every day on each of those critical
fronts.
With regard to resources and technical expertise, large
financial institutions remain at the cutting edge of cyber
protection and are regarded by most experts--both in the public
sector and the private sector--as having developed and deployed
some of the most sophisticated and effective defenses against
cyber attacks in the corporate world.
With regard to industry cooperation and coordination,
cybersecurity in the financial sector is a team effort--because
it has to be. To be successful, the industry must invest in,
and operate within, a single unified cybersecurity culture.
In particular, large financial institutions are investing
in ever-more robust and automated systems of threat analysis
and sharing. Automated threat analysis enables the quick and
reliable detection and diagnosis of threats. And automated
sharing enables the swift dissemination of clear and precise
threat information across the financial system. In a very real
sense, large financial institutions serve, as one could say, as
the forward guard of America's cyber defenses.
Cooperation between industry and government is vital if the
battle against mounting cyber threats is to be won. To
encourage better cyber threat information-sharing within the
financial sector and between industry and government,
legislation providing sensible ``Good Samaritan'' protections
is needed.
Such legislation should facilitate real-time cyber threat
information-sharing to enable financial institutions and
government to act quickly; provide liability protection for
good faith cyber threat information-sharing; provide targeted
protections from public disclosures, such as exemptions from
certain Freedom of Information Act requests; facilitate
appropriate declassification of pertinent government-generated
cyber threat information and expedite issuance of clearances to
selected and approved industry executives; and lastly, include
appropriate levels of privacy protections.
With these needs in mind, the bill passed by the House on
April 22nd, which, of course, you supported, Mr. Chairman, is a
major and important step forward, and will greatly facilitate
industry's cooperation with government. We hope the Senate will
soon take up its information-sharing proposal to continue
progress on this important issue. We would urge swift movement
and passage on that important legislation.
On behalf of the Forum and its members, I commend you for
drawing attention to this issue and this effort. We look
forward to working with you in the days ahead.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Nichols can be found on page
68 of the appendix.]
Chairman Neugebauer. I thank the gentleman.
Mr. Fitzgibbons, you are now recognized for 5 minutes.
STATEMENT OF RUSSELL FITZGIBBONS, EXECUTIVE VICE PRESIDENT AND
CHIEF RISK OFFICER, THE CLEARING HOUSE PAYMENTS COMPANY L.L.C.
Mr. Fitzgibbons. Thank you, Chairman Neugebauer, Ranking
Member Clay, and members of the subcommittee. My name is Russ
Fitzgibbons, and I am the executive vice president and chief
risk officer of The Clearing House Payments Company.
As the chief risk officer, I am responsible for enterprise
risk management, information security, and business continuity.
I also serve, as referenced by Mr. Garcia, as the current Chair
of the Financial Services Sector Coordinating Council. I
appreciate the opportunity to appear before you today to
discuss issues that are critical to all Americans--the
protection of our payment systems against cyber threats.
The Clearing House is the Nation's oldest banking
association and payments company, founded in 1853, and
currently owned by 26 banks. We provide payment, clearing, and
settlement services to our owner banks and other financial
institutions, clearing and settling nearly $2 trillion daily.
The Clearing House also engages in payments technology and
payments systems security advocacy.
The Clearing House operates the Clearing House Interbank
Payments System, commonly referred to as CHIPS, and we are a
leading participant in the Automated Clearing House, referred
to as ACH, network. We are the only private-sector ACH operator
in the country, processing approximately 50 percent of all
commercial ACH volume in the United States through our
networks.
CHIPS is the largest private-sector U.S.-dollar funds
transfer system in the world, clearing and settling an average
of $1.5 trillion in payments--both domestic and cross-border--
daily.
Because of the volume and importance of the financial
transactions enabled by The Clearing House's systems, robust
protection of these systems from cyber threats is essential.
Those threats have become more frequent and more sophisticated
in recent years. The criminal organizations and other groups
launching these threats are constantly innovating, and we need
to be at least as agile as they are in defending ourselves.
I would like to discuss some of the ways in which The
Clearing House works both on its own and frequently in
collaboration with other financial services firms to defend
itself and its institutional customers against cyber threats.
First, like others in our sector, The Clearing House is
subject to special legal and regulatory requirements such as
those promulgated by the Federal financial regulatory agencies
of the Federal Financial Institutions Examination Council, the
FFIEC. The Clearing House's data security practices are subject
to regular examination and supervision through the FFIEC's
Multi-Regional Data Processing Servicers Program, referenced as
MDPS.
Second, we are constantly innovating. One example of
innovation for improved cyber defense is a new platform of The
Clearing House which replaces account numbers with randomly
generated temporary numbers during processing. With Secure
Token Exchange, the customer's actual account information
remains behind bank firewalls while preserving the current
customer experience.
Third, we engage in training and exercises through
simulations that put our cyber defense processes to the test
and identify areas for improvement.
Finally, we engage in extensive information-sharing by
actively engaging with the FS-ISAC, its member organizations,
and our government partners. Truly effective cybersecurity will
also require increased efforts by the Federal Government to
defend the financial sector against threats often originating
overseas, and above all, more effective collaboration between
the private sector and the government.
My written statement details some of the additional
components of our information-sharing efforts. However, I would
like to mention a couple of them.
Through FS-ISAC and the Depository Trust & Clearing
Corporation, the sector recently deployed a more effective
platform for real-time automated sharing of cyber threat
information called Soltra Edge. Utilization and integration of
Soltra Edge across the sector's infrastructure is expected to
scale significantly over the next few years.
We also coordinate closely with the National Infrastructure
Coordinating Center, the Department of Homeland Security's
Operations Center that maintains awareness of critical
infrastructure for the Federal Government. We participate
actively in the Financial Services Sector Coordinating Council,
and we also work closely with the Treasury Department's office
for critical infrastructure protection and compliance, and its
cyber intelligence group.
While the financial services sector has made considerable
strides in its sharing with the sector and with our government
partners, there are still areas for improvement. Companies in
the financial sector share information quite extensively with
the government. We have lots of opportunity to improve our
ability to support our cyber first responders, defend critical
infrastructure, and protect our stakeholders.
To that end, the Administration has issued two Executive
Orders designed to improve sharing from the government to the
private sector, and there have been resulting improvements. But
we think more work could be done with the analysis of threat
information, and government agencies need to continue to
increase prioritization and allocation of resources for
declassification of information that pertains to network
defense.
I would also add that we believe Congress has an important
role to play in promoting greater and more effective
cybersecurity information-sharing. We support two bills that
have passed the House, and we support the information-sharing
legislation that is moving through the Senate. And we would
urge you to move as quickly as possible to get those bills to
the President's desk.
Thank you again for the opportunity to testify, and I look
forward to your questions.
[The prepared statement of Mr. Fitzgibbons can be found on
page 47 of the appendix.]
Chairman Neugebauer. I thank the gentleman. And Mr. Healey,
you are recognized for 5 minutes.
STATEMENT OF JASON HEALEY, SENIOR FELLOW, THE ATLANTIC COUNCIL
Mr. Healey. Chairman Neugebauer, Ranking Member Clay, and
distinguished members of the subcommittee, thank you for the
honor of testifying today.
Over the past nearly 20 years, I have been involved in
cyber operations and policy in the military and intelligence
community, the White House, and the finance sector. Now, with
Columbia University's SIPA and the Atlantic Council think tank,
I may be less involved in the day-to-day cyber tumult than my
colleagues, but with a bit more freedom to analyze what might
be next. Therefore, in the interest of time, I will agree with
the strength of the sector that my colleagues have already
mentioned in order to look ahead.
Last year we published the first history of cyber conflict
of how states have really, over the past 25 years, fought in
cyberspace. One of the key lessons is that it may be easy to
disrupt a target using the Internet but it is far more
difficult to keep it down over time in the face of determined
defenses. And as we saw after the attacks of September 11th,
the finance sector can be extremely determined.
Therefore, looking forward, I believe the committee need
not be overly concerned about a James Bond-style large-scale
disruptive attack taking down the sector. This should not mean
that we should rest on our successes to date.
In fact, I am deeply worried that the finance sector will
get caught up in what I believe is the Internet's most
dangerous moment. If nuclear talks with Iran collapsed, there
might be a rapid spike in truly disruptive attacks by a
dangerous cyber adversary who has already struck at U.S.
financial targets. Worse, President Putin of Russia may
likewise feel that with his own economic back against the wall,
it is time to retaliate with some just deniable enough little
green bytes. Facing potentially existential regime threats,
Iran and Russia may see little downside to digitally lashing
out against a global financial system in which they have few
remaining stakes.
As an example of what we might expect, while a next
generation Sony-style attack would not take down the sector as
a whole, it might seriously disrupt a systemically important
financial institution so that it could not clear or settle
within--by the end of the day. These dangers require immediate
contingency planning and can--including exercises such as those
my colleagues have talked about within the sector and with the
regulators and other Federal and international partners.
On the government side, the Executive Branch could do a
better job of leading from the front and sharing protection and
restraint.
The government berates companies to share information, but
despite recent gains, it keeps too much information classified
or stuck behind bureaucratic barriers. It may need some added
push from committees like yours, which oversees the sectors
which so desperately need that stuck information.
Likewise, as someone who has proudly worked in both the
public and private sectors, it is frustrating to hear
bureaucrats or even directors of NSA complain that companies
miss standards even in the face of their own Federal
Information Security Management Act (FISMA) scores. And even
though it should be in the long-term interest of the United
States that financial infrastructures should be off-limits to
cyber attacks, the Department of Defense has not yet made clear
statements to create that norm.
In conclusion, this subcommittee might also usefully push
the Executive Branch to think of a broader set of possible
responses to give the finance sector more staying power in the
event of a sustained conflict such as against Russia or China.
When I was working finance sector-wide events with the FS-
ISAC, our responses could have been far more successful not
with DOD suppressing fire or cyber ninjas, but with solid
officers and NCOs ready to roll up their sleeves to help corral
the countless details of a major response. In the face of
nation-state cyber threats, we would not want the sector to
stumble simply for the lack of a few MOUs in place beforehand
for more flexible partnerships.
And if you remember, the FS-ISAC would likely never have
been as strong as it is today, if it had not been recapitalized
12 years ago by a grant from Treasury, with the proviso that it
would provide service to all regulated American financial
institutions, not just those who paid a membership fee. It may
be the time for additional innovation using grants, perhaps not
directly to the sector anymore, but to the countless other non-
stake groups who help defend this Nation's critical
infrastructure.
Thank you for your time.
[The prepared statement of Mr. Healey can be found on page
62 of the appendix.]
Chairman Neugebauer. I thank the gentleman. The Chair now
recognizes himself for 5 minutes for questions.
Mr. Garcia and Mr. Fitzgibbons, in your testimony you
talked about Soltra Edge, and I was kind of intrigued by that
process. Evidently, that is an electronic detection and
notification software, I assume. I am interested in how that
database is updated, and then what is the distribution once a
detection is made? Obviously, it is meant to be an information-
sharing tool, so what is the dissemination process on that?
Mr. Fitzgibbons. Sure. So I will start, great. The benefit
of Soltra Edge actually recognizes the fact that while it is
widely accepted that information-sharing is the right thing to
do, sharing that information when done effectively creates a
ton of information--extraordinary amounts of information. And
what was recognized is that the recipients, through the FS-
ISAC, for example, who would get this--these threat indicators,
it was a lot of work to try and get it into their systems and
so forth.
We recognized that to really be effective, we needed to
automate that stream, and we needed to create a machine-
readable language. We needed to create standards by which that
information would actually transit from the FS-ISAC onto or
through the Soltra system onto the various firms that
participate.
So what actually happens is that all the members who have
come across threat indicators will put them into the system
using the appropriate standards and so forth. And then by
joining that system and participating in it, you will be the
recipient of that information so you can protect yourselves
using information that the whole community has actually
uncovered about threats that are actually emanating. And then
you can update your detection systems automatically, and that
is really the benefit of it all, to take this opportunity to
take something that is created by many and then share it out to
everyone else quickly and effectively in a machine-readable
form that can be updated to systems.
Chairman Neugebauer. Mr. Garcia, do you want to elaborate
on that?
Mr. Garcia. Yes. Mr. Fitzgibbons is exactly right. It is a
fact that machine-to-machine information-sharing enables faster
response times and better, more uniform analysis of the
threats, making sense of what we are seeing. And I think we
credit that a lot to a standard developed by the Department of
Homeland Security, they are called STIX and TAXII. I won't go
into the acronym. But one of them describes a common
nomenclature, a common language, a dictionary for how we refer
to threats and all of the various characteristics of those
threats. And the other one is a common communications platform
so that everybody can use this. So this is taxpayer dollars
well spent.
It is a standard and open specification that is available
to all sectors. And the financial sector has overlaid on top of
those standards a software program that enables us to share
among ourselves, and if we so choose, with other sectors as
well.
Chairman Neugebauer. Thank you.
Mr. Bentsen, I think you mentioned in your testimony that
over the last several years, you have held cyber attack
simulations to kind of, I guess, prepare for what if, and how
to respond. Can you tell us some of the benefits that have come
out of hosting those simulations?
Mr. Bentsen. Yes, Mr. Chairman, a couple of things. Over
the years, we have run a couple of simulations, Quantum Dawn 1,
and Quantum Dawn 2, which was most recently in 2013. We will be
doing a Quantum Dawn 3 in the third quarter of this year.
The Quantum Dawn 2 exercise, and then some subsequent
tabletop exercises that we have done with our government
partners as well as our partners at this table, allow us to
iteratively grow our capabilities to respond to identify gaps
in whether it is information-sharing, coordination, whether we
have the right parties involved. In the case of Quantum Dawn 2,
which was a multi-pronged simulated attack on the U.S. equity
markets, the outtakes from that were that we needed more
engagement from our exchange partners and that we needed a
better coordination mechanism going into a situation recovery
that was talked about here as well.
So our view is that these exercises are good not just on a
one-off basis but on an ongoing basis. And one of the things
that we have talked with our government partners about is to
continue both these large simulations and tabletop exercises on
a regular basis so we maintain a state of readiness and we
don't atrophy in the process.
Chairman Neugebauer. And do you generate a deliverable then
that is shared across the industry and with all the
participants--
Mr. Bentsen. What we did in the case of Quantum Dawn 2, is
we used that as well as our experience coming out of Superstorm
Sandy, which did result in a closing of the equity and fixed
income markets to improve our playbook with the exchanges with
the regulators, with the industry partners, and those involved
in it.
Likewise in the tabletops, we are trying to come out with
deliverables both for the industry and for the government.
Chairman Neugebauer. I thank you.
And now the gentleman from Missouri, the ranking member of
the subcommittee, Mr. Clay, is recognized--
Mr. Clay. Thank you so much, Mr. Chairman.
Chairman Neugebauer. --for 5 minutes.
Mr. Clay. Let me start with Mr. Healey. Given the level of
sophistication of cyber attacks from China, in particular, is
it reasonable to expect that financial institutions will be
successful in stopping them?
Mr. Healey. We have been learning over time that a
determined offense will almost always get through. This is not
a recent trend; we have seen quotes that go back to the 1970's
that essentially say the bad guys are going to get through if
they want to. So the best, I think, any company, any
organization can do is to not just try to keep them out, but to
do what the financial--I think it has been pretty good at, at
least at the main institutions, is presumption of breach.
Assume that there is already a heist going on, that you
have a sophisticated set of diamond thieves who are already
inside the bank, and then how do you find those sophisticated
diamond thieves when they are inside? I suspect JPMorgan Chase
would not have discovered an intrusion if they hadn't been
using this presumption of breach.
But this is still difficult. It is tough even for the big
institutions to do, so I am worried about how the small and
medium-sized financial institutions are going to try to catch
up.
Mr. Clay. Anyone else? Mr. Fitzgibbons?
Mr. Fitzgibbons. One of the things I would mention--I agree
very much with Mr. Healey, but one of the things that is really
a benefit of--gets to the small and medium institutions of an
institution such as FS-ISAC that it does take advantage of the
resources, the experiences, and so forth of a firm such as, I
heard reference to JPMorgan.
When you go into the ISAC, that is where those threat
indicators are shared. And then when you go into some of the
other forums where tactics and techniques are discussed, as
well, using a forum such as the ISAC actually allows us to take
those lessons learned and those resources available at some of
the larger firms and get it out to the smaller and the medium
banks and so forth.
And that is why the partnership with a membership in the
ISAC is so important and why we have seen it growing as well;
everybody is trying to avail themselves of that.
Mr. Clay. Mr. Bentsen?
Mr. Bentsen. Mr. Clay, I would add two things to that.
First, following up on Russ' comments, expanding the membership
of the ISAC is critically important. And what we and others
have tried to do is one, to get all of our members to
participate in it, to encourage our regulators--FINRA, SEC, and
others--to encourage to the extent they can that all of their
regulated entities are participating in the ISAC.
Two, to develop standards across the sector that aren't
just for the larger institutions who may have more
capabilities, but for all members because they are all linked
together. They are all trading together.
The other thing--the point I would make is, I don't think
we can stand up here and say that we can create an impregnable
defense that will keep all attacks out. And I don't think you
have been saying that. We certainly need to try and have the
most established firewalls, but the key is also to be prepared
to recover when there is an attack, and that takes a tremendous
amount of work as well.
Mr. Clay. Can any other panelist give me a sense of the
scope and nature of the types of cyber attacks that we are
seeing from China, Russia, North Korea, and Iran?
Mr. Healey, any sense of--
Mr. Healey. Yes.
Mr. Clay. --the scope of the attacks?
Mr. Healey. Yes, sir. Certainly, what we have seen--the
Verizon data breach investigations report, which was already
brought up, does a good job of seeing the kinds of attacks that
have been hitting the finance sector as a whole. The larger set
of attacks hitting the finance sector has been point-of-sale
and other kinds of similar attacks, those that go like
phishing emails after Web sites.
What is surprisingly small for the finance sector has been
inside abuse, which has been only about 7 percent of the total,
and also espionage, which again we tend to associate with
China, has only been about 1 percent. So really, cyber
espionage hasn't been the scourge for finance as it has for
some of the other sectors.
Russia, Eastern European hackers, because they dominated a
lot of that criminal market has been I think a lot more
significant than North Korea or China. Again, we saw Iran very
significantly 2, 3 years ago and we may see them again.
Mr. Clay. Mr. Fitzgibbons?
Mr. Fitzgibbons. One thing I would add is there is an
important point here, and that is really regardless of the
threat, and those threats that you have referenced are
certainly recognized, the defenses against it often are very,
very similar. And they come down to some very, very basic
fundamentals.
Mr. Healey referenced phishing attacks and so forth. That
still is probably the single-most prevalent form of attack
against institutions. So regardless of where that attack is
emanating from--the training, the education, and the discipline
around infrastructure and security, et cetera is really the
best way to ensure that regardless of the threats that we are
protecting ourselves to the greatest extent.
Mr. Clay. Thank you so much. Mr. Chairman, I yield back.
Chairman Neugebauer. I thank the gentleman. We will now
recess. We have four two-vote series. I encourage all Members
to return as quickly as you can, and we will get started as
soon as we get back.
With that, this hearing is recessed, subject to the call of
the Chair.
[recess]
Chairman Neugebauer. The committee will come back to order.
And I now want to recognize the gentleman from New Mexico, the
ranking member and past Chair of the subcommittee, Mr. Pearce,
for 5 minutes.
Mr. Pearce. Thank you, Mr. Chairman. I am trying to re-
register. Maybe I will stay where I am at.
So, Mr. Fitzgibbons, Mr. Healey said that looking ahead, we
need not be overly concerned with large-scale attacks that
might seriously disrupt the economy. Is that something you
would agree with?
Mr. Fitzgibbons. I would agree to a point, okay. I think
when you look at the nature of the attacks and what is possible
and what is potential, we tend to look at things as what is
going to be the extreme, what is the worst, worst possible
scenario.
So while I might agree, kind of conceptually or
theoretically, that that is maybe not likely, you have to
prepare regardless. So when we are actually doing our analysis
and also with our regulatory authorities, they are actually
asking us, how would you recover from that extreme event they
referred to as extreme yet plausible. So while I agree with the
concept, we prepare for the catastrophic attack.
Mr. Pearce. Mr. Bentsen, you also said that transparency
and regulations--the regulations should move towards
transparency, is that more or less it? Is that something you
would also agree with?
Mr. Bentsen. I think transparency and harmonization--I
think some of the other panelists mentioned this beforehand. I
have members who are bank-affiliated broker-dealers and futures
commission merchants, so they are regulated by three prudential
regulators as well as the SEC, the CFTC, FINRA, and the
National Futures Association. All of these agencies
appropriately are looking at guidance and regulation with
respect to--an inspection with respect to cyber defenses in the
firms. And we believe there should be harmonization across
those agencies.
Mr. Pearce. Now, as I listen, as you can tell, I don't have
a Ph.D. in cyber warfare, but it seems like we are mostly on
defense and cyber warfare. In other words, we are like goalies
on a dart team trying to catch the dart before it sticks in the
board behind us. Do we ever have any offense like when they get
into our systems? Do we have malware that is waiting for them
to greet them and go into their systems and start?
Mr. Garcia?
Mr. Garcia. No, sir. That is illegal. Offense from the
private sector side is not a legal thing to do. So that is the
purview of the department.
Mr. Pearce. Do we prosecute people? Do we--
Mr. Garcia. Prosecute, yes. As they are--we work closely--
Mr. Pearce. How many--
Mr. Garcia. --with law enforcement.
Mr. Pearce. In a given year, the prosecutions might be what
percent of the people who are trying to get into our systems?
Mr. Garcia. Good question. I don't have that figure.
Mr. Pearce. Anybody? Mr. Healey?
Mr. Healey. On the earlier question and shooting back, this
is something that the Department of Defense has taken very
seriously. And now they have a national mission for us at U.S.
Cyber Command that is there looking into what they say, red
space, looking at the United States' main adversaries. And if
there were a large-scale attack on the United States of the
kind I talked about, U.S. Cyber Command would be there to try
and disrupt the incoming attacks on the finance sector.
Mr. Pearce. Okay. And you feel like that has validity
because in your closing statement you said that really you
weren't looking for the military ninjas or something like that,
cyber ninjas. And so you would feel like that offensive
capability has some validity?
Mr. Healey. Yes, I am very pleased. It is there. I think if
we were able to get more response in place and think more
broadly, we might be able to get to fix the sector before it
reaches the point that the Department of Defense needs to shoot
back and potentially escalate the crisis.
Mr. Pearce. Okay. So if we look back to the question of
prosecution, do any of you know what the penalties are? In
other words, are they sufficient to keep people from trying?
Does it sound like we are too active in prosecuting people who
carry out cyber warfare? Is that correct?
Mr. Garcia. I think there is a bit of feeling that law
enforcement could always use more resources and higher
penalties so that they can really go after the cyber criminals.
I would also suggest though that there are other innovative
ways of using existing law. In the past, the financial sector
has partnered with companies like Microsoft. And as Microsoft
sees everything that is happening on its platforms, the Hotmail
and Windows, et cetera, they can see where some of these
networks of cyber criminals are operating and how they are
attacking financial institutions and together--
Mr. Pearce. Okay. I need to get on another question. We are
running out of time. They all are staring at me. The concept
of--James Rickards in his book talks about how in 2009 the
Pentagon sponsored a fairly significant cyber warfare on our
financial institutions using stocks, derivatives, currencies.
Is that--Mr. Healey, was that a process that was beneficial and
is it still ongoing? Do you know?
Mr. Healey. I'm sorry. The 2009--
Mr. Pearce. Yes, it was just the Pentagon sponsored a
really significant mock warfare in the cyber theater.
Mr. Healey. Yes. Those kinds of exercises, I think, have
been very interesting in getting some lessons that have fit in.
But again, I think we often go to those extreme cases, which I
think are less likely--are going to be--
Mr. Pearce. --a small amount.
Thanks. I yield back.
Chairman Neugebauer. I thank the gentleman. And now the
gentleman from Massachusetts, Mr. Lynch, is recognized for 5
minutes.
Mr. Lynch. Thank you, Mr. Chairman. And I want to thank the
witnesses for your help today.
I have my doubts about how well-prepared we are. Back in
2010 we had the flash crash, of course, and the market
plummeted 600 points in a couple of minutes and then it came
right back up. And we did a full study, the CFTC and the SEC,
and they told us it was a firm here in the United States, and
it was a result of certain trading patterns from that firm.
And then last month, so that was the story they had been
giving the Financial Services Committee for the past 4 years.
And then they did a further analysis in April of this year.
They came out and said that was all wrong. It was actually a
fellow named Sarao, a U.K. trader, who was spoofing and doing
thousands and thousands of trades. So we had this whole
narrative of 4 years about what they found was the problem with
the system, and it was all hogwash. And finally 4 years later
we find out--we think we find out what the real story is.
So I am just very skeptical that we have a good and strong
assessment about the weaknesses in our financial services
electronic trading and commerce in general.
Am I wrong in being suspect of the handle that at least the
CFTC and the SEC have on all of this?
Mr. Healey?
Mr. Healey. To some degree, I certainly agree with you. The
system has become so complex that it is difficult for anyone to
try and understand it. At least when we had--just trying to
understand financial risk prior to 2008, we had risk modelers,
we had VaR, we had all sorts of tools and people whose
responsibility it was to track this complexity and figure out
who was holding the risk at the end of the day.
I am worried that on cyber risk, not just in the finance
sector, the system has gotten so complex that we can't model
what we know who is ultimately holding the risk at the end of
the day. And I think the sector has started to get their arms
around this by looking at vendor management, active contact
management to figure out not just how is the security at a
single bank, but how is the security of their supply chain and
those they depend on.
So we are starting to get our arms around it as a sector--
Mr. Lynch. Yes.
Mr. Healey. --but I think it is very difficult.
Mr. Lynch. Yes. I actually want to compliment the Chair of
this subcommittee and the Chair of the full Financial Services
Committee. We have been calling for these hearings just to look
at cybersecurity for a little while, and they have been very
responsive. This is the second hearing we have had in a couple
of weeks.
Is there--I do want to talk about the financial services
part of this, though. That is the one that we are principally
involved in. And is there a moral hazard in the way we are
handling this? Have we incentivized companies, especially
JPMorgan Chase and others who have the reputational risk if
their system is compromised?
Have we really--it seems like, with the Target hack and
JPMorgan and others where you have had social security numbers
compromised widely, there hasn't been a lot of downside for
them other than the fact that some of their investors are
probably worried about their personal information?
Mr. Bentsen?
Mr. Bentsen. I would say two things about that, Mr. Lynch.
Number one, every time those firms have a situation with
information being stolen or we don't represent the consumer
side of the business, but credit card numbers being stolen, it
is those firms that underwrite the cost of doing that. So I
think that if you look at the cost to the firms that they were
having to absorb, and that is--and it is the right thing to do
for the benefit of maintaining the confidence of their
customers.
A second point I would make--and I take your point about
the flash crash. And as you know, the regulators are in the
process of putting in a consolidated audit trail, which the
industry will pay for ultimately. It would be a mistake if the
industry wasn't doing what it is doing right now and has been
doing to map out what is going on to look and see where the
vulnerabilities are, to look and see where the risks are with
third party vendors across the spectrum.
And so, we may not be there yet, but I think you have to
take stock of what is being done right now.
Mr. Lynch. Okay. Thank you.
Mr. Nichols. I would add to--echo Mr. Bentsen's point about
restoring trust with the consumer, it is a critically important
thing, and no financial institution can operate without it, of
course. But I would say to your point, it is extremely
challenging.
The institutions have to be right all the time.
Mr. Lynch. Yes.
Mr. Nichols. The bad actors can only be right once.
Mr. Lynch. Yes.
Mr. Nichols. But I will say that all the institutions have
made cyber defense a number one public policy priority.
Mr. Lynch. Okay. My time has expired. I yield back.
Thank you, Mr. Chairman.
Chairman Neugebauer. I thank the gentleman.
And the gentleman from Oklahoma, Mr. Lucas, is recognized
for 5 minutes.
Mr. Lucas. Thank you, Mr. Chairman.
Listening to you--to the panel, I suppose the one
observation I would offer up is that in the nature of criminal
activity, the desire of the criminal, of course, is to bleed
the process, but not to kill the patient--to be able to return
and bleed the patient again. Cyber activity that is
nationalistic in nature, my phrase, clearly is out to inflict
economic damage, to kill the patient.
So in the spirit of that, take me back to the fundamental
rudimentary issues here. Describe for me how these kinds of
attacks unfold in the fashion we are seeing now. And I don't
care which member of the panel discusses it--how these cyber
attacks unfold on financial institutions from the perspective
of criminal activity or the perspective of a nationalistic
effort.
Mr. Healey. If I can, I will take the national part, just
to get us warmed up here.
So we have seen a number of these national state attacks
that have looked at the finance sector. The most recent one
where denial of service attacks by Iran, probably about 2012
that unfolded over the course of a year, almost 2 years of
whether or not they were angry at sanctions and decided the
finance sector was the right target to show their displeasure
or out of--because they had been attacked by Stuxnet. So a
group that was difficult to pin directly on Iran, but
intelligence was able to help determine that it was.
Every day, every couple of days would decide on a new set
of American banks that they would target. They would direct
Botnet zombies under their control of compromised computers
onto those targets every couple of days. They would change
those targets to flood the Web site.
This wasn't a big deal if it was only interrupting getting
to the main Web site of the bank. Again, it might hurt consumer
confidence a little bit, but there is no real information that
is important to the market.
If it was keeping them from getting access to look at their
account, their online information, then it starts getting a
little bit worse. Still not systemically important, because
they can still get their money from the ATM; they just can't
look at it online and do some of the bill pays or other things
that they might want to do. That has been, I think, one of the
best examples.
When the United States has wanted to do it against others,
we have looked at, can we do covert actions, say against
Slobodan Milosevic or Saddam Hussein. And we still--we love
that idea, but it doesn't appear like we have done it just yet.
Mr. Lucas. Gentlemen, on the criminal side?
Mr. Garcia. I could--a common form of attack that can
happen in any major organization is--as was alluded to before,
a phishing attack. An employee receives an email that looks
like it is from her boss or from a customer or from somebody
they know and trust, and it looks authentic. They open the
email and perhaps there is an attachment. Maybe they were even
expecting that attachment.
And once it is opened, that actually turns out to be an
attachment that is owned by the cyber criminal that then
deposits into the computer system of the recipient some form of
malware, a Trojan or some kind of a virus that then propagates
throughout the corporate system. And then once they are in,
they can browse around the corporate network and see where
there is data of value, and you steal it, corrupt it, destroy
it, and that is very common, and it is getting more and more
sophisticated.
Mr. Lucas. So the volume of attacks, I think was alluded to
earlier, are increasing. At what rate would you describe from
the criminal perspective this increase and is it from a
dramatically different set of sources?
Mr. Garcia. The increase--the potentially good news about
the increase is that we have increasingly sophisticated tools
to detect malicious activity. So having greater situational
awareness about what is happening to us is a good thing, and
then we can start--we can continue to tailor tools to combat
that.
So, I think the vexing thing about technological innovation
is not only does it give us great new tools for working and
living, and playing, and entertaining, but it also gives
enterprising criminals new sources of vulnerabilities to
exploit.
Mr. Fitzgibbons. Congressman, if I could just add one of
the things that the increasing number of attacks certainly is
important. But as we increase our defenses and can kind of
recognize an attack and stop it, that is great. It is really
the sophistication of the attacks and using the examples such
as the phishing attack.
One of the things that we have seen whether it be nation-
state or whether it be criminal is these attacks are very, very
well structured. They obviously have information or they have
information that suggests they understand your infrastructure.
They understand your processes.
So your employees, your staff will be getting an email that
you actually expected. You have heard that there was an upgrade
to your email system and you are hearing from the systems
administrator that, oh, in order to actually successfully move
you across, we need to do this. And that is really the
challenging part, because we can stop something that we know
about and send it 100 times while stopping 100 times.
But when they find those backdoors and those side doors
that take advantage of people's understanding of how their own
company works, that is where it gets physically challenging.
Mr. Lucas. Thank you.
Chairman Neugebauer. The time of the gentleman has expired.
The gentleman from Washington is recognized for 5 minutes.
Mr. Heck. Thank you, Mr. Chairman. I want to add my voice
to that of Mr. Lynch's expressing my appreciation for
conducting this hearing on what I consider to be a very
important subject. I appreciate it very much, sir.
I don't know to whom I should address this question. I am
going to try Mr. Garcia, just randomly here as a follow up to
some of Mr. Lucas' line of inquiry. Do we have a rough sense
about what the division is between nation-state attacks and
domestic criminal attacks on cyber systems?
Mr. Garcia. I don't have specific numbers, but I think
cyber criminal attacks are much more numerous partly because
there is a big business behind actually providing hacker tools
to people who want to buy them.
Mr. Heck. So a majority of the attacks come from criminals
domestically?
Mr. Garcia. Yes.
Mr. Heck. So now I want to pursue--also as a follow up to
Mr. Lucas kind of the accountability link here. I am not an IT
professional, and I don't follow this as closely as those who
are in the business do. But I have a simple if not simplistic
view, namely cyber attacks cost money, destroy things of
economic value. Just as certainly as if you were to know that I
did--I was not within my home nor any of my family, but you
burned it down. You would cost value, economic consequence.
And yet the truth is--I think I have read one or maybe two
instances of somebody going to jail over this stuff. Now, look
I realize we are in the midst of a legitimate debate about
whether we are putting too many people in jail, certainly for
non-violent crimes, but these have enormous economic costs. Do
we have the legal framework to provide accountability for
people who are destroying things of value, our time, our
effort, our resources, to hold them to a standard of
accountability that might disincentivize what is otherwise
clearly an exploding field of the malicious activity?
Would anyone care to respond to that?
Mr. Fitzgibbons. Congressman, that is a terrific question.
And one of the challenges, one of the discussions we will often
hear is these are crimes without consequence. It is a great
business case, do a cyber attack and what is the chance of
getting caught.
I think that is a bit unfair because when we speak with law
enforcement, they are working very hard to try and get at these
folks. I think--
Mr. Heck. Are the perpetrators being indicted and jailed?
Mr. Fitzgibbons. There are indictments that are actually
being passed against the people who are actually outside our
borders. And when those opportunities present themselves,
apprehension is actually taking place. I think one of the
things that we enjoy is when we do have these opportunities to
speak with law enforcement to hear more about what they are
trying to do.
Having said that, we want to see more from the private
sector. We do want to see more consequence. We do want to see
more prosecution. We do want to see more people being held
accountable, but we recognize they are somewhat complex given
the happening outside our borders and it is not easy to do, but
the dialogue between ourselves and law enforcement is very good
in terms of, we have a common objective.
Mr. Heck. Do we have an adequate statutory framework?
Mr. Healey. I believe in the United States we do, sir. I
think the statutory framework here goes back something like 30
years. It is very solid. The law enforcement agency has been
catching up.
What worries me and probably the whole panel is there are
sanctuaries. If someone is hitting you from China, you are
probably never going to get them. If someone is hitting you
from Russia, you are probably never going to get your hands on
them, and so they are able to operate from these sanctuaries
with--
Mr. Heck. What could we do?
Mr. Healey. Russian Mafia with ties to the Russian
government--
Mr. Heck. No, no, no, what could we do to disincentivize
this behavior?
Mr. Healey. I think put pressure on the governments where
we can, try and include this into our overall conversation.
Mr. Heck. Diplomatic pressure.
Mr. Healey. And also just--
Mr. Heck. How is that working out for us?
Mr. Healey. We are never going to get cuffs on them, sir,
so I think the more that we can do to disrupt their operations,
things like botnet takedowns, try and increase the cost on them
so that way--if we can't put the cuffs on them by putting them
in jail, we can increase the cost so it becomes more and more
and more difficult.
Mr. Heck. I have one last question quickly. I see my time
is dwindling. I am interested in whether or not our emerging
new payment methods, whether it is Apple Pay or Google Wallet,
how has this increased our exposure? What is the trend line?
Are we seeing an expansion of attacks associated with these new
payment methods diminished within that segment of payment,
holding--comparable to other means? Are we more exposed, less
exposed? What is the trend line?
Mr. Fitzgibbons. Maybe I will take a shot at that,
Congressman. I think when we see innovation in the payment
space such as Apple Pay and those other things, from a payment
system perspective, we welcome innovation. A lot of this
innovation is really being driven by just those threats
themselves, taking account numbers and personal identifiable
information out of the mix.
But having said that, the adversaries are very, very quick
to adapt to different things so they will look for weaknesses
in that and we need to remain ever vigilant that we actually
are going after them.
One thing I would mention there is that in the payment
systems there is a huge amount of regulation and understandably
so. When we look at some of these other service providers and
we are talking about something as important as cybersecurity,
are they subject to the same regulations? So that is something
that needs to keep pace for the reasons that you were just
referencing.
Mr. Pearce [presiding]. The gentleman's time has expired.
The Chair now recognizes Mr. Pittenger from North Carolina.
Mr. Pittenger. Thank you, Mr. Chairman. And I thank each of
you for being here and for your valuable time.
As we consider the stability and the viability of our
financial markets and financial institutions, what concern do
you have for our electric grid, the important factor that
plays? Who would like to respond to that?
Mr. Bentsen. I will start, Mr. Pittenger. I think every
sector, every critical sector, critical infrastructure is
working on this. I obviously can't speak for the others. But we
are concerned from our standpoint of making sure that those
sectors are equally protected or taking the necessary steps to
provide defense.
As one of my members had said before, if the Fed wire is
down, we can probably work around it. But if we don't have
power, we really can't do anything at all. And I think the same
would be true with other critical infrastructure like the
telecom sector.
We can talk a lot about the financial services sector and
the work that is being done, and I think there is a lot of work
being done, but we have to take into consideration that we are
connected to these other critical sectors.
Mr. Pittenger. Sure. Would anyone else like to comment?
Mr. Garcia. Yes, sir. The Financial Services Sector
Coordinating Council has embarked on some cross-sector
initiatives to engage particularly with the electric sector and
the communication sector.
First, to just understand what our interdependencies are,
what our mutual vulnerabilities are, and then think about ways
that we can collaborate in areas such as joint exercises in the
event that the power goes out; how will that affect our
respective sectors. So it is a positive cross-sectoral
engagement going on.
Mr. Fitzgibbons. One thing I would add to Mr. Garcia's
statement is it was very interesting that when we were reaching
out recognizing this cross-sector requirement, we can't just be
an island into ourselves. We often enjoy this reputation of
being kind of out in front and so forth. But again, to your
point, the other sectors, we are all dependent upon each other.
So when we were actually reaching out to the electric sector,
they were literally picking up the phone to call us as well.
And I think that really does speak to how very broadly
these threats are actually being taken by all the critical
infrastructure. So I think there is a good news for you in
that.
Mr. Pittenger. About a month or so ago I was in Israel and
met with some of the individuals who have been playing an
active role in securing their grid through a cyber war. And
then subsequent meetings in Vienna and back here a week or so
ago, they will be here. And I would just like to personally
invite you to come. This will be a Members' meeting, but it
will be one that you would be most welcome to come to, on June
2nd at 4 o'clock.
And the head of the National Cyber Bureau who works
directly under the Prime Minister will be here to address this
issue and show us what they have done to seek to secure their
grid from cyber attack.
On another matter, Mr. Healey, given that we have limited
extradition treaties with certain countries, particularly in
Eastern Europe, what other ways can we seek to justice against
these individuals if we don't have extradition treaties and the
limitations there?
Mr. Healey. Justice is going to be very difficult and, in
fact, might be unattainable. So we have to look for other
positive public policy outcomes that we can achieve.
The sector, I think, has done a good job in working with
the telecommunications sector, ISPs and others, vendors like
Microsoft in asking, how can we disrupt their attacks to begin
with? That doesn't give us the satisfaction of seeing the
punishment that they deserve, but it can stop the attacks from
having the effect that they want on the sector.
I am very hopeful that now that the White House has come
out with their plan for information-sharing and analysis
organizations, we can use these kinds of groups to be more
purpose focused.
I have not spoken much about information-sharing. I don't
care much about information. I want to see results. And so if
we build our groups around stopping DDoS attacks, stopping
account takeovers and the rest, and build our information-
sharing to that, I think we can thwart them much better than we
have been.
Mr. Pittenger. Certainly. I yield back. Thank you.
Chairman Neugebauer. I thank the gentleman. Now the
gentlewoman from New York, Ms. Velazquez, is recognized for 5
minutes.
Ms. Velazquez. Thank you, Mr. Chairman. I, too, want to
thank the chairman and the ranking member for holding this
important hearing.
Mr. Garcia, if I may, what is being done by the public and
private sectors to advertise the importance of cybersecurity to
the small business community? Also, what cost-effective steps
can they take to protect themselves and their customers?
Mr. Garcia. That is a very good question. Thank you for
that. There actually is quite a network of private sector
organizations that are thinking regularly about how to get
those tools and awareness into the hands of small business
owners and consumers.
There is an organization called the National Cybersecurity
Alliance; one of our member institutions is on the board. They
host, along with the Department of Homeland Security, every
October, National Cybersecurity Awareness Month and it is a
major national campaign. All 50 governors declare--
Ms. Velazquez. Are you aware of any coordination with the
Small Business Administration?
Mr. Garcia. Yes, and the Small Business Administration is a
part of that. Many major--many of the Federal agencies are a
part of it and our own Treasury Department and some of the
Federal regulators for the financial institutions reach out to
the small banking community institutions to raise awareness
there.
And the National Institute of Standards and Technology has
developed a framework called the NIST Cybersecurity Framework,
which we are helping to push out to the small institutions. And
that is one of the cost-effective tools. It is simple. It is
scalable, and it gives them a sense from the IT administrator
up to the CEO what their responsibilities are for managing
cyber risk.
Ms. Velazquez. Thank you.
Mr. Nichols, the nature of the U.S. card market presents
unique challenges as we move forward with EMV implementation.
As you know, many of the 28 million small businesses in the
United States now accept card transactions, and switching over
to card reader technology will be costly. Is there anything
being done to help mitigate the costs and also to inform the
small business community of the risk of not upgrading?
Mr. Nichols. Upgrading to--did you say chip and PIN? Okay.
Ms. Velazquez. The new technology.
Mr. Nichols. Yes, sure. I guess, an observation on that, it
is obviously--I will talk about the underlying technologies for
a second. It is a good technology. I would say that there is
probably no single technology that will prevent all breaches.
We have talked at length today about the creative and inventive
ways that the bad actors participate in this market.
We are also mindful that the government doesn't
inadvertently stifle future innovation by speaking to--overly
praising one particular technology, in part, Congresswoman,
because innovation is moving so quickly at such a rapid pace
not just in payments but in other aspects of the financial
sector and the general technology community.
Who knows what tools we are going to need 5 years from now,
10 years from now, 15 years from now or 20 years from now. The
space is so rapidly changing, looking so dramatically
different. So we need to keep--we obviously--we need to keep
pace with whatever the latest technologies are.
It also underscores a point I made very briefly earlier
about the priority level that this is within the financial
institutions in America. The leaders of these financial
institutions are saying things like, no expense will be spared
as it pertains to our cyber protections.
Another leader said that in an area where they are doing
lots of cost-cutting, this division of the company never needs
to ask permission to spend more money. It is a huge priority
getting this right. And it is something that these institutions
think about each and every day.
Ms. Velazquez. Thank you.
Mr. Bentsen, we all know that Federal spending to combat
cybersecurity continues to grow at an extremely rapid rate. How
do we tap the unique talents of small technology firms in an
effort to strengthen our national cybersecurity defenses,
especially in the financial sector?
Mr. Bentsen. That is a good question, Ms. Velazquez. I
think that this is a problem that is not unique to the largest
firms both in terms of the largest banks or the largest
technology providers, and there is a tremendous amount of work
that is being done to look at it because this is such a
priority.
And so I think you are right that we--the industries--are
going to have to look at who is going to be coming up with
better mouse traps as we go along in this process. And it is
important that we don't, to follow on to Mr. Nichols' comments,
in a broader context, not in the chip and PIN, that is not
really in our space that we don't stifle the ability of tech
companies, startups and others to work on this. There are quite
a few in this space today, and we hope that there are more down
the road.
Chairman Neugebauer. I thank the gentlewoman. The
gentlewoman's time has expired.
The gentleman from Colorado, Mr. Tipton, is recognized for
5 minutes.
Mr. Tipton. Thank you, Mr. Chairman. I would like to thank
the panel for taking the time to be here. Ms. Velazquez and I
have a common interest in small businesses.
And, Mr. Garcia, you just mentioned that there was a big
effort to be able to get information out to those small
businesses. What is the participation level? Do you have any
idea?
Mr. Garcia. The FSSCC has a Small Institutions Outreach
Working Group that is--that involves the Independent Community
Bankers of America, and several other trade associations are
involved, and several other companies. And we are thinking
about, how do we get their attention when you have small bank
CEOs who are really focused on running their business. And now
we are asking them to think harder about cybersecurity and how
to manage their third party service providers.
We are working closely with our government counterparts in
Treasury and the FFIEC to consider the best strategy for
pushing out the best, simplest, scalable--
Mr. Tipton. I am just kind of curious. Do you have any
idea--you know, if we have 100 percent independent bankers? X
percent participate in some of these rollouts. Is there any way
to be able to identify that?
Mr. Garcia. I wouldn't have that information. Perhaps maybe
some of my colleagues--
Mr. Bentsen. Yes, sir. I would just add to that on the
broker-dealers and asset management side, to your point, SIFMA
and our membership made a decision to underwrite membership for
our smallest firms, 6 percent of our member firms have less
than $200 million a year of revenues, but for the smallest
firms, membership in FS-ISAC because we want 100 percent
participation.
And to be fair, it has been painstaking to get these firms
in because in some cases you have--the CEO is also the chief
technology officer in a very small firm. So this has been sort
of almost a one-on-one communication.
Likewise, we have been working with those firms on what
their insurance policies are, how they can--whether they can
come together to buy insurance policies together, what they
have in their insurance policy. And we have encouraged the
regulators, FINRA, for instance, who is the self-regulatory
organization for broker-dealers, to work with the smaller
members in this process.
Mr. Tipton. Great. Mr. Nichols, do you have any comments on
this?
Mr. Nichols. No.
Mr. Tipton. No, okay. Great. Just as a little bit of
follow-up on this, with smaller institutions, can they be a
gateway to the bigger institutions when we are looking at the
cybersecurity? Does that stress the importance of getting this
information?
Mr. Bentsen. Absolutely. Everybody is a gateway. Everybody
is linked together in the trading world or on the bank side.
And that is why we did our diagnostic and worked to develop
standards that would apply across the industry because they
clear with others, they trade with others, and that is why we
want to make sure everybody is in the information grid, that
everybody's insurance is up-to-date. And so it is something
that, and I know that the bankers are doing the same thing, we
have to get universal adoption within the industry.
Mr. Nichols. Congressman, I would add just very briefly to
that. In my written testimony, I talked about this issue of the
automated programs and all the investments that are being made
there. Kind of two points apply here.
One, what does that actually mean in layman's terms? I am
not a cyber expert like these two guys are. But in layman's
terms, is it that we are trying to get the financial system to
operate like your body's immune system, so that it fights off
the illness before it gets there? So one, these programs allow
you to quickly differentiate a small attack or a low priority
attack versus the really serious stuff, the really wicked and
malicious stuff. So that is kind of half of what it does.
And the second half of what this automation, these programs
and systems does is quickly and swiftly disseminate the nature
of the threat across the system to institutions of all sizes.
And that is where a lot of the large financial institutions are
making investments that help not only themselves and their
clients and customers, but people all across the spectrum.
Mr. Tipton. Right. Thanks.
Mr. Garcia, something I just wrote down as you were
speaking, giving your testimony was the need for more
uniformity, and examinations regarding--is there duplication?
Is there overlap? Are there additional costs that are being
driven that could be better spent on cybersecurity?
Mr. Garcia. Yes, I think that is our experience and it is
anecdotal, but one company could have several different
regulators, depending on their various businesses. And the
examiners who come in have different sets of questions. And
they are all getting to the same issue--security and
resiliency--but we have to answer the questions in different
ways.
Our point was if we could harmonize, as Mr. Bentsen said,
across all other regulatory agencies, we could have the same
sets of questions. We could focus on actual security and
resiliency and not answering questionnaires or answering fewer
questionnaires.
Mr. Tipton. And just one final question here, Mr.
Fitzgibbons, you mentioned about the recovery process by small
and medium-sized firms after an attack. How does that compare
to a big firm? I think I know the answer, but what are some
special challenges our smaller firms are facing on a recovery
after an attack?
Mr. Fitzgibbons. Congressman, thanks. It is an interesting
question. Many of the regulations that the larger firms have to
deal with actually require a significantly accelerated recovery
time. So it is almost as if the bigger the bank, the faster you
can actually recover. A lot of that is driven by regulatory
requirements. A lot of that is driven by the sophistication and
the investment they make in a lot of technology. So
significantly, systematically important, financial institutions
actually recover very, very quickly from outages.
The small and the medium-sized institutions may not have
that regulatory mandated requirement. Having said that, the way
that technology is shared, the way the technology evolves and
so forth, recovery out of various critical systems and so
forth, be it the payment system or DDA system--
Mr. Tipton. Yes. Thank you, sir. I yield back.
Chairman Neugebauer. I thank the gentleman. And now the
gentleman from Texas--
Mr. Williams. Thank you, Mr. Chairman. I thank you all--
Chairman Neugebauer. --is recognized for 5 minutes.
Mr. Williams. --for being here today. I think for me, as
someone who comes from a small business background, this issue
is clear. I think I can give you a little unique perspective on
this topic.
As retailers, your ability to sell a product is everything,
as you know. Once you lose that ability, you damage your
reputation, and you limit your ability to be truly successful.
In my instance, I just happen to be a small business owner;
I am a car dealer. My customers trust that whatever information
they share with me is protected. The Federal Government doesn't
need to tell me that. But whether it is my industry or
something else, gaining and keeping customers' trust is vital.
Without that trust, you might as well not be in business.
Now because the debate is really about making sure the
customer is protected first and foremost and giving them the
best service possible, I think is what we have talked about
today.
So let me bring this up. In 2014, the auto industry and the
National Highway Traffic Safety Administration came together to
create a sharing advisory center, known as Auto ISAC, to share
cyber threats among 34 auto manufacturers. The idea is for
automakers to share information about attempted security
breaches so they can be neutralized quickly. Also, the Society
of Automotive Engineers established the Electrical Systems
Security Committee, which is created to review challenges, and
capture solutions standards to prevent cyber attacks in current
future vehicles.
As a car dealer myself, the coordination of my industry and
the Federal Government is encouraging because again reputation
is everything. I believe they have seen what has happened in
the retail and financial sectors and try to be proactive. With
mobile devices like Wi-Fi and other technologies almost
commonplace in vehicles, the bar needs to be high.
So can any of you on the panel comment on what the auto
industry has done and how this might be a helpful model for
other financial industries when coordinating information-
sharing with the Federal Government? Any of you?
Mr. Healey. Sir, a lot of the ISAC dates back to 1998 when
President Clinton asked because, of course, he couldn't tell
the private sector to come together and put these ISACs in
place for their sectors.
The finance sector started the year after--1999 was the
Financial Services, ISAC. I had the honor to be vice chairman
of that group several years after that. So a lot of the--the
finance sector is one of the few that of those original set
that is kind of going strong. Telecommunications has been good.
Information technology has been good.
Many other sectors, they have kind of been born and died in
the time before auto came together. So I think auto is in a
great position of having been able to look at what has worked
best in these ISACs and what hasn't.
For example, in the early days of the financial services
ISAC, we wanted to jump right into automated sharing of the
kind that we heard about today with Soltra Edge. But we weren't
ready, we didn't have the trust between us yet. We had to sit
down together, get to know one another, have a few drinks
together, and then we built up that trust between ourselves and
with government.
Also, one of the big lessons is a higher level of
governance for the sector. The ISAC was operational only. Then,
when we had to deal with the government on larger issues, we
were too operationally focused to have that. So, we came up
with a group that Greg now represents, the FSSCC, to be there
at that higher level and the regulators set up the FBIIC, their
structure, so that we had this government regulators and
finance sector policy level, at the managing director level to
cooperate.
So I think the Auto-ISAC is on great ground and I look
forward to seeing what lessons that finance can draw from it.
Mr. Williams. Thank you very much.
Mr. Bentsen, you said in your testimony that Congress needs
to remain proactive and vigilant on the topic of cybersecurity
and that passing legislation is needed for the financial
industry. Does the Federal Government need to mandate policies
on sharing cyber threats again, as we can see the auto leaders
and the Federal Government are already working together without
Congress telling them to do so?
Mr. Bentsen. I think in the case of information-sharing and
giving, and liability protection, FOIA, which the House has
done, is very important. The industry is certainly working
within the law as it is today, but it would be that much better
if the other body would move forward in passing the CISA bill
and getting it to the President's desk.
I think beyond that what we called for in our
recommendations is for the Federal Government--the regulatory
agencies to look at what the industry has done and create
guidance out of that, and do it across the agencies in a
harmonized way. So to the earlier points that we don't have--
our members don't have to have different guidance, different
examination structures from regulators who are all seeking the
same outcome.
And if there--to me, in dealing a lot of regulatory policy,
if there was ever an example where regulators could come
together on a uniform approach, this is it.
Mr. Williams. Mr. Chairman, I yield back.
Chairman Neugebauer. I thank the gentleman. Now the
gentleman from South Carolina, Mr. Mulvaney, is recognized for
5 minutes.
Mr. Mulvaney. Thank you, Mr. Chairman, and thank you,
gentlemen, for doing this.
I am going to ask some simple questions, and I hope I know
the answers in advance. But I just want to clarify this
because, Mr. Healey, you got my attention during your opening
statement, about one of your concerns--probably a valid
concern--about the risks that the financial system faces in the
event of some rogue international actor.
I think you specifically mentioned Iran or Russia being
backed up against the wall, feeling they have no vested
interest in the financial system, with very little to lose,
especially since they could pull off some type of plausibly
deniable type of effort.
So I guess, for the sake of starting the discussion, let me
ask you the question then that should be first and foremost in
everybody's mind, which is how safe is our money? If I have
money in a particular financial institution--pick one of the
major institutions--how safe is it in your opinion, sir?
Mr. Healey. I believe it is safe. The--
Mr. Mulvaney. Tell me why.
Mr. Healey. --I believe the American financial system is
sound. I think it would be very difficult, as we also said in
those opening comments, for any adversary to systemically
disrupt the American financial system over a long period of
time. It is just very difficult, I believe, in all of the
strengths that we have talked about here.
However, particular institutions, well, one we might see
shorter-term disruptions, maybe not being able to close at the
end of the day like we would normally expect to.
Mr. Mulvaney. Mr. Healey, let me cut you off.
Mr. Healey. Sure.
Mr. Mulvaney. If you could take that to a retail level for
me, because you understand what it means for banks not being
able to clear at the end of the day. Sometimes I think I
understand, sometimes I don't. What does that mean to an
ordinary family?
Mr. Healey. Right. If the--especially if this kind of
attack were to happen, for example, on the 15th of the month or
the last day of the month at a particular institution, then I
believe that--no financial institution, I believe, can stand up
to the kind of attack that we might be able to see from one of
these organizations.
That doesn't lead to anything systemic, but I think it is
going to give a single bank a really bad day.
Mr. Mulvaney. Would anybody else care to weigh in on that?
Mr. Fitzgibbons. I think when you talk about attacks on the
financial system or financial institutions and then the impact
on the family, there is impact. So it could very well be. It
is--they are trying to make a payment, a bill pay or whatever
it may actually be, and that actually gets disrupted. So they
can actually feel that particular impact.
Coming back to the point about safe, having said that and
recognizing there is the potential for attacks and potentially
successful attacks, that doesn't mean that the system is
unsafe. I think we need to keep it safe. I believe it is safe.
I believe we need to make it safer. I believe that when we see
a threat or there is a threat or an attack against a particular
thing, what is important is how quickly we react to that, how
quickly we isolate it and move forward.
Mr. Mulvaney. Thank you for that. That is a wonderful
summary. Thank you both, gentlemen, for clarifying that because
what I think we are saying is that while individual
institutions may be subject to attack, that the system will
remain strong, and that any impact on ordinary Americans would
be temporary at worst. So it would be something that could be
fixed in short order. I think it is important that we come out
of this, Mr. Chairman, recognizing the fact that the
institutions are sound and it is still safe to put your money
in the bank.
Now, let me ask a follow-up question. How safe is my
personal information? I will come back to you, Mr. Healey,
because I think you said you didn't care that much about it,
but I may have--
Mr. Healey. No.
Mr. Mulvaney. I may have heard that out of context. So how
safe is my personal information, especially in light of this
world we are creating now? And I think we were inevitably there
where you all have--different institutions have to share
information. So how safe is my personal information?
Mr. Healey. I do not believe it is safe. We have seen the
hackers be able to hit for decades to be mostly unstopped. Year
after year, they have continued to make gains over us, the
defenders.
Of the places where my personal information lives, I feel
safest of where it lives in the finance sector. I am really
happy that my bank has my social. I feel a little bit worse
that the Social Security Administration has my social. I am
pleased that student loans are with my bank. I am a little bit
more nervous with the Department of Education.
That said, it is a deep concern. No one's information is
safe.
Mr. Mulvaney. Anybody else? Mr. Bentsen? Mr. Nichols?
Mr. Nichols. I would echo Mr. Healey's observation. We are
all at risk, even though the financial sector is widely
acknowledged to have the best protections right now. But I echo
your sentiment about the concern.
Mr. Bentsen. Look, the industry has the greatest interest
in protecting the information of its clients because if they
don't their clients are going to go somewhere else. But it is
extremely difficult.
I do want to say one--
Mr. Mulvaney. It would be hard to go to a different Social
Security Administration.
Mr. Bentsen. Well, perhaps. But I do want to add one other
thing. I think the system is safe today. I think there is risk
to markets and that could have impact in pricing. It could
impact the individual investor. But I think we have to
recognize that the people who are seeking to do this, whether
they are individual criminals, or nation-states, or terrorists,
or whomever they may be, they are getting better every day as
well.
So it is the same person that somebody was trying--somebody
is trying to pick a safe, they may not know how to do it now,
but they are going to keep trying to get better and better, and
so we have to keep preparing for the worst-case scenario.
Mr. Mulvaney. Gentlemen, thank you very much.
Chairman Neugebauer. I thank the gentleman. Now the
gentleman from Missouri, the chairman of our Housing and
Insurance Subcommittee, Mr. Luetkemeyer, is recognized for 5
minutes.
Mr. Luetkemeyer. Thank you, Mr. Chairman. It is kind of
interesting that we have a TV show now, CSI Cyber. It is
interesting that we have come that far.
I want to follow up a little bit on Mr. Mulvaney's remarks
with regard to the security of information. But I want to
approach it a little bit differently, from a standpoint of
sharing the information between the various entities. How much
individual information is being shared between the different
groups that are involved here whether it be law enforcement,
whether it be the EFT transaction folks, the securities, banks,
whatever? How much individual information is being shared
there? None, a lot, everything?
Mr. Fitzgibbons. So when--to talk information-sharing
because often it is referenced as a way to share threat
information, threat indicators and so forth to allow us to
protect ourselves.
In that forum, and I can tell you from our strengths, when
we are sharing threat indicator, we do not share personally
identifiable information. That is not really what we are
talking about. We are talking about information-sharing.
Mr. Luetkemeyer. That is the point I want to get to here is
that when we--you talked about information-sharing, the people
watching this hearing today, the radar goes up like, oh, my
gosh, the NSA is watching and now we have all these cyber guys
out here watching. So I think it is important that you clarify
that from a standpoint this is not individual information that
you are sharing. This is more transactional activity that is
being monitored by some outside group, and you are sharing that
kind of information. Is that--
Mr. Fitzgibbons. That is a terrific point, Congressman.
Actually, I appreciate the opportunity to provide that clarity.
Oftentimes, when you are dealing with these issues, you are
speaking in terms that are kind of understood. But it is
important to understand that when we talk about information-
sharing as it relates to the threats, it is not PII, it is
about IP addresses or different bits of code that you should be
on the lookout for in your particular systems.
When there is an attack, what actually happens is PII will
be very, very deliberately stripped out so that there is no
sharing of that information--that specific information. So we
are talking about threat indicators, not personal information.
Mr. Luetkemeyer. Okay. Along that line, how much sharing
goes on between industries? In other words, between the
financials--the banks, the credit unions, the insurance
companies, financial or securities folks. Between the
industries, is there this information going on or only just
between bank to bank or credit union to credit union, or
insurance companies to insurance company? Can anybody elaborate
on that?
Mr. Garcia. Certainly, within the Financial Services ISAC,
there are I think north of 5,000 member organizations now
spanning the financial services subsectors. At the same time,
the vice president of the FS-ISAC is Chair of the National
Council of ISACs, so you have the electric ISAC and the telecom
ISAC, and the financial ISAC.
Mr. Luetkemeyer. Okay.
Mr. Garcia. And they are all working together sharing
information at a higher level, not at the level of detail and
specificity that the FS-ISAC is, but that sharing is happening.
Mr. Healey. And the ISAC has taken on international
members, so we are starting to work outside with our key
financial partners.
Mr. Luetkemeyer. Okay, very good. Thank you.
Along those lines, one of the reasons that we are having a
hearing today is not only to determine the kinds of threats
that are out there and what else going on, but also what tools
do you need in your toolbox to be able to fight this? Are there
legal impediments--in other words, does Congress get some
ability here to help you? Are there things that we need--that
are in place right now that are hurting you? Are there things
that we need to put on you to stop some of the stuff you are
doing that may be beyond your scope or beyond what we really
need to be involved in. It is kind of a long question.
But I think if you can give me an idea if you think there
are some things that we can do to tweak the law or I am sure we
haven't found a whole lot to probably go after anybody on, but
along those lines.
Mr. Bentsen. Congressman, again I would go back to the need
for information-sharing given the liability employer protection
would be important. Again the industry is concerned about PII;
it is a customer confidence issue. But to do everything we need
to do to protect the customer, we don't want to have the
situation being second-guessed after the fact when you are
trying to deal with an ongoing cyber attack.
I think beyond that, to the extent that the Congress can
encourage the regulators to work collaboratively, and I think
we are doing better at that, so we have harmonization, that
will help the industry, as the industry itself moves to
implement the standards and recovery protocols, and
information-sharing as well as things like third party vendor
verification or audit practices. And so I think that
encouragement can help quite a bit, and then let the industry
collaborate with the public sector, so we are talking to one
another in dealing with how we respond to attacks, how we deal
with recovery, how we deal with information-sharing.
Mr. Luetkemeyer. Perfect. I see my time is about up. I will
yield back, Mr. Chairman. Thank you very much.
Chairman Neugebauer. I thank the gentleman. Now the
gentleman from California, Mr. Royce, the chairman of the House
Foreign Relations Committee, is recognized for 5 minutes.
Mr. Royce. Thank you, Chairman Neugebauer. I appreciate
that.
Mr. Bentsen, it is good to see you, and the rest of the
panel members there--Mr. Garcia.
I guess, as we get down to the nitty-gritty of how we get
to where we need to go, you mentioned earlier the concept of
having these different sectors work together. You all work with
a number of Federal agencies or--including with the financial
regulators, you work and have some knowledge of their
expertise, since I think we even have a representative on the
NCCIC (N-kick) watch floor.
So the question would be, for better coordination or
harmonization, to get there somebody, in my opinion, has to be
in charge. Somebody has to take the lead on it, and I don't
think that has been asked yet. Maybe, Mr. Bentsen, you could
start. Who should be in charge--Treasury, OCC, Homeland, DOD?
How do you set this up? Because at the end of the day, unless
somebody is in charge, bringing everybody together, it is
awfully hard to make it work.
Mr. Bentsen. That is an excellent point. My own view is--in
our experience throughout this process is that--Treasury has a
huge role to play in the financial sector. Obviously, DHS has a
role to play, but does the national security apparatus,
particularly as we are talking about nation-state attacks or
terrorists. So I think where the coordination needs to occur,
and I would argue that it is occurring now is at--in the
Executive Branch and in the Executive Office of the President
because that is where the ultimate national security apparatus
is. So you have to bring together the different groups.
It can't just be Treasury. It can't just be DHS. It has to
be--somebody has to be coordinating at the top, and so that is
where we are seeing in some of the exercises we are doing in
working across the different agencies, not just the financial
agencies.
Mr. Royce. The second question I would ask--I understand
your concept there and where the decision-making--where the
focus should be in the Executive Branch, but I still think you
probably have to give most of the key decision-making to the
entity that has access to the most information and understands
it the best.
But in your testimony you also talked about the need to
increase the pool of educated cybersecurity personnel. There
are a lot of universities now involved in this sphere,
including Cal Poly Pomona, which is in my district. But I am
wondering what the industry is doing to address this particular
workforce shortage in this area of expertise. Are you working
with higher education institutions in order to churn out
people?
I can tell you, on the other side, Moscow clearly is
working hard and educating teams on the other side of this
equation. Now they have that special bureau from North Korea
that is out there educating right now in terms of how to hack
into the South Korean banking system. So if we are going to do
some good defense work, it is good to work through the
university system as well in order to offset what is probably
coming.
Mr. Garcia. Yes, sir, Congressman, that is a great
question. Within the FSSCC we have two task groups that are
focused on that question. One is a workforce task group--how do
we build capacity for cyber talent that we can use in the
financial services sector and how do we describe the range of
job responsibilities that we need--number one.
And number two, we have a research and development
committee. And within R&D, you think about trying to drive
funding--Federal funding--a lot of it through the university--
research colleges and universities to work on some of those
grand challenges related to cybersecurity. And in the process,
you are building a pipeline of graduates and post-graduate
professionals who will be entering the workforce, providing
their level of expertise.
Mr. Royce. I am going to go back to Mr. Garcia and Mr.
Healey's points. The concept of being allowed to hack back
under strict controls, maybe being deputized by an accredited
law enforcement agency, if that can be put together, is it a
general consensus that it might be workable in terms of
counter-battery work against those who are attacking these
systems, any exception to that, or do you think it just might
work?
Mr. Garcia. An example that--perhaps stated in a different
way was the financial sector's partnership with Microsoft where
Microsoft was watching as was the financial sector all of the
attacks on the Microsoft platform--
Mr. Royce. Right.
Mr. Garcia. --like Hotmail and Windows.
Mr. Royce. You are not legally allowed--
Mr. Garcia. They went to--
Mr. Royce. --to go on offense and you are saying they would
be allowed to go on offense.
Mr. Garcia. They cut off the command and control. They went
to the U.S. marshal and got a court order to go to the command
and control center where the servers were hosting these botnets
and they severed that link.
Mr. Royce. Yes, yes. Okay.
Mr. Chairman, thank you.
Chairman Neugebauer. I thank the gentleman. I want to thank
our witnesses for your testimony. This has been a very healthy
discussion. I hope the takeaway for the Members and even for
some people who may be watching this hearing is that there is a
lot of good cooperation going on within the industry because
everybody has a vested interest here.
I think this is an ongoing dialogue. While we have only had
two hearings here, I think this is an interest to our country
from a national security standpoint, but also as far as
protecting the financial network, which is so important to our
economy.
Without objection, I would like to submit the following
statements for the record: the Independent Community Bankers of
America; the National Association of Federal Credit Unions; the
National Association of Insurance Commissioners; and the
opening statement from Mr. Hinojosa of Texas.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
And with that, this hearing is adjourned.
[Whereupon, at 3:12 p.m., the hearing was adjourned.]
A P P E N D I X
May 19, 2015
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]