‘A team sport’: Collaboration is best defense against cyber-enabled crime

Malicious actors have become more sophisticated, pervasive and opportunistic.

By John Carlson

The U.S. government is partnering with the private sector like never before to protect banks and other critical infrastructure from increasing cyber threats. And the number of ransomware attacks is likely far greater than is known by authorities.

TOOLKIT > Attendees and remote registrants can access streamed content from the 2023 ABA/ABA Financial Crimes Conference through Jan. 31, 2024. Deadline for new registration is Jan. 15. Check it out.
These and other equally important messages were delivered by Kiersten Todt, former executive director of President Barack Obama’s cybersecurity commission, during a wide-ranging discussion with me before attendees at the recent ABA/ABA Financial Crimes Enforcement Conference.

Todt has a wealth of experience in cybersecurity, having also served as chief of staff of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. She currently is CEO and managing partner of Liberty Group Ventures.

Todt argued that defending against cyber-enabled crime is “a team sport,” requiring increased public and private sector collaboration and engagement against criminal enterprises and nation states, which are constantly improving their tactics and using new technologies such as artificial intelligence.

Malicious actors have become more sophisticated, more pervasive and more opportunistic, Todt pointed out. The malicious actors include the “top four” nation states: Iran, which operates in a retaliatory manner, highlighted by its current efforts to conduct attacks against Israel; North Korea, which operates like a criminal enterprise; Russia, which seeks to sow societal discord and disrupt U.S. critical infrastructure; and China for its efforts to infiltrate networks and critical infrastructure, steal intellectual property, and for its increasing aggression against Taiwan. This recent CISA advisory lays out more details.

Adversaries are using advanced technologies to target businesses and government agencies. These include artificial intelligence to develop more advanced email phishing to defraud individuals and companies as well as mis- and dis-information campaigns that undermine confidence in our democracy.

Todt added that cybersecurity “underpins our economy” and as such has become a top priority for CEOs and boards of directors of companies. She noted that less than a decade ago, when she managed a non-profit on cyber readiness in supply chains, the thinking among senior executives around how much to invest in cybersecurity protections was more discretionary. Today it is mandatory as companies have learned that “cyber risk is business risk.” Companies cannot wait until a cyber-attack happens before investing in risk-based controls.

Todt highlighted cyber incident notification as essential to defending our nation’s critical infrastructure. She emphasized the importance of reconciling federal notification requirements on companies to inform customers, financial regulators, other government agencies and the public.

Todt added that while new SEC regulations, which push for corporate cyber responsibility, are good steps forward, the requirement of publicly traded companies to notify the SEC and public within four business days after determining a “material” cyber incident could be challenging. She added that based on past incidents, four days is often not enough time, and it could lead to negative impacts on victimized firms, financial market stability and threat mitigation. Todt noted that DHS/CISA is working on a cyber notification regulation required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA.

Given that many cyber incidents originate in third party providers that banks rely on, Todt added that firms are struggling with the breaches that occur at service providers. In response, the government is increasing attention on third party risk management in general, requiring companies to disclose more on the software they use and considering ways to expand oversight of cloud service providers. This includes treating cloud service providers as part of “critical infrastructure.” Much of this is laid out in the National Cybersecurity Strategy and Treasury’s report on financial sector reliance on cloud service providers.

Todt stated that the Biden administration’s sweeping Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence directs numerous federal agencies to examine use of artificial intelligence across multiple sectors of the economy, including financial services. She added that AI has benefits and risks. The EO aims to “get out in front of the issue, and avoid the challenges that emerged from not engaging with technology, specifically social media, early on” and to ensure there are guardrails. One aspect addressed is the importance of ensuring humans remain involved in the evolution of generative AI.

Todt looked back at the evolution of her former employer, DHS, from its creation–in which she played a role as co-drafter of the legislation in the Senate, after the September 11, 2001 attacks—to its progress today in leading cyber defense. She assessed that DHS has made great progress in supporting efforts to increase public and private sector cyber threat information sharing and fostering greater collaboration among government agencies and with the private sector. “There’s an increasing awareness that cybersecurity is a team sport that requires elevated levels of collaboration because no one entity can defend itself,” she said.

The distributed denial of service attacks over a decade ago were major catalysts for ramping up information sharing among financial institutions and with government agencies. Todt emphasized how persistent ransomware attacks are. “Ransomware is about making money and opportunism,” she said. Todt added that one of the reasons why there continues to be a market for ransomware attacks is because of the inverse role cyber insurance has had, by, early on, covering ransomware and, in some cases, covering contracts with legal companies to help negotiate ransomware payments.

In response to a question about whether the federal government should prohibit the payment of ransoms, Todt added that “prohibiting ransomware payments is an obvious goal and some larger companies should not be as vulnerable as they are because they have failed to institute appropriate cyber risk management controls.” She expressed concern, however, over small businesses and under-resourced critical infrastructure organizations, such as water authorities and health organizations, which provide critical services to communities.

“We have to do more to help these under-resourced organizations, particularly as it pertains to ransomware,” she said, adding that the White House is leaning in on making ransomware payments illegal and companies will soon be required to notify DHS when they make ransomware payments, as mandated by CIRCIA. This forthcoming regulation will produce important information on how prevalent ransomware attacks are and confirm an assumption that there have been far more ransomware attacks that is known by authorities. Todt added that it might also inform future cyber insurance policies. She recommended that firms should develop relationships with government partners well before a crisis.

Looking ahead, Todt pointed out that a “driver for future cyber events is the escalating geopolitical environment, and the intentions and capabilities of our adversaries, driven by technologies and specifically AI.” She also expressed concern with the rise in mis-and dis-information and the need for increased education and awareness. She noted that the Colonial pipeline ransomware attack several years ago resulted in long lines at gas stations due to the fear that there would be no fuel, not because there was no fuel. She asserted that we need to push ourselves in how we plan and prepare and exercise for events and that it is incumbent on each individual to take responsibility and be accountable for how they approach security. There needs to be continuous improvement in public-private sector collaboration and information sharing and cited recent examples of how much progress has been made on industry-government engagement to defend critical infrastructure.

She closed by adding that “cognitive thinking is critical infrastructure” and that we need to provide everyone from kids to seniors basic cyber education.

John Carlson is senior VP for cybersecurity at American Bankers Association.

Photos by Ralph Alswang.