With global tensions rising over Ukraine, the cutthroat competitiveness of the US financial sector is yielding to partnership over the conviction that a cyberattack against even a group of minor banks - or a third-party service provider - could imperil everyone in a highly connected system.
Some of the nation’s largest banks are now working with the Treasury Department, engaging in role play and sharing information they would have guarded closely in the past.
“You’re only as good as your weakest link,” said Ron O’Hanley, chief executive officer of State Street Corp, one of the largest US money managers and custody banks. “Networks are put together not just by what you’re doing, but the vendors you’re relying on, the counter-parties you’re dealing with, even regulators you’re dealing with,” he said in an interview.
As part of a broader move aimed at strengthening defences, Treasury officials late last month gathered executives of several top banks and practised how they would reach one another and work together across a range of cyber-attack scenarios.
That simulation exercise, which hasn’t been reported before, included JPMorgan Chase & Co, Bank of America Corp and Morgan Stanley. It ran through five hypothetical threat levels, ranging from minor assaults to a full-scale onslaught on multiple banks and critical payment systems.
“You can invest in defences, but that aspect of practising over and over again, and continuous improvement, is the critical element in responding to the next threat,” said J F Legault, global head of cybersecurity at JPMorgan Chase in a phone interview.
Treasury officials have also moved to declassify more intelligence to get it in front of financial executives, and to extend security clearance to more employees within the big banks.
Russia’s invasion of Ukraine and the subsequent sanctions against Moscow have upset a fragile equilibrium in financial security. Governments adept at cyber warfare such as China and Russia used to be considered stakeholders in the market for global dollar assets - in effect giving them an incentive to leave financial infrastructure alone.
“What was different about Russia-Ukraine was the potential threats were not only obvious, but you had a player that was reputed to be the best in the world at it in terms of cyber threats,” said State Street’s O’Hanley. “We take all cyber threats serious, but you start to think about it differently when it’s a nation-state and, particularly in connection with an armed conflict.”
The Treasury also knew the threat landscape was shifting late last year. As they mapped out the sanctions to be unleashed in the event of an invasion of Ukraine, officials concluded that cyberattack preparation needed to step up.
“Once we knew where we were going to land with some of the initial sanctions packages by the end of 2021 and how severe they were going to be, we knew we had to update our incident-response playbooks and work with the sector to increase intel sharing,” said Todd Conklin, a counsellor to the Treasury’s No 2 official, Deputy Secretary Wally Adeyemo, in an interview.
It’s part of a steady expansion of a public-private partnership around cyberattack response.
The Cybersecurity Infrastructure Security Agency, CISA, part of the Department of Homeland Security, was founded in 2018 as the lead agency for cyber protection. Nevertheless, Adeyemo said Treasury Secretary Janet Yellen instructed him on his first day to make cybersecurity a priority.
Adeyemo has drawn from past financial crises, which made clear how the banks’ inter-connectedness makes them vulnerable.
“Telling them ‘shields-up’ without providing additional support and intel sharing isn’t that helpful,” Conklin said. “It’s making sure, if something does happen, we have a plan in place for a collective response.”
When any point in the financial system comes under attack, information about the event must get sent out across the network of firms, regulators and intelligence agencies as quickly as possible, officials say. Instead of hoarding information for competitive advantage and hushing up any unhappy development, firms must think co-operatively, sharing intelligence. “It’s sharing information as soon as possible to ensure that if there’s an attack somewhere, you’re protecting the rest of the system,” Adeyemo said.
The largest banks have known that for some years, but are going further than they have in the past.
In 2016, the eight biggest players, led by JPMorgan and Bank of America, formed the Analysis and Resilience Center for Systemic Risk (ARC), aimed at ramping up collaboration in monitoring and protecting critical systems exposed to the Internet, with a focus on early-warning capabilities. It’s since grown to include exchanges and clearing houses as well as several big energy companies.
The group set up its headquarters just outside Washington because bank executives wanted ARC to work closely with the government, according to Scott DePasquale, ARC’s president and chief executive officer. A Treasury official co-chairs the group’s risk committee.
There’s also a wider counterpart to the ARC, the Financial Services Information Sharing and Analysis Center, whose members include a broad array of firms ranging from banks and insurers to fintechs, from more than 70 countries.
Worries remain, especially over third-party service providers.
In the 2020 SolarWinds attack, according to US officials, a compromised piece of software was used by Russian hackers to gain access to nearly 18,000 computer systems at more than 100 companies and nine federal government agencies, including the Treasury, Homeland Security and the State Department.
But the targets need not be so high-profile to cause damage. In 2021, Kaseya, a US firm that provides IT management and security software services - with a customer base that included many small banks - found itself the target of a ransomware attack.
The issue, later blamed on the Russia-based group REvil, was resolved within days and without a ransom payment. But it forced officials to ponder what would happen if thousands of small banks across the country were paralysed, and to ask how extensive an attack needed to be before it might provoke a larger run on bank deposits and a wider liquidity crisis across the financial system.
“One of the reasons this community is ahead of others is that they are constantly being probed by cyber criminals,” said James Andrew Lewis, director of the strategic technologies programme at the Center for Strategic and International Studies in Washington.
“The top 20 banks - I am pretty comfortable they are a really hard target,” he added. “If you were to pick the bottom 20 financial institutions and even some of the service providers in the plumbing, I don’t know if I would be as confident.”
There are also concerns about the government itself. The Treasury and other agencies aren’t just regulatory supervisors. The Treasury issues US government debt and the Fed is an interbank payments provider, and their systems can be subject to attack.