My compliments and support for a well framed position on a topic which desperately needs additional attention and resourcing by our government. Financial services is part of the nation’s critical infrastructure and is under siege by both domestic and international cyber-theft-rings. The internet has provided the ability to globally “reach out and touch someone.” Unfortunately, the international criminal element is reaching out and touching us in the worst way with little fear of consequences or reprisal. We need the intellectual, intelligence, diplomatic, and technical resources coupled with the global legislative influence that can only be harnessed by our government to stand up and respond effectively to the current threats.

This is not a financial services only threat – it is a threat to our citizens, commerce, economy, government, and yes, even intelligence apparatus and national security. In the financial services and internet world – “Information = Transactional Access” and the bad guys are compromising the customer authentication processes, getting into authenticated space, and leveraging our confidential information against us. From an intelligence perspective, there is little so valuable as detailed personal and commercial financial information to develop actionable Human Intelligence (HUMINT) that can be used for strategic and tactical exploits by hostile states and individuals. As we have moved as country from “computer assisted” to “computer reliant,” our reliance on the internet has become crucial to our way of life within the industry, commerce, and government as well as individuals. No one entity can address this threat by themselves, we must put forth a well coordinated front with appropriate command and control and we need our government beside us, helping with the “heavy lifting.”

We would not intentionally put an Automatic Teller Machine on a dangerous street between a bordello and crack house – let’s collectively bolster the protections to make sure that we are not doing the equivalent on the cyber highway in the cyber world.

Respectfully submitted,
Brian McGinley
BGM Risk Management Group, LLC

[...] standpoint, many believe that it is the U.S. government’s obligation to step up and take more proactive approach. What do you all think? The bottom-line is that cybersecurity is, and will continue to be, [...]

I think the United States needs to support the strengthening of our Cyber-Network. Right now, our Cyber-world seems to be amalgamation of different networks and systems, creating gaps in the security and thereby allowing easy penetration.

I like Brian’s comment above that “we would not intentionally put an ATM on a dangerous street between a bordello and crack house….”.

Cyber criminals will only continue to become more savy. We need to put measures into place before it gets worse.

Thank you for the insightful posting.

While your blog states correctly that “the bad guys seem to be one step ahead”, it is not because the bad guys are more intelligent than the good guys. The good guys simply do not have the incentive, or the mandate, to develop fraud prevention technologies that are PRO-ACTIVE and not have to play catch-up to combat viruses stealing personal information as well as potentially causing havoc with government and/or military data. Once again, it should be the combined efforts of industry and government to confront these compelling dangers. Bottom line, a cooperative partnership by industry and government should be underwritten and assembled to tackle these threats.

From Linked-In:

“The internet has been placed to uses for which it was never designed. It was designed for email, document transfer, and remote computing among a group of trusted colleagues. When the internet went public, and the group was no longer a trusted group; all bets were off. The first big issue is really that the internet’s IPv4 is an inherently insecure medium, and no matter how many layers of security you place on top of it, there is always going to be a way to defeat the insecure underpinnings. The only viable option for real improvement is migration to IPv6 (which hsa weaknesses, but is much more secure, and has been available for several years); while laying a roadmap that will ease future protocol upgrades. Unfortunately, the cost of these upgrades across our the whole infrastructure will be staggering; and will likely take years to complete.”

From Linked-In:

“In short, yes I agree, we need to do more. However, we face a more immediate threat of greater magnitude from the even more organized cyber espionage and intrutions by nation states and non-state actors against our national security related entities. Yes crime costs money, but the backdoors and “sleeper programs” implanted by intell agencies will cost lives in the event of an attack. What I consider a lesser threat, but more a likely one is the confluence of cyber crime with terrorists. A well financed terrorist organization can “hire” the very powerful capabilities of cyber criminals and gain the ability to effectively attack us. They cannot match the potential power of a nation state, and therefore could attack us as a nation, but they could focus on a region, or an industry sector, or a corporation / Gov’t Agency, and effectively bring then down. Clearly, the National Gov’t needs to do more, but the rub is not killing commerce, and privacy/civil liberties in the process. Of less concern, but equal difficulty is that to do this right, we need to break a good bit of structural “china”, and change some time honored Washington sacred cows over money and authorities. Right thing to do? Absolutley! Easy it will not be.”

From Linked-In:

“I agree, as I read on the news the US shutdown of mccolo (*) is, in my opinion a good example of coordination between government and industry but had limitation in being been mostly reactive. From proactive security stand point, industry and government can benefit coordinating the efforts to target high risk threats for identity theft and internet fraud such as malware delivered botnet controlled phishing. Preventing measures for internet systemic risks such as DDoS (Distributed denial of service) from my opinion could benefit the most from coordination between US and other countries. (*) [http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html|leo://plh/http%3A*3*3voices%2Ewashingtonpost%2Ecom*3securityfix*32008*311*3the_badness_that_was_mccolo%2Ehtml/U9Cd?_t=tracking_disc]“

From Linked-In:

Matt International crime is not solely a US problem. The biggest issue we have in tackling international hacker rings is getting better cooperation between law enforcement agencies throughout the world. This is also compounded by different legal systems in each jurisdiction. What may be illegal to do in one country may not be illegal in the next. For police to tackle online criminals takes a lot of time and effort to ensure correct legal due process is followed in each of the jurisdictions. The criminals on the other hand do not have these restrictions. I would also say that the problem is not just one for governments to tackle, US or otherwise, but preventing crime is everyone responsibilities. Too many companies, organisations and individuals do not take information security seriously. This people then end up either as victims of these criminals or their networks and computers used as part of botnets for the criminals to attack others. So tackle online crime we need better awareness amongst businesses and individuals on how to protect themselves when online and also encourage each of our own governments to provide law enforcement with the necessary resources and legal support to deal with online crime properly”

From Linked-In:

“ They could, great firewall of china style… but should they… as a country that prides its self on the concept (even if not totally true) that we are open, It would, I feel, damage/erode free commerce as it exists. Instead the Government should do more to build out networks separate from the commercial infrastructure for data and communications and only allow minimal entry and exit points for traffic, all military and government contractors would then be required to be attached to this new system with out the need to mess with the rest of the commercial networks and systems. Companies should be required to handle there own issues, security is not a area large business’ can ignore any longer.”

From GovLoop:

First off, I work for my agency’s IT Security Officer, so I am in line with the whole “security first” thought path. I just see the frantic building of “better” security as the answer to these threats as cartoonish. Ever watch a cartoon as a kid where the protagonist, a guy, a duck, whatever tries to make his home mouseproof, or rabbitproof, or chipmunk proof? It becomes an arms race and finally ends up with the protagonist standing proudly in the smoking ruins of his home proclaiming victory while the little furry pest peeks out from the rubble and laughs. It is far easier to break something than build it, thus the advantage will always be with the black hats. You were right when you said there were deep cultural issues to be addressed. I’m not sure government subcommittees with all their meetings and reports are going be effective here. The black hats do not fear our consequences. And mostly our weapons are talking men in suits. Perhaps we need different ordnance. A hacker squad of our own going after them… Hmm. Now I see it all in a movie with Bruce Willis emoting away as he types furiously on a keyboard… Well, obviously I don’t have any answers!

From Linked-In:

“With the recent reports that the US Energy grid/Infastructure has been compromised, the US Government is facing multiple issues regarding cyber attacks that could be potentially devastating. Spying from countries from China & Russia are no surprise, and I am sure that the US has been conducting cyber snooping of their own over the last 20-30 years, however there does not appear to be a unified stance coming out of Washington on what the IT security priorities are specifically. A Washington insider recently confessed to me that the battle was being fought between agencies within to determine who is responsible for certain segments, but there must be a convergence of multiple groups to truly make the programs effective, in my opinion.”

From Linked-In:

there are multiple ways to control C.C. theft. All very high in cost and this is why they are not applied.

A simple example is to verify charge via a call or SMS to the card owner. This will insure that no charge will be made without proper authorization.

Another thing someone can do it, is to use a token , similar to the one we use for web banking. It can also generate a proper authorization code, even on the spot while buying something. Still something that costs extra , not to mention that Banks would have to upgrade both hardware and software.

Now when it comes to Identification theft, lets focus on the human factor. Which is always the most vulnerable one. People tend to put personal details on Facebook, MySpace, or even give them willingly over the phone to a supposed researcher who is asking questions over the speaker for his “survey”. People need to train. There should be an equally balanced effort from both govt and public. Otherwise nothing will work.

Hackers are no idiots. They do not aim at highly protected hardware infrastructure. They target the individual. The weakest link. The simple guy who does not update software, does not know how to use a firewall or how even to close down the phone to someone who is being “pushy” as to get info from him/her.

No matter what a company or state will do , if the person who is in charge of his own property does not know train on how to do it, then i do not see a way on how to protect ID, C.C. or even access to my place of work via an infected laptop with a trojan.

Good article and insightful words by Brian McGinley above. I agree that this is not simply a financial services industry issue, but one of economy, commerce, government and national security. It is surprising how little attention cyber security has received of late, and the perception that it is merely an issue for the financial services industry to solve keeps us one if not several steps behind. While Willie Sutton robbed banks because that is where the money is, hackers focus on banks because that is where the rich information resides. We need more cooperative efforts among several industries, government and countries.

From Linked-In:

While I agree that the government needs to be more proactive. I believe the solution will need to come from a concerted effort between the private sector and government. We act like the government is an all powerful being, when, in fact, government agencies are the whole reason why we are behind the power curve on this issue. Certain agencies who had the capability to have systems in place and increase manpower and training as the Internet grew from the ground up did not do so. Hackers were around since the very beginning of small computer networks. The whole Internet Security idea has been talked about for the last 10 years as a “new concept” and the government side is much further behind than the commercial sector on protecting themselves. Goverment has been playing defense and catchup for a very long time and I have worked in these areas and discussed these things with people on the inside of the problem.

There are no easy answers but one of the biggest problem is simply a lack of manpower. Lack of manpower is followed by a lack of educated or experienced individuals who will work in government. Next we have the fact that most cyber security jobs related to government that makes the biggest difference are those requiring a security clearance. This security clearance issue further compounds the manpower problem. Therefore, manpower, government bureaucracy, and training or education and experience remain the biggest hinderance for being proactive.

Commercial sector defenders have much more experience in the realm of seccurity itself while government can supply intelligence (law enforcement and otherwise) as well as some special technology. Moving forward government should work closer with the commercial sector and radically change the cyber missions of agencies command and control or organizational structures and policies to become *real* centers of excellence. Otherwise, the battle is being lost – as some have commented…the bad guys are always one step ahead.

From Linked-In:

this might as well read “The Internet is infected and WORLD citizens are paying a steep price …”. But, I agree. There is a hesitancy for the Congress to mandate measures to state and local that will provide better protection and better tracking/prosecution of these computer criminals(note, hackers are not necessarily criminals and skateboarding is not a crime). The US is designed around “local” governance, not Federal mandates. The state rights fight, and protecting the little guy from big brother. On top of this who do we ask? Currently every faction of the fed is fighting for this turf. FBI, NSA, DHS, DOJ, Secret service, USAF and now the Whitehouse wants to directly manage it. We pay for this with a slow national government …and foreign governments are just slow.
So, knowing this, asking the US gov. to manage a unified front against a worldwide problem is a difficult proposition. Once over that hurtle, The next is to what end. We find these attackers and maybe have heavy fines and prison sentences. At this point we are looking at creating a new set of laws maybe suspend posse comitatus, maybe rendition or mitigation with extreme prejudice?

Its not an easy answer like.. the government should fix it. OBTW the same government that runs the TSA. But the fix is in the slow change that comes with time, volunteering, participation and sacrifice.