Protecting Cyberspace Takes Teamwork

WASHINGTON -- Protecting financial institutions from cyberattacks will take closer cooperation between the government and the private sector, panelists said Tuesday at a conference here called Homeland Security 2002: Establishing a Culture of Cooperation.

Many sessions emphasized such cooperation, which is being fostered by changing mindsets on both the government and private industry sides of the coin.

In the financial services world, banks and investment houses are most responsible for keeping up with threats and the technologies that protect against them, said Richard Marshall, deputy director of the Critical Infrastructure Assurance Office. His is one of 22 federal agencies that will soon become part of the United States' new Department of Homeland Security.

"The scope of change, the pace of change is just too quick for government regulators to keep up with," Marshall said. "This has got to be a self-curing issue."

Business continuity is key for financial firms, he said. A threat might be electronic or a physical attack or disaster. Either way, a firm must be sure it can keep operating, protect its customers' privacy, and anticipate problems in time to prevent them.

Marshall's agency is working on the finishing touches to the National Strategy to Secure Cyberspace, a collection of "best practices" that business are urged--but not required--to follow in their security plans. The public comment period on the document has closed, and Marshall said he expects President George W. Bush to approve it early next year.

"We don't pretend to know all the answers, but we believe that together we can help come up with some intelligent solutions," he said. "And we realize that it's not going to be government-down. It has to be 'let's join hands and work together.'"

Financial services firms in general are ahead of other private-sector industries in securing information, but they aren't where they should be, Marshall said. "You need to raise the security bar," he said.

The technological challenges are formidable, said Dale Hazel, senior vice president of marketing at Convera, a software company that makes search products for businesses. Financial institutions store massive amounts of data, more than many businesses, he said. Terabyte measurements are common, and he said he has seen some databases that exceed a petabyte, or 1000 terabytes. Such mountains of information stretch the limits of system scalability, he said.

Meanwhile, companies don't have a good handle on how to balance prudence with overzealousness, said J. Michael Gibbons, a former chief investigator of computer crime for the FBI and now a senior manager at consulting firm BearingPoint.

"Those of us in homeland security all just want to understand how much security is enough," Gibbons said. "We want the truth, and the quest for the truth is the most difficult thing we face."

Inside financial firms, executives see the wisdom of spending money on security, said Leigh Williams, senior vice president and chief privacy officer at Fidelity Investments. His firm spends about $1 billion a year on technology, much of it security-focused, and believes that cost is worth the payback.

"We have for a long time expected a return on our business continuity efforts," he said. "We do believe that before the September attacks, it made a lot of sense to invest very heavily in protecting the data and systems customers rely on. I don't think that has changed at all in the last couple of years."

But the firm's approach has changed, he said. The vision has become much broader than it once was.

"Before September of 2001, we approached security in a very fragmented way. We tended to split data security from physical [security]," he said. Since then, the firm has come to see both physical and cybersecurity as parts of the same issue.

Financial services as a whole have unified their approach, according to Williams. Fidelity has integrated itself more closely with financial services firms, smaller banks, and other institutions, he said.

"We're operating more as an industry and less as a collection of firms," he said. "And with that, industry is now better connected to government."

Over the past couple of years, financial trade associations, including the Securities Industry Association, the Investment Company Institute, "and a dozen other trade associations," have consolidated their efforts to interact with government through a new group they formed called the Financial Services Sector Coordinating Council, he said. Meanwhile, government agencies and regulators have also been consolidating power.

"Instead of there being hundreds of us talking at once and getting nothing done, we've become much more tightly integrated," said Williams of Fidelity.

Fidelity plans to sustain its high level of investment in security, he said. "It takes a pretty good bite out of our bottom line," he said. "We do it because we think it will offer us some payback."