Thursday, March 12, 2015

Futures Industry Girds for Cybersecurity Threats

By Lene Powell, J.D.

Former Senator Saxby Chambliss warned a futures industry conference that “nobody is immune” from cyberattacks, however big or small the firm, and that the enemy is very sophisticated. “You’d better have legal and technical advice” both before and in the aftermath of an attack, he advised. “Be prepared.”

In 2013, there were over 10 million cyber intrusions per day, resulting in a global cost of $445 billion, said Chambliss. The average cost to a firm of a cyber breach was $3.5 million.

As former Vice Chairman of the Senate Select Committee on Intelligence and Chairman of the Senate Agriculture Committee, Chambliss is uniquely positioned to advise the futures and derivatives industry of threats in this area. He is currently a partner at DLA Piper.

Cyberattacks. For a good overview, Chambliss said firms should read the most recent report by Mandiant, the cybersecurity firm. He also recommended a recent New York Times article about a massive bank robbery investigated by the Russian cybersecurity firm Kaspersky. In that crime, the criminals inserted malware into bank systems and patiently collected data over the course of many months, leading up to a synchronized attack in which ATMs suddenly began pouring out cash, which was then collected by the criminals. They also adjusted bank accounts to reflect much higher balances for a short period of time, then drained the money out of the accounts. The heist affected over 300 financial institutions in 50 to 60 countries, and the losses are approaching $1 billion, Chambliss said.

Ill-gotten gains are not always the aim of cyberattacks, Chambliss noted. The recent North Korean attack on Sony and the Iranian attack on the Sands Hotel in Las Vegas were game-changers, because these attacks were the first time that attackers sought to inflict intentional damage on computer systems. These attacks came close to an act of war, and the parameters of what constitutes an act of war need to be defined.

Government response. According to Chambliss, forty-seven states have breach notification laws—and strict penalties for not following them. Federal legislation on information-sharing is needed, and he and Senator Dianne Feinstein had agreed on a bill, but it was not taken up by the last Senate.

Chambliss said that a successful bill concerning information-sharing needs the following components to work:
  • Information-sharing must be voluntary;
  • Information must be available regardless of size of firm;
  • The framework must mesh with the framework established by the National Institute of Standards and Technology (NIST);
  • There must be a portal at the Department of Homeland Security, capable of processing data in real time;
  • There must be liability protection. If a firm acts in good faith, it must be protected from litigation;
  • Sharing must be permitted not only between the private sector and the federal government, but also between private firms, with no antitrust liability;
  • The system must be flexible.

Asked about “backdoors” introduced by our own government, Chambliss said a system with no backdoors is a mistake. The U.S. government needs to know what the bad guys are doing, without looking into the systems of the good guys any more than it needs to. The U.S. government has done a good job of that. The Chinese government is not necessarily as constrained, however, as it “wants to know everything.”

As to whether there should be some kind of FDIC-type system to indemnify or reimburse market participants for breaches that occur as a result of government-created backdoors, Chambliss said that was an interesting concept, but he has not heard any discussion about it.

CFTC approach. In a later session, CFTC Chairman Timothy Massad said the agency is “keenly” focused on cybersecurity and has incorporated it into core principles and made it a priority in examinations.

Massad said the CFTC cannot directly test firms’ systems due to limited resources, adding that many financial institutions spend more on cybersecurity than the agency’s entire budget. However, the agency is looking at whether the private companies that run core infrastructure, including exchanges and clearinghouses, are themselves adequately testing their cyber protections. The CFTC is holding a public staff roundtable on cybersecurity next week.

Exchange perspective. According to Jeffrey Sprecher, head of IntercontinentalExchange, a network of exchanges and clearinghouses including ICE and NYSE, it is important to thoroughly test systems. One issue that comes up is how to handle system backups: if you have a bug and you back up your system, you have just infected all your legacy data.

IntercontinentalExchange pays particular attention to risks posed by employees, going so far as to dock an employee’s pay if they fail a cybersecurity test.

“Your employees are keys, and they’re walking out the door every night,” said Sprecher.