Treasury Secretary warns of cyber threats to financial sector

Treasury Secretary Jacob Lew warned of the dangers of cyberattacks on the financial sector in a July 16 speech in New York City, calling the cyber defense of businesses and government "a central test for all of us going forward."

"When credit card data is stolen, it disturbs lives and damages consumer confidence. When trade secrets are robbed, it undercuts America's businesses and undermines U.S. competitiveness," Lew said. "And successful attacks on our financial system would compromise market confidence, jeopardize the integrity of data and pose a threat to financial stability."

Private firms are primarily responsible for protecting themselves against cyber threats, but government can help by prosecuting cyber criminals, holding "state-sponsored attackers accountable and [providing] critical intelligence about specific threats and to share best practices," he said.

Hackers have already taken aim at the U.S. financial sector, notably in September 2012 when several big banks were hit by distributed denial-of-service attacks. Then-National Security Agency Director Gen. Keith Alexander warned last year that a foreign nation could cripple America’s financial system with a cyberattack.

More than 250 DDOS attacks have hit U.S. banks and credit unions since 2011, Lew said.

"Cyberattacks on our financial system represent a real threat to our economic and national security, but a malicious cyber actor can cause catastrophic damage to our financial system without directly attacking a bank," he said.

"Risks to the system can be found at the vendors, suppliers and contractors who keep our financial system running," Lew added, referencing the hacking last year of billing information for tens of millions of Target customers. Hackers allegedly breached Target’s computer network through a heating and air conditioning contractor.

Lew beseeched financial services firms and vendors that serve them to use the Obama administration’s framework document for managing cyber risk for critical infrastructure. "Just as you consider your counter-parties when you take on financial risk, you should also consider your counter-parties in the area of cyber risk," he advised.

Lew joined a chorus of administration officials calling on Congress to pass a cybersecurity bill to bolster public-private information sharing of threats and to protect firms from liability for sharing such information.

"As it stands, our laws do not do enough to foster information sharing and defend the public from digital threats," Lew argued.

Experts have credited a $2 million grant from the Treasury Department in 2003 for boosting the effectiveness of the Financial Services Information Sharing and Analysis Center, a forum for banks and other financial firms to share cyber-threat information. In his speech, Lew highlighted a complementary tool available to the financial sector: a working group of cyber experts set up by the Treasury Department that feeds threat information to banks.

The Treasury secretary visited Verizon Enterprise Solutions' office in Ashburn, Va., on July 15 for a private briefing on cyber threats with Verizon executives. Lew then toured the telecom subsidiary’s network operations center, stopping for a minute to tell reporters, "we've made a lot of progress, but we still have work to do to make sure that our systems are all safe from cyber threats. It's a very important challenge that we face economically, and in terms of our security."

Michael Maiorana, a senior vice president of Verizon Enterprise Solutions who met with the Treasury secretary, said his main message to agency heads like Lew is that “their networks are under constant attack.” Federal chief technology and information security officers routinely come to VES’s sprawling Ashburn facility for detailed cybersecurity briefings, he said.