全球智库信息集成服务系统

The National Security Implications of Cyber Attacks Against the Financial Sector

The U.S. economy is susceptible to offensive operations carried out by national security adversaries in cyberspace. States and highly capable nonstate actors are causing increasing strategic concerns, reflecting a deeper appreciation of the national security—rather than solely criminal—dimensions of the cyber challenge. In February 2018, the director of national intelligence and heads of the National Security Agency, Central Intelligence Agency, and the Federal Bureau of Investigation warned in congressional testimony that cyber attacks perpetrated by foreign adversaries represent one of the greatest national security concerns and the top priority of the intelligence community. Director of National Intelligence Dan Coats proclaimed that the U.S. was “under attack.”

The U.S. government has focused on defending government networks and developing offensive capabilities to counter adversaries in cyberspace. However, the U.S. economy remains highly vulnerable to cyber attacks carried out by foreign threat actors. While this challenge spans many facets of the U.S. economy, this working paper focuses on cyber threats to the financial sector, especially to so-called Section 9 firms that are critical for the stability of the financial sector as a whole.¹

Given the evolution of the threat landscape, foreign threats to the U.S. financial sector in cyberspace should be conceptualized as a national security challenge. The U.S. government has made important strides in identifying the problem, developing the authorities that could justify deeper operational collaboration with the financial sector, and taking initial steps toward collaboration. However, implementation remains mired in stale models of information sharing, occasional low-context “tear lines” (separating intelligence approved for release from that which remains classified), and irregular classified briefs. A well-conceptualized, comprehensive, and fully resourced plan for deep operational collaboration between the government and critical infrastructure is needed to address the scope and scale of the challenge.

This working paper presents a comprehensive proposal for conceptualizing and implementing operational collaboration between the U.S. government and critical elements of the financial sector to defend against significant cyber threats. In particular, prioritized intelligence collection against sector-specific threats, side-by-side analytic collaboration between government and private sector analysts, fully articulated playbooks, routinized exercising of playbooks, and the development of organizational connective tissue between the sector and government would substantially enhance defense in cyberspace of a key sector of the U.S. economy.

Several key considerations are worth highlighting up front:

• Because private entities own and operate most of the financial sector’s critical infrastructure that would be targeted by foreign adversaries for strategic purposes, the government and Section 9 firms must collaborate as partners to defend this aspect of the U.S. homeland in cyberspace.
• Implementing a truly collaborative relationship between Section 9 firms in the financial sector and the U.S. government faces important hurdles that need to be acknowledged and addressed. For instance, the multinational nature of many companies raises potential tensions between U.S.-based firms with global financial interests and the U.S. government. This creates challenges for sharing sensitive national security information.
• Stakeholders on both sides should consider the potential unintended consequences of deepening cooperation between the U.S. government and Section 9 firms on national security issues in cyberspace. The cooperation may inadvertently produce escalatory dynamics or justify retaliatory attacks against the financial sector.
• Extending these recommendations to other sectors of the U.S. economy requires considering the distinctive needs of each sector. Although there are elements that could be replicated across other sectors, this working paper presents a proposal specifically directed at collaboration between the financial sector and the U.S. government.

The paper first analyzes the nature of the national security challenge and discusses existing efforts by the government and financial sector to confront it. Next, it presents a case for deepening operational collaboration between the government and the sector based on existing authorities. Then, it proposes specific policy recommendations that could be implemented to improve defense of the financial sector against cyber-related national security threats. Subsequently, it articulates how these recommendations could be implemented from an organizational perspective. Finally, the paper concludes by presenting avenues for future efforts.  

A Growing National Security Challenge

There is a long history of criminal entities targeting the financial sector via cyberspace for the purposes of economic gain. Policymakers have developed robust programs to confront criminal behavior in cyberspace, ranging from congressional legislation through the 1984 Computer Fraud and Abuse Act to extensive law enforcement efforts to investigate cyber crime in close collaboration with the private sector, such as the National Cyber Investigative Joint Task Force (NCIJTF). However, identifying economic espionage and theft as the only challenges stemming from cyberspace for the financial sector risks marginalizing the potentially significant threats posed by foreign adversaries seeking to inflict damage on the U.S. economy for political objectives or to lay the foundations for future attacks. 

In recent years, the threat landscape has evolved to encompass not only criminal or profit-motivated actors but also state and nonstate actors leveraging cyberspace to target financial institutions. The use of cyberspace for national security–related objectives ranges from the merely provocative, such as defacing websites or hijacking social media accounts, to cyber operations in support of conventional military operations, to highly disruptive or even destructive attacks against a state’s critical infrastructure. In response, states have increasingly invested in developing cyber capabilities for strategic purposes. Perhaps the most notable example is the unanticipated pace of the evolution of North Korea’s offensive cyber capabilities, from relatively simple distributed denial of service (DDoS) attacks to malware attacks such as WannaCry in 2017.

Nation states, either directly or working through proxy actors, have already demonstrated a willingness and capability to target global financial services infrastructure. North Korean cyber attacks against the financial sector, for instance, are highly connected to the U.S. sanctions regime; Pyongyang has circumvented sanctions and funded its nuclear program through, among other things, a series of heists using SWIFT, a global messaging system, against the Bank of Bangladesh in 2016 and Taiwan’s Far Eastern Bank in 2017. The Iranian DDoS attacks against the U.S. financial sector between 2011 and 2013 and the North Korean attack against South Korean banks in 2013 are other notable examples. Beyond criminal entities, the actors targeting financial institutions are highly capable states, such as Russia, China, Iran, and North Korea, or proxy actors enabled by these governments.

The U.S. financial system is a target for foreign cyber adversaries for several reasons. First, the financial sector is one of the bedrocks of the U.S.—and global—economy. Significant disruptive or destructive attacks against the financial sector could have catastrophic effects on the economy and threaten financial stability. This could occur directly through lost revenue as well as indirectly through losses in consumer confidence and effects that reverberate beyond the financial sector because it serves as the backbone of other parts of the economy. For instance, cyber attacks that disrupt critical services, reduce confidence in specific firms or the market itself, or undermine data integrity could have systemic consequences for the U.S. economy.²

Second, after over two decades of global military leadership, cyberspace is the only domain of warfare in which the United States faces near-peer, or even peer, competitors. Put together, this makes the financial sector an exceptionally attractive target for adversaries because it provides them with an asymmetric advantage: targeting the financial sector in cyberspace is one of the few ways adversaries can directly challenge the United States, through significant and potentially catastrophic effects on the U.S economy.³ Thus, when a conventional confrontation is out of the question, rivals may prefer to target the “soft underbelly” and coerce the United States via cyber means.⁴

This risk is only likely to grow as the financial sector increasingly relies on digital infrastructure and financial technology, systems become more interconnected and processes become more automated, threat actors become more capable and adaptive, and geopolitical dynamics create motivations to disrupt the U.S. economy. However, the infrastructure of information and communications technology was not designed with security as a priority.

These risks are compounded by the international and interdependent nature of the global financial system. Specifically, U.S.-based firms that are essential to U.S. financial stability have interests and operations that span the world, creating an exceptionally large surface area of attack for foreign threat actors to challenge U.S. interests far from the homeland. Moreover, global financial interdependence also breeds global financial vulnerability. A U.S. financial institution designated to be “too big to fail” in cyberspace could be held at risk indirectly through cascading effects on the global financial system if foreign threat actors target financial institutions in foreign countries. In turn, the outsized role the United States plays in the global economy also implies that the stability and integrity of U.S. financial sector firms are critical to global financial stability. Therefore, properly resourcing the defense of U.S. Section 9 firms will have positive effects that extend beyond U.S. economic and national security.    

The Protective Gap

These kinds of attacks raise important questions about the sufficiency of existing plans and capabilities for defending elements of the private sector that have been designated as critical infrastructure against foreign adversaries. The U.S. government protects the private sector from physical threats—for example, ballistic missiles. But firms in the cyber realm currently bear the brunt of the defensive burden to protect their networks against sophisticated foreign states. Most private firms lack the capabilities (such as intelligence collection and offensive action) and expertise (such as expertise in campaign planning) to contend with advanced state adversaries. And for the more sophisticated ones, the government does not grant private entities the legal authority to engage in more proactive measures to defend their networks. While some of these capabilities are inherently governmental, it is likely that, if granted the authority, firms would invest even greater resources to enhance their capabilities.

This conundrum has prompted some within the private sector to advocate legalizing “active defense” or “hacking back,” which would loosen existing constraints on how firms can defend their networks and potentially even allow them to operate outside of their networks to contend with cyber threat actors.⁵ However, enabling these kinds of activities would create considerable risks for private entities in the United States, particularly because actions taken by private actors could result in unanticipated and undesirable responses by foreign adversaries. Indeed, the advocacy for more active defensive measures by some elements in the private sector underscores the gap between the significance of the problem and the measures currently in place.

The challenge is compounded by the insufficiency of a normative framework at the international level to limit harmful behavior.⁶ The most recent meeting of the United Nations Group of Governmental Experts (GGE) ended in failure in the summer of 2017, with representatives unable to agree on fundamental issues such as the extent to which international law applies to cyberspace.⁷ This was a significant regression from 2015, when the GGE achieved consensus on the application of international law to cyberspace as well as a voluntary norm against targeting civilian critical infrastructure. More promisingly, in 2016, the G7 states issued nonbinding principles regarding guidelines for protecting the financial sector against cyber attacks, which were reaffirmed in 2017. And, in 2017, the G20 states agreed to address cyber risks to the global financial services industry. However, mechanisms for actually operationalizing and enforcing these principles are poorly defined and fleshed out.

Overall, the current international environment presents uncertainty regarding the extent to which targeting a nation’s critical infrastructure would impose significant reputational or legal costs. Furthermore, the impact of previous efforts to deter or punish attacks against critical infrastructure in cyberspace, such as imposing sanctions or indicting individuals, remains ambiguous.

As the apparent threat to U.S. critical infrastructure stemming from highly capable and highly motivated cyber adversaries has grown over time, the U.S. government has appropriately framed the scope of its mission in cyberspace to include defending the nation against these threats. However, there are continuing gaps in authorities, policy, and capabilities that should be remedied.

The Status Quo: Existing Government Efforts and Authorities for Operational Collaboration With the Financial Sector

The government has made some important steps in conceptualizing foreign threats in cyberspace and in developing the authorities to confront it. A February 2013 executive order, Improving Critical Infrastructure Cybersecurity, identifies the cyber threat to critical infrastructure as “one of the most serious national security challenges we must confront.” It defines defense of critical infrastructure in cyberspace in explicitly national security and strategic terms, rather than solely criminal or economic ones. Section 9 of the executive order directs the secretary of homeland security to identify critical infrastructure at greatest risk. The Section 9 designation encompasses a subset of private sector firms designated by the U.S. government as owning or operating infrastructure where “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” This executive order focuses on institutionalizing mechanisms for information sharing and adopting a framework to mitigate cyber risk to critical infrastructure.

Information sharing has been the focus of the federal government’s initiatives to foster partnerships with the larger U.S. private sector (as distinguished from Section 9 firms that are classified as critical infrastructure). These initiatives were designed to distribute technical indicators useful for network defense as quickly and broadly as possible. For example, the Department of Homeland Security (DHS), the National Cybersecurity and Communications Integration Center, and the United States Computer Emergency Readiness Team automatically distribute indicators of compromise and threat information via Trusted Automated eXchange of Indicator Information, Structured Threat Information eXpression, and Automatic Indicator Sharing.

In April 2015, the U.S. Department of Defense (DOD) articulated the concept of “defending the nation” in cyberspace, moving beyond the previous framework of information sharing to reduce risk. According to the Department of Defense Cyber Strategy, one of the DOD’s three priority strategic goals for its cyber mission is to “defend the nation against cyberattacks of significant consequence.” This strategic objective is distinguished from only defending DOD networks and is therefore more encompassing in scope. The strategy document calls for working with the private sector in support of the “defend the nation” mission and identifies specific DOD functions that support this mission. These include developing intelligence and warning capabilities to anticipate threats and developing and exercising capabilities to defend the nation. Within the DOD, the Cyber National Mission Force (CNMF) is responsible for defending the nation’s critical infrastructure in cyberspace.

Presidential Policy Directive 41 (PPD-41) of July 2016 articulates principles for a federal response to cyber incidents involving either the government or private sector entities. This builds on Presidential Policy Directive 21 of February 2013, which stipulated the development of a national unity of effort, including the private sector, to ensure the security and resilience of critical infrastructure. Notably, PPD-41 expresses that “the private sector and government agencies have a shared vital interest in protecting the Nation from malicious cyber activity and managing cyber incidents and their consequences.”

U.S. President Donald Trump’s administration articulated in a May 2017 executive order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, that “it is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure.” The 2017 National Security Strategy explicitly identifies the financial sector as part of critical infrastructure to be protected from cyber threats. It states that the government will furnish owners and operators of critical infrastructure with the authorities, information, and capabilities to prevent cyber attacks; that the government will respond with “swift and costly consequences” to the latter if they occur; and, beyond information sharing, “expand collaboration with the private sector . . .  [to] better detect and attribute attacks.”

Continuing Gaps Hampering an Effective Response to Increasing Risks

Achieving a greater understanding of the threats facing Section 9 firms requires precise analytics that are best derived from focused, full-cycle, joint intelligence efforts. Information-sharing mechanisms between the government and the financial sector should be institutionalized and routinized, with clearly defined thresholds that would trigger the sharing of threat information. More critically, both the government and the private sector would benefit from contextual information and intelligence. From the private sector side, this would enable specific efforts to defend critical infrastructure networks being targeted by nation-state adversaries for their economic and national security value. From the government perspective, this would support more focused and relevant intelligence collection efforts—as allowed by existing authorities—and a deeper understanding of the adversary and the threat environment. 

As the designated Sector-Specific Agency for the financial sector, the Department of Treasury’s Office of Intelligence and Analysis (OIA) provides intelligence support to the sector. However, the agencies that would be coordinating and responding to an attack of consequence on financial institutions, such as the DHS and DOD, need to receive sector-specific intelligence collection and analysis that would enable that mission. In short, to effectively defend the nation, the government needs precise information from critical infrastructure owners and operators in the financial sector that would enable it to support government intelligence collection against foreign sector-specific threats. Without knowledge of the systems firms use, the structure of their networks, and the types of threats they face, government collection cannot possibly be properly focused and is likely to miss the most pertinent intelligence that would aid defenders.  

In light of this review, a more comprehensive executive order that specifically addresses defense of the nation in cyberspace would be useful to drive developing and exercising operational plans commensurate with the scope and nature of the threat and to mobilize the resources required for its successful implementation.⁸ To date, the 2015 DOD cyber strategy document offers the most robust articulation of the government’s active, operational role in confronting foreign adversaries targeting critical infrastructure. The 2017 National Security Strategy employs the term “collaboration” as well. Yet, a fully articulated vision for defending Section 9 firms in cyberspace, with the private sector and government actively working together in a shared effort, does not yet exist. Therefore, an executive order that comprehensively tackles this issue is important to address existing gaps.

A Proposal for Collaborative Defense of Section 9 Firms in Cyberspace

A comprehensive proposal for the collaborative defense of Section 9 firms against national security threats in cyberspace would have several components:

• The U.S. government should prioritize government intelligence collection against foreign national security threats to the financial sector, within existing intelligence collection authorities.
• Firms and the U.S. government should formalize and institutionalize mechanisms for intelligence collaboration so that firms can share pertinent information with the government, work with intelligence community analysts on assessing threats, and utilize the intelligence produced across classification levels.
• Leaders from both the government and the private sector should work together to develop implementable playbooks for collaborative defense of the private sector and define the resources required to successfully implement them. These playbooks should drive capability development and should be validated through exercises that feed back into informing further capability development and refinement of the playbooks.

Implementing all the components of this proposal would better enable the government and the private sector to be proactive, anticipate national security threats, and have actionable plans in place to protect and defend critical elements of the financial sector against a range of malicious actors, rather than waiting until an attack has already occurred.⁹ It is worth noting that this proposal represents an initial step toward contributing to broader financial stability in cyberspace that focuses on the relationship between the U.S. government and Section 9 firms. A more holistic effort that includes the broader financial sector and international partners could be explored in subsequent initiatives.

Prioritized Intelligence Collection

Section 9 firms have invested significant resources in developing cyber threat intelligence capabilities, controls to better protect their networks, and protocols for crisis management and incident response. Despite these efforts, they are hampered in network defense by an incomplete view of the adversary. Firms simply do not have the full range of intelligence collection authorities or capabilities that are necessary to support a robust defense of their networks and infrastructure against state-level adversaries. While the U.S. government possesses these authorities and capabilities, and the DOD strives to “defend the nation” in cyberspace, it lacks a deep understanding of cyber threats to the financial sector. Put simply, a program for routine side-by-side analytic efforts does not exist. Therefore, prioritized and sector-specific foreign intelligence collection and analysis in a collaborative environment is a critical first step toward an improved model to support defending critical infrastructure in cyberspace against national security threats. Without good intelligence, defenders are blind to the threats they face and operations will not be optimized to counter them.

Within the U.S. intelligence community, the National Intelligence Priorities Framework (NIPF) establishes the nation’s priority intelligence requirements and informs how the intelligence community allocates resources for intelligence collection and analysis. The U.S. president and national security advisor provide overall guidance for the most significant issues within the NIPF, with contributions by secretaries and cabinet-level department/agency heads. Integrating a standing Title 50 intelligence collection requirement into the NIPF would ensure that there is dedicated collection against national security threats to the financial sector.¹⁰ Without a prioritized effort within the NIPF, any intellig