Two years ago, when Mark Graff joined Nasdaq OMX Group as chief information security officer, he could find no list or directory of his counterparts at markets around the world. Having spent the previous nine years in a similar role at Lawrence Livermore National Laboratory, a research and engineering facility that is part of the U.S. national security apparatus, Graff was attuned to the high-tech threats any multinational financial enterprise faces and the defenses it needs to deploy. But among his new peers, there were no organized communications about incidents and vulnerabilities that the various trading infrastructures had in common or about measures to counteract them.
The exchange companies lacked what is known in the trade as information sharing, and Graff did something about it. He located other CISOs and brought a couple dozen of them together in what became, as of December, the World Federation of Exchanges (WFE) cybersecurity committee.
The committee, which Graff chairs, has not only put sharing mechanisms in place but is also representing organizations that appear to be remarkably forthcoming — both among themselves and to the outside public — regarding the problems they face. Their transparency contrasts sharply with other companies’ and industries’ inclination to keep potentially embarrassing security breaches under wraps, and it just may be a better way to go.
As malware has grown ever more potent and sophisticated, with frightening consequences — as in last fall’s theft of millions of credit card records from Target stores — private industry has struggled to keep pace in terms of communicating and acting on threat intelligence. The February 2014 release of the U.S. Framework for Improving Critical Infrastructure Cybersecurity, fulfilling a presidential executive order of a year earlier and commonly known as the NIST Framework, was designed to encourage exactly that sort of data gathering and sharing with government and within and across industries.
It is one thing to resist media coverage of an incident that might damage a victimized company’s reputation — a bullet that will be harder and harder to dodge, if Target is any indication. It is a different kind of affront to withhold from corporate peers information that could help prevent or mitigate a costly, even catastrophic, breakdown.
The financial industry turns out to be the grown-up when it comes to both disclosing to the public and sharing with industry peers. Since the Clinton administration designated financial services a critical infrastructure, U.S. banks, insurers, exchanges and others have participated in one of the oldest and most active of more than a dozen information sharing and analysis centers (ISACs). Crediting the FS-ISAC and the 12-year-old, public-private Financial Services Sector Coordinating Council, Graff says finance has long been considered “in the forefront of industrywide collaboration and cooperation.”
At a Securities and Exchange Commission cybersecurity roundtable in March, Larry Zelvin, director of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, addressed the private sector participants: “You people are ahead of the rest of the country. You are attacked a lot. You share information with the government. Other sectors can learn from financial services.” (Indeed, in the wake of the Target breach, it was banking trade groups and the Financial Services Roundtable that sprang into action and brought retailers into a new “cybersecurity partnership.”)
In the glare of the SEC spotlight, panelists — including Graff, Depository Trust & Clearing Corp. corporate information security officer Mark Clancy and BATS Global Markets CISO Aaron Weissenfluh — spoke unflinchingly about their attackers, necessary defenses and even the need to ponder what Clancy termed cybercontagion.
“How would we handle a systemic event?” asked the DTCC executive. “Between three minutes and 30 years from now, we will have one.”
Clancy said the “actors” can be described in four ways — criminal, hacktivist, espionagelike and warlike — the last three being of most present-day concern. That wouldn’t have been news to anyone familiar with a July 2013 joint WFE–International Organization of Securities Commissions working paper that catalogues cyber- and systemic risks to the markets and asserts that improved, global information sharing is essential because “cyber crime does not recognize state borders.”
The WFE’s effort is a variation on the ISACs’. An industry subsector — market infrastructures — sharing information on a global scale, it is uniquely positioned to demonstrate how forthrightness and vigilance go hand in hand.