‘Cyber Armageddon’? Worried NY Fed unveils infosec big hitters
Sarah Dahlgren, executive vice president of the New York Fed’s Financial Institution Supervision Group, announced the creation of the bank’s cybersquad in a speech Tuesday in Manhattan.
“While cybersecurity has been on our agenda for quite some time, and we have been dedicating resources to assessing it in large complex firms and setting expectations for smaller firms, we have elevated our efforts in recent months and have formed a dedicated team focused on further strengthening our overall supervisory approach to cybersecurity,” Dahlgren told an audience at the OpRisk North America Annual Conference on Broadway.
On the heels of high-profile cyberattacks, such as last year’s assault on the computer network of Sony Pictures Entertainment, and as fears mount of a so-called “cyber Armageddon,” Dahlgren said that she’s grown wary of the bank’s own ability to fend off attacks.
“I am often asked about my list of ‘things that keep me awake at night,’ and I think it’s fair to say that cybersecurity is at the top of that list,” Dahlgren said, according to a copy of her prepared remarks.
The “interconnectedness of firms” within the finance sector remains a major problem, Dahlgren said, despite years of debate and discussion concerning what could come of a cyberattack waged against Wall Street.
“During the last financial crisis, we began to get a glimpse into the challenges faced as a result of interconnectedness and systemic failures,” she said. “Years later, we are still faced with some of the same challenges, with only a limited view into the true complexities behind how firms are linked, connected, and ultimately intertwined to form the fabric of the financial industry.”
“While we have begun to address other areas of systemic risk, I feel the industry as a whole is just beginning to scratch the surface of the potential system-wide impact of a significant cyberattack,” she said.
In order to keep the NY Fed on top of any potential attacks, the bank has promoted its former information security officer, Roy Thetford, to lead its new cybersquad, Dahlgren said. In that role, he’ll “establish a new risk-based cybersecurity assessment framework” as the bank begins to collaborate with security experts, other financial institutions, law enforcement and third-party service providers to prevent any holes from opening with the “interconnectedness” that has increased in the digital age. Thetford joined the NY Fed in 2006, and previously worked as the infosec director for Progressive Insurance.
Benjamin Lawsky, New York State’s superintendent of financial services, said in a speech at Columbia Law School last month that a successful hack against Wall Street posed the possibility of “creating a run or panic that spills over into the broader economy,” according to Quartz.
That same month, National Security director James Clapper downplayed concerns of how debilitating such an attack might be.
“Cyber threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact,” according to Clapper’s “Worldwide Threat Assessment of the US Intelligence Community” report handed to Congress last month. “Rather than a ‘Cyber Armageddon’ scenario that debilitates the entire US infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyberattacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security,” the report said.
According to a Foreign Policy report from last year, the National Incident Response Team, or NIRT, currently is tasked with protecting the Federal Reserve System’s main networks and systems.
"If a member bank gets compromised or there’s a breach, we make sure it didn’t affect the Fed," a former NIRT member explained to the outlet. "We’ll look at our systems and make sure we weren’t penetrated and that there was no exfiltration."
The former NIRT member, who was not named by FP, described a hypothetically successful attack against the Fed’s network as being “a shit-your-pants type of emergency.”
Earlier this month, the Senate Intelligence Committee voted 14-1 to advance a cybersecurity bill meant to expand information-sharing between the private sector and the government. The panel’s vote came months after a dozen groups, including the American Bankers Association, Securities Industry and Financial Markets Association (SIFMA) and Credit Union National Association, asked Congress to pass legislation that would give the government’s cybersecurity experts increased access to the financial sector’s networks in order to prevent potential attacks.