The Phnom Penh Post

War rooms helping fight cybercrimes

- Stacy Cowley

IN A bunker in Missouri, a wall of monitors tracked incoming attacks – 267,322 in the last 24 hours, according to one hovering dial, as a dozen analysts stared at screens filled with snippets of computer code.

Overseeing the stream of warnings was a former Delta Force soldier who fought in Iraq and Afghanistan before shifting to a new enemy: cyberthieves.

“This is not that different from terrorists and drug cartels,” Matt Nyman, the command centre’s creator, said as he surveyed his squadron of Mastercard employees. “Fundamentally, threat networks operate in similar ways.”

Cybercrime is one of the world’s fastest-growing and most lucrative industries. At least $445 billion was lost last year to cybercrime, up 30 percent from three years earlier, a global economic study found, and the US Treasury Department recently designated cyberattacks as one of the greatest risks to the US financial sector.

Former government cyberspies, soldiers and counterintelligence officials dominate the top ranks of banks’ security teams. They’ve brought to their new jobs the tools used for national defence: combat exercises, intelligence hubs modelled on those used in counterterrorism work and threat analysts who monitor the web’s corners.

At Mastercard, Nyman oversees the company’s new fusion centre, a term borrowed from the US Department of Homeland Security. After the attacks of September 11, 2001, the agency set up scores of such centres to coordinate federal, state and local intelligence-gathering. The approach spread throughout the government.

Then at least a dozen banks grabbed the playbook, opening fusion centres, and more are in the works. Fifth Third Bank is building one in its Cincinnati headquarters, and Visa, which created its first two years ago in Virginia, is developing two more. Having their own intelligence hives, the banks hope, will help them better detect patterns in all the data amassed.

The centres also have a symbolic purpose. Having a literal war room reinforces the reality. Fending off thieves has always been a priority, but the arms race has escalated rapidly.

Alfred Kelly, Visa’s CEO, is “completely paranoid” about the subject, he told investors at a conference in March.

The military sharpens soldiers’ skills with large-scale combat drills, which send troops into the field to test their tactics and weaponry. The financial sector created its own version: Quantum Dawn, a biennial simulation of a catastrophic cyberstrike.

In the latest exercise in November, 900 participants from 50 banks, regulators and law enforcement agencies role-played their response to an industrywide infestation of malware that first corrupted, and then blocked, all outgoing payments from the banks. Throughout the two-day test, the organisers lobbed in new threats every few hours, like denial-of-service attacks that knocked the banks’ websites offline.

The first Quantum Dawn, in 2011, was a lower-key gathering. Participants huddled in a conference room to talk through a mock attack that shut down stock trading. Now, it is a live-fire drill. Each bank spends months in advance recreating its internal technology on an isolated test network, a so-called cyber range, so that its employees can fight with the actual tools and software. The company that runs their virtual battlefield is a Defense Department contractor.

Sometimes, the tests expose important gaps. A series of cyber drills coordinated by the Treasury Department, called the Hamilton Series, raised an alarm three years ago. An attack on Sony, attributed to North Korea, had recently exposed sensitive emails and data, and, in its wake, demolished swaths of Sony’s internet network.

If something similar happened at a bank, especially a smaller one, regulators asked, would it be able to recover? Those in the room for the drill came away uneasy.

“There was a recognition that we needed to add an additional layer of resilience,” said John Carlson, the chief of staff for the Financial Services Information Sharing and Analysis Center.

Soon after, the group began building a new fail-safe, called Sheltered Harbor, which went into operation last year. If one member of the network has its data compromised or destroyed, others can step in, retrieve its records and restore basic customer account access within a day or two. It has not yet been needed, but nearly 70 percent of America’s deposit accounts are now covered by it.

The largest banks run dozens of internal attack simulations each year, to smoke out their vulnerabilities and keep their first responders sharp.

“It’s the idea of muscle memory,” said Thomas J Harrington, Citigroup’s chief information security officer, who spent 28 years with the FBI.

What everyone in the finance industry is afraid of is a repeat of the data breach that hit Equifax last year. Hackers stole personal information, including Social Security numbers, of more than 146 million people. The attack cost the company’s CEO and other top managers their jobs. Who stole the data is still not publicly known.

It is Nyman’s job to make sure that does not happen at Mastercard. Walking around the company’s fusion centre, he describes the team’s work using military slang. Its focus is “left of boom”, he said – referring to the moments before a bomb explodes. By detecting vulnerabilities, the analysts aim to head off an Equifax-like explosion.

But the attacks keep coming. As he spoke, the dial displayed over his shoulder registered more assaults on Mastercard’s systems. The total so far this year exceeds 20 million.

Employees at Mastercard’s ‘fusion centre’ in O’Fallon, Missouri, on February 16. WHITNEY CURTIS/THE NEW YORK TIMES
