Dayton Daily News

Banks try military tactics on cybercrime

Ex-federal cyberspies, soldiers, others fill top ranks in bank security.

- Stacy Cowley

O’FALLON, MO. — In a windowless bunker in this St. Louis suburb, a wall of monitors tracked incoming attacks — 267,322 in the last 24 hours, according to one hovering dial, or about three every second — as a dozen analysts stared at screens filled with snippets of computer code.

Pacing around, overseeing the stream of warnings, was a former Delta Force soldier who fought in Iraq and Afghanistan before shifting to a new enemy: cyberthieves.

“This is not that different from terrorists and drug cartels,” Matt Nyman, the command center’s creator, said as he surveyed his squadron of Mastercard employees. “Fundamentally, threat networks operate in similar ways.”

Cybercrime is one of the world’s fastest-growing and most lucrative industries. At least $445 billion was lost last year, up around 30 percent from just three years earlier, a global economic study found, and the Treasury Department recently designated cyberattacks as one of the greatest risks to the U.S. financial sector. For banks and payment companies, the fight feels like a war — and they are responding with an increasingly militarized approach.

Former government cyberspies, soldiers and counterintelligence officials now dominate the top ranks of banks’ security teams. They have brought to their new jobs the tools and techniques used for national defense: combat exercises, intelligence hubs modeled on those used in counterterrorism work and threat analysts who monitor the internet’s shadowy corners.

At Mastercard, Nyman oversees the company’s new fusion center, a term borrowed from the Department of Homeland Security. After the attacks of Sept. 11, 2001, the agency set up scores of fusion centers to coordinate federal, state and local intelligence-gathering. The approach spread throughout the government, with fusion centers used for fighting disease outbreaks, wildfires and sex trafficking.

Then banks grabbed the playbook. At least a dozen of them, from giants like Citigroup and Wells Fargo to regional players such as Bank of the West, have opened fusion centers in recent years, and more are in the works. Fifth Third Bank is building one in its Cincinnati headquarters, and Visa, which created its first two years ago in Virginia, is developing two more, in Britain and Singapore. Having their own intelligence hives, the banks hope, will help them better detect patterns in all the data they amass.

The centers also have a symbolic purpose. Having a literal war room reinforces the new reality. Fending off thieves has always been a priority — it is why banks build vaults — but the arms race has escalated rapidly.

Cybersecurity has, for many financial company chiefs, become their biggest fear, eclipsing issues like regulation and the economy.

Alfred Kelly Jr., Visa’s chief executive, is “completely paranoid” about the subject, he told investors at a conference in March. Bank of America’s Brian Moynihan said his cybersecurity team is “the only place in the company that doesn’t have a budget constraint.” (The bank’s chief operations and technology officer said it is spending about $600 million this year.)

The military sharpens soldiers’ skills with large-scale combat drills that send troops into the field to test their tactics and weaponry. The financial sector created its own version: Quantum Dawn, a biennial simulation of a catastrophic cyberstrike.

In the latest exercise in November, 900 participants from 50 banks, regulators and law enforcement agencies role-played their response to an industrywide infestation of malicious malware that first corrupted, and then entirely blocked, all outgoing payments from the banks. Throughout the two-day test, the organizers lobbed in new threats every few hours, like denial-of-service attacks that knocked the banks’ websites offline.

The first Quantum Dawn, back in 2011, was a lower-key gathering. Participants huddled in a conference room to talk through a mock attack that shut down stock trading. Now, it is a live-fire drill. Each bank spends months in advance re-creating its internal technology on an isolated test network, a so-called cyber range, so that its employees can fight with their actual tools and software. The company that runs their virtual battlefield, SimSpace, is a Defense Department contractor.

Sometimes, the tests expose important gaps.

A series of smaller cyberdrills coordinated by the Treasury Department, called the Hamilton Series, raised an alarm three years ago. An attack on Sony, attributed to North Korea, had recently exposed sensitive company emails and data, and, in its wake, demolished huge swaths of Sony’s internet network.

If something similar happened at a bank, especially a smaller one, regulators asked, would it be able to recover? Those in the room for the drill came away uneasy.

“There was a recognition that we needed to add an additional layer of resilience,” said John Carlson, chief of staff for the Financial Services Information Sharing and Analysis Center, the industry’s main cybersecurity coordination group.

Soon after, the group began building a new fail-safe, called Sheltered Harbor, which went into operation last year. If one member of the network has its data compromised or destroyed, others can step in, retrieve its archived records and restore basic customer account access within a day or two.

It has not yet been needed, but nearly 70 percent of America’s deposit accounts are now covered by it.

The largest banks run dozens of their own, internal attack simulations each year, to smoke out their vulnerabilities and keep their first responders sharp.

“It’s the idea of muscle memory,” said Thomas Harrington, Citigroup’s chief information security officer, who spent 28 years with the FBI.

TONY LUONG / THE NEW YORK TIMES Customers practice responding to a mock data breach at IBM’s cyber range in Cambridge, Mass., earlier this year. At least $445 billion was lost last year to cybercrime.
Matt Nyman is a veteran who created Mastercard’s “fusion center” in O’Fallon, Mo.
