First: Define critical infrastructure
Information sharing grows up
At a recent U.S. House Financial Services subcommittee hearing on cyber threats affecting capital markets and corporate accounts, several industry experts detailed how cyber crimes represent a significant danger to the long-term national and economic security of the United States or any nation targeted for attack. During my testimony, I urged Congress to enhance collaboration and data sharing among the public and private sectors to ensure that all available resources are working in concert to protect and defend the financial sector.
While many of the attacks launched against the sector thus far have been limited in scope, cyber criminals are increasing their technological sophistication at a rapid pace – and their attempts to initiate denial-of-service attacks on the public websites of consumer banks, credit card processors and stock exchanges have the potential to produce system-wide impacts.
The key question for the industry and policymakers is: How do we balance risk-mitigation efforts aimed at preventing an attack that could damage or destroy a key portion of the financial system's critical infrastructure against the relatively low frequency, to date, of impactful attempts of this nature?
However, before this question can be answered, consensus needs to be developed around how critical infrastructure is defined.
Current law describes critical infrastructure as “systems and assets, whether physical or virtual...” The translation of this broad definition into actual “systems or assets” is an important part of the ongoing dialogue between the industry and policymakers. It is essential to determining where extra protections are needed – and just as importantly, where they are not. The definition must be narrow enough to cover the key components of the infrastructure so that investment in mitigation initiatives is properly focused.
The Financial Services Sector Coordinating Council (FSSCC) is actively working to develop a process for defining critical infrastructure for the financial sector. This is a priority because recent federal cyber crime legislation leaves it to the agencies to make that determination. It is essential that the industry play a leading role in this process to help shape new federal policy.
The expectation is that this effort will create a framework for the industry to more accurately define what is critical infrastructure. It will also help ensure that the unique needs of the financial sector are identified while avoiding a one-size-fits-all approach. Most importantly, it will empower industry participants to have a greater hand in strengthening our collective defenses against cyber attack.