First: Define critical infrastructure

Share this article:
Information sharing grows up
Information sharing grows up

At a recent U.S. House Financial Services subcommittee hearing on cyber threats affecting capital markets and corporate accounts, several industry experts detailed how cyber crimes represent a significant danger to the long-term national and economic security of the United States or any nation targeted for attack. During my testimony, I urged Congress to enhance collaboration and data sharing among the public and private sectors to ensure that all available resources are working in concert to protect and defend the financial sector.

While many of the attacks launched against the sector thus far have been limited in scope, cyber criminals are increasing their technological sophistication at a rapid pace – and their attempts to initiate denial-of-service attacks on the public websites of consumer banks, credit card processors and stock exchanges have the potential to produce system-wide impacts. 

The key question for the industry and policymakers is: How do we prioritize and balance risk-mitigation efforts focused on preventing an attack that could damage or destroy a key portion of the financial system's critical infrastructure against the relatively low frequency to date of impactful attempts of this nature? 

However, before this question can be answered, consensus needs to be developed around how critical infrastructure is defined.

Current law describes critical infrastructure as “systems and assets, whether physical or virtual...” The translation of this broad definition into actual “systems or assets” is an important part of the ongoing dialogue between the industry and policymakers. It is essential to determining where extra protections are needed – and just as importantly, where they are not. The definition must be narrow enough to cover the key components of the infrastructure so that investment in mitigation initiatives is properly focused. 

The Financial Services Sector Coordinating Council (FSSCC) is actively working to develop a process for defining critical infrastructure for the financial sector. This is a priority because recent federal cyber crime legislation leaves it to the agencies to make that determination. It is essential that the industry play a leading role in this process to help shape new federal policy.

The expectation is that this effort will create a framework for the industry to more accurately define what is critical infrastructure. It will also help ensure that the unique needs of the financial sector are identified while avoiding a one-size-fits-all approach. Most importantly, it will empower industry participants to have a greater hand in strengthening our collective defenses against cyber attack.

»The FSSCC is working to...
...define the key functions performed within the financial sector and determine the importance of each of those functions against the impact they will generate.

»Measurable assets
The council, on behalf of the financial vertical, is also quantifying how much of a sector function is performed in an individual “system or asset,” says Clancy.

»Targeting financial sector
Clancy says he was heartened by the level of support among members of the House Financial Services subcommittee to find solutions to the growing problem of attacks. 

»Keeping money flowing
The Depository Trust & Clearing Corp. (DTCC) is a non-commercial cooperative that serves as the critical infrastructure for capital markets globally and in the United States.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in Opinions

Heartbleed, Shellshock and POODLE: The sky is not falling

Heartbleed, Shellshock and POODLE: The sky is not ...

While it may seem like 2014 is the year of the vulnerability, in reality, this year has not been much different than years past.

Technology alone isn't going to secure IoT connected devices

Technology alone isn't going to secure IoT connected ...

It's clear that vulnerabilities continue to exist, despite our best efforts to combat them. In fact, we have addressed many of the same problems before.

DDoS is the new spam...and it's everyone's problem now

DDoS is the new spam...and it's everyone's problem ...

As new solutions emerge, it's critical for organizations to protect themselves by being informed, aware, and acting whenever possible. Those that don't take action are playing a very dangerous game.