First: Define critical infrastructure

Share this article:
Information sharing grows up
Information sharing grows up

At a recent U.S. House Financial Services subcommittee hearing on cyber threats affecting capital markets and corporate accounts, several industry experts detailed how cyber crimes represent a significant danger to the long-term national and economic security of the United States or any nation targeted for attack. During my testimony, I urged Congress to enhance collaboration and data sharing among the public and private sectors to ensure that all available resources are working in concert to protect and defend the financial sector.

While many of the attacks launched against the sector thus far have been limited in scope, cyber criminals are increasing their technological sophistication at a rapid pace – and their attempts to initiate denial-of-service attacks on the public websites of consumer banks, credit card processors and stock exchanges have the potential to produce system-wide impacts. 

The key question for the industry and policymakers is: How do we prioritize and balance risk-mitigation efforts focused on preventing an attack that could damage or destroy a key portion of the financial system's critical infrastructure against the relatively low frequency to date of impactful attempts of this nature? 

However, before this question can be answered, consensus needs to be developed around how critical infrastructure is defined.

Current law describes critical infrastructure as “systems and assets, whether physical or virtual...” The translation of this broad definition into actual “systems or assets” is an important part of the ongoing dialogue between the industry and policymakers. It is essential to determining where extra protections are needed – and just as importantly, where they are not. The definition must be narrow enough to cover the key components of the infrastructure so that investment in mitigation initiatives is properly focused. 

The Financial Services Sector Coordinating Council (FSSCC) is actively working to develop a process for defining critical infrastructure for the financial sector. This is a priority because recent federal cyber crime legislation leaves it to the agencies to make that determination. It is essential that the industry play a leading role in this process to help shape new federal policy.

The expectation is that this effort will create a framework for the industry to more accurately define what is critical infrastructure. It will also help ensure that the unique needs of the financial sector are identified while avoiding a one-size-fits-all approach. Most importantly, it will empower industry participants to have a greater hand in strengthening our collective defenses against cyber attack.

»The FSSCC is working to...
...define the key functions performed within the financial sector and determine the importance of each of those functions against the impact they will generate.

»Measurable assets
The council, on behalf of the financial vertical, is also quantifying how much of a sector function is performed in an individual “system or asset,” says Clancy.

»Targeting financial sector
Clancy says he was heartened by the level of support among members of the House Financial Services subcommittee to find solutions to the growing problem of attacks. 

»Keeping money flowing
The Depository Trust & Clearing Corp. (DTCC) is a non-commercial cooperative that serves as the critical infrastructure for capital markets globally and in the United States.

Share this article:

Sign up to our newsletters

More in Opinions

Unfair competition: Proactive preemption can save you from litigation

Unfair competition: Proactive preemption can save you ...

With each job change, the risk that the new hire will bring confidential information or trade secrets with him or her to the new company grows.

Hackers only need to get it right once, we need to get it right every time

Hackers only need to get it right once, ...

Hackers only need to find one weak point to steal valuable information. On the flip side, security pros need to account for every possible scenario.

Successful strategies for continuous response

Successful strategies for continuous response

While it isn't realistic for organizations to expect that it will never happen to them, a rapid, professional and continuous response can limit their scope and reputational impact.