BankInfoSecurity.com

"There are at least a couple challenges created by mobile-phone activity," says Greg Rattray, the new head of security for BITS, a division of The Financial Services Roundtable.

Rattray, who joined BITS in September, says as more financial transactions and channels such as mobile emerge, Internet strains and security have to be addressed. "The thing that we're increasingly concerned about is the nature of these (mobile) devices," he says, "and whether they can be properly secured so that we can enable people to use mobile banking."

A core challenge: Open architecture and the software that drives mobile phones. "Thankfully, we do not see a lot of exploits focused on mobile devices," Rattray says. "But I think most security experts would concur that's because, up until this point in time, we've not seen rapid use of mobile devices for purposes that would involve being able to access personal data or financial information." As mobile banking becomes more widespread and sophisticated, so, too, will the malicious attacks aimed at exploiting mobile devices. "We need to stay out in front of that curve," Rattray says.

As the industry continues to better understand and apply existing standards and regulations to emerging banking channels, regulators and entities such as BITS are opening dialogues to hone in on security. "Are there specific regulatory concerns or regimes that will be built up around those sorts of new evolutions within the technology of the Internet?" Rattray asks. "The regulators trust the industry to the degree that they would like to continue to apply existing regulatory regimes, but make sure the banks take into account the new nature of some of these technologies and apply the appropriate controls."

During this exclusive interview, Rattray discusses:

• The role regulators play in security mandates;
• How the growing domain name system poses security challenges; and
• How BITS aims to address growing technical concerns surrounding the online and mobile channels.

Rattray is the senior vice president of security for BITS' Security Program, where he oversees the development of strategies to secure infrastructures, products and services. Before joining BITS in September, Rattray served as the Chief Internet Security Advisor for ICANN, the Internet Corporation for Assigned Names and Numbers, and was a founding partner at Delta Risk LLC, a cyberdefense, resiliency and risk management consulting firm. While at ICANN, Rattray worked with BITS and other Roundtable staff and members as the industry developed recommendations for the global domain expansion program.

Before ICANN and Delta Risk, Rattray served 23 years in the United States Air Force and worked as Director for Cyber Security on the National Security Council. He also served on the President's Critical Infrastructure Protection Board, where he contributed to the National Strategy to Secure Cyberspace. He is a member of the Council on Foreign Relations, a member of the Cyber Conflict Studies Association Board, and is involved with the Armed Forces Communications and Electronics Association. Rattray holds a master's degree in public policy from Harvard University and a Ph.D. in international affairs from Tufts University. He also is the author of "Strategic Warfare in Cyberspace."

Rattray: A New BITS Voice

TRACY KITTEN: Greg Rattray is the new head of security for BITS, a technology policy division of the Financial Services Roundtable. Greg, before we get started, could you give a little background about your position and the experience you bring to the new position, and how you expect your background to help in your new role at BITS.

GREG RATTRAY: The position here that I've just recently taken, and taken over from Paul Smocer, who has been the senior vice president for security at BITS, is really one of collaborating with the BITS membership and, more broadly, the industry as whole, in understanding the security challenges that face the industry, particularly with a technical focus. Then, working with the industry to make sure that we're effectively mitigating the risks and then having a chance to talk about what some of those key challenges and approaches for mitigating the risks are.