Cyber Security: 'It's What We Don't Know that Worries Us' -- Interview with New and Outgoing Chairs of FSSCC
This is the message from the current and past chairmen of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC).
George Hender, outgoing FSSCC Chair, and new Chairman Shawn Johnson recently spoke with Information Security Media Group on some of the highlights of the council's work over the past two years, including the execution of the first national pandemic planning exercise for the financial services industry.
Johnson, who became FSSCC Chairman on June 26, lays out his vision for FSSCC's future direction, including a cyber-security test for the financial services industry. Johnson also is chairman of the Investment Committee of State Street Global Advisors (SSgA), the world's largest institutional asset manager, and Director of Institutional Fiduciary Services. He also oversees SSgA's private equity investments.
Q: George, looking back at your term as Chairman of FSSCC, what were some of the highlights of your tenure?
Hender: You have to go back and see why this organization was created. It stems back to the events around 9-11, which was an attack on our financial services industry and an attack on our government. The terrorists truly believed that the heads of Wall Street were housed in the Twin Towers, and they believed if they could kill the heads of Wall Street, that would destroy the financial structure of this country and destroy our economy. Shortly after 9-11, the President decided that even though the attack was centered on the financial services industry and the government, he wanted to set up some kind of a network of organizations to protect those organizations that are vital to the country -- those that if they didn't survive, the country wouldn't survive. The government went about setting up such organizations as FSSCC, which was under the direction of the Treasury department.
Now, the FSSCC is a group of more than 30 private-sector firms and financial trade associations that works to help reinforce the financial services sector's resilience against terrorist attacks and other threats to the nation's financial infrastructure. FSSCC works with the Department of Treasury, which has direct responsibility for infrastructure protection and homeland security efforts for the financial services sector, while also serving under the overall guidance of the Department for Homeland Security.
The Secretary of the Treasury decided that it wouldn't work if only government was involved; they saw the need to bring in the private sector to work with the public sector. The task was to keep the financial services industry from imploding from some event, whether localized or nationwide.
I was involved early on in FSSCC's work and then I became chairman. I went around and spoke to every one of the members to determine what our agenda should be, and what they think we should be focusing on.
Hurricanes Rita and Katrina and the Northeast Blackout had already happened before I took over the chairmanship. Those types of events were clearly on everyone's list; the threat of a pandemic was also on the list. These events really were our agenda, and FSSCC completed a number of exercises in the past two years to ensure our industry can operate in a crisis environment. FSSCC held one-day localized tests in major cities to see how well the financial services companies located there could handle events.
As the pandemic situation began to grow in importance in the industry and worldwide, a different kind of test was envisioned for the industry. We saw the pandemic test as a multi-week nationwide test with some international components to it. We were fortunate to get funding from Treasury so we could offer the test to a very wide audience. Some of the institutions are tiny, but we wanted them to participate, so with the funding, we didn't have to charge for it.
There was some nervousness when we sent out invitations to the firms asking them to participate. We were pleasantly surprised when we had more than 2,500 firms with 7,500 to 10,000 individuals take part in the three-week event. People participated from both the public and private sectors. (Pandemic Exercise Report Released; Calls for Enhanced Preparations)
Q: George, in your estimation, what is the overall preparation for a pandemic in our industry? Are we closer to being prepared?
Hender: I think when you do an exercise such as we did and you see the communication between the private and public sectors and the lessons that we learned, we are in better shape than before the test. That's not to say that if we had a full-blown pandemic break out today, where we're talking about 50 percent of the population being affected, there wouldn't be some consequences that the industry would have to deal with. But that's why we did the exercise and ramped up absenteeism to 50% to see where the stress points are and work around them. People have gone back to the drawing board with the information gathered during the exercise to rethink some of their plans based on what was found during the test.
There's no question we are in better shape, but if there is a full-blown pandemic, it will be tough for everyone in the country. I'll tell you it won't be business as usual; it will be a business of surviving and getting through it.
Q: Shawn Johnson, what will be some of your challenges as you come into this chairmanship?
Johnson: The cyber security issue in our industry -- in order to address it, we will need some genuine expertise. This means we will have to reach outside of our existing membership to owner/operators to get the skills we need. The critical areas have been identified by Treasury and other partners on the government side, and we will look to get those skill sets filled quickly. We're also going to have to deal with the transition in government here in the next six to eight months, and that may or may not be a big deal, but it is something we are certainly going to have to cope with. At this point, we have a tremendous working relationship with Treasury, but it could change based on who wins the election.
We are also broadening our membership. The FSSCC voted in a dozen owner/operators within the industry, and they will be asked to join the membership. Everyone that I have spoken to is interested in joining. With the addition of new members, we will be changing some of the internal infrastructure and organization of FSSCC, including the development of working groups to address specific issues.
The biggest area will be the cyber security issue. We feel pretty comfortable about the things we already know, but it's the things we don't know, the unknowns that worry us.
One of the reasons we are creating a working group just to look at cyber issues is to specifically try to understand the scope of the problem and get the appropriate resources focused on it, and that includes getting some people in the owner/operator community briefed at the appropriate levels to be made aware about the unknown cyber security issues. Then we can assess how vulnerable we are and how secure we are because of things we are doing already. We've had some interaction with some of the intelligence agencies. I have received a secret security clearance, and we will have more FSSCC members get their clearance in order to be able to sit in on intelligence briefings.
Q: Will there be a cyber security test similar to the national pandemic test in the future for the financial services industry?
Johnson: That is something we will have to decide, and it will be one of the things that comes out of this working group, which is made up of government and private sectors, with four separate work streams covering long-range planning, international issues such as persons traveling to China for the Olympics, and whether there will be any issues with, say, wireless communications. Is there any practical guidance that we can get through all the channels that it would have to be approved by, to brief the financial services community about what precautions they would have to take, say, if their CEO went to China to watch the diving competitions? If their CEO takes his BlackBerry with him, will someone be reading all of the communications?
Several workstreams like this are coming out of this working group that will address cyber security issues like the one I've just described.
The area of expertise that the intelligence agencies bring to the working group is different from what the financial services companies bring, and from what the regulatory agencies bring, and what we want to do is bring all of these groups together to craft a way forward. It may turn out that we will want to do a test similar to the one we did for the pandemic, or some subset of that and test only certain things. We already do a lot of testing in our industry in backup systems testing, and we do a lot of tests that relate to these types of issues.
There will be five different areas of focus moving forward -- policy, crisis management (incident response), intrasector communication, intersector communication and international issues. We are inherently global in our industry, so we have to look at whether we could be penetrated overseas in a way that would affect our services here in the US, especially in the outsourced work that our industry has placed in foreign countries.