Cybersecurity: A Collaborative EffortDomestic and International Organizations Need to Come Together
The Obama Administration's cybersecurity proposal requires collaboration among different financial-services providers, domestically and internationally. Leigh Williams, head of BITS, the technology policy division of The Financial Services Roundtable, says he's optimistic more collaboration will reap promising results.
"It requires a lot of people working together to make it happen," says the BITS president in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Williams says it's difficult to come up with a policy solution everyone will love. "But this is something that I think will work well for people who come to financial services from different angles," he says.
Williams spoke with members of the Senate and House this past June, explaining that BITS supports Obama's cybersecurity proposal. He mentioned that preventing data breaches will take a strong focus from the entire online ecosystem.
The five key points of the proposal that touch financial services are:
- Heightened penalties for computer crime;
- Breach notification, which Williams says should extend to all industries, not just banking;
- Critical infrastructure protection, which will give more authority to DHS;
- Working with federal systems;
- Limiting data center services to specific geographies, which for cloud vendors and data centers, is a real benefit, according to Williams.
"If, through associations or directly, institutions can provide some input, not just on what they like but on what they think needs to be polished or refined a little bit, that would be very helpful," Williams says.
In the interview, Williams discusses:
- The five primary sections of the Obama administration's proposal and the impact each section is expected to have on financial services across the board;
- Challenges regulators and private entities face when it comes to international cooperation;
- Why financial institutions should take an interest in cybersecurity legislation.
Williams is the president of BITS, the technology policy division of The Financial Services Roundtable, which focuses on improving operational practices and public policy in the financial sector. Before joining BITS in 2007, Williams was a senior fellow at Harvard's Kennedy School of Government, researching public and private sector collaboration in the governance of privacy and security. Williams also worked at Fidelity Investments in various risk, security, privacy and policy roles.
Cybersecurity ProposalTRACY KITTEN: You testified this week before the Senate Committee on Banking, Housing and Urban Affairs at the Cybersecurity and Data Protection in the Financial Sector hearing to express BITS' support of national legislation to promote cybersecurity. Can you provide our audience with some background about the key legislative points mentioned in the Obama Administration's proposal that touch financial services?
LEIGH WILLIAMS: You mentioned the word ecosystem in connection with this legislative proposal. I think that's the best way to think of it, as there are about five sections of the proposal, all of which, if you start to think about them individually, begin to connect the financial services sector with requirements and with performance in other sectors.
Of the five, the first is heightened penalties for computer crime, which I think those of us in financial services risk management see as a benefit. The one addition that we suggested to it is that it was based on fraud and damage to critical computers. We have some concerns about theft of intellectual property that we would have added to it. The second is on breach notification. We have breach notification rules in banking. No good reason why other industries shouldn't have them too. The third is in critical infrastructure protection, generally giving more authority to DHS. While we think that our financial regulators and our sector-specific agency treasury should be a part of this process, we're happy to have DHS help knit what we do together with other sectors. The fourth is work in federal systems. One of the things that I think is fundamentally different about this legislation is that it treats private sector and public sector both. If we strengthen federal performance, ultimately this ecosystem will be a stronger place. And finally, there's a prohibition on limiting data centers to only serving people in their geographies which, for those of us who are working in cloud or even just have data centers spread around the country or around the world, would be a real benefit.
KITTEN: Now I understand that you also testified before the House. Can you tell me about government-sponsored solutions and how they might be combined with market-based solutions?
WILLIAMS: That was an interesting topic. There was some discussion about whether the right answer is putting all of this in government hands, or keeping all of it in private sector hands. For our part, in a regulated industry where the government is already involved and where we've found some interesting insights from DHS and from the intelligence community, we see a government role in all of this. Even so, if most of what we do stays on the private side, if we have our utilities like the Information Sharing and Analysis Center, our own vendors, often industry-owned, like Early Warning Services, and we have market-based approaches like the provision of cyber insurance, that's all good and that probably should still be where the weight of the effort lies.
KITTEN: Now going back to the legislation specifically, how does this legislation differ from legislation about cybersecurity that we've seen in the past?
WILLIAMS: One difference is that it pulls all this together. Those half-dozen titles that I reeled off don't really exist in any other single piece of legislation. Everyone else has dealt with a point solution, whereas this proposal really begins to knit it all together across industries, across public and private and even across different topics, all the way from individual level breach notification and identity theft up through the most sophisticated defenses against the most sophisticated attacks.
International CollaborationKITTEN: And it sound like the legislation is relatively detailed. But how detailed is it when it comes to collaboration that's needed among and between entities that cross international borders?
WILLIAMS: That's one place where we think it could use some extension. It was natural for very little to be in this proposal, because the administration was just releasing its international strategy for cyberspace. But we think there's a lot more work to be done there.
KITTEN: What about collaboration and information sharing among financial services providers, such as those that are traditional, like financial institutions, and those that are nontraditional, like PayPal?
WILLIAMS: For a long time we've had this artificial but important distinction between regulated and unregulated financial services providers, between banks and others, or insurance and securities and others. Part of what this legislation would do is it would eliminate that distinction. It would say we have, in financial services, a structure in place. But even for those like PayPal who might live outside of it, there's something else that also applies to them. So whether it's knitting us together with PayPal and the way that we operate, with Microsoft or Verizon, this would find a way to make those connections.
KITTEN: And how critical will it be for this legislation to get support from all entities in the financial and payments space?
WILLIAMS: I don't know that we'll ever have a policy solution that absolutely everyone will love. But this is something that I think will work well for people who come to financial services from different angles. I'm hoping it'll also work well for people who come from different industries and even from the public sector.
KITTEN: Now going back to the testimony that you gave before the Senate committee, you stressed the need for new legislation to carefully balance overall cyberspace protections, as well as sector-specific efforts. What are some of those sector-specific efforts, from your perspective?
WILLIAMS: Some of them are proactive efforts that we have as an industry, like the work of our Information Sharing and Analysis Center. Some of them are reactions that we have to specific regulations or compliance requirements, like the audits that our examiners do in our institutions. Either way, those I think should continue in the sector. But the output from them, or even the input into them, should be connected to analogs over in other industries. If DHS takes on a hub role in all of this work, it will need to be connected with what's happening in treasury, the banking regulators and what's happening in our ISAC and in other industries' ISACs.
Top Challenges with LegislationKITTEN: And what do you see as being the greatest challenges facing this legislation, as well as the international cybersecurity fight overall?
WILLIAMS: Well, I don't know if it's a coincidence or if you hit just precisely on the connection between those two, but I'd say what they share is the universality. This legislation is so comprehensive that it's going to be hard to pull it all together and to have people from all these different places support it. The same is true for international. International is not a binary discussion between the U.S. and some other country. It requires a lot of people working together to make it happen. That will be tough, but I think it's doable on both counts.
KITTEN: Before we close, could you tell our audience what they should be doing to support this legislation. Why should it be important to banks and credit unions?
WILLIAMS: I think if there's a way that we can express our general support for the overall proposal, that's always helpful. If people hear that the financial services industry is for something as important as cybersecurity, that's a great and important message. I think it needs to be paired with a candid discussion of where we think things need to be more detailed or move a little bit left or right. If, through associations or directly, institutions can provide some input, not just on what they like but on what they think needs to be polished or refined a little bit, that would be very helpful.