Rattray, who joined BITS in September, says as more financial transactions and channels such as mobile emerge, Internet strains and security have to be addressed. "The thing that we're increasingly concerned about is the nature of these (mobile) devices," he says, "and whether they can be properly secured so that we can enable people to use mobile banking."
A core challenge: Open architecture and the software that drives mobile phones. "Thankfully, we do not see a lot of exploits focused on mobile devices," Rattray says. "But I think most security experts would concur that's because, up until this point in time, we've not seen rapid use of mobile devices for purposes that would involve being able to access personal data or financial information." As mobile banking becomes more widespread and sophisticated, so, too, will the malicious attacks aimed at exploiting mobile devices. "We need to stay out in front of that curve," Rattray says.
As the industry continues to better understand and apply existing standards and regulations to emerging banking channels, regulators and entities such as BITS are opening dialogues to home in on security. "Are there specific regulatory concerns or regimes that will be built up around those sorts of new evolutions within the technology of the Internet?" Rattray asks. "The regulators trust the industry to the degree that they would like to continue to apply existing regulatory regimes, but make sure the banks take into account the new nature of some of these technologies and apply the appropriate controls."
During this exclusive interview, Rattray discusses:
- The role regulators play in security mandates;
- How the growing domain name system poses security challenges; and
- How BITS aims to address growing technical concerns surrounding the online and mobile channels.
Rattray is the senior vice president of security for BITS' Security Program, where he oversees the development of strategies to secure infrastructures, products and services. Before joining BITS in September, Rattray served as the Chief Internet Security Advisor for ICANN, the Internet Corporation for Assigned Names and Numbers, and was a founding partner at Delta Risk LLC, a cyberdefense, resiliency and risk management consulting firm. While at ICANN, Rattray worked with BITS and other Roundtable staff and members as the industry developed recommendations for the global domain expansion program.
Before ICANN and Delta Risk, Rattray served 23 years in the United States Air Force and worked as Director for Cyber Security on the National Security Council. He also served on the President's Critical Infrastructure Protection Board, where he contributed to the National Strategy to Secure Cyberspace. He is a member of the Council on Foreign Relations, a member of the Cyber Conflict Studies Association Board, and is involved with the Armed Forces Communications and Electronics Association. Rattray holds a master's degree in public policy from Harvard University and a Ph.D. in international affairs from Tufts University. He also is the author of "Strategic Warfare in Cyberspace."
Rattray: A New BITS Voice

TRACY KITTEN: Greg Rattray is the new head of security for BITS, a technology policy division of the Financial Services Roundtable. Greg, before we get started, could you give a little background about your position and the experience you bring to the new position, and how you expect your background to help in your new role at BITS?
GREG RATTRAY: The position here that I've just recently taken, and taken over from Paul Smocer, who has been the senior vice president for security at BITS, is really one of collaborating with the BITS membership and, more broadly, the industry as whole, in understanding the security challenges that face the industry, particularly with a technical focus. Then, working with the industry to make sure that we're effectively mitigating the risks and then having a chance to talk about what some of those key challenges and approaches for mitigating the risks are.
I come fairly new to the industry, in the sense that my background is predominately one of working within the U.S. military. I was an Air Force officer for most of my professional career, both an intelligence officer and then working on cybersecurity for the second half of my career, over operational matters and then at the policy level at the White House for a few years in the middle portion of this decade. Not coming from within the banking industry, per se, I hope that some of those experiences, particularly the insights I bring from the higher end cyberthreats that are facing both the nation and certainly the financial-services industry, bring collaboration between the government and the private sector to effectively respond to challenges.
Online Security

KITTEN: Greg, when we talk about cybersecurity, it often revolves around the Internet. Some say the Internet is broken, overworked and overburdened. It has been pushed to its limit. What challenges will the industry and businesses, generally, face when it comes to dealing with the evolution of the Internet?
RATTRAY: Tracy, that's a crucial aspect of what the financial-services industry needs to do, and I think we at BITS provide assistance. The Internet is moving fast, so in a positive vein, it's proven to be a pretty dynamic, scalable mechanism for communication. The challenge is that evolution has resulted in an environment where the security is not necessarily as well attended to as we might like. Certainly, in a high assurance industry like banking and finance, part of what we need to do is deal with changes, like the evolution from the IPv4 to IPv6 standards for structuring Internet traffic and the use of the Internet's domain name system, which is becoming more complex, as international domain names enter the system and lead to the potential launch of a large number of what's called top-level domains as the environment becomes more competitive and open. These things need to be clearly identified; the security aspects of these evolutions need to be clearly identified, and the financial-services industry needs to make sure that it takes on different ways of approaching things in order to deal with these changes.
DNS and Phishing

KITTEN: What are some of the specific challenges these Internet issues pose for banking institutions?
RATTRAY: In the case of the domain name system, it is one of the principal mechanisms by which phishing is conducted, in terms of sending a message used to route traffic to include things like e-mails that may contain malicious code or, alternatively, the use of the domain name system to underpin the World Wide Web, in terms of setting up websites. So, the ability of those trying to commit fraud to set up fraudulent websites and trying to get personal information or information necessary to conduct criminal activity can be enabled by the DNS. As the DNS becomes more complex, the use of international character sets, instead of character sets in English, presents challenges, in terms of making sure that the letters we've taken for tracking fraudulent websites, tracking phishing activity across the Internet are effectively dealt with. It's basically just making a challenge more complex and it requires attention to figure out how to address that challenge.
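The interview names the problem (international character sets make lookalike domains harder to track) without showing a check. As an added illustration that is not from the original page or from BITS, the Python below takes a defender's view: it decodes a punycode (xn--) label back to Unicode, reports which scripts its letters come from, and folds a constructed, partial confusables map so a label such as "pаypal" with a Cyrillic "а" matches a watchlisted brand name. The watchlist names and the confusables entries are assumptions for the demonstration.

```python
import unicodedata

# Constructed, partial map of Cyrillic/Greek letters that render like Latin ones.
# A production check would use the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u04cf": "l", "\u03bf": "o",  # last entry is Greek omicron
}

# Characters that belong to no single script and are legal in any label.
COMMON = set("-0123456789")


def scripts_in(label):
    """Return the set of Unicode scripts used by the letters of a label."""
    scripts = set()
    for ch in label:
        if ch in COMMON:
            continue
        # First word of the character name is its script (LATIN, CYRILLIC, ...).
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label):
    """Fold confusable letters and strip accents so lookalikes compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def check_label(label, watchlist):
    """Decode a punycode label if needed; flag mixed scripts and watchlist lookalikes."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    scripts = scripts_in(label)
    skel = skeleton(label)
    return {
        "label": label,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "lookalike_of": skel if skel in watchlist and skel != label else None,
    }


if __name__ == "__main__":
    watch = {"paypal", "examplebank"}  # constructed protected labels
    punycode = "p\u0430ypal".encode("idna").decode("ascii")  # xn-- form of the lookalike
    for cand in ["paypal", "p\u0430ypal", punycode, "ex\u0430mpleb\u0430nk"]:
        print(check_label(cand, watch))
```

Feed it the labels seen in mail or proxy logs; a hit on "lookalike_of" is what a fraud-tracking team would want to alert on.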
Emerging Channels: Mobile Banking and Security

KITTEN: And talking about some of those complexities and challenges, when we look at some of the emerging banking channels, such as the said mobile channel, what types of additional challenges or complexity do these emerging channels pose?
RATTRAY: There is the complexity of different sorts of devices being put on the network, in the case of customers seeking to access banking services that they need access through the broader Internet, as well as the fact that banking institutions would like to enable employees and suppliers to take advantage of the mobility offered by these new devices as well. So, there are at least a couple of challenges created by mobile-phone activity. And then from a security perspective, the thing that we're increasingly concerned about is the nature of these devices, and whether they can be properly secured so that we can enable people to use mobile banking or can enable employees to more effectively function with these devices. A core challenge is the open architecture associated with some of these emerging technologies and the nature of the software that is going to be used within these devices. Currently, thankfully, we do not see a lot of exploits focused on mobile devices; but I think most security experts would concur that's because, up until this point in time, we've not seen rapid use of mobile devices for purposes that would involve being able to access personal data or financial information. As the banking and finance sector considers moving toward the use of these devices, I think we may see that hackers move more into trying to understand how to exploit them, and we need to stay out in front of that curve.
Regulating and Securing Emerging Channels

KITTEN: And how would you say these limitations or challenges to cybersecurity impact the financial industry from a regulatory compliance perspective?
RATTRAY: The industry has done exceptionally well in terms of being able to understand both the requirements of regulators and the security that it needs to provide its customers. As the Internet evolves and as these new challenges arise, one of the dialogues that the industry will have is with its regulators about whether the rules need to change or how they can apply existing rules. BITS recently convened its Security Steering Committee and working group, and we had our federal regulators in to discuss issues such as when we move to cloud computing, what are the types of changes that we believe will occur within the regulatory regime; or as banks consider the use of social media, particularly by their employees, are there specific regulatory concerns or regimes that will be built up around those sorts of new evolutions within the technology of the Internet. I think what we found was that the regulators trust the industry, to the degree that they would like to continue to apply existing regulatory regimes, but make sure the banks take into account the new nature of some of these technologies and apply the appropriate controls to the use of these technologies.
Top 3: Mobile Security, Partnerships, Risk Mitigation

KITTEN: Greg, could you tell us what you expect your top three initiatives going into this position to be?
RATTRAY: One of the experiences I have had, having been a military officer for 23 years, is that you change your job fairly often, within the broad context of working as an Air Force officer. So, one of the things that I am doing at this point is just understanding the good work that is currently underway within the BITS security program. The program has initiatives on e-mail security, improved authentication processes, and dealing with social media and cloud computing. I am trying to work with the staff here and the members of BITS to make sure that the existing initiatives produce best practices.
One of the areas that we know we want to focus on more in the upcoming year is the area of mobile devices and the security risks there; but, more importantly, what are effective mitigations that can be put in place as banks move to enable greater use of such devices. I think something that really comes from my background is partnership. We want to leverage our partnership with financial services, coordinating our councils as much as possible in efforts to test approaches to identity management and high security zones within the Internet. We also want to work with organizations like ICANN, related to the nature of the changes in the domain name system, to ensure that as those changes occur, the financial-services sector doesn't get increased risk from the changes.