Information sharing with the federal government related to cyber security threats is benefitting the financial services sector but having more people in industry access to more classified information and improvements with how information is shared would speed access to this data and improve its value, a representative of the sector told a House panel recently.
The financial services sector is benefiting from its participation with the Department of Homeland Security’s cyber command center, called the National Cybersecurity and Communications Integration Center (NCCIC), which has resulted in “greatly enhanced situational awareness and information sharing between the sector and the government, as well as across other critical infrastructure sectors that participate on the floor,” Anish Bhimani, the chief information risk officer with JP Morgan Chase, said on behalf of the Financial Services Information Sharing and Analysis Center (FS-ISAC).
The FS-ISAC recently has a full-time representative on NCCIC, allowing for daily participation to submit and respond to information requests, to analyze data, and help determine what information is most useful to the sector, Bhimani told the House Homeland Security Committee. The FS-ISAC provides the nation’s financial services firms with information to help protect them from cyber attacks.
The sector has also benefited from having more than 250 of its key personnel receive Security clearances and a few Top Security clearances, providing access to information on “new security threats,” enabling it to improve its cyber defenses, Bhimani said. But given that so much of the cyber threat information is classified, he said more FS-ISAC members need this data.
“The FS-ISAC would like to see this process updated and expanded to provide more clearances to the private sector, and make it easier for this information to be shared more broadly and quickly with our members,” Bhimani said in his prepared remarks.
One information sharing effort that Bhimani highly praised was managed by the Defense Department and permitted16 financial services firms to see advanced threat information and analysis of threat actors that provided “actionable, timely, and contextual information that allowed them to search for similar threat activity in their own environments” and to “adjust their assessments of cyber espionage threats.” However, the Government Information Sharing Framework (GISF) pilot was suspended due to funding limitations and has already impacted the sector, he said.
Bhimani said that “numerous financial institutions” have experienced activity from actors first identified through GISF reporting and intelligence. He urged DoD and Congress to resolve the funding issue for the program and to expand it further across the sector.
Cyber threats are growing in complexity and “are coming at us faster than ever before,” Bhimani said, arguing that the framework for information sharing has to be strengthened “around how we share.” That framework includes two-way information sharing between the government stakeholders and companies “at network speed,” he said.
Last month President Barack Obama issued an Executive Order on cyber security that among other things allows companies to voluntarily participate to receive classified and unclassified cyber threat information from the federal government. Setting up a stronger framework so that the private sector is more willing to share information with the government and other companies about cyber threats affecting it will require congressional legislation that creates incentives such as liability protections.