As the four-star general in charge of U.S. digital defenses, Keith Alexander warned repeatedly that the financial industry was among the likely targets of a major attack. Now he’s selling the message directly to the banks.
Joining a crowded field of cyber-consultants, the former National Security Agency chief is pitching his services for as much as $1 million a month. The audience is receptive: Under pressure from regulators, lawmakers and their customers, financial firms are pouring hundreds of millions of dollars into barriers against digital assaults.
Alexander, who retired in March from his dual role as head of the NSA and the U.S. Cyber Command, has since met with the largest banking trade groups, stressing the threat from state-sponsored attacks bent on data destruction as well as hackers interested in stealing information or money.
“It would be devastating if one of our major banks was hit, because they’re so interconnected,” Alexander said in an interview.
A lesson in the vulnerabilities came yesterday, when it was disclosed that hackers disrupted high-speed trading at a large hedge fund and rerouted data that might be used to make money in rogue stock-market transactions. Paul Henninger, global product director for BAE Systems Applied Intelligence, said that the eight-week incident at the unidentified firm had “all the signatures of an organized crime attack.”
Banks that not long ago had 10 or 15 people repelling computer invaders now have 50 to 100 people “that do nothing but respond to attacks and review intelligence,” Joe Nocera, head of the financial-services cybersecurity group at PriceWaterhouseCoopers LLP, said in an interview.
The largest banks are allocating the most resources. JPMorgan Chase & Co. has 1,000 people focused on the danger and will spend $250 million this year, Chief Executive Officer Jamie Dimon said in an April letter to shareholders.
Financial executives responding to a PricewaterhouseCoopers survey reported that incidents rose from 1,720 in 2012 to 4,628 last year. Losses from the attacks are up “significantly,” according to the report.
For several months beginning in fall 2012, major U.S. bank websites were hit by what is known as distributed denial-of-service attacks, in which hackers flood systems with information to shut them down. Clients of JPMorgan, Bank of America Corp., Citigroup Inc. and Wells Fargo & Co. had trouble accessing their accounts. The banks turned to the NSA for help in analyzing and protecting against the attacks, the Washington Post reported at the time.
Alexander, 62, said in the interview he was invited to give a talk to the Securities Industry and Financial Markets Association, known as Sifma, shortly after leaving the NSA and starting his firm, IronNet Cybersecurity Inc. He has met with other finance groups including the Consumer Bankers Association, the Financial Services Roundtable and The Clearing House.
At the sessions, Alexander discussed destructive computer programs such as Wiper, which the U.S. government said was notable because attacks using it appeared to originate from North Korea and Iran. “I told them I did think they could defend against that,” Alexander said.
Still, despite the banks’ growing investments in computer security, Alexander said, “many of them aren’t really confident they’re getting their money’s worth.”
The ex-NSA chief is leasing office space from Promontory Financial Group LLC, a Washington consultancy that focuses on the banking industry. Eugene Ludwig, Promontory’s founder and chief executive officer, joined Alexander at a meeting with Sifma, Wall Street’s largest lobby group.
Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.
Alexander declined to comment on the details, except to say that his firm will have contracts “in the near future.”
Kenneth Bentsen, Sifma’s president, said at a Bloomberg Government event yesterday in Washington that “cybersecurity is probably our number one priority” now that most regulatory changes imposed after the 2008 credit crisis have been absorbed.
“There are a lot of very high-caliber people that have served in public positions who bring a tremendous amount of expertise that our industry or other industries can benefit from. General Alexander is certainly one of those people,” Bentsen said.
Former U.S. intelligence officials are part of the burgeoning Internet security industry. Michael Morell, who last year was deputy director of the Central Intelligence Agency, now works for Beacon Global Strategies LLC and appeared at a Sifma event to warn financial firms about cybersecurity threats. CrowdStrike Inc., a security-technology company that does work for the largest banks, has former FBI officials on its staff.
The firm’s general counsel, Steven Chabinsky, was a deputy assistant director in the FBI’s cyber division. Cybersecurity is at the center of digital-dominated banking, he said in an interview.
“It’s consumer confidence; it’s consumer protection; it’s the way money is moved,” he said. “It’s the integrity of the entire global system.”
Alexander specialized in technology and intelligence during four decades in the military, including as commander of Army Intelligence and Security and deputy Army chief of staff, before being named to head the NSA in 2005. Defense Secretary Robert Gates nominated him in 2009 to also head the new Cyber Command, which consolidates resources from all the military branches.
Alexander had devoted many of his public statements to the growing threats to private infrastructure -- before his tenure at the NSA became embroiled in responses to revelations about the agency contained in files leaked by former intelligence contractor Edward Snowden.
“Offensive cyber programs and capabilities are growing, evolving and spreading before our eyes,” he told the Senate Armed Services Committee in March 2013. “They are particularly targeting our telecommunications, information technology, financial, security and energy sectors. They are exploiting these targets on a scale amounting to the greatest unwilling transfer of wealth in history.”
In the interview, Alexander said that a successful major attack on a bank would shake consumer confidence even if the institution were able to recover quickly.
“If all your banking stuff was just wiped out” and the bank had no record of how much money its customers had on deposit, “they could go back to their last surviving record -- but that might not be today,” Alexander said.
That scenario also has banking regulators and lawmakers pressing the industry to strengthen protections.
Comptroller of the Currency Thomas Curry, who heads the federal agency overseeing national banks, said his examiners used to focus exclusively on financial risks. Now the regulators scrutinize cyber defenses to ensure the firms are meeting new expectations for being prepared, he said in an interview.
Curry said the recent data breaches at large retailers including Target Corp. “put the issue on the front page and in forefront of executives’ and regulators’ minds.”
Some state regulators also have been leaning on the banks they supervise.
“I don’t want to be Chicken Little and say the sky is falling,” Benjamin Lawsky, superintendent of New York’s department of financial services, said in an interview. “But we really need to focus on this issue.”
In Congress, Representative Shelley Moore Capito, a West Virginia Republican who chairs a House Financial Services subcommittee, held a March hearing on the security of customer data, saying “recent breaches demonstrated an evolving sophistication of attacks.”
Alexander said in the interview that one obstacle to a stronger system is the legitimate concern banks have about privacy and liability when they give data to other firms and the government. The Senate Intelligence Committee next week will take up a bipartisan bill -- sponsored by Senators Dianne Feinstein, a California Democrat, and Saxby Chambliss, a Georgia Republican -- which would set rules and protections for information-sharing.
Such a law would be an important tool to improve the nation’s defenses, Alexander said.
“What I’m concerned about is we’re going to have a 9/11 in cyberspace,” he said. “We don’t need to suffer this kind of attack.”