Wall Street’s biggest trade group has proposed a government-industry cyber war council to stave off terrorist attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document.
The proposal by the Securities Industry and Financial Markets Association, known as Sifma, calls for a committee of executives and deputy-level representatives from at least eight U.S. agencies including the Treasury Department, the National Security Agency and the Department of Homeland Security, all led by a senior White House official.
The trade association also reveals in the document that Sifma has retained former NSA director Keith Alexander to “facilitate” the joint effort with the government. Alexander, in turn, has brought in Michael Chertoff, the former U.S. Secretary of Homeland Security, and his firm, Chertoff Group.
The document sketches an unusually frank and pessimistic view by the industry of its readiness for attacks wielded by nation-states or terrorist groups that aim to “destroy data and machines.” It says the concerns are “compounded by the dependence of financial institutions on the electric grid,” which is also vulnerable to physical and cyber attack.
“The systemic consequences could well be devastating for the economy as the resulting loss of confidence in the security of individual and corporate savings and assets could trigger widespread runs on financial institutions that likely would extend well beyond the directly impacted banks, securities firms and asset managers,” Sifma wrote in the document, dated June 27.
Liz Pierce, a spokeswoman for Sifma, declined to comment on the document, adding that the group “is doing everything possible to help the industry prepare for and defend against cyberattacks.” Caitlin Hayden, spokeswoman for the White House National Security Council, declined to comment.
Alexander had been pitching Sifma and other bank trade associations to purchase his services through his new consulting firm, IronNet Cybersecurity Inc., for as much as $1 million per month, according to two people briefed on the talks.
He has made much the same argument to Sifma as the association is now making to the government about the emergence of new kinds of software assaults. For several months beginning in fall 2012, major U.S. bank websites were hit by what are known as distributed denial-of-service attacks, in which hackers flood systems with information to shut them down.
The next wave of attacks “in the near-medium term” is likely to be more destructive and could result in “account balances and books and records being converted to zeros,” while recovering the lost information “would be difficult and slow,” according to the Sifma document.
“We are concerned that the industry may not have the capabilities that we would like to effectively defend against this newer form of potential attack, the capability that we would like to stop such an attack once commenced from spreading to other financial institutions, or the capability we would like of effectively recovering if an initial attack is followed by waves of follow-on attacks,” the document says.
Computer intrusions also have been a concern of regional and small banks. Camden Fine, president of the Independent Community Bankers of America, said today that an account-draining cyberattack is “a question of when.” He predicted the government would have to grapple with difficult questions including whether the Federal Deposit Insurance Corp. would cover any losses.
“When it does happen, the hue and cry will go up,” Fine wrote in an e-mail. “Who will be liable? What will the FDIC do? It is like watching a train wreck in the making and there is nothing you can do to stop it.”
The Sifma document, while noting that the coordination between industry and government on cyber threats has improved in recent years, said a joint council would produce a more focused response.
The government-industry group would develop plans for “much quicker, near real-time” dissemination of information from agencies to the private sector and ways to “actively defend the industry” if preparations for a cyber attack are discovered in advance. Sifma is also seeking “pre-discussed and mutually understood protocols” for the industry to request government help during and after an attack.
Representative Alan Grayson, a Florida Democrat, said today he was concerned that industry members in such a joint group could improperly get involved in pre-emptive strikes against a person or state planning an assault on the U.S.
“This could in effect make the banks part of what would begin to look like a war council,” Grayson said in an e-mail. “Congress needs to keep an eye on what something like this could mean.”
In its proposal, Sifma also called for greater protection for the U.S. electricity grid, which it says is “vulnerable to physical destruction of transformers and other equipment in a small number of undefended substations.”
“The core problem is that if transformers and critical equipment were destroyed at these sites, it could take months to build the replacement equipment,” Sifma wrote.
The Senate Intelligence Committee plans today to take up a bipartisan bill -- sponsored by Senators Dianne Feinstein, a California Democrat, and Saxby Chambliss, a Georgia Republican -- aimed at improving private-sector cyber-defenses. The bill includes rules that would insulate banks from liability arising from sharing information for cybersecurity, addressing a point financial institutions have raised in the past.