JPMorgan Goes to War
In the days following the massive breach of JPMorgan Chase’s computers last summer, the bank’s security chief, James Cummings, rarely left his operations center in its Manhattan headquarters. He directed a select group of colleagues to search for links to the Russian government. There was little evidence of a government tie, especially so early in the investigation, but Cummings, a former head of the U.S. Air Force’s cybercombat unit, was confident they’d find more.
Convinced that it faces threats from governments in China, Iran, and Russia, and that the U.S. government isn’t doing enough to help, JPMorgan has built a vast security operation and staffed it increasingly with ex-military officers. Soon after joining the bank in early 2014, Cummings helped hire Gregory Rattray—like Cummings, a former Air Force colonel—as chief information security officer. Together the men oversee a digital security staff of 1,000, more than twice the size of Google’s security group. To make it easier to woo military talent, the bank built a security services facility in Maryland near Fort Meade, home of the National Security Agency.
The military overtones are no accident. JPMorgan is responding to attacks that the federal government is unable or unwilling to stop, says Nate Freier, research professor at the U.S. Army War College, yet it isn’t clear whether the bank’s weapons-grade operation is doing a better job than law enforcement agencies. “It’s a brave new world that’s not very well understood by the people playing the game,” Freier says. “It really is every man for himself.”
The bank hasn’t said publicly who it believes is responsible for the June attack, in which hackers stole the names, addresses, and e-mail addresses—but not credit card numbers or passwords—of 83 million individuals and small businesses. Several people connected to the probe say Cummings and Rattray strongly suspected very early that it was engineered by the Kremlin. That message was delivered through back channels to the White House, according to a senior U.S. official.
Cummings and Rattray, who was Condoleezza Rice’s cyber expert when she headed the National Security Council under President George W. Bush, retain a network of high-level contacts in Washington. Less than three weeks after the breach was discovered on Aug. 27, the two men organized a conference call with more than a dozen agents from the FBI, Homeland Security, the Secret Service, and the Treasury Department. Over the course of an hour, they made the case that the breach was a national security matter, say two people familiar with the call.
Patricia Wexler, a JPMorgan spokeswoman, declines to say how the bank categorizes the breach. “While we were open to all theories in the early stages of the investigation, we never concluded that this was a state-sponsored attack,” she wrote in an e-mail. The bank wouldn’t make executives available.
The military orientation of JPMorgan’s security team leaders may incline them to see the involvement of governments and spies when companies face a range of threats, many motivated purely by profit, says Brendan Conlon, who spent 10 years in computer network operations with the NSA and now runs Vahna, a security firm in Washington. “It’s like groupthink,” he says.
The FBI initially assigned two groups of agents from the New York office to the case—one specializing in nation-state attacks and one in criminal hacks—because it was unclear which group would be needed. Rattray and Cummings had already decided, according to two people familiar with the investigation; they advised the bank security team to refer to the breach as a probable national security event.
A person familiar with the investigation says Rattray and Cummings were under pressure from bank executives to obtain a letter from the Department of Justice that would have exempted the bank from having to notify customers and regulators of the data loss. These rare waivers are typically only granted when the victimized company can convincingly show that the loss was the result of a state-sponsored or serious criminal attack that requires absolute secrecy while the government investigates.
Within two weeks of the conference call, the FBI handed the investigation to criminal specialists and told the bank it wasn’t getting the letter. One key piece of evidence the FBI considered was that the hackers were using a data center in St. Petersburg, Russia, of the sort used by low-level cybercriminals to send spam or operate botnets, according to three people familiar with the probe, who were among more than two dozen interviewed about the breach and who asked to remain anonymous because the investigation is confidential. “The evidence collected thus far points to it being a criminal actor and not a nation-state,” says Ari Baranoff, assistant special agent in charge of the Secret Service’s Criminal Investigative Division.
Bank insiders say Rattray and Cummings, aided by private cybersecurity companies, haven’t found a smoking gun. But there are what one person familiar with the probe described as nation-state fingerprints. The attackers appeared to have deleted or altered server logs that would have helped investigators retrace their steps inside the network—a degree of meticulousness that’s a hallmark of an intelligence agency or someone trained by one. And they lingered on servers that would seem to have no value to criminals.
To Cummings and Rattray, those were signs the hackers might be engaged in a long-term operation. Rather than steal easily marketable data such as credit card numbers or account passwords, they may have been looking for deep vulnerabilities in the bank’s infrastructure or custom software that could be exploited later. “Greg usually knows what he’s doing,” says James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington. “You can say these guys see spies everywhere, but the problem with that is spies are everywhere.”
Not all of that information was shared with the FBI. While Rattray and Cummings were asking the government to help, they were also tightly limiting access to the attack data, to prevent leaks and also to allow the bank to control the investigation, say two people familiar with those decisions. Rattray stalled law enforcement requests for information with vague explanations about legal process, according to people familiar with the matter.
The Secret Service, which has a secondary role in the investigation, became so frustrated that it threatened to seize the evidence, says one person familiar with the situation. Joseph Demarest, assistant director of the FBI’s cyber division, called Chief Operating Officer Matthew Zames to discuss the issue. The bank and the FBI settled their dispute after Demarest’s call with a formal agreement on information sharing. “Our relationship with JPMorgan Chase remains outstanding, and we continue to work together to solve this crime,” Demarest says. Wexler, the bank spokeswoman, wrote: “The report of clashes regarding information sharing is not true.”
On Jan. 8 a group of 15 state attorneys general sent a letter to the bank, asking it to explain how it can be sure that more sensitive information wasn’t stolen in the breach. The answer is, it can’t be sure. Six months after the hack, and despite a security budget of a quarter of a billion dollars, JPMorgan still faces big holes in its understanding of the attackers’ movements or exactly what data they removed from the network. It owned an expensive system designed to capture that data—something like a video security camera that gives an after-the-fact view of a crime—but programmed it with too little storage to retain all evidence of the intrusion, according to people familiar with the bank’s response. “We have a full accounting of what information was breached,” Wexler wrote.
Following the attack, CEO Jamie Dimon vowed to increase JPMorgan’s security budget and move quickly to address any problems exposed in the hack, which in turn has led to more hiring of defense contractors and people with military backgrounds, say three people familiar with the bank’s team. Some security experts say that whatever the government’s failings at protecting American companies from cyberattack, creating a mini-NSA in Midtown Manhattan isn’t the answer, especially given the power and influence already wielded by Wall Street banks. Digital war is being privatized, says Freier, the U.S. Army War College professor. “What you worry about is a virtual Guns of August moment, where every actor is so well-armed and so able to mobilize assets in their own defense that they start an escalation.”
The bottom line: JPMorgan has hired men with military backgrounds and increased spending to improve its cyber defenses.