Fed Cyber Security Focuses on Major Threats in a High-Risk World
Focus on policy, payments-relevant systems as threats loom
Attacks on websites have become second-tier priorities
The Federal Reserve Bank of Boston’s website crashed for less than a minute, brought down by a barrage of web traffic on May 12. When a hacker claimed responsibility on Twitter, it placed the attack as part of #OpIcarus, an assault the group Anonymous has been waging against global central banks.
In a world of escalating cyber risks, such hacktivist web page interruptions no longer top the Fed’s worry list. Of greater concern than reputation-damaging events such as website overloads are online criminals’ threats to conducting monetary policy and providing services to banks -- key central-bank functions that keep the heart of the U.S. financial system pumping.
“What we look at more is: What are the things that will impact us from achieving our mission?” said Don Anderson, chief information officer at the Boston Fed. “That’s where we really focus most of our efforts now -- on the crown jewels of the organization.”
Fed cyber security confronts mounting threats from sophisticated attackers and heightened scrutiny in the wake of a massive theft from Bangladesh’s central bank. And while the Fed doesn’t disclose specifics on how procedures and technology are evolving, it says it is placing heavy emphasis on defending information and payment systems.
“The biggest challenge for us is that this is a threat that is becoming more and more sophisticated, with a lot of money behind it, and obviously, at times, foreign governments,” John Williams, president of the San Francisco Fed, said last month in New York, explaining that the Fed invests heavily in making its systems as “bulletproof” as possible. “This is not the kid in Berkeley living in his parent’s garage anymore -- we are way, way beyond that.”
Between 2011 and 2015, the Fed’s National Incident Response Team reported 51 cases that it labeled “information disclosure,” based on a Freedom of Information Act records request. The documents only cover attacks against the Fed’s Board of Governors in Washington, excluding incidents at the 12 regional Fed banks, which are not subject to FOIA requests.
NIRT also reported one incident labeled “property loss/theft,” based on the heavily redacted, 2,239-page document, first reported by Reuters on Wednesday.
The Fed’s security program and processes for detecting and countering attacks are robust, a Fed Board spokeswoman said, and its critical operations have never been affected despite the attempts.
That’s good news: Preserving the security of the Fed’s vast payment system is vital to financial stability because it helps to underpin the interconnected global banking system. Protecting sensitive information surrounding monetary policy is essential to the fair functioning of markets, because early clues about rate decisions could allow hackers to profit by trading in everything from Treasuries to stocks and currencies.
“If there was a breach that could drain the funds out of a major central bank, that’s a major issue,” said Ted Truman, a senior fellow at the Peterson Institute in Washington and a former director of the Division of International Finance at the Fed Board. “At a minimum, it would be very damaging to the reputation of the bank.”
Such a scenario seems increasingly less far-fetched. News broke in March that hackers stole $81 million from the Bangladesh central bank’s account at the New York Fed, the biggest known cyber-heist in history. The regional Fed has said that the instructions to make the payments were authenticated by the Swift message system, which is widely used by financial institutions.
“It is important to note that the recent incident with the Bangladesh Bank was not caused by a breach or compromise of the New York Fed’s systems,” the reserve bank said in a statement after the incident. Still, it said it had taken a “comprehensive look at its processes” and had enhanced monitoring for some jurisdictions and transaction types.
That’s hardly a detailed description of what’s being done to avert crisis, but the Fed is vague about system security for a reason -- to avoid providing a road-map to would-be criminals.
The Fed doesn’t break out spending on cyber security clearly in its financial accounts, nor does it disclose data on system-wide cyber attacks. While the Board of Governors does report information technology expenditures, that is a broader category.
The central bank’s cyber security program is fairly centralized with common standards. The Fed has a National IT group run out of the Richmond Fed, and a National Incident Response Team located mostly in East Rutherford, New Jersey. That team handles more serious events, according to a 2012 Office of Inspector General report, though what level of threat merits passing a case to NIRT isn’t made clear.
“Organizations with data are pretty tight-lipped about how they’re protecting it,” said V.S. Subrahmanian, a professor of computer science at the University of Maryland who specializes in big-data analytics. He said that’s reasonable. “It’s a little bit like going to someone’s house and asking where the security camera is.”
Though public scrutiny of the Fed’s initiatives is limited, the central bank’s information security is reviewed by the Board’s Inspector General -- and a 2015 audit underlined problems. While the chief information officer at the Fed Board in Washington had made progress in developing a risk management program, it said “the Board will face challenges in implementing the program Boardwide.” It also found that some services from third-party providers didn’t meet all the Board’s information security standards.
New York Review
The cyber framework at the New York Fed could soon come under closer examination. House Science Committee Chairman Lamar Smith, a Texas Republican, on Tuesday sent a letter to New York Fed President William Dudley asking for a briefing and information related to the Bangladesh bank theft.
While acknowledging that the Bangladesh bank’s systems “appear to have been the weak link” in that case, the Smith letter states that it’s Congress’s responsibility to ensure that the New York Fed is “taking all precautions to protect American finances and aggressively execute its own role as overseer of Swift.”
A New York Fed spokeswoman said that the bank plans to respond to the request, but provided no other details.
The Fed is constantly adapting and evolving alongside online threats and learns from attacks against other institutions, Boston’s Anderson said. When it comes to attacks like those coming from Anonymous, “we have controls in place that when they do that, usually within a minute or two we recover, and again it hasn’t been anything critical to the Fed.”
But a possible attack on core activities “is one of our top risks,” he said. “If we were to have a cyber event, it could have an operational impact on our ability to do monetary policy, our ability to run the payments network, but it also would have a reputational impact, and people may lose trust in the Fed.”