Navigating the Evolving Threat Landscape: Adapting Financial Sector Cybersecurity Efforts
In the last decade, the financial sector of the U.S. has undergone sustained targeting and subsequent disruption from Iranian Cyber Attack Campaigns. Additionally, Saudi and Middle Eastern regions have been targeted, resulting in global disruptions specific to the financial sector (Iran Cyber Global Finance Brief 1).
The desired strategic end state for the financial sector experiencing disruption will be to effectively defend and deter cyber attacks, experience minimal or zero disruption, and restore quickly if the first two objectives fail.
Naturally, an adversary has motive and reasoning behind their actions; if it were as easy as asking them politely to stop, we would be facing a very different political climate. While the adversary cannot be controlled, for obvious reasons, they can be influenced. "Understanding the adversary" (Schmidle 2) is a crucial first step in developing a strategy to achieve the desired end state. One must understand what is feasible and the battlefield on which the contest is fought. For example, Iran is pursuing these attacks for religious reasons, meaning that influencing them to stop will be more challenging than if their efforts were motivated by fiscal return. If disrupting the financial sector were no longer profitable, a profit-driven group might be persuaded to discontinue the attacks. This case, however, is ideological and rooted in ancient teachings, making it a poor candidate for deterrence through influence and persuasion tactics.
In addition to understanding the adversary comes "understanding ourselves," as Schmidle discussed: without a systemic understanding of ourselves, we will not know which assets and deficiencies are present. Understanding the cyber scenarios that have the potential to affect financial stability is another angle to evaluate in order to understand ourselves better. Finally, identifying how the U.S. could be affected draws attention to potential vulnerabilities to be addressed. As Healey explored, multiple systems could be strategically attacked to cause the most devastating impact, damage, and disruption. Examples include attacking the electrical grid and the co-dependent systems that support a significant part of the population, such as payment processing systems and retailers (Healey 10).
The U.S. and the affected companies would benefit from a strategy focused, as stated above, on defense and deterrence, with an emphasis on resiliency. Together, these three objectives would make the investment of Iran's resources and efforts less fruitful, lessening both the reward of the attacks and the damage experienced by the financial sector.
Important tenets must be considered when implementing a strategy focused on the main strategic pillars of defense, deterrence, and resilience. First, there will be naturally occurring economic and resource-specific factors that both enable and restrain the strategy (Schmidle 2). For example, suppose a strategic objective is to achieve effective DDoS attack defense across the financial sector in support of the desired end state. In that case, the organizations involved will impose limitations around architecture, budget, and resources. The financial sector in the U.S. and across the targeted states comprises public, private, and government entities, which presents a wide set of circumstances to work through and leads us to the first tenet.
The current industry model for defense advancements depends on the government's and each other's support. As Butler observed, cyberattacks are outpacing "defender security improvements" across the spectrum of technology, processes, and education (1). The current model allows vulnerabilities to be easily exploited across the financial industry. The 2019 Worldwide Threat Assessment from the Director of National Intelligence observed this specific to Iranian activities reporting that Iran continues to use "increasingly sophisticated cyber techniques to conduct espionage" as well as develop "cyberattack capabilities that would enable attacks against critical infrastructure in the United States and allied countries…" (Butler 3). Strategic partnerships are a critical component to address this and further achieve the strategic end state discussed previously. The current level of engagement and cooperation is not sufficient to achieve this. In addition to nurturing the existing relationships, new partnerships will also need to emerge between the federal government and the financial industry (Butler 5). Progress would mean increased defensive measures and the minimization of vulnerable and attackable surfaces across the targeted financial industries by increased collaboration. Distributing the costs across the public, private, and government sectors would be a way to address this challenge further.
The second tenet to evaluate is the concept of cyber risk, a notoriously tricky metric to measure and address. As crucial as the first tenet is, it is impossible to collaborate away vulnerabilities inherent to the technology, and those vulnerabilities translate to risk. Systemic risks within the financial system pose a unique set of challenges, much as computers and networks were not built with security in mind. These financial systems are built on top of an already insecure architecture designed for sharing, not security. Unfortunately, until a new way to connect and compute is developed, the current infrastructure is what we are stuck with. As Kaffenberger observed, the internet is expanding at an alarming rate: "1.5 billion new users accessed the internet between 2010 and 2016" (1). In addition to threat actors outpacing security professionals and their advancements, the internet itself keeps growing, adding pressure to an already intense situation. An ever-expanding attackable surface provides even more opportunities for attackers.
The third tenet is the issue of deterrence and appropriately framing the present dynamic. As Jervis observed, the U.S. and other entities targeted by Iran must be clear about the repercussions if Iran continues attacking and pursuing undesirable actions. As significant as the threat of consequence is the promise of withholding those punishments if they comply (Jervis 67).
Next, we move on to an operational plan after having evaluated vital elements that affect the achievability of our desired strategic end state. Regarding the first tenet, encouraging public, private, and government partnerships will bring us closer to the desired result of increased defense, deterrence, and resiliency. All concepts are supported by addressing the skills and resource shortages common in cyber security departments across organizations. By supplying subject matter experts who can advise on the architecture of building secure and resilient systems, deterrence will follow as Iran's efforts to cause disruption will less often result in success. The shortage of industry experts, however, is a struggle that is a concern shared across all sectors, including finance. Despite government support in finances, education, or staff augmentation, the struggle to source subject matter experts (SMEs) in the field is an ongoing issue. The skills shortage issue will need further attention and efforts to support the end-state strategic goal outlined.
Further, in the context of the second tenet, systemic cyber risk within the financial sector can be addressed by the measures outlined previously for the first tenet, namely increasing the number of educated individuals who can build secure systems. Private sector concerns here will likely mirror those of the previous tenet: locating the resources to address the systemic issues and overcoming the shortage of educated individuals who can fulfill that role.
As for the third tenet, deterrence can be implemented in various ways through technical controls or policy. As Wheeler suggested, the cyber realm is more akin to the Wild West, and we need a "digital Geneva Convention" (1). In the specific case of Iranian-backed and sponsored attacks, however, we have observed that their motivation stems from religious and cultural beliefs. Pressuring them to abide by rules they do not support would be a fruitless challenge. From the perspective of global peace-centered policies, however, such a convention would provide an avenue for accountability and sanctions. Concerns within the private sector include the lack of collaboration with affected local and foreign governments. A thornier aspect is the legality of implementing a digital Geneva Convention and the likelihood of it being agreed upon unanimously. The concept may be a solution in theory, but achieving it in reality will prove to be a hefty challenge.
The strategic end state will require much more than achieving the objectives outlined above; what is presented here are high-level concepts that, if addressed, will improve the cybersecurity condition of the financial sector. Like all worthwhile endeavors, however, it will take time and strategically invested effort.
Healey et al. 2018. "The Future of Cyber Risk and the Financial Sector." Brookings Institution Working Paper.
"Issues Arising from Sustained Iranian Cyber Attack Campaigns Against US and Global Financial Sector Targets." Brief.
Jervis, R. 2016. "Some Thoughts on Deterrence in the Cyber Era." Journal of Information Warfare.
Kaffenberger and Kopp. 2019. "Cyber Risk Scenarios and the Financial System." Working Paper, Carnegie Endowment for International Peace.
Kramer and Butler. 2019. "Cybersecurity: Changing the Model." The Atlantic Council Working Paper.
Schmidle, Robert. "Principles of Strategic Thinking."
Wheeler, Tarah. "In Cyberwar, There Are No Rules." Foreign Policy, 12 Sept. 2018, foreignpolicy.com/2018/09/12/in-cyberwar-there-are-no-rules-cybersecurity-war-defense.