The Group of Seven (G-7) leaders recently agreed on a set of guidelines to better protect global financial institutions from cyberattacks. This non-binding accord recognizes the recent pervasive cyberattacks that have hit accounts of major institutions, including the U.S. Federal Reserve. While the accord signals attention to this international problem, does it really have the ability to better secure the financial integrity of institutions? Will a new administration seek to pursue cybersecurity through a multinational lens, or will it seek a unilateral approach?
Cyber policy so far
Congress passed the Cybersecurity Information Sharing Act of 2015 to make it easier for private companies to share cyberthreat information with each other and also with government entities. The Obama Administration built on the legislation by setting forth a Cybersecurity National Action Plan (CNAP), calling for more funding to modernize government IT systems and place Federal Chief Information Security Officers to implement these changes in agencies across government. CNAP also partnered with large private companies, like Google, Microsoft, and MasterCard to make it easier for their customers to have more secure accounts and data security.
Cybersecurity is a crucial concern not only for public and private entities but also for consumers. Executive Order 13681, “to improve the security of consumer financial transactions” is a 2014 example of an effort to secure government payments, federal transactions online, and better find the perpetrators of theft from financial cybercrimes. In both its 2015 and 2016 annual reports, the U.S. Financial Stability Oversight Council (FSOC) highlighted cybersecurity as a top priority for agencies to better protect consumer information and the entire financial system.
This past summer, the Administration released a Presidential Policy Directive (PPD) on U.S. Cyber Incident Coordination, to better differentiate significant cyber incidents, categorize government efforts, designate lead agencies to specific categories, and ensure a consistent response with national preparedness.
An integrated problem
Attention toward cybersecurity has spiked in the previous weeks with malicious attacks on the internet infrastructure. On Friday, October 21, a massive internet outage was brought on by requests from millions of IP addresses that disrupted the internet directory services at least three times throughout the day. The same problem of permeability is an issue for the international financial system. Prior to the announcement of the G-7 Accord, hackers used the closed communication system that central banks use to send false money transfer requests to the Federal Reserve Bank of New York. The requests were to move money out of the Bangladesh Bank’s accounts and into ones set up by the hackers, which lead to an estimated $81 million in stolen assets.
What does a G-7 Accord do?
The G-7 nations are a group of industrialized democracies that meet to discuss global economic governance, energy, and international security. Formerly the G-8, the nations include the U.S., Japan, Canada, France, Germany, Italy and the U.K., with Russia removed from the group after its annexation of Crimea. An accord from the group spells out a common doctrine that all member states will adopt as a baseline for their own national policies or legislation to work off of.
The G-7 Fundamental Elements of Cybersecurity for the Financial Sector breaks down the high-level fundamental pieces of cybersecurity into eight elements:
- a cybersecurity strategy and framework informed by national, international and financial industry standards that would respond to specific attacks;
- governance structures for clear reporting lines, as well as cyber risk tolerance policies for regulatory or oversight bodies;
- identify activities and services that have cyber risk, identify controls to protect and manage the risks;
- establish effective monitoring processes, whether on-site, supervisory, or even through joint public-private exercises;
- establish timely containment, notification, and coordination of cyber incidents and response activities;
- ensure quick and recovery of operations once stability is regained;
- allow safe information sharing among entities to share insights; and
- allow for continuous review and learning.
While broad, the Accord does already match current U.S. efforts in cybersecurity especially with the recent Presidential Policy Directive and the 2015 Cybersecurity Act. Bringing all member nations under a similar rules regime could make it easier for non-affiliated and even state-sponsored hackers to be tracked and thwarted when engaging in major cyber incidents. As the Accord reads,
“Public authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts. Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system.”
As a non-binding accord, the guidelines have little authority to completely guide the national priorities of the G-7 nations. While representatives from the nations have agreed to these broad strokes in policy, the entire web of international cybersecurity can succumb to the adage that “a chain is only as strong as its’ weakest link.” When major financial institutions and central banks interact with entities in each of these nations there are plenty of opportunities for hackers to take advantage of less strenuous cyber policy. With no concrete mandate for each member to fully comply, there can be little guarantee that a G-7 Accord can protect international financial systems from a cyberattack.
What happens under the next administration?
Trump’s proposal calls for an immediate review of all cyber defenses and the development of protocols and cyber awareness for government employees. Like the Obama Administration’s protocols, Trump calls for joint task forces throughout the U.S. to coordinate cyber threats and make recommendations to U.S. Cyber Command for offensive and defensive cyber tasks. He also calls for the development of offensive cyber capabilities to respond to independent and state actors.
While executive actions can guide how agencies implement policy, only Congress can appropriate funding toward cyber initiatives to address the G-7 elements. International coordination in this arena can help guide the administration, but in no way does this dictate national policy or direct legislative or executive action. Instead, the G-7 Accord can only guide the Administration in its’ quest for effective cyber policy to protect financial institutions, meaning it packs less of a punch than it would appear.
From their proposals, it seems that cybersecurity will continue to be a top priority across the federal government under the Trump Administration. Since both proposals fall within the eight elements set forth in the G-7 Accord, Trump would be poised to continue and even exceed the guidance set forth by the industrial powers. Despite these ongoing efforts, the cyberinfrastructure linking the global financial system remains at risk to the independent actions of highly skilled hackers.
Image source: The Hill