
5/5/2020

Remarks of Acting Assistant Secretary for Financial Institutions Amias Gerety before the National Association of Federal Credit Unions

U.S. DEPARTMENT OF THE TREASURY
Press Center

Remarks of Acting Assistant Secretary for Financial Institutions Amias Gerety before
the National Association of Federal Credit Unions
9/12/2014

Acting Assistant Secretary Gerety
NAFCU Remarks
Introduction
It seems that each week brings a new report of a cybersecurity incident impacting a U.S. business. And this problem is not limited to large
companies. Many of you have likely managed the response to a cyber-attack yourselves. Even if your credit union has not been directly
impacted, credit and debit card information is targeted every day, and your staff should be prepared to answer members' questions and
help them sort through what risks they face.
Unfortunately, the cybersecurity challenges we're confronting as a Nation extend even beyond stolen credit card data and identity theft.
Malicious cyber actors come in many forms and have diverse motives. Some of these actors are intent on advancing a political agenda.
Others steal intellectual property for economic gain. Perhaps most alarmingly, some malicious cyber actors seek to harm the U.S. through
our most vital infrastructure, and this includes the financial sector. As Secretary Lew noted during a recent speech, since 2011, we have
seen more than 250 distributed denial of service attacks against U.S. banks and credit unions, overwhelming systems and forcing some
web sites to go offline. The United States government assesses that these denial of service attacks represent a sophisticated threat
almost certainly intended to disrupt the U.S. financial system. It does not take much insight to imagine the impact of those attacks on U.S.
banks if they had penetrated core operational functions rather than temporarily disrupting public web sites and customer log-in pages.
Cyber-attacks on our financial system represent a real threat to our economic and national security.
While I focus most closely on threats to the financial sector in my role at the Treasury, the cybersecurity challenge is even broader still.
Malicious actors could target power plants, communications systems, water treatment facilities, or transportation systems, causing
significant disruptions and possibly putting lives at risk. We're also acutely aware of the critical dependence of the financial sector on many
of these services, and it's worth thinking about how your organization would operate if any of these core services were significantly
interrupted.
Why cyber matters to credit unions
When people think of the financial sector in the context of headline generating data breaches or threats to national, economic, and
homeland security, they sometimes think only of attacks against major banks, financial markets, or financial utilities. However, the risk is
larger than that, and understanding how to effectively manage cybersecurity risk is a critical component to managing any business today.
Here's why I think cybersecurity matters specifically to you:
Credit unions play a key role in the lives of millions of Americans and are in many ways central to the US financial sector. And – especially when you consider the vast electronic
interconnections between our key financial systems – a significant cyber incident impacting your organizations could have or lead to a major effect on the U.S. economy.
Trust is important. Your members rely on you to protect their savings and their personal information. Now more than ever, doing this well is as much about secure routers and a
robust firewall as it is about surveillance cameras and security guards.
Your firm's cybersecurity has a direct impact on your financial standing. The possible financial impacts of cyber incidents can be felt not only as a result of fraud and theft, but
also from the significant business interruption that could occur in the event of a destructive attack.

The cybersecurity problem isn't likely to get any easier or less complex anytime soon. The challenge is not only that malicious cyber
actors are becoming more sophisticated, it's also that these actors only need to compromise one vulnerability in one system to gain
access to a network. That one vulnerability does not even have to be in your system. It could be in a vendor or supplier's network, or on
the home computer of an employee connecting to your network remotely. We at the Treasury believe that effectively countering malicious
cyber actors requires a whole of nation approach that includes collaboration across all segments of critical infrastructure, including credit
unions.
Treasury's cyber role
Treasury has a formal role, established by a presidential policy directive to coordinate Federal government support for financial sector
security and resilience efforts, especially cybersecurity. Within Treasury, this role is executed by the Office of Critical Infrastructure
Protection and Compliance Policy (OCIP). Day to day, Treasury's team monitors intelligence community and law enforcement channels
https://www.treasury.gov/press-center/press-releases/Pages/jl2632.aspx

for information on threats to the financial sector; if we identify such information, we then collaborate with agencies like DHS, FBI, and DoD
to assist in responding to major cyber incidents, and we work with the financial sector, including NAFCU, and other government agencies
– including financial regulators – to develop policies and programs to improve security.
One of the reasons that I'm optimistic about our ability to confront the challenges faced by cyber security is that government interests and
credit union interests appear to be truly aligned. There is a sincere and powerful desire to collaborate among government agencies and
private sector firms on cyber security.
So I'd like to highlight two areas where you can take actions to improve our Nation's cybersecurity, and where you can join the
collaborative effort with law enforcement, the intelligence community, the Treasury and regulators. First, I'd like to talk about the National
Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework). I hope that
many of you have at least heard about the framework, but I recognize that even if you have, it's often impossible to find time to track down
and understand one more resource on one more issue. Regardless of your current familiarity with the NIST framework, I hope to give you
both motivation to review it and a jumpstart into thinking through how it can help you address your cybersecurity challenges, by walking
through some concrete, practical examples of how you could put it into action as one part of your cybersecurity program. Then, I'd like to
discuss the critical importance and practical benefits of cybersecurity information sharing. Importantly, I believe both of these topics are
useful whether you operate your own information technology systems or whether you outsource this work to third party service providers.
NIST Framework
The NIST framework is a voluntary tool for helping companies manage and reduce their cyber risk, and can help you in working with the
National Credit Union Administration to address your cybersecurity challenges. By comparing your current cybersecurity activities to those
outlined in the framework, you can improve your baseline security level and reduce the possibility of an incident occurring. The framework
is intended to be a living document that benefits from feedback from industry and other experts – version 1.0 of the framework was
released in February of this year, and it included input from a broad set of stakeholders.
The framework lays out a model for considering cyber risk based on five functions – identify, protect, detect, respond, and recover. Each
function includes specific activities that you should consider pursuing as a part of your cyber risk management program. The NIST
Framework is not a checklist, and is written to be useful for business leaders, not just technical experts. I'd suggest that it is most useful
as a guide for ensuring that you're considering and addressing all the key areas needed to build a baseline level of cybersecurity.
Here are a few examples of how examining each of the framework's five functions can benefit your organization.
First, "identify." What does your IT environment look like? How big or complicated are your cybersecurity needs? Here's a simple question you can ask your teams: how many
employees have company laptops? How many software platforms are running on your systems? Many organizations don't fully understand their cyber risk because they haven't
fully assessed the extent to which their networks are exposed to the Internet. If your credit union can't answer these questions today, you'd be amazed how powerful such simple
questions can be. The NIST Framework's identify function outlines considerations for managing assets that you can use to understand your network better.
Second, "protect." Credit unions should view cybersecurity as a team sport. Even the most advanced security devices can be undone by an uninformed user who clicks on every
forwarded email or connects their company laptop to an unsecured Wi-Fi access point. Many attacks are opportunistic, but by the same logic, simple steps can often deny them
the opportunity to attack your systems. The NIST Framework's protect function helps managers frame a comprehensive approach to security and awareness training.
Third, "detect." All too often, companies or their service providers install effective monitoring devices to detect malicious activity targeting their systems, but don't spend enough
time assessing alerts or understanding what they mean. I'm not suggesting that managers start combing through technical data to identify malicious cyber activity - in fact I don't
recommend it - but you should ensure that your technical staff or an external vendor are doing this. If you rely on an external vendor to ensure the security of your systems, you
should engage with them to understand how they track threats to your network. In either case, the NIST Framework's detect function provides you with an outline for having that
discussion that does not require a detailed understanding of technical data.
Fourth, "respond." Do you know what you would do if you faced an attack on your public website? Do you know what you would do if you suspected that a hacker had stolen
your customers' information? Every organization should have an internal plan for responding to a major cyber incident. However, the specifics of what should be in that plan vary
depending on your credit union's size and complexity. There really is no one plan that is right for every case. The NIST Framework points to and organizes additional resources
for developing a tailored incident response plan. Managers may know that they need a cybersecurity incident response plan, but I want to emphasize that you have the freedom
and support to tailor the specifics of the plan to the level of risk you are willing to accept.
Finally, "recover." After, and perhaps even during, your response, how will you restore systems and communicate your efforts to staff, members, and the public? This is more
than just a matter of recovering data and restoring services, but also managing the possible longer term business impacts of a cyber-incident. The NIST Framework's recover
function will help you step through your recovery, for example, by identifying key communications considerations.

So what now? When you return to the office, you should consider meeting with your security staff or your service provider and asking them
whether they understand how many devices are connected to your company's network, what cybersecurity training programs are in place
for staff, how threats to your network are being tracked, and what your incident response and recovery plans are. If you find that more
work is needed, you can engage with your team to use the NIST Framework to address those and other gaps. If you don't have an in
house security team, then the next time you're meeting with a vendor, ask them whether they're using the framework. Starting this
dialogue now is critical to understanding the risks your organization faces.
Importantly, we're not asking you to do this work alone. There have to date been dozens of workshops held by NIST, DHS, other
government agencies and private sector organizations around the country to promote the framework's use across all sectors, and we
will continue this work along with NAFCU, which is an excellent resource for more information on these issues. And in doing so, we'll also
want your feedback to help ensure we can maintain the Framework as a living document that can keep up with the threats and underlying
technology, informed by the experiences of those using it.

Information Sharing
While establishing a baseline level of cybersecurity is a critical step, I'd also like to highlight the importance of cybersecurity information
sharing, which is perhaps the most critical component of our national cybersecurity program. In order to reduce your risk over time, you
must understand the threats you face. Many times the best way to do this is to understand the threats being faced by other credit unions
so you can prevent the same incidents from happening to you. At a technical level, the tools that protect your networks only work well if
they know what to look for – whether understanding that a particular IP address is responsible for malicious activity, or scanning your
systems for known "malware" that may have been installed by an unauthorized intruder.
While significant work remains, the nation has made tremendous progress in building a robust national infrastructure for the continuous
sharing of this type of technical information, and I hope you'll join this effort if you have not already.
The financial services sector was one of the first sectors of critical infrastructure to establish a dedicated information sharing organization,
the Financial Sector Information Sharing and Analysis Center (FS-ISAC). On a day to day basis, the FS-ISAC facilitates sharing about
critical infrastructure incidents, including cybersecurity incidents, among industry. This can include offering mitigation recommendations,
providing indicators of malicious activity, and sharing more detailed analytical reports. Unless the victim company requests otherwise, data
are always shared without specifically naming the victim company.
Government plays an important role in these efforts as well. For example, this year the Treasury established the Financial Sector Cyber
Intelligence Group (CIG) within our Office of Critical Infrastructure Protection and Compliance Policy. The CIG's role is to ensure that
information about cybersecurity incidents available through law enforcement and intelligence community channels is shared with the
private sector at the unclassified level. This team is delivering timely and actionable information that financial institutions can use to protect
themselves. This unit consists of cyber experts and security analysts who scour law enforcement and intelligence reports constantly to
find relevant activity, analyze and connect the dots between events, and issue information bulletins for security professionals in the
financial sector. The FS-ISAC is a key partner for us in getting information to the sector.
My second request today is that you talk with your security staff to understand how your organization is involved in cybersecurity
information sharing processes, whether through the FS-ISAC or otherwise. Are you receiving information about attacks against other
organizations? Are you sharing information about attacks against your organization? Assess whether you should be more involved in
these efforts, and consider making additional investments to make sure your organization is up to speed on current malicious activity.
Conclusion
Taken together, using the NIST Cyber Framework and engaging in cybersecurity information sharing efforts are key things you can do to
increase your organization's cyber posture. These are also both examples of areas where strong collaboration across industry and across
sectors is required, and are efforts we can build on to create the whole of nation approach needed to counter malicious cyber activity.
I hope that this conversation will help you understand the contours of the current cybersecurity debate and give you the motivation to
raise this issue with your teams and at your credit unions. I understand that cybersecurity can seem a daunting and technical topic, but I
want to leave you with one important reassurance: improving your cybersecurity is not that complicated. It starts with a conversation.
Much of this journey is as simple as asking the right questions and getting the right information, and the resources to do so are already
being developed and supported by your peers and colleagues across the sector.
Thank you for having me here today and I look forward to continuing to work with you on this important topic.
