Via CNN : Some of the banking industry’s top executives are concerned that hackers will continue to attack the global financial system by breaking into smaller banks.
In February, computer hackers stole $101 million from Bangladesh’s central bank. In a potentially disastrous move, they gained access to SWIFT, the worldwide interbank communication network that settles transactions.
Hackers performed that attack a second time recently, on what is believed to be a commercial bank in Vietnam.
On Monday morning, those attacks were discussed in stark terms by bankers present at a special meeting of President Obama’s Commission on Enhancing National Cybersecurity.
They expressed frustration about the futility of fighting hackers: Large American companies spend millions of dollars defending their computer networks from data breaches and potentially destructive digital bombs. But hackers can simply target smaller, less defended banks to gain access to the global banking system.
That’s how bank robbers successfully made five transfers out of Bangladesh Bank’s account at the Federal Reserve Bank of New York in early February. They broke into a less-defended bank, then posed as that legitimate institution to pull money out of a bigger bank.
“The weakest link in the chain is where exposure happens. I’m deeply concerned about the fact that smaller banks could be broken into,” said MasterCard CEO Ajay Banga, who sits on the commission.
Banga directed his comments at three visiting panelists, high-ranking cybersecurity officials at American Express (AXP), Goldman Sachs (GS) and JPMorgan Chase (JPM). Banking is typically regarded as the industry best prepared to fight off hackers. It has the most money to lose.
“At the end of the day, every institution is not equal,” noted Greg Rattray, head of global cyber partnerships at JPMorgan. He previously served as the National Security Council’s cybersecurity director during the Bush administration.
Rattray said the banking industry needs to take a look at increasing the security of shared systems that settle payments, like SWIFT, “and make sure they’re as strong as the large institutions are.”
Marc Gordon, American Express’s chief information officer, noted that small- and medium-sized businesses do get peppered with tips on how to keep hackers out of their computers. But in reality, it’s a problem smaller players just can’t tackle well.
“We work with dozens of startups. This is not something that’s easily achieved by medium-sized companies,” Gordon said.
Another member of the president’s special commission, retired four-star U.S. Army General Keith Alexander, asked about what happens after a hack.
“How do you interact when you have a serious problem, like the bank in Bangladesh? It seems to me what you need is the real-time information sharing,” said Alexander, who served as NSA director for nearly a decade ending in 2014.
Gordon said banks receive “good support” from the Department of Homeland Security, FBI and Treasury Department investigators after an attack. But Gordon said federal agencies aren’t communicating enough with private companies to warn them about impending assaults on their computers.
The U.S. government, which spies on Internet traffic worldwide and routinely spots hacks first, is in a position to provide further information to corporations. But much of that information is classified as sensitive to national security and kept secret for prolonged periods of time.
Bankers at Tuesday’s meeting discussed an urgent need to increase — and even automate — the communication between U.S. intelligence agencies and American corporations.
“We should attempt to desensitize and declassify as much as possible,” said Phil Venables, chief information risk officer of Goldman Sachs.
Last year, President Obama signed into law measures that promise to do just that. But privacy advocates worry the law will just increase unchecked surveillance on innocent Americans.
The result of this commission’s inquiries will be proposed to the next elected U.S. president.