FROM THE OFFICE OF PUBLIC AFFAIRS

Chairman Bennett, Ranking Member Bryan, and Members of the Subcommittee, I am pleased to have this opportunity to discuss with you Treasury's efforts to protect the critical infrastructures of the nation's financial services sector. Mr. Chairman, I had the pleasure of joining you in launching one part of this effort, the BITS Financial Services Security Laboratory. We are grateful for the leadership you have shown both on this issue and on Y2K.

Secretary Summers and the rest of us at Treasury view protection of the financial services sector as important work. If electronic commerce, and in particular electronic finance, are to thrive, then consumers must feel confident that their financial information and delivery systems are secure. Information in the financial services industry is particularly susceptible to risk. Thus, the stakes here are very high.

Today, I will first provide background information on Treasury's role in critical infrastructure protection (CIP) and, in particular, our relationship to the information sharing and analysis center recently established by the financial services industry. Second, I will discuss other Treasury efforts to prevent disruption of computer systems in the industry. Finally, I will discuss how the center performed during the recent Love Bug virus attack, and what effect that attack had on the financial services industry.

The Administration has been focused on the threat to our information systems for some time. In 1996, the President commissioned a blue ribbon Commission on Critical Infrastructure Protection, which released its final report in October 1997. That report identified banking and finance, information and communications, energy, transportation, water supply, emergency services, and government services as sectors of the nation's economy both critical to national well being and increasingly dependent on computer and information systems.

In response to the perceived vulnerability of these critical infrastructures to cyber attacks, and in recognition of their overwhelmingly private sector ownership, the Commission recommended a comprehensive program based on public-private partnerships and information sharing to protect all such critical infrastructures against cyber threats. The Commission's report was reviewed by an National Security Council working group and was used as the foundation for Presidential Decision Directive 63 (PDD 63), issued in May 1998. PDD-63 established the framework and responsibilities for implementing the Commission's recommendations.

The focus of the Directive was rightly on national security, and the emerging risk that our enemies may use the United States' dependence on information technology as a weapon against us. Of course, we recognize that the primary concern of financial services firms is on the higher probability, lower impact risks posed by disgruntled employees or idle teenagers. Fortunately, though, what serves to protect against lower impact risks is also one component of what is needed to defend against other risks.

PDD 63 directed each federal department and agency to reduce its own exposure to cyber threats, and directed government to work in partnership with the private sector in order to protect critical private sector infrastructures. In the latter respect, PDD 63 assigned Treasury as the "lead agency" responsible for working with the banking and finance sector of the economy. I have been designated by Secretary Summers as the liaison to the private sector for this purpose. My counterpart, Steve Katz, the Chief Information Security Officer at Citigroup, serves as the private sector coordinator.

As a first step toward the private sector outreach mandated by PDD-63, former Secretary Rubin convened a Treasury information security conference on October 7, 1998. Attendees included a large number of industry information security officers and representatives of the financial regulatory agencies and others with a direct interest in critical infrastructure protection. We hoped that such a conference would, at a minimum, allow the best minds in the financial services sector to meet each other, share expertise, and continue to network.

Industry reaction to the conference was extremely favorable. Industry representatives at the October 7 conference readily agreed that the goals of PDD 63 (such as information sharing, education and outreach, vulnerability assessment, and research and development) were worth pursuing, and they agreed to create and support what is now known as the Banking and Finance Sector Coordinating Committee on Critical Infrastructure Protection (the Coordinating Committee), chaired by Sector Coordinator Katz. The industry representatives also established four subgroups to address the issue areas they considered to be of highest priority: vulnerability assessment; research and development; CEO outreach; and information sharing. This blueprint has defined the activities of Treasury and the industry since 1998.

The second meeting of the Coordinating Committee, on March 11, 1999, was a "nuts-and-bolts" type of meeting that established specific agendas for each of the working groups going forward. At that meeting, it was also decided that the creation of an industry information sharing and analysis center was especially important, largely because of impending Y2K concerns among government and industry leaders and other signs of an increase in cyber threats. The third meeting, held on April 10, 2000, focused on assessing the vulnerability of the financial services sector to attack and on research and development priorities.

Each of the working groups is at a different stage. The R&D Working Group is consulting government, academic, and industry experts to develop priorities for government- and private sector-funded research. The Vulnerability Assessment Working Group is reviewing a vulnerability analysis prepared for the President's Commission, and the Congress has authorized funding for a follow-up report based on their analysis, which we hope will be appropriated. The CEO council has worked with the Critical Infrastructure Assurance Office at the Commerce Department to help raise awareness of these issues.

As noted earlier, one of the most important goals of PDD 63 was government encouragement of private sector information sharing and analysis centers (ISACs). These centers would be designed to encourage information sharing about actual or potential cyber attacks, and distribute alerts about, and suggested remedies for, such attacks to their respective industry sponsors, the actual owners and operators of the critical infrastructures.

Dealing with a computer virus or new type of attack is both a technological and an administrative problem. Just as combating the annual flu virus involves isolating and identifying the strain, developing a vaccine, and inoculating millions of people, so too does combating a computer virus involve determining the strain, developing a fix (patch or screen), notifying users of the need to protect themselves and delivering the fix. In the case of computer viruses, the administrative problems can be a daunting task since it can involve large numbers of servers and stations.

For this reason, we believed from the outset that an information sharing center was an area where Treasury could add value. The financial services sector already represents the state of the art in information technology. The sector spends considerable resources, employs talented people, and retains respected consultants. Financial services firms, perhaps more than non-financial services firms, have strong reputational, financial, and competitive incentives to safeguard their information assets.

The incentives for competing financial services firms to share information, however, are not as strong. The first instinct of a company under a debilitating attack is not to highlight its problems to the public and help its competitors avoid the same fate. Thus, we believe that this area is one where government could profitably act as a facilitator.

The financial services industry was among the first to respond to PDD 63's call for the establishment of an ISAC. After an arduous period of technical, legal, and organizational negotiations, approximately a dozen major financial services firms and industry utilities established the Financial Services Information Sharing and Analysis Center - what they call the FS/ISAC. Its official opening was announced by Treasury Secretary Summers on October 1, 1999, with the participation of Chairman Arthur Levitt of the Securities and Exchange Commission, Vice Chairman Roger Ferguson of the Federal Reserve Board, and Richard Clarke of the National Security Council and the new FS/ISAC Board members.

Let me emphasize at the outset that the members of the Center and Treasury view this entity as an important experiment, but still just an experiment. There will be other ways for firms to share or gather information: Carnegie-Mellon's Computer Emergency Response Team (CERT) (funded partly by the U.S. Government) currently performs a valuable service in identifying and warning of threats to information security. The NIPC provides an important watch and warning function and works closely with GSA's Federal Computer Incident Response Capability (FedCIRC) and Carnegie-Mellon's Computer Emergency Response Team (CERT). The anti-virus firms themselves operate centers to learn of new threats, develop fixes, and sell patches. Consulting firms now frequently offer a myriad of information security services. I think it is too soon to know which of these efforts will succeed. It may be that some will eventually be linked. But we thought that a sector-based, financial services center deserved a try.

It is important to understand what the Center is.

• The FS/ISAC is most easily understood as a mechanism for developing and sharing a secure database of information on cyber threats, incidents, vulnerabilities, resolutions and solutions. This information can be shared in a voluntary authenticated and anonymous manner, so that member institutions can participate without taking on reputational risk. The members were quite insistent on this point. Indeed, a majority of the members wish to have even their membership kept confidential.
• The Center is a limited liability company owned by its current 22 members, who include the largest banks, securities firms, insurance companies, and investment companies in the country. Together, they hold nearly 22 percent of total U.S. financial assets, excluding the monetary authority. The Center is not in any way funded or governed by the Treasury Department or any other governmental agency. My staff and I participate in board meetings solely as observers.
• Information comes into the Center either from its participating members or from the vendor that operates the Center. Information contributed to the Center can come from publicly available sources, government sources (local, state, and federal), members submitting anonymously, members submitting in an attributable manner, and others. Importantly, no customer account information is shared. No one at Treasury or any other agency sees the input or output of the Center since it is the property of the FS/ISAC membership.
• We are hoping, however, to facilitate the sharing of information directly from the government to the Center, and eventually from the Center to the government. The Center and the Pentagon's Joint Task Force/Computer Network Defense, representing United States Space Command, are currently discussing an information exchange agreement, and we hope that some information from Pentagon CERTs will flow to the Center. Once a trusted relationship is established, we hope that sharing at the appropriate and approved levels will be reciprocal.

It is important that the Center be viewed as a sort of Internet start-up - albeit one that thus far has assets exceeding its liabilities. It has been in full operation for fewer than eight months. Like other Internet start-ups, its success or failure will hinge largely on its ability to scale up. The Center becomes more valuable as more members join and share information.

That said, we believe that the FS/ISAC and other efforts to enhance the safety of electronic systems deserve the attention of firms of all sizes. With respect to the FS/ISAC, small- and medium-sized firms would pay a $13,000 annual fee - small in comparison to almost any firm's security budget - and in return receive not only information about nascent threats and warnings of particular incidents, but they can also call the Center's analysts at any time to answer questions. This latter option may mean less to large firms with in-house expertise and extensive contacts with vendors, but it should be especially valuable to smaller firms.

I want to emphasize that participation in the Center does not absolve any financial institution of its obligation to report criminal activity. Indeed, the Treasury's Financial Crimes Enforcement Network (FinCEN) and the five federal bank regulatory agencies (the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision and the National Credit Union Administration) have recently revised their suspicious activity report for banking institutions with respect to computer activity. The new form will be published on June 19th. The revised form includes an additional check box specifically for suspicious activity involving computer intrusions. The new box should be used by banking institutions reporting suspicious activity when access is gained to a computer system to:

• Remove, steal, procure, or otherwise affect funds of the institution or its customers;
• Remove, steal, procure, or otherwise affect critical information of the institution, including customer information;
• Damage, disable or otherwise affect critical systems of the institution.

The instructions to the revised form were carefully drafted to avoid imposing undue burdens on the banking industry, which includes the only private sector firms under an obligation to report computer intrusions on this form. Thus, under instructions to the form, computer intrusions do not include attempted intrusions of websites or other non-critical information systems of the institutions that provide no access to institution or customer financial or other critical information.

Regulators have increasingly recognized that protecting the information assets of a financial institution is a crucial part of safety and soundness. Thus, on May 16, the OCC issued updated guidance to national banks on how to prevent, detect and respond to intrusions into their computer systems. The guidance supplements an OCC bulletin on cyber-terrorism published last year and an alert on distributed denial of service attacks issued in February.

The updated guidance discusses controls that can be employed to prevent and detect intrusions, ranging from basic security procedures, such as employee and contractor background checks, to technology-based tools, such as data encryption and real-time intrusion detection software. The bulletin encourages national banks to perform intrusion risk assessments, implement controls, establish intrusion response policies and procedures, and perform periodic testing.

The updated guidance also reminds national banks to report intrusions and other computer crimes to law enforcement authorities and regulators by filing Suspicious Activity Reports. The bulletin provides guidance for gathering and handling information on intrusions, and highlights three organizations that are primarily involved with the Federal government's national information security initiatives: Carnegie Mellon University's CERT, the FS/ISAC, and the FBI's NIPC.

Similarly, OTS has taken several specific actions to encourage thrift institutions to be proactive in addressing potential security threats. Starting in October 1997, OTS issued detailed guidance to the thrift industry and its examiners in a revised examination handbook section, which is continually updated as technology evolves.

In November 1998, OTS issued its electronic operations rule that is designed to facilitate safe, sound, and prudent innovation in the use of emerging technologies. The rule requires management to identify, assess, and mitigate potential risks, implement a strong system of internal controls, and monitor and update security procedures to keep pace with changing industry standards.

OTS has also issued numerous policies and guidance that address information and technology security issues. These include CEO memoranda concerning procedures for recovering information systems that may be damaged by malicious activity; defining lines of responsibility to respond and report suspicious activity to appropriate law enforcement authorities; training staff on information security precautions; and seeking out assistance from information security organizations when appropriate.

On May 4, the Visual Basic Script (vbs) Love Letter worm - what some call the Love Bug computer virus - swept into the United States through innumerable electronic mail messages.

Reports indicate that activity related to the Love Letter worm has now subsided, including activity resulting from variations of that worm, such as "Very Funny.vbs" and "mothersday.vbs." However, there is no systematic reporting of the effects of viruses or worms for any industry, including the financial services industry. Instead, we have anecdotal reports from the bank regulators and individual institutions, from which it does not appear that this worm disrupted any of the core functions of the financial services industry - for example, the payments system or any of the major clearinghouses or exchanges. It did, however, cause substantial disruption to the e-mail servers of some financial services firms, requiring them to shut down those servers for hours or even days. In the coming weeks, we will seek to learn more about the effects of the Love Bug, and how information about it flowed through the industry.

As we understand it now, the first accounts of the Love Bug came into U.S. firms early on the morning of May 4th. Those firms with Asian or European offices heard first, some as early as 3:00-4:00 a.m., as their overseas affiliates reported trouble. Even for those who got early warning, however, the only immediate option was to warn employees not to open certain e-mails and to stop all e-mail communications.

The distributed denial of service (DDOS) threat was the first major test for the FS/ISAC, which was successful in terms of sharing critical information. The Love Bug was the second major test for the FS/ISAC and exposed some flaws in its present operating procedures. Only a few firms reported the incident - either because they were too busy resolving their own problems or because they assumed everyone was aware of the problem. Although the Center's operator posted a threat notice early on the morning of the 4th, the paging system used to alert the members to an urgent threat did not reach all the member contacts. The Center determined from this experience that it needs to implement alternate notification procedures (e.g., a conventional telephone-line, fax-based notification system for those times when e-mail or other Internet services are not working). We expect that the system will be better for these reforms, and will induce even greater vigilance by the financial services industry.

Mr. Chairman, thank you for asking me to appear here today. I will be pleased to answer any questions you or Members of the Subcommittee may have.