CHIPS recently interviewed Dr. Cathy Allen regarding the security of financial transactions on the Internet. BITS was formed by the Chief Executive Officers (CEOs) of the largest bank-holding institutions in the United States as the strategic "brain trust" for the financial services industry in the e-commerce arena.
CHIPS: In your opinion what is the role of government and public organizations in security issues?
BITS has thought from the beginning that there should be public and private partnership in this area. Next to the government, the financial industry has the most interest in security. BITS has been working with the Department of the Navy, specifically the DON Chief Information Officer and the former Undersecretary of the Navy, and we are supportive of the Government identifying security as a critical issue. With top-level changes taking place in the Administration, it is important to have continuity on the issue of security.
CHIPS: What is the role of private industry in security issues?
First, private industry should partner with government, as stated earlier. Second, the financial industry must provide a safe and secure environment, gaining the trust of their customers. Third, they need to educate each other on what the issues are. The Department of Treasury and financial institutions created the Financial Services Sharing and Analysis Center as a way to share anonymously, breaches and hacks, and ways to alleviate them. Currently 54 financial institutions are members. This center was the first one to be formed in response to the Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63. The three objectives of the center are information sharing, testing (using the BITS lab), and education (briefing others on findings and best practices).
CHIPS: In the near future what security issues need more attention?
There are several security issues that will need more attention in the future. They include:
•Internet fraud (viruses, etc., that impact electronic transactions)
•The liability of outsourcers who host Web sites and processing centers
•Wireless communications, which are more challenging in terms of security
•The growing need for insurance or gap analysis because you cannot guarantee security when transactions and processing are so distributed
•Authentication
•The next generation of viruses
•Speed to market. There is enormous pressure, driven by Internet time, to bring products quickly to market. It used to be that two years was the average time to get a new product to market; now it's six to nine months. In introducing products to market quickly, we must be aware of the risks above, and government and private industry must work together
CHIPS: What steps or procedures have you taken to guard against "insider threat?"
Insider threat is the number one issue in security today. Insider threat involves someone who works on the inside of an organization doing something he is not supposed to be doing. The BITS lab is very active in researching this issue and has described minimum security criteria that financial services companies can use as baseline criteria for access control. In addition, the BITS Fraud Working Group deals with check and Internet fraud, sharing best practices on what we are doing in these areas. We are working on a certification program that would consist of verifying employees, background checks, and training employees on internal security practices.
CHIPS: The Internet has removed geographic borders. What is the United States' role internationally?
BITS has taken the lead internationally on security issues. BITS is working with the Office of the Comptroller of the Currency (OCC) and the BASEL Committee (a committee headquarters in Basel, Switzerland) to standardize and apply what BITS is doing on a global basis.
BITS has also met with private finance organizations in Canada, the United Kingdom, Japan, and the European Union to share information and focus on Internet security. We are trying to reach agreement on common business practices on how transactions take place.
CHIPS: What kind of issues will we face in the future?
We are concerned about major breaches. We have to look at this as an ongoing and ever challenging problem as we move more and more to distributed technology and, in particular, electronic transmission.
We tend to look at security breaches in terms of three groups of people: hackers, who are either malicious or kids just trying to see if they can do it: criminals; and terrorists, who will use various fraud and security breaches as a way to impact an economy or impact a particular company.
I think it is something we have to approach in a holistic manner. You cannot say, “I’ve got the best encryption technology.” That’s only a piece of the puzzle. You’ve got to consider technology and make it as secure as possible, your business practices and processes, and insurance – gap insurance and the regulatory requirements that protect customers.
Other countries don’t have the level of fraud that we have here in the United States, but because we are more regulated than any other country; we are more attuned to the consumer protection issues than most other countries.
CHIPS: You are one of the pioneer thinkers in smart card technology; how do you see the use of smart cards in the U.S.? In your opinion why is the U.S. market not as excited about smart cards as the European market?
I think there will be resurgence in the use of smart cards, and very similar to the Navy, it will be for access control identification, authentication and authorization.
In the U.S., I think the reason why we haven’t seen many smart cards is the lack of standards. Financial institutions and merchants are not interested in investing in the infrastructure, which is estimated to be around $10 billion, to accept smart cards, especially when we don’t have agreement on the standards.
The second issue is that there just hasn’t been a business case for stored value in the U.S. Unlike other countries, we are a high debit or credit card use country and there are pockets that only want to use cash. We don’t see the worth of stored value.
In the U.S. there are more opportunities for standards around access control using smart cards and Public Key Infrastructure (PKI). When that infrastructure is in place, I think we will start to see other applications put on top of that. I don’t believe it will be a generic payment card; I think it will continue to be used for access card type applications.
The major challenge in the e-commerce and B2B [business to business] arena is the issue of authentication – how to identify and authenticate customers and ensure transactions are secure.
CHIPS: What kind of education or awareness is needed for the general public? Is this a government or industry responsibility?
The government and private industry share joint responsibility to educate the public. Education is one of our goals here at BITS; we generally do this through our member organizations. We have produced consumer information kits that member organizations use and we have ongoing discussions with organizations on the areas where they can have impact.
We provided information on identity theft to member banks. We also work with the Information Technology Association of America to educate youth—the up and coming users of information technology.
Another effort to educate the public is a television program produced by the Stevens Institute of Technology on security. BITS also puts consumer tips on its website [www.bitsinfo.org].
CHIPS: As we move more and more to a wireless environment, what challenges will we be facing?
BITS is doing quite a bit in the area of wireless communications. A Wireless Technology Working Group was formed out of the BITS’ Security and Risk Assessment group to work on wireless standards, security and market development.
This working group is exploring how to influence standards and enhance security and reliability. It brought together wireless experts and created requirements, which were sent to wireless carriers, solution providers and device manufacturers. This is sending a message to providers that we, as an industry, have requirements that must be met.
CHIPS: The Electronic Signature Act was passed recently. Does BITS have a role in this area?
BITS’ member organizations are looking at how the Electronic Signature Act will affect them. BITS served as a clearinghouse to identify what the problems are and how we might solve these problems. Currently, there is a lack of guidance in this area, but BITS is working with agencies to help get clarification.
CHIPS: There is an assumption that technology always moves faster than business plans or human adaption. What is the financial world doing to harness the power of information technology? How is the banking industry dealing with dotcom bankers?
The concept of dotcoms is not going away. In this Evernet environment, people are “on” 24 hours a day, seven days a week. [The term “Evernet” was coined by the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.]
Regulators have been working closely with the dotcoms, and BITS is continuing its work in developing standards and business practices and sharing intellectual capital.
We are putting the best of the best together and learning from each other.
The BITS’ mandate is to:
-- Facilitate the growth of electronic banking and financial services
-- Facilitate development of superior, market-driven technologies
-- Maintain the industry’s role at the heart of the payments system as e-commerce evolves
-- Sustain consumer confidence and trust by ensuring the safety, soundness, privacy and security of finance transactions.
For more information about BITS, visit www.bitsinfo.org.