Closing the CIP Technology Gap in the Banking and Finance Sector

Treasury Department

Office of Critical Infrastructure Protection and Compliance Policy

March 2005

Long-term Policy Mandate to Expand CIP R&D for Banking and Finance

• Presidential Decision Directive 63 (May 1998)– “Department of the Treasury and the financial

sector are expected to … Recommend a program of research and development to keep the industry at the cutting edge of information systems security…”

…Expanded in the National Strategy to Secure Cyberspace “Action Recommendation”

• Action Recommendation 3-6:

“A public-private partnership should continue work in helping to secure the Nation’s cyber infrastructure through participation in, as appropriate and feasible, a technology and R&D gap analysis to provide input into

the federal cybersecurity research agenda, coordination on the conduct of associated research,

and the development and dissemination of best practices for cybersecurity.”

The Banking and Finance Sector Is A Significant Factor in Cyberspace

• 9% of the U.S. Gross Domestic Product

• 12% consumer of IT sector products and services

• Large provider of e-commerce services

• Heavily dependent on telecom and IT sectors

Closing the CIP Technology GAP in the Banking and Finance Sector

• There is a significant difference between “state-of-the-practice” vs. “state-of-the-art” in CIP protection

• This is driven by a variety of factors including:– Cost vs. perceived benefits– Dissemination of information about state-of-the-art– Creation of “best practices”– Adoption time (“early-mid-late adopter” curve)

• Closing the gap must be a priority for government and industry

State-of-the-Practice vs. State-of-the-Art

N.B. Hypothetical data

The Treasury CIP R&D Agenda Project

• Goals– Advance BOTH the state-of-the-art and the state-of-the-

practice in the banking and finance sector. – Facilitate “closing the gap” between state-of-the-art and

state-of-the-practice in CIP.

• Strategy– Encourage public-private partnerships to engage in R&D

that will develop technology and business practices of near term as well as longer term value to the banking and finance sector.

Approach

• Analyzed existing R&D agendas for applicability to goals of project

• Augment with topics based on industry needs• Vet with industry experts and organizations• Develop funding and governance model• Work with public and private sector to create funding

sources• Manage RFP process• Organize information sharing

Multiple Frameworks for R&D Projects

“CIP Life-cycle:” Policy and Strategy Awareness and

Assessment Preparation and

Prevention Detection and

Restoration Risk Management

Business/Tech Impact:

• Business Continuity

• Authentication and Access Control

• Information Security

• Network and Communications

• Operations Center Management

• Best Practices

Example Projects

• Enterprise security management

• Integration of physical and cyber security

• Securing software Securing software environments including environments including COTSCOTS

• Access control language standards

• Defending against “insider” Defending against “insider” attacksattacks

• Biometric identification Biometric identification systemssystems

• Wide-scale identify theftWide-scale identify theft

• Asset movement pattern Asset movement pattern recognitionrecognition

• Business continuity strategies

• Data replication technologyData replication technology• Data decontamination

approaches• Clearing system

interoperability• Best practices repository• Life-cycle costing• Creating public policy to

promote business continuity best practices

Securing Software Environments Including COTS

• The issue:– Banks and financial institutions use and integrate software

they develop themselves and from dozens of different vendors, each with (or without) appropriate security. How can they create a secure environment with that architecture?

• Life-cycle: – Awareness and Assessment, Preparation and Prevention,

Detection and Reaction• Business/technology impact:

– Improved security of integrated systems environments• Time frame:

– Mid-term

Defending Against Insider Attacks

• The issue:– Although financial institutions vet their employees, by the

nature of their jobs they have access to large amounts of sensitive information. In addition, IT personnel have access to sensitive systems. What technology can be developed to reduce vulnerabilities in this type of environment?

• Life-cycle: – Awareness and Assessment, Preparation and Prevention,

Detection and Reaction• Business/technology impact:

– Information Security, Business Continuity, Authentication and Access Control

• Time frame: – Mid-term

High-reliability Biometric Identification Systems

• The issue:– The public is very sensitive to use of biometric identification,

particularly when reliability is less than perfect. How can systems be improved to a level of reliability that will be accepted in the financial environment?

• Life-cycle: – Awareness and Assessment, Preparation and Prevention

• Business/technology impact: – Authentication and Access Control

• Time frame: – Mid-term

Wide-spread Identity Theft

• The issue:– Credit and related information is stored in databases where

the theft of millions of identifies is possible (cf. NYTimes report 2/24 on theft of 145,000 identities from ChoicePoint)

• Life-cycle: – Preparation and Prevention, Detection and Reaction,

Recovery and Restoration• Business/technology impact:

– Information Security, Business Continuity, Authentication and Access Control

• Time frame: – Mid-term

Asset Movement Pattern Recognition

• The issue:– It is relatively easy to track small number of large value

transactions. In today’s world, terrorists are more likely to be funding operations with large numbers of small value transactions. How do we find them?

• Life-cycle: – Detection and Reaction

• Business/technology impact: – Authentication and Access Control

• Time frame: – Near term

Data Replication Technology

• The issue:– To continue operating in the face of potential wide-scale

disruptions, FIs are locating secondary and tertiary sites hundreds of miles apart. The need for “aggressive” recovery time and recovery point objectives implies the need for new types of data replication approaches.

• Life-cycle: – Preparation and Prevention, Recovery and Restoration

• Business/technology impact: – Business Continuity

• Time frame: – Near term

Selection Criteria

• Program will seek diversity in:– CIP “life-cycle phases”

– Business process and technology impact areas

– Time frame

– Research risk (exploratory to developmental)

Current Activities

• Analyzed existing R&D agendas for applicability to goals of project

• Augment with topics based on industry needs• Vet with industry experts and organizations• Develop funding and governance model• Work with public and private sector to create

funding sources• Manage RFP process• Organize information sharing

Closing the CIP Technology Gap

State-of-the-Art (Proven Technology)

State-of-the-Practice

Time

Te

chn

olo

gica

l Ad

van

ce

The State-of-the-Practice must improve at an average rate faster than improvements in the State-of-the-Art, and must deal with the uneven progress of improvements in the State-of-the-Art.

Variation among organizations can be large at any point in time.

Goal is also to reduce the variation among organizations.

For more information, contact:

– Scott Parsons, Deputy Assistant Secretary scott.parsons@do.treas.govscott.parsons@do.treas.gov

– Brian Peretti, Program Manager brian.peretti@do.treas.govbrian.peretti@do.treas.gov

The Treasury CIP R&D Agenda Project: “Close the Gap”