JOE LOCKWOOD – ‘A business problem’

A recent recommendation by U.S. Deputy Secretary for Homeland Security Gordon England that banks should engage in “war games” and simulate terrorist attacks on their computer systems has prompted industry officials to question why a new name is being placed on an old game.

Although the conflict with Iraq was what prompted England to make the request, bankers say this type of “gaming” has been going on for years, despite the new moniker.

“The government has identified cyber-attacks as a threat to the economy. [The government] has an infrastructure in place to deal with physical attacks via law enforcement and border controls, but on the cyber-security front they have nothing,” said Joe Lockwood, chief technology officer for Avon-based COCC, an information technology company tailored to financial institutions and banks throughout the Northeastern United States. “This is really a new name on an old process … and the best the government can do right now is raise awareness that this is a very real threat and while they are not positioned to stop it, we as corporations can take steps to help reduce the risk of these types of attacks.”

England said he participated in a war game experiment involving two financial institutions and found the results “pertinent, but not surprising.”

“After an attack, the financial sector needs to act predictably to promote public confidence … confidence in the [financial] markets is necessary to ensure continuity of operations and to protect the financial companies and the assets they manage,” he said.

As a result, England said he recommends war-gaming exercises to “ensure that the resiliency of the financial system can be realized.”

COCC Security Administrator Andrew Sutton, however, noted that the government is still trying to understand the complexity of banking infrastructure and security.

While the issue has been on the front burner of business strategy for years, Sutton said, the idea of terrorist attacks on financial institutions “is such a complex problem that the government is trying to get their hands around the entire problem.”

‘Intrinsic Needs’

In a statement issued two weeks ago, England called for financial institutions and banks to simulate terrorist attacks on their computer systems to “strengthen their ability to withstand such an event.”

England recommended the use of “war game” programs to test companies’ management and technology strategies and said banks should collaborate with their local regulators to develop plans that would secure the financial market and preserve consumer confidence in the event of an attack.

“The emphasis is on how we protect our banks and financial institutions and our payment systems in this country,” said Virginia Garcia, senior analyst at Towergroup, a financial services research and advisory firm based in Needham, Mass. “Because financial institutions are so connected, all of these systems are interconnected so if one goes down, they all go down – and the idea of ‘war games’ is testing that needs to be done between banks.”

Lockwood, who works with 83 financial institutions and provides 3,480 Internet-connected workstations, said banks are being told that money should not be an issue when investing in better technology and regulators are advising the government and financial institutions to simulate war game programs on bank systems.

“Regulators are taking [banks] down this path and while [war game programs] are not yet mandated, regulators are leaning heavily [toward the idea],” said Lockwood.

According to Doug Johnson, senior policy analyst at the American Bankers Association, the idea behind war gaming among financial institutions is to “build up the network and community and find out the consequences and responses” to an attack on the company’s systems.

To test the security infrastructure currently in place, banks and financial institutions give third-party “attackers” limited information about the business – in some cases just a name and an IP address – and let the “terrorist” attempt to penetrate the system using only the information provided.

Some war game exercises work much like a cyber-attack on a bank’s infrastructure committed by a third party, while other, more “sophisticated exercises” reveal the full extent of the problem, said one industry analyst.

“This is a critical part of preparedness both for commercial enterprises including banks and governmental agencies … People have come to just accept [third-party vendors] penetrating a system and that tells you what vulnerabilities you have, but [war gaming] exercises show you what is wrong, and the processes that are wrong, and how to respond appropriately,” said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College in Hanover, N.H. “We are susceptible not just to cyber-hackers but a more strategic level of attacks by terrorist groups or hostile foreign nations that would target not just one institution, but a conglomerate of banks. We need to take steps to minimize damage and contain it.”

The Institute for Security Technology Studies serves as a national center for counterterrorism and cybersecurity research, development and analysis. The research programs concentrate on threats to information infrastructure systems as well as national information sharing needs, and help develop technology to strengthen systems attacked by terrorists.

According to Vatis, cyber-attacks are still new and a lot remains to be explored in simulated exercises that provide “real-world situations” – so if something should happen, “people know what to do and don’t have to make it up on the fly. This is something that banks just need to do.”

Although some banks in the region were hesitant to discuss what security systems were in place to combat cyber-terrorism, analysts say many banks have a disaster recovery plan, but nothing in place to prevent attacks from initially happening.

“There are a lot of intrinsic needs in Boston because it’s a hub of financial institutions. Clearly, the custodial banks need to be on high alert … The regular retail bank certainly needs to be able to guarantee uptime in a business day, but it’s not the same sense of urgency,” said Garcia.

The disaster recovery plans and Internet security systems at Commonwealth National Bank, a $58 million-in-assets retail bank based in Worcester, Mass., are reviewed annually.

Martha A. Dean, chief operations officer at Commonwealth National, said the bank’s “disaster recovery plan and business resumption plan cover everything from a minor event, such as power outage, to a full disaster of a branch location.”

Dean said the bank acknowledges the regulatory requirement that has been placed on banks for years to have a documented disaster recovery plan, but the focus on the plan has been “heightened since the [terrorist] attacks of Sept. 11, 2001. Commonwealth National Bank is also proactive in obtaining documented disaster plans from our third-party vendors to ensure that the disaster recovery action steps for these contracted services are reviewed and tested as well.”

While banks should make every effort to penetration-test their business continuity plans and disaster recovery plans, Johnson said he does not believe war gaming should be a requirement for smaller community retail banks; instead, those banks should rely on local government officials and state legislators for regulation.

Regardless of the type of testing, industry analysts say the times have changed significantly since Sept. 11, and even further back since the Y2K compliance effort, and the threat of cyber-attack is no longer solely a technology issue.

“The awareness [of cyber-terrorism] is heightened and it is certainly brought to a higher level. It’s really become a business problem and not a technology issue,” said Lockwood. “Top officials and [boards of] directors in organizations have to understand the risks associated with the new technology and the updates in this day and age.”

Lockwood said the boards of directors at banks are responsible for the upkeep of the banks’ internal security systems and those board members “are held liable” for not maintaining the systems.