Bill Nelson, NACHA’s long-time executive vice president, left that organization effective Feb. 1 to be the FS/ISAC executive director. His job: Grow the organization from its current 1,800 members—up from 60 in 2002—and reinforce its mission, possibly to include fraud alerts in its daily information feeds.
“We want every financial institution in the country to be a member,” says Nelson. “There really isn’t any reason they shouldn’t be, in some capacity. So I’m going all over the country as part of an ongoing FDIC road show and pitching it. The U.S. Treasury, the FDIC, and the American Bankers Association have all endorsed it.”
The FS/ISAC, or Financial Services Information Sharing and Analysis Center, is one of the country’s main computer security umbrella organizations. It was created in 1999 by Presidential Directive, after a series of war games, played under the aegis of the President’s Commission on Critical Infrastructure Protection, demonstrated that most of this country’s critical industries were unprepared to resist cyber-attack.
Most of the nation’s other critical industries developed ISACs at the same time. Their original job was to be a nexus for information sharing among computer security professionals, the idea being to create a forum in which they could safely, and anonymously, share information about hacking, distributed denial of service, virus, and other cyber-attacks. As part of that idea, conferences were scheduled at which these executives could meet and get to know each other; that way, in the event of some emergency, went the thinking, a level of trust would already exist that could override ordinary institutional caution about sharing operational details about computer security.
That was the FS/ISAC’s original writ, too, but it’s morphed in recent years, and now also includes issuing warnings about physical attacks on financial institutions, and recovery from natural disasters like Hurricanes Katrina and Rita. Nelson’s direct contacts at the U.S. Treasury are in the Office of Critical Infrastructure Protection and Compliance Policy. He works closely with the FDIC, the Federal Reserve, and the Department of Homeland Security (DHS), as well as the Financial Services Sector Coordinating Council and the Financial and Banking Information Infrastructure Committee.
“We’re almost the operating arm for disaster response, and planning for responding to attacks, be they cyber attacks or physical, for the financial services sector,” says Nelson. This is one reason he’s considering expanding the FS/ISAC’s role to include distributing fraud alerts. “We have this great operations system here—why not utilize it?”
Nelson acknowledges that the Department of Homeland Security has recently been prompting his group to share more information with it, a process that could undermine the mutual trust that’s been built up among members. But, he says, the FS/ISAC is having none of it.
“We get feeds from the DHS, but in order to keep the level of trust up, we don’t give confidential information back to DHS,” even though they’re asking for it, he says. “It’s a cooperative effort, but our lead agency is the Office at the U.S. Treasury; so when we meet with DHS, we want Treasury involved,” he says. “We keep it confidential within the financial services community, though if the community has something it wants to share with DHS, we’ll share it.”
The number of threats that require communicating through Nelson’s group is larger than the public would really like to imagine. The physical threats alone, says Nelson, range from actual bank robberies and threats from al-Qaeda, to malicious power outages, such as recently occurred in Missouri. “There are hundreds of different incidents every year,” he says.
Every morning, the group sends a DHS daily security report to its members, who distribute it on a need-to-know basis to the people directly involved in any particular threat. The network security person, for instance, wouldn’t see the reports about al-Qaeda unless it was conducting a cyber-attack. “The chief security officer just wants the cyber stuff, and he can structure the portal so they just get those alerts,” he says. The FS/ISAC’s portal already distributes some fraud alerts, particularly from the FDIC. And bi-weekly conference calls brief members on progress against various threats floating about.
Also every morning, there’s a conference call with the other ISACs, during which the IT/ISAC briefs the ISAC community on various cyber threats facing the U.S. that day—worms, viruses, Trojan horses or other attacks. If something’s reported that touches on the financial sector, but hasn’t yet been reported by Nelson’s own members, an alert goes out. This includes, where necessary, emergency remediation via chat room, so any institution that might be under attack can fight it off with the help of the rest of the community. News on potential physical issues, including matters like Hurricanes Katrina and Rita, is shared every week.
This evolution in FS/ISAC’s mission was necessary, says Nelson, because the various threats “are so interrelated these days. Cyber attacks have changed from a college kid in his dorm room having fun, to pros—organized crime in the U.S., Rumania and other countries—and organized by some governments, which is where the DHS gets involved.”
The value of information sharing shouldn’t be minimized. In the week following the 9/11 attacks, for instance, the financial services sector in this country was suddenly confronted by the NIMDA virus, which attacked the main administration systems and caused an unknown, but reportedly extensive, amount of damage. That sort of attack could have caused much less damage if the FS/ISAC membership had been larger at the time.
But the value of trustworthy advice on how to deal with the unexpected stretches in many directions, which is why the FS/ISAC’s mission grew. Nelson cites the lessons learned from Katrina.
“What happened with Katrina was you had banks with no electricity, running water, or sewage, but they opened,” he says. “Experienced people [from the passbook savings days] could handle it, but inexperienced people couldn’t, so sharing information in that situation was crucial.” Nelson ticks off events like earthquakes, tornados, bombs and fires, as things that can ruin a banker’s day, and in which he or she can benefit from shared information. In cases like these, the FS/ISAC’s Critical Infrastructure Notification System kicks in.
There’s still plenty of room for improvement, though, says Nelson. For instance, the FS/ISAC membership is mainly made up of senior executives—chief operating officers, chief security officers and the like. Emergencies, though, rarely occur during business hours: Three o’clock in the morning is more like it, when few CSOs are lounging about the operations center. Critics have suggested that it would be productive to include more lower-level personnel in the ISAC infrastructure so that when something happens, they can call a colleague they know at another institution, saving valuable response time.
Nelson thinks including such line-operations people in the FS/ISAC is a good idea. “We need to reach out to the various levels within the financial institutions and make sure they know each other, in addition to the high-level people,” he says.
Nelson says the FS/ISAC, which is self-funding, has a variety of different membership levels, with different benefits. Some are even free. “At the lower end, if there’s an extreme threat—let’s say Treasury wants to send out a threat alert of High Priority 7—we have a basic price of zero,” he says. Prices and services begin at $750 a year to receive alerts, but few other services; $5,000 buys a standard membership, and $10,000, a premier membership, with extensive services and benefits, personal service, and access to the group’s analysts; a platinum membership, mostly just what Nelson calls “the big guys,” costs as much as $50,000, and buys virtually unlimited, customized services. (Contact: FS/ISAC, Bill Nelson, 703-777-2803)