Cyber-resiliency essential in age of relentless cyber threats
Central banks and other orgs should focus on key vulnerabilities
The spread of digital technology to all corners of the globe is full of opportunities, but not only for the good guys.
As technology becomes more integrated into our daily lives, we are significantly increasing our digital footprint and leaving massive trails of data behind. Here are just a few examples:
- Our phones and smartwatches are consistently tracking our position and activity
- Internet of Things devices record video of our front doors and tell us the temperature of our living rooms
- Social media captures life’s highs and lows
Most of this trail is invisible and managed and secured (or not) to varying degrees by different companies with differing policies and intent. We all love the benefits that come with these new capabilities, but there is now more data than ever to defend and more opportunities for cyberattackers to use that information against us. Basic “cyber-resiliency,” which ensures security and systems are optimized, should be a top priority, not just for the Federal Reserve, but for organizations large and small, and private citizens, as well.
At the Federal Reserve Bank of Boston, our view of the threat landscape is broad and evolving, and we take steps to ensure our entire operation, from our applications to the employees running them, is ready to protect us from adversaries we know we can’t underestimate.
Protecting more and more data
The enormous amount of data being produced today is mind-bending. The last Visual Networking Index from Cisco estimates that global IP traffic will reach 4.8 zettabytes per year by 2022, triple the 1.5 zettabytes in 2017. To put that in perspective: If each gigabyte in a zettabyte were a brick, they could be used to build 258 Great Walls of China. This massive and growing traffic flow includes 473,000 tweets, 13 million texts, and 49,000 Instagram photos every minute.
There’s big value in that data flow, and cyber criminals want at it. Their relentlessness can be seen in a crowded timeline of 20+ online attacks on central banks, banks, and financial services over the course of 2018, from February’s hack on email systems of the People’s Bank of China, to a breach of personal customer data at London-based HSBC in November.
As organizations work to fend off attacks, I see emerging threats becoming clear in several distinct areas:
- Business Efficiency: Recent years have seen companies increasingly adopt technologies intended to make businesses more personalized and easier to operate. For instance, chatbots – highly sophisticated computer programs that can hold a conversation with a website visitor or customer service caller – are points of vulnerability. They’re quickly deployed and easily spoofed, can be audio- or text-based, and users are more likely to provide private information to a chatbot than to an actual person.
- Data Collection: Companies are getting new insights from data we’ve never been able to collect and at a scale once thought unimaginable, but criminals want to commandeer growing data networks. The IoT is already estimated to include tens of billions of connected devices, and it’s a target for hackers working to steal information or spread malware for their own purposes, such as performing Distributed Denial of Service attacks or blasting spam emails.
- Social Media: The reach and influence of vast social media networks make them targets for scammers looking for victims. Hostile governments have used social media in disinformation campaigns, and employees can be targeted with customized phishing emails that use information from their social media profile to convince them to click on malicious links.
- Third-Party Dependencies: Digital transformation has enabled organizations to outsource computing tasks to third parties, like cloud providers. This data might actually be more secure with cloud providers than with even the best-protected private companies, but organizations must find ways to verify the level of security, compared to their own programs, and identify potential gaps. In addition, with the cloud provider market highly concentrated around a few large players, companies must ask, “Are those providers now critical infrastructure, and can an organization rely on only one provider for critical applications?”
A simple view of a protection plan focuses on three areas: 1) the system or application; 2) internal concerns, meaning employees; and 3) external concerns, including customers, partners and adversaries.
At the system level, applications must be capable of defending themselves. This includes measures such as aggressive patching, two-factor authentication, consistent vulnerability assessment, and developing the forensic capabilities needed to detect or eliminate problems.
The fact that employees can be the best defender or worst enemy is an internal concern, and it’s prompted a multi-faceted response including user education, exercises to help employees spot phishing emails, and limiting access to particular network areas to a need-to-know basis. At the Boston Fed, we also run an insider risk-management program to help identify employees who may be compromised or to prevent workers from causing unintended harm.
Finally, we need external protection and prevention efforts to prepare for the most unpredictable, determined, and sophisticated adversaries possible. That includes content filtering, detailed threat assessments, establishing 24x7 monitoring and forensic capabilities, and cultivating collaborative relationships with law enforcement and our peers.
Criminals won’t relent, so the good guys can’t, either. But we can lower risks through collaboration, information-sharing, and a commitment to be just as tenacious as our adversaries.