By Anthony Bjelke
This past September, several institutions, including the Securities and Exchange Commission, the credit rating organization Equifax, the accounting firm Deloitte, and the restaurant chain Sonic, reported that their systems had been compromised by hackers. At the center of these hacks was the personal financial information of millions of Americans. Determining how to respond to these hacks, and specifically how to defend against future hacks, raises several issues. One issue, functionally one of the most important, is determining through what conduit the federal government should go about attempting to improve the security of the financial information of its citizens.
In the realm of national security, there is always the notion that the various component entities of the intelligence community are independent, reclusive entities. What the community does have, however, is organization. Even before the creation of the Office of the Director of National Intelligence, Executive Order 12333 organized the intelligence community as just that, a community. Additionally, even though the various component elements of the community may fall under different cabinet departments, they are all federal government agencies, funded by the federal government and under the control of centralized authority.
The same structure cannot be attributed to the amalgamation of institutions, offices, agencies and other groups which act, ostensibly on behalf of the government, to regulate the finances of the American people. This problem is exacerbated by the ubiquity of electronic financial transactions across all elements of modern life. As demonstrated by recent hacks—whether it be in the form of commercial financial products, tax information, or the receipt for a hot dog lovingly roller-skated out to your car at a fast food chain—financial services touch almost every element of everyday life.
The complexity inherent in even thinking about an infrastructure that has such far-reaching implications is further complicated by the morass of different organizations that regulate financial products. The forms which these organizations sometimes take make oversight and centralized efforts more difficult. Much like the world of business it regulates, the community of financial regulators varies in structure, funding, and niche functions.
Unlike the intelligence community, where its member organizations are all federal institutions that coordinate and report (ideally, of course) to the Director of National Intelligence, regulators in the financial sphere come in many forms, including various independent agencies and corporations, as well as state agencies, which in many cases have no obligation to talk to or share information with their federal counterparts. Additionally, where the funding for intelligence agencies is generally a line item of the federal budget dealt with through appropriations, funding for agencies which regulate financial transactions may come from elsewhere. A prime example of this model is the Federal Deposit Insurance Corporation—serving essentially as an insurance underwriter for financial institutions—whose funding comes from insurance premiums taken from member organizations. There are also institutions like the Federal Reserve System, whose income comes almost entirely from interest on bonds and other securities it holds.
Finally, where the various intelligence agencies have their niche functions, their prime directives are all to carry out their functions to gain intelligence valuable to the United States. However, concerning financial regulators, while they do assist in the proper function of the economy, the missions of the various agencies can be so granular and limited that helping to institute broad protections for financial services may not be within their power.
Mitigation steps have been taken to rectify these issues, specifically including Financial Services as a designated category recognized as critical infrastructure. This provides oversight by the Department of Homeland Security that is, in this case, delegated mostly to the Department of Treasury. The Critical Infrastructure Protection program provides for cooperation between federal, state and local entities to defend against threats to designated infrastructure and is an important step in the direction of recognizing the complexity of the problems we face in this field.
The legal basis for the critical infrastructure system emanates from a Presidential Policy Directive signed by President Obama in 2013. This fact raises issues of enforceability, including the following:
What is the PPD’s longevity, especially if proactive and somewhat intrusive regulatory measures are proposed?
Given that it relies on partnerships with state and local agencies, to what extent does the Secretary of Homeland Security have the authority to require that actions be taken?
If the PPD were to conflict with enacted law or regulation, what would the result be?[1]
For all of the above considerations, does the answer change, either legally or practically, when the Department of Homeland Security seeks to act under the auspices of the PPD proactively, or in the event of some crisis?
These questions require careful consideration given the complexity and scope of the threats to our cyber infrastructure. Given the scale of the recent hacks, and especially those of the SEC and Equifax, the effectiveness and enforceability of the PPD will be on display, for good or for ill.
[1] This is specifically critical as many financial regulators derive their authority from congressional enactments, often decades apart and granting widely different authority. Examples include the Securities Exchange Act of 1934 (http://www.legisworks.org/congress/73/publaw-291.pdf), the Federal Reserve Act of 1913 (https://www.federalreserve.gov/aboutthefed/fract.htm), and the Employee Retirement Income Security Act of 1974 (http://www.legisworks.org/GPO/STATUTE-88-Pg829.pdf).