A recent cyber attack on J.P. Morgan Chase has compromised about 76 million private accounts and several small business accounts[1]. This cyber attack is unique because of its magnitude and because J.P. Morgan is one of the largest financial institutions that retains more customer information within its information systems than retailers would[2].
Although the investigation is ongoing, the initial assessment is that the hackers:
obtained a list of the software running on J.P. Morgan's computers and determined its known vulnerabilities;
exploited those known vulnerabilities to access J.P. Morgan's information;
operated from overseas;
obtained information about addresses[3];
set their sights on other financial institutions, such as Citigroup and Automatic Data Processing (ADP)[4]; and
stole information that included names, phone numbers, addresses, and email addresses[5].
The breach is particularly concerning because of its size, its nature, and the industry sector that was affected. Financial institutions have begun to take cyber security more seriously because of the catastrophic risks to the U.S. economy and the potential liability that could result from a lack of cyber security[7]. Although the financial industry has a strong cyber security framework that protects it from denial-of-service and basic attacks, Symantec has found that the majority of attacks on the financial industry have been highly sophisticated[8].
This presents the interesting question of whether the nature and motivation of attacks on the financial sector are fundamentally different from those of attacks against other sectors such as retail and health care. A Verizon report on data breaches found that ninety-seven percent of breaches were avoidable if basic tenets of cyber security were adhered to (strong passwords, firewalls, etc.)[9]. Furthermore, the report made no recommendations beyond strong passwords, firewalls, and other basic steps[10]. As a result, there may be utility in examining whether the approaches, governance, standards, and safeguards recommended for the financial industry, government, and other select institutions differ substantially, and whether it is worthwhile to define those differences.
The Verizon 2014 Data Breach Investigations Report breaks down attack profiles by industry and provides tailored recommendations based on the type of attack and the type of industry[11]. This is a good approach, because it allows particular industries to focus their attention on the safeguards that provide the greatest benefit and reduce their potential exposure. As a result, it may be a good starting point for the national effort to increase cyber security.
In addition to industry research, the recent breach has re-ignited discussions of new cyber security legislation, legislation that has failed to pass for the last several years[12]. The most recent iteration is the Cybersecurity Information Sharing Act (CISA), which the Senate Intelligence Committee passed by a 12-3 vote[13]. This law would provide for increased sharing of cyber information and would shield companies that share information from any liability[14]. Although the bill is a good step toward working collaboratively on a solution, there have been concerns about the bill's ability to protect privacy; this is especially true of groups that are particularly sensitive to the recent NSA disclosures[15].
Several financial security groups have written objectives and statements in support of public and private collaboration. For instance, the Securities Industry and Financial Markets Association (SIFMA) recently published its report on "Principles for Effective Cybersecurity Regulatory Guidance," which highlighted the need for more public-private cooperation and the critical nature of the U.S. Government's role in cybersecurity[16]. Additionally, Reed Smith published a white paper, "The Current State in Financial Services Cybersecurity," that discusses the Financial Services Sector Coordinating Council's (FSSCC's) 2010 objectives, which included strong collaboration with the federal government[17]. Many other industries also support passage of the bill[18].
While the bill has heavy industry support, plenty of security and consumer groups oppose it on the grounds of privacy concerns[19]. For example, the Center for Democracy & Technology identified seven points of concern with the bill relating to privacy, procedures, and the unintended effects of disclosure[20]. Additionally, the New America Foundation identifies other issues related to data retention and the shielding of companies from liability when people are wrongly harmed by information sharing[21].
Ultimately, the proposed language of the statute seems to offer potential benefits for information sharing, but at some cost to privacy. Regardless of the potential benefits of further collaboration, industry research and implementation in its current form already identifies potential attacks and the methods industries should focus on. There is likely still a great deal of information to be analyzed and further insight to be gained from analysis of recent attacks and exploits; insight that may help to enhance the bill's effectiveness while addressing (or reducing) the privacy concerns that exist today.
_______________
[1] Jessica Silver-Greenberg, Matthew Goldstein and Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, NY Times Dealbook (Oct. 2, 2014 12:50PM); available at link
[2] Id.
[3] Id.
[4] Michael Riley and Jordan Robertson, JPMorgan Hackers Said to Probe 13 Financial Firms, Bloomberg News (Oct. 9, 2014 5:00AM); available at link
[5] Alessandria Masi, JP Morgan Chase Cyberattack: More than 80 Million Accounts Compromised, Says New Report On Bank Hack, IB Times, (Oct. 2, 2014 7:03PM); available at link
[6] Symantec, Financial Attacks Executive Report (2012); available at link (Page 3)
[7] Michael Baker, Timothy Nagle and Christopher J. Fatherley, The Current State in Financial Services Cybersecurity, Reed Smith, (Jul. 2013); available at link (Page 1)
[8] Symantec, Financial Attacks Executive Report (2012); available at link (Page 3)
[9] Jaikumar Vijayan, Most 2011 Cyberattacks were Avoidable, Verizon Says, Computer World, (Mar. 22, 2012 3:30PM); available at link
[10] Verizon, Data Breach Investigations Report (2012); available at link
[11] Verizon, Data Breach Investigations Report (2014); available at link
[12] Julian Hattem, Lawmakers push cyber law after JP Morgan hack, The Hill, (Oct. 3, 2014 10:23AM); available at link
[13] Press Release available at link
[14] CISA available at link
[15] Christian Flores, CISA Puts Congress in a Rough Spot, National Security Zone, (Aug. 10, 2014); available at link
[16] SIFMA, Principles for Effective Cybersecurity Regulatory Guidance, Oct. 20, 2014; available at link (Page 1)
[17] Michael Baker, Timothy Nagle and Christopher J. Fatherley, The Current State in Financial Services Cybersecurity, Reed Smith, (Jul. 2013); available at link (Page 5)
[18] CISA Support Memorandum available at link
[19] CISA Veto Letter available at link
[20] Gregory T. Nojeim, Analysis of Feinstein-Chambliss Cybersecurity Information Sharing Act of 2014, CDT (Jul. 8, 2014); available at link
[21] Robyn Greene, The Cybersecurity Information Sharing Act of 2014: A Major Step Back on Privacy, New America (Jun. 23, 2014); available at link