The Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) raised a few eyebrows in late November when it sent a warning out to U.S. banks and financial institutions about a possible cyber attack by Islamic militants. The alert, dated Nov. 30, was triggered by a posting on what the DHS considered an Islamic jihadi Web site calling for hackers to attack U.S. financial and banking Web sites, apparently to protest the detention of Muslims at Guantanamo Bay, Cuba. However, the warning was heavily qualified, with DHS calling the threat “more aspirational than operational.” Financial firms downplayed the danger, too. One security executive at a major brokerage told InfoWorld that the warning was a “non-event.”
But could repeated warnings about such non-events eventually make critical infrastructure owners deaf to DHS’s warnings? InfoWorld Senior Editor Paul F. Roberts recently chatted with John Carlson, senior director of security and risk assessment at BITS, a financial-services industry consortium focused on security, fraud, and risk management, about the DHS warning and the state of the public-private partnership on cybersecurity.
InfoWorld: I’m guessing that your members received the US-CERT warning about the cyber terrorist attack?
John Carlson: There were two messages sent: the first was [Nov. 30]; then a second revision came out [Dec. 1]. The gist of it was that these reports were not corroborated.
IW: What was the reaction of BITS members to the warning?
JC: Our members have an “all hazards” approach to business-continuity planning. They’ve got well-developed approaches that have been bolstered since 9/11. In response to new regulatory requirements, firms have done a lot to improve backup, and they’ve done tests with the various exchanges. They’re also working in closer harmony with the federal government to share information on threats and vulnerabilities. I think there’s a spirit of appreciation that the government is willing to share information with the financial services industry. The firms take that information into account in responding and activating their business-continuity plans.
IW: How do your members apply information like this that comes from DHS?
JC: I’m not sure I can give a blanket answer. Each firm has its own mechanisms for gathering information. Risk-management professionals at these firms read the paper and understand the military conflicts and they’re mindful of that. They take it into account when they have employees traveling. They’ll monitor where they are. With the [bird flu] pandemic issue, firms were monitoring that closely and trying to figure out what impact it would have on their organizations.
IW: Is there a danger from these warnings of creating a “Boy Who Cried Wolf” situation, where firms begin to disregard the warnings?
JC: There’s always a concern about the crying-wolf syndrome. But our firms appreciate getting the information even if it’s not corroborated. A continuous flow of information helps build trust between the private and public sectors.
IW: Was this warning about the jihadist threat something that your members see all the time, or was this an unusual kind of warning from DHS?
JC: I think the warning came across the transom at a high level [saying] “pay attention to this.” So it was different from what we normally get. We’re getting a steady stream of information on threats and vulnerabilities and a range of things, for example if there’s a known virus that’s being perpetrated in [the United States] or against a financial institution. We’re also getting information on political changes around the world.
IW: Do you think DHS has its arms around the cybersecurity problem?
JC: My personal opinion is that the government has some capabilities, but not all capabilities. In general, our firms would like more information, but there are many reasons why, if [the government] has the information, they don’t provide it. But it’s a touchy question. People have lots of different views.
IW: Do you feel like your members are getting all the information they need?
JC: There’s some filtering, but I don’t have information to compare or validate what the filter is. We talk about issues through coordinating councils that meet quarterly. It’s a two-way conversation.