Some of the nation's largest banks are now collaborating with the Treasury Department, taking part in role-playing games and sharing information that was previously closely guarded.
"You're only as good as your weakest link," said Ron O'Hanley, CEO of State Street Corp., one of the largest money managers and custody banks in the United States. "Networks are put together not just by what you do, but by the vendors you rely on, the counter-parties you deal with, and even the regulators you deal with," he explained in an interview.
Treasury officials gathered executives from several top banks late last month to practice how they would reach one another and collaborate across a range of cyber-attack scenarios as part of a larger move to strengthen defenses.
This previously unknown simulation exercise included JPMorgan Chase & Co., Bank of America Corp., and Morgan Stanley. It went through five fictitious threat levels, from minor assaults to a full-scale assault on multiple banks and critical payment systems.
"You can invest in defenses," said J. F. Legault, global head of cybersecurity at JPMorgan Chase, over the phone.
Treasury officials have also taken steps to declassify more intelligence in order to get it in front of financial executives, as well as to extend security clearance to more employees at large banks.
Russia's invasion of Ukraine, and the subsequent sanctions imposed on Moscow, have upended a fragile financial security equilibrium. Governments adept at cyber warfare, such as China and Russia, were previously regarded as stakeholders in the market for global dollar assets, giving them an incentive to leave financial infrastructure alone.
Best in the World
"What was different about Russia-Ukraine was that the potential threats were not only obvious, but you had a player who was reputed to be the best in the world in terms of cyber threats," State Street's O'Hanley explained. "We take all cyber threats seriously, but when it's a nation-state, especially in the context of an armed conflict, you start to think about it differently."
The Treasury was also aware that the threat landscape was changing late last year. Officials concluded that cyberattack preparation needed to be increased as they planned the sanctions to be imposed in the event of an invasion of Ukraine.
"Once we knew where we were going to land with some of the initial sanctions packages by the end of 2021 and how severe they were going to be," Todd Conklin, a counselor to the Treasury's No. 2 official, Deputy Secretary Wally Adeyemo, said in an interview.
It's part of a growing public-private partnership focused on cyberattack response.
The Cybersecurity and Infrastructure Security Agency, or CISA, was established in 2018 as the lead agency for cyber protection as part of the Department of Homeland Security. Asked during a congressional hearing that year what kept him awake at night, Fed Chair Jerome Powell replied, "the clear answer to me from that would be cyber risk."
Nonetheless, Adeyemo stated that Treasury Secretary Janet Yellen told him on his first day to prioritize cybersecurity.
Adeyemo has drawn on previous financial crises to demonstrate how banks' interconnectedness makes them vulnerable.
"Telling them to'shield up' without providing additional support and intelligence sharing isn't very helpful," Conklin said. "It's ensuring that if something does happen, we have a plan in place for a coordinated response."
Officials say that when any point in the financial system is attacked, information about the event must be distributed as quickly as possible across the network of firms, regulators, and intelligence agencies. Firms must think cooperatively, sharing intelligence, rather than hoarding information for competitive advantage and burying any negative developments.
"It's sharing information as soon as possible to ensure that if there's an attack somewhere, the rest of the system is protected," Adeyemo explained.
The largest banks have known this for some time, but they are going further than in the past.
The eight largest players, led by JPMorgan and Bank of America, established the Analysis and Resilience Center for Systemic Risk (ARC) in 2016, with the goal of increasing collaboration in monitoring and protecting critical systems exposed to the internet, with a focus on early-warning capabilities. Since then, it has expanded to include exchanges and clearing houses, as well as several large energy companies.
Government Collaboration
According to Scott DePasquale, ARC's president and chief executive officer, the group established its headquarters just outside Washington because bank executives wanted ARC to work closely with the government. The group's risk committee is co-chaired by a Treasury official.
The Financial Services Information Sharing and Analysis Center, whose members range from banks and insurers to fintechs from more than 70 countries, is a larger counterpart to the ARC.
Concerns remain, particularly about third-party service providers.
According to US officials, Russian hackers used a compromised piece of software in the 2020 SolarWinds attack to target 100 companies and nine federal government agencies, including the Treasury, Homeland Security, and the State Department.
'Continuously' Probed
However, the targets do not have to be so visible to cause harm. Kaseya, a US company that provides IT management and security software services and has many small banks as customers, was the target of a ransomware attack in 2021.
The problem, which was later blamed on the Russian group REvil, was resolved in a matter of days and without the need for a ransom payment. However, it forced officials to consider what would happen if thousands of small banks across the country were paralyzed, as well as how widespread an attack would have to be before it could spark a larger run on bank deposits and a wider liquidity crisis across the financial system.
"One of the reasons this community is ahead of others is that cyber criminals are constantly probing them," said James Andrew Lewis, director of the strategic technologies program at the Center for Strategic and International Studies in Washington.
"The top 20 banks — I'm pretty confident they're a really difficult target," he added. "I'm not sure I'd be as confident if you picked the bottom 20 financial institutions and even some of the plumbing service providers."
Timeline Acceleration
There are also reservations about the government. The Treasury and other agencies are more than just regulatory watchdogs. The Treasury issues US government debt, and the Fed is an interbank payments provider, both of which are vulnerable to cyberattack.
Following SolarWinds, the Treasury began fortifying its own defenses. According to officials, it has since invested significantly in modernizing its IT, advancing encryption technology, and rebuilding its entire email system. Russia's preparations for an invasion of Ukraine accelerated the project, reducing a three-year timeline to a six-month sprint.
The Treasury has requested an increase of $135 million for department-wide cybersecurity investments in the coming fiscal year.
Employee fatigue has emerged as a problem. The Treasury, like other employers, has struggled to find and hire as many skilled IT professionals as it would like, and the pressure is only increasing.
So far, Russia has not responded to sanctions by launching a coordinated attack on the United States, instead focusing on Ukrainian firms and government operations.
Adeyemo warns that danger is always present.
"Every day, there are actors of all kinds attempting to penetrate or exploit our financial system or regulatory system," he said. "Regardless of what happened yesterday, we must be just as vigilant today as we were yesterday."