The J. P. Morgan Chase Data Breach: Whose Job is it to Secure Americans’ Financial Information?

Wikimedia Commons

By Michael Sexton, Columnist

Beginning in June 2014, hackers exploited vulnerabilities[1] in programs used by J. P. Morgan Chase (JPM) to breach over 90 corporate servers[2] and steal data belonging to approximately 76 million households and 7 million small businesses.[3] JPM has stated there is no evidence that money or private data (account numbers, passwords, user IDs, and social security numbers) have been stolen;[4] however, the company expressed concern that the contact information exposed could enable criminals to launch a spear-phishing campaign against its clients.[5] Because the breach was traced to Russia,[6] the possibility of apprehending the suspects is remote – Russian national Aleksandr Kalinin, indicted last year[7] for hacking into NASDAQ’s computer systems in 2011, remains at large.[8] If the issue at hand is bolstering bank security and preventing future breaches, whose job is it to secure Americans’ financial information?

JPM’s slipshod protection of personal information belonging to over half of the households in the United States demonstrates the need for the federal government to impose cyber security regulations upon large financial institutions. The White House has taken proactive measures to strengthen cyber security for critical U.S. infrastructure, but President Obama’s cyber security czar Michael Daniel rejected the possibility of imposing stronger standards upon private industry, saying, “we have a long history of voluntary frameworks being effective.”[9] The mindset that federal cyber security policy can be adequately assessed by its history and not its implications is symptomatic of the perennial black swan problem, and the JPM data breach is a wake-up call. President Obama and his advisors have been briefed on the data breach as federal officials attempt to identify its perpetrators and their motive,[10] but reactive approaches are inadequate: if we regulate financial institutions to prevent them from crashing the global economy, we ought to regulate them to protect private citizens’ finances.

The cyber threat to American financial institutions does not end at JPM. The web address that carried out the breach also targeted at least five other banks, including Citigroup and HSBC.[11] JPM Chief Executive Jamie Dimon has since urged Wall Street banks to cooperate in preventing future data breaches.[12] This cooperative effort may secure Americans’ financial information better than independent plans, but we should not leave Wall Street to regulate itself. The Financial Services Information Sharing and Analysis Center (FS-ISAC) exists for this voluntary cooperative purpose[13] and failed to anticipate or mitigate this breach. The incentives for self-regulation are not strong enough: broader movements in the stock market have affected JPM’s stock price far more than this data breach, and we cannot expect a substantial exodus of clients taking their business to other banks with no less opaque security. The federal government should employ a framework similar to the Dodd-Frank Wall Street Reform Act’s treatment of Systemically Important Financial Institutions (SIFIs) to designate large consumer banks and regulate their cyber security. Cyber specialists in the Federal Bureau of Investigation (FBI) should have access to the banks’ computers to ensure their systems are updated and secure, and to conduct penetration tests to assess the feasibility of a breach. The National Security Agency (NSA) should inform banks’ cyber security teams of zero-day exploits (newly discovered and unpatched software vulnerabilities) whenever there is no planned or ongoing U.S. cyber operation that relies upon them remaining classified. The knowledge shared in the process of this active cyber defense may have ripples abroad and make U.S. cyber operations less viable, but there is no national security benefit in leaving Americans’ finances vulnerable.

Mike Sexton is a columnist at the Georgetown Security Studies Review, a research assistant at Georgetown University and an MA Candidate in the Security Studies Program. Previously, he worked as the Data Manager at the Chicago Project on Security and Terrorism. He holds a BA in Mathematics from the University of Chicago and writes on cyber security and other issues at the intersection of computer science and security policy.

[1] Robertson, Jordan, and Michael Riley. “JPMorgan Hackers Came In the Front Door — in June. Two Months of Mayhem.” Bloomberg.com. August 29, 2014. Accessed October 21, 2014.

[2] Silver-Greenberg, Jessica, Matthew Goldstein, and Nicole Perlroth. “JPMorgan Chase Hacking Affects 76 Million Households.” The New York Times. October 2, 2014. Accessed October 21, 2014.

[3] http://investor.shareholder.com/jpmorganchase/secfiling.cfm?filingID=1193125-14-362173

[4] Ibid.

[5] MacDonald, Elizabeth. “JPMorgan Bracing For ‘Spear Phishing’ Campaign: Sources.” Fox Business. October 6, 2014. Accessed October 21, 2014.

[6] Robertson and Riley, “JPMorgan Hackers Came In the Front Door — in June. Two Months of Mayhem.”

[7] Stuart, Hunter. “Aleksandr Kalinin, Nikolay Nasenkov Indicted In Financial Hacking Cases.” The Huffington Post. July 25, 2013. Accessed October 21, 2014.

[8] Corkery, Michael, Jessica Silver-Greenberg, and David E. Sanger. “Obama Had Security Fears on JPMorgan Data Breach.” The New York Times. October 8, 2014. Accessed October 21, 2014.

[9] Roberts, Paul. “White House Cyber Chief: JP Morgan Underscores Critical Infrastructure Risk.” The Security Ledger. October 9, 2014. Accessed October 21, 2014.

[10] Silver-Greenberg, Goldstein, and Perlroth. “JPMorgan Chase Hacking Affects 76 Million Households.”

[11] Ibid.

[12] Thomas, Landon. “Dimon Calls for Help on Cyberattacks.” DealBook. October 10, 2014. Accessed October 21, 2014.

[13] “About FS-ISAC.” Financial Services Information Sharing and Analysis Center. Accessed October 22, 2014.