Finance Group Seeks More Timely Info
Exchange Hack Discovered in October Kept Secret for 102 Days
"Although we have made good progress in creating information sharing entities, to share information securely and efficiently, we have not adequately tackled the critically important issues associated with the timeliness and completeness of information," Jane Carlin, chairwoman of the Financial Services Sector Coordinating Council, testified before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.
Carlin cited a cyberattack on a major exchange that was discovered by the exchange last October, which she contended involved too much secrecy. Though the exchange alerted its primary regulator and law enforcement, information about the attack and its impact on other financial institutions was not disclosed to others in the financial industry for 102 days, a time when financial institutions close their books for the year and prepare annual reports. "This could have had an enormous impact on employees, stockholders, large and small, and the market as a whole," Carlin said. "The lack of meaningful information for more than three months left the entire sector unnecessarily vulnerable."
In response to the exchange attack, the council and Department of Homeland Security have agreed to collaborate on developing guidelines for when information should be shared, especially information that is technical and contextual. "A more transparent decision-making process would accelerate the dissemination of information without interfering or undermining criminal and national security investigations," Carlin said.
She said industry and the government must focus on clarifying and compartmentalizing information so that "actionable intelligence" can be disseminated to organizations that will use it to protect critical infrastructure. What's actionable intelligence? Carlin said it's redacted technical information and contextual information that doesn't reveal sources and uses or tip off criminals or adversaries.
"There is a strong need to establish appropriate and well-understood protocols to share information so that we collectively understand the problems and risks that we face in order to arrive at the right response or solution," Carlin said in her remarks to the panel. "The fundamental issue of striking a balance between confidentiality for criminal investigations and timely information sharing remains a work in progress."