By Gautham Nagesh - 09/14/11 05:27 PM EDT
Online attacks that steal financial information or target U.S. financial institutions are increasingly sophisticated and effective, according to a panel of federal officials testifying at a Wednesday hearing in front of the House Financial Services subcommittee on Financial Institutions.
The hearing comes as House Republicans are mulling their response to the comprehensive cybersecurity proposal unveiled by the White House in May. Senate Democrats have been hammering out the details of their own proposal in recent months, after settling a standoff over jurisdiction earlier this year.
Both parties have framed cybersecurity as critical to both national security and the economy, making it likely that some sort of package will reach the floor in both chambers this fall.
The White House and Senate bills both focus on compelling critical infrastructure firms, including financial institutions, into complying with cybersecurity standards and best practices established by the Department of Homeland Security in collaboration with industry.
Administration officials have suggested that publicly shaming firms that fail to take action to prevent attacks would be sufficient motivation, while some experts have called for criminal or civil penalties. Financial firms would be especially susceptible to perception issues surrounding the theft of customer data.
But the House GOP must balance the need to safeguard consumers and firms with the decidedly anti-regulatory stance they have struck in the majority. Any plan will likely include some legal protections for firms that share information with the government about security or cyber attacks to encourage reporting.
"The technological advances that provide hackers with the ability to carry out these attacks also make it very difficult to track the actions of the hackers," subcommittee chairman Shelley Moore Capito (R-W.Va.) said in her prepared remarks.
"In order to effectively combat these hackers it is critical for financial institutions to share information with other institutions as well as federal law enforcement agencies."
Greg Schaffer, DHS acting deputy under secretary, acknowledged the importance of information-sharing in his opening remarks, but said firms are currently unwilling to do so at times because of uncertainty about the law and liability.
He said the administration's proposal would provide clear statutory authority for DHS to facilitate greater cooperation between government and the private sector to prevent and respond to cyber attacks.
"Despite significant outreach and relationship building, DHS faces a number of constraints in coordinating with the private sector, which may impact work with financial institutions," Schaffer said. "Some institutions have concerns about the privacy implications of sharing information with the government or about brand damage that may result from reporting an incident."
Secret Service assistant director A. T. Smith said it's vital that the government and firms share information on attacks because criminal organizations themselves are increasingly organized and specialized, swapping consumers' personal data among themselves to enable more fraud.
"Advances in computer technology and greater access to personal information via the Internet have created a marketplace for transnational cyber criminals to share stolen information and criminal methodologies," Smith said in his opening remarks.
"As a result, the Secret Service has observed a marked increase in the quality, quantity and complexity of cyber crimes targeting private industry and critical infrastructure."
"These crimes include network intrusions, hacking attacks, development and use of malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy," he added.
FBI assistant director Gordon Snow said his main concern was that cyber threats are not being taken seriously enough across industry sectors and that criminals are stealing all the data they can. He said industry standards aren't very high and that most firms are sending out the freshman team, as opposed to the varsity.
Snow said he would like to see a structure that first offers assurance that the network is protected, and second allows authorities to identify malicious actors in the system. He said the government must move more in real time.
In his prepared remarks, full committee Chairman Spencer Bachus (R-Ala.) remarked that it was fortunate the financial services industry at least has had a head start on preventing cyber attacks.
During the hearing he emphasized the need to educate the public on the fact that most digital criminals are part of sophisticated enterprises, not lone scam artists based in Nigeria.