Banks adopt military playbook against cybercrime

Missouri

IN A windowless bunker here, a wall of monitors tracked incoming attacks - 267,322 in the last 24 hours, according to one hovering dial, or about three every second - as a dozen analysts stared at screens filled with snippets of computer code.

Pacing around, overseeing the stream of warnings, was a former Delta Force soldier who fought in Iraq and Afghanistan before shifting to a new enemy: cyberthieves. "This is not that different from terrorists and drug cartels," Matt Nyman, the command centre's creator, said as he surveyed his squadron of Mastercard employees.

"Fundamentally, threat networks operate in similar ways." Cybercrime is one of the world's fastest-growing and most lucrative industries. At least US$445 billion was lost last year, up around 30 per cent from just three years earlier, a global economic study found, and the Treasury Department recently designated cyberattacks as one of the greatest risks to the US financial sector.

For banks and payment companies, the fight feels like a war - and they are responding with an increasingly militarised approach. Former government cyberspies, soldiers and counter-intelligence officials now dominate the top ranks of banks' security teams. They have brought to their new jobs the tools and techniques used for national defence: combat exercises, intelligence hubs modelled on those used in counterterrorism work and threat analysts who monitor the Internet's shadowy corners.

At Mastercard, Mr Nyman oversees the company's new fusion centre, a term borrowed from the Department of Homeland Security. After the attacks of Sept 11, 2001, the agency set up scores of fusion centres to coordinate federal, state and local intelligence-gathering.

The approach spread throughout the government, with the centres used to fight disease outbreaks, wildfires and sex trafficking. Then banks grabbed the playbook. At least a dozen of them, from giants such as Citigroup and Wells Fargo to regional players such as Bank of the West, have opened fusion centres in recent years, and more are in the works.

Fifth Third Bank is building one in its Cincinnati headquarters, and Visa, which created its first two years ago in Virginia, is developing two more, in Britain and Singapore. Having their own intelligence hives, the banks hope, will help them better detect patterns in all the data they amass.

The centres also have a symbolic purpose. Having a literal war room reinforces the new reality. Fending off thieves has always been a priority - it is why banks build vaults - but the arms race has escalated rapidly. Cybersecurity has, for many financial company chiefs, become their biggest fear, eclipsing issues such as regulation and the economy. Alfred F Kelly Jr, Visa's chief executive, is "completely paranoid" about the subject, he told investors at a conference in March.

Bank of America's Brian T Moynihan said his cybersecurity team is "the only place in the company that doesn't have a budget constraint". (The bank's chief operations and technology officer said it is spending about US$600 million this year.) The military sharpens soldiers' skills with large-scale combat drills such as Jade Helm and Foal Eagle, which send troops into the field to test their tactics and weaponry. The financial sector created its own version: Quantum Dawn, a biennial simulation of a catastrophic cyberstrike.

In the latest exercise in November, 900 participants from 50 banks, regulators and law enforcement agencies role-played their response to an industry-wide infestation of malicious malware that first corrupted, and then entirely blocked, all outgoing payments from the banks. Throughout the two-day test, the organisers lobbed in new threats every few hours, like denial-of-service attacks that knocked the banks' websites offline. The first Quantum Dawn, back in 2011, was a lower-key gathering.

Participants huddled in a conference room to talk through a mock attack that shut down stock trading. Now, it is a live-fire drill. Each bank spends months in advance recreating its internal technology on an isolated test network, a so-called cyber range, so that its employees can fight with their actual tools and software. The company that runs their virtual battlefield, SimSpace, is a Defense Department contractor. Sometimes, the tests expose important gaps. A series of smaller cyber drills coordinated by the Treasury Department, called the Hamilton Series, raised an alarm three years ago.

An attack on Sony, attributed to North Korea, had recently exposed sensitive company emails and data, and, in its wake, demolished huge swathes of Sony's Internet network. If something similar happened at a bank, especially a smaller one, regulators asked, would it be able to recover? Those in the room for the drill came away uneasy. "There was a recognition that we needed to add an additional layer of resilience," said John Carlson, the chief of staff for the Financial Services Information Sharing and Analysis Center, the industry's main cybersecurity coordination group.

Soon after, the group began building a new fail-safe, called Sheltered Harbor, which went into operation last year. If one member of the network has its data compromised or destroyed, others can step in, retrieve its archived records and restore basic customer account access within a day or two. It has not yet been needed, but nearly 70 per cent of America's deposit accounts are now covered by it. The largest banks run dozens of their own, internal attack simulations each year, to smoke out their vulnerabilities and keep their first responders sharp.

What everyone in the finance industry is afraid of is a repeat - on an even larger scale - of the data breach that hit Equifax last year. Hackers stole personal information, including Social Security numbers, of more than 146 million people. The attack cost the company's chief executive and four other top managers their jobs. Who stole the data, and what they did with it, is still not publicly known. The credit bureau has spent US$243 million so far cleaning up the mess.

It is Mr Nyman's job to make sure that does not happen at Mastercard. Walking around the company's fusion centre, he describes the team's work using military slang. Its focus is "left of boom," he said - referring to the moments before a bomb explodes. By detecting vulnerabilities and attempted hacks, the analysts aim to head off an Equifax-like explosion. NYTIMES