DTCC told a Congressional subcommittee that federal agencies and the financial sector must expand information sharing on cyber-threats to more effectively protect the capital markets from attack.
In testimony on June 1, Mark Clancy, DTCC managing director and corporate information security officer, called for restarting the Government Information Sharing Framework (GISF), a successful but now-defunct pilot program that targeted cyber espionage, as part of this information sharing effort.
During the June 1 hearing, titled “Cyber Threats to Capital Markets and Corporate Account,” Clancy told the House Capital Markets and Government Sponsored Enterprises Subcommittee that the termination of the GISF program in 2011 eliminated a critical source of threat data and analysis for the financial sector.
“While financial institutions have robust information security programs in place to protect their systems from cyber threats, they are not foolproof,” Clancy said. “A critical resource the industry relies upon to help safeguard the system is information sharing between federal agencies and the financial sector. DTCC strongly supports restarting the GISF program, removing its pilot status and expanding its reach within the financial sector to ensure that all resources are working in concert to protect and defend the capital markets from cyber-attack.”
The GISF program began in 2010 as a collaboration between the Department of Defense (DoD), the Department of Homeland Security (DHS) and the Financial Services–Information Sharing and Analysis Center (FS-ISAC), which is the primary group for information sharing between the federal government and the financial sector. It allowed for the sharing of advanced threat and attack data between the federal government and 16 financial services firms that were deemed capable of protecting highly sensitive information, explained DTCC in its release. The program was expanded over time to include the sharing of classified technical and analytical data on threat identification and mitigation techniques.
The DoD in effect terminated the GISF program in December 2011, and information sharing through DHS, which was expected to continue, also ceased that month. Since the termination of GISF, several organizations in the financial sector have experienced threat activity from actors first identified to the industry through GISF reporting, according to DTCC in its release. A recent FS-ISAC assessment found that these threats will continue to increase in the years ahead.
Clancy credited the GISF program with enhancing the financial sector’s access to actionable information with which to search for similar threat activity in their own networks. It also provided access to contextual information to better understand risk implications of various threats. The financial sector was able to adjust assessments of cyber espionage using quantifiable information that had previously been unavailable, and understand the need for developing standards to support the automation of sharing and consuming threat data.
“Information sharing like that which occurred under the program represents the most critical line of defense in managing and mitigating cyber risk today,” Clancy stated in the release. “GISF drove innovative new initiatives in the industry and helped reshape the sector’s approach to assessing cyber espionage risks.” Clancy added that while GISF was successful in many aspects, it should be expanded to include a broader group of financial institutions because the pilot program’s reach and impact were too limited and did not scale to the depth and breadth of the sector.
“Information sharing today occurs at human speed while cyber-threats occur at wire speed,” Clancy commented. “Now more than ever, an investment in standards, protocols and methods for the industry to rapidly share and consume threat and observable data is needed.”