By the time Tom Harrington left the Federal Bureau of Investigation (FBI) in 2012, after 30 years with the agency, the last two as associate deputy director in Washington, the financial crimes group in which he started his career had become the largest arm of the entire organization. It is a measure of how the range and scale of the cyber-threats to a highly digitized industry have grown and evolved since he joined the FBI in 1984. Now, recently retired as managing director and chief information security officer (CISO) at Citi in New York, Tom Harrington shares his experience of putting the knowledge he gained at the FBI into practice in the corporate sector.
“Too many people in the financial services industry want to go to a checklist,” says Tom Harrington, who retired recently as chief information security officer (CISO) at Citi in New York. “I do not know how many times I have heard people say, ‘We have done this’ or ‘We have done that,’ or ‘We are in compliance with this guideline.’ It does not help you. Cyber-threats are dynamic. They are constantly changing. Only if you are intelligence-led will you be in a position even to understand the threats you face.”
This is the advice of an expert who spent 30 years with the Federal Bureau of Investigation (FBI) before joining the corporate sector in 2012. Over the six years he spent on Wall Street, the bank he advised became a byword for best practice in cyber-security, admired by both peers and regulators for the systematic nature of its approach to the management of cyber-threats. Being intelligence-led is something Harrington learned at the FBI, especially after he became second-in-command of the anti-terrorist programme following 9.11.
Though he spent nine tenths of his career at the FBI dealing with financial crime and securities fraud, Harrington thinks it is his post-9.11 experience that proved most valuable in his later role as a CISO. Under pressure to make sure that such a terrorist outrage could never happen again, the FBI had to develop a strategy, and opted for an approach that was threat-focused and, above all, intelligence-led. The radically different nature of the terrorist threat demanded a different approach.
“Our goal was to understand our adversaries, and the steps they have to take to be successful in what they are trying to do,” explains Harrington. “We developed such an approach, and we have not had a catastrophic attack in the United States since 9.11, in part because of it.” Banks too have had to adopt a different approach. “They recognise that they are no longer going to be successful just by improving the perimeter of the organization,” he says. “They are looking to replicate what we learned at the FBI in the corporate environment. I was convinced we could do it, and I think we did.”
Central securities depositories (CSDs) are in a somewhat analogous position to banks. A major incident has yet to occur, but cyber-threats are increasing in volume and sophistication. In fact, the securities markets as a whole have escaped a serious cyber-assault. But Harrington warns this luck is unlikely to hold. “Every financial institution is built on a foundation of trust, and there is a war on trust taking place, right now,” he says. “Any organization that has demonstrated high trust levels is going to find itself under attack. Cyber-attacks are one of the tools used by our adversaries to erode trust in our institutions. And CSDs are trusted institutions.”
As he points out, the nation-states that are the most potent source of cyber-attacks – such as Iran and North Korea – are now focusing their attention not on the relatively well-defended financial institutions and financial market infrastructures of the developed markets but on their less well-resourced brethren in the developing markets.
“Securities market infrastructures may have escaped a serious cyber-incident because they are more difficult to attack, but it may also be that their time has not yet come,” says Harrington. “Nation-state actors have patience. They may have gained access to securities market infrastructure systems already and are just waiting for that time in the future when they feel ready to use it.”
The banks and the payments market infrastructures (PMIs) that service them are under constant assault already, not just for the obvious reason (“That is where the money is,” as bank robber Willie Sutton put it) but because disrupting payments systems is a form of warfare. “Banks are in a low-level cyber conflict every day,” says Harrington. “Payment systems are an area that nation-states looking to disrupt entire economies are going to focus on.” He points to the 2008 attacks on Internet provision in Georgia and the December 2015 attack on the Ukraine power grid as instances of attacks aimed not at government institutions, but at civilian populations.
Disabling the ability of citizens to make and receive payments means that PMIs are a logical target for nation-state adversaries. Harrington adds that sophisticated criminal groups have a different incentive to attack PMIs – to steal money – but the deleterious effect on public trust in the financial system is the same. Worryingly, he argues that neither nation-states nor criminal groups have paid any significant price for their activities. Operating remotely, they have behaved with impunity, and have yet to be discouraged by meaningful penalties.
Where they do encounter obstacles, they shift their focus. This is the threat now facing CSDs, which deal every day in transactions of extremely high value. “When we talk about criminal groups, we talk typically of their return on investment,” says Harrington. “If we put up higher fences than others, they tend to move on to other opportunities where the fences are lower.” Nation-states, on the other hand, represent what CISOs call an “advanced persistent threat” (APT). They are prepared to insert malware into a system and then wait for opportunities to mature.
“Nation-state actors will always be there,” explains Harrington. “They will always be looking for gaps in systems and try to take advantage of them. Once they are in, they just want to maintain access to your systems until the day comes when they want to use it – whether that is to disrupt an economy or steal money.” This is why it is important, he says, for CSDs to monitor the geo-political environment in which they operate. “Every nation-state wants to use cyber as a first strike weapon,” warns Harrington. “Attribution is difficult, and the erosion of public trust works for them.”
Search systems and study adversaries
To combat APTs, targets need to search inside their own systems continuously for anomalies. Harrington worked on the assumption that adversaries will eventually overcome any defences an institution erects, simply because the most sophisticated are investing as heavily in cyber-attacks as their targets are investing in cyber-defences. So combing both systems and databases for anomalies, using Artificial Intelligence (AI), machine learning and Big Data search tools as well as conventional software, is a crucial component of a successful cyber-security strategy. “You have got to catch them as early as you can in your environment,” says Harrington.
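As an added illustration, not code from the article or from any institution it mentions, of what combing systems for anomalies looks like in practice, the Python below hunts constructed outbound-connection logs for beaconing: the regular check-ins an implant makes to its command server while its operator waits for the right moment. The log format, the addresses and the thresholds are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): "timestamp src dst bytes".
# Host 10.0.0.5 checks in with 203.0.113.7 every five minutes; 10.0.0.9 is
# an ordinary user whose connection timing is irregular.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.7 512
2024-03-01T09:05:00 10.0.0.5 203.0.113.7 510
2024-03-01T09:10:01 10.0.0.5 203.0.113.7 515
2024-03-01T09:15:00 10.0.0.5 203.0.113.7 509
2024-03-01T09:19:59 10.0.0.5 203.0.113.7 512
2024-03-01T09:25:00 10.0.0.5 203.0.113.7 511
2024-03-01T09:01:13 10.0.0.9 198.51.100.2 2048
2024-03-01T09:02:40 10.0.0.9 198.51.100.2 73000
2024-03-01T09:11:05 10.0.0.9 198.51.100.2 900
2024-03-01T09:31:50 10.0.0.9 198.51.100.2 15000
2024-03-01T09:44:02 10.0.0.9 198.51.100.2 300
2024-03-01T09:58:19 10.0.0.9 198.51.100.2 4200
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) from the whitespace-separated format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Return (src, dst, mean_interval_s, cv) for pairs whose connection
    intervals are suspiciously regular.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive connections. Automated check-ins give a small cv,
    human-driven traffic a large one. Both thresholds are assumptions chosen
    for this sample and would be tuned per environment.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append((src, dst, round(mean, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every {interval}s (cv={cv})")
```

On the sample, only the 10.0.0.5 pair is reported (roughly 300 s apart, cv well under 0.01). The caveat a hunter would add: implants commonly add jitter to their sleep interval precisely to defeat this test, so in practice the cv threshold is loosened and combined with other signals (rare destinations, constant request sizes, connections outside working hours) rather than used alone.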
Successful defence also depends on studying the behaviour of adversaries. Regular “red team attacks” help test defences and identify vulnerabilities. “You need to do this work every business day,” says Harrington. “Heads of security at any financial institution have got to be thinking about their weaknesses and strengths and about the opportunities their adversaries see and how they are planning to act. It is not only about what you have seen in the past. It is about what you are going to see in the future. Ask how you are adding to your knowledge and improving your education. You have to be a learning organization. You learn every day from what you see in the public domain, what you get from your intelligence sources, and what you hear from governments. Ask yourself who in your organization sees all that knowledge, grows it and acts on it in a way that improves your security posture.”
He acknowledges that CSDs have fewer resources than large, profit-seeking banks, but believes the threat is urgent enough to warrant seeking help, not just from vendors and consultants but from customers and peers. Contrary to the widespread perception that companies do not share details of cyber-threats, and especially of successful cyber-attacks, Harrington was never disappointed by the amount of information which was pooled. The real challenge, he says, is not accessing or sharing information. It is to distinguish the useful information from the noise in the daily torrent of data.
To help filter it, he advises CSDs to meet regularly with their peers and with major users, under non-disclosure agreements, to review what each institution is seeing and doing. Harrington also benefited from membership of a vendor-free CISO network, whose size was deliberately constrained to maintain a high level of trust. “Most of the people I talked to seem to get all their information from vendors, who are not always reliable,” he says. “It is better to be talking to people who have the same responsibilities that you have, and who are facing the same challenges that you are. Likewise, if you have a good idea, share it with them.”
Strategize and war-game
However, Harrington warns that collaboration must be allied to a coherent cyber-security strategy. He advises CSDs to base their strategy on the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST). This will not only enable CSDs to benchmark their cyber-security processes and procedures against an agreed set of standards but allow issues to be broken into a smaller series of tasks without losing their coherence. The FBI, says Harrington, was fond of the eating-the-elephant metaphor, and he still believes that the best way to tackle a challenge as amorphous and evolving as cyber-security is to break it into smaller pieces.
Harrington also advises CSDs to draw up risk registers of systems (such as a settlement platform) and assets (such as customer data) and conduct war-games to identify vulnerabilities. These can then be assessed regularly against the current range of cyber-threats, and the readiness of the organization to defeat them can be measured. “Any gaps or concerns which are identified should lead to an initiative, in which you try to close the gap or address the concern,” says Harrington. The measures taken should then be monitored for effectiveness, and named individuals made accountable for managing the risks. That process also helps maintain a focus on current threats.
DDoS attacks, for example, have diminished as a cyber-security threat from a technical perspective. “People are just throwing garbage at you, and eventually you are going to be able to clean that out,” explains Harrington. “The real issue is destructive malware.” He adds that ransomware attacks are best considered as a distraction – a technique used by thieves since time immemorial – rather than a direct threat, because back-up systems can eliminate the problem. “Our first thought after a ransomware attack was, ‘Has something been stolen from us?’” he explains. “Because the attacker had probably dropped some ransomware on the way out to distract our attention from a much larger issue in our environment. If you fail to notice the real objective, once you re-establish your system after the ransomware attack, they can come right back in.”
In his estimation, cyber-security depends on lateral thinking of this kind. One question which Harrington says never failed to disconcert an audience is this: do you have any cyber-security defences on your smart phone? “Think about how much data you have on that little machine,” he says. “If I was still an intelligence officer, and I had to create a pattern of your life because we are investigating you, I would in the past have had to spend weeks following you, watching you, and trying to understand your finances and so on. Nowadays, all I would need to do is spend a few hours on your phone and I would know all I needed to know about you: where you go, how you behave, what your interests are, and who your circle of friends and influences are.”
Build muscle-memory and battle rhythm
It is why Harrington urges the senior management of any institution to clean their histories from their smartphones, because they almost certainly include a repository of emails containing sensitive information of value to adversaries of many different kinds. “Get some anti-malware software on your phone,” he advises. It is a good example of a surprising insight that needs to become a habit.
As Harrington sees it, success in cyber-security depends on a continuous, disciplined vigilance governed by routines which are followed daily, weekly, monthly, quarterly and annually. This “battle rhythm,” as Harrington calls it, enables an organization to keep abreast of evolving cyber-threats. It also builds the “muscle-memory” that frees decision-makers to respond quickly and energetically when a threat materializes. “If you have not planned, and prepared and practised, and you get unlucky, you are not going to get a good outcome,” warns Harrington.
When threats do materialize, have a map to follow, he adds. The FBI adopted the military notion of a “kill chain.” The seven-step Lockheed Martin adaptation of the “kill chain” – reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective – classifies the steps a cyber-attacker must take in order. “Every single day, as you manage cyber-events internally, you can learn by working out how you caught a cyber-attack before it succeeded,” he explains. “What technology worked? What technology did not work? What opportunities did you miss at an earlier stage in the kill chain?”
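The daily kill-chain review he describes can be turned into a routine metric. The Python below is added here as an example and is not taken from the article, the FBI or Citi: for a set of constructed incidents it records which stages the attacker reached and which control first detected the activity, then reports where detection happened, which controls did the catching and which earlier stages were missed. The incident records and control names are invented for the example.

```python
from collections import Counter

# The seven Lockheed Martin kill-chain stages, in attack order (as listed
# in the article).
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objective",
]
STAGE_INDEX = {stage: i for i, stage in enumerate(KILL_CHAIN)}

# Constructed incident records (not real cases). Each incident lists the
# stages the attacker is known to have reached and, for each, the control
# that detected it at the time, or None where the stage went unobserved.
SAMPLE_INCIDENTS = {
    "INC-1": [("delivery", None), ("exploitation", None),
              ("installation", "edr")],
    "INC-2": [("reconnaissance", None), ("delivery", "mail_gateway")],
    "INC-3": [("delivery", None), ("exploitation", None),
              ("installation", None), ("command_and_control", "proxy_logs"),
              ("actions_on_objective", "dlp")],
}


def analyse_incident(observations):
    """Return (first_detected_stage, detecting_control, missed_stages).

    Observations are ordered by kill-chain position, so the stages walked
    before the first detection are exactly the earlier opportunities missed.
    An incident nobody detected yields (None, None, all_stages).
    """
    ordered = sorted(observations, key=lambda o: STAGE_INDEX[o[0]])
    missed = []
    for stage, control in ordered:
        if control is not None:
            return stage, control, missed
        missed.append(stage)
    return None, None, missed


def kill_chain_report(incidents):
    """Aggregate per-incident results into three counters:
    where detection first happened, which controls did it, and which
    stages were passed through unseen."""
    first_detection = Counter()
    controls = Counter()
    stages_missed = Counter()
    for observations in incidents.values():
        stage, control, missed = analyse_incident(observations)
        first_detection[stage] += 1
        controls[control] += 1
        stages_missed.update(missed)
    return {
        "first_detection": dict(first_detection),
        "controls_that_worked": dict(controls),
        "stages_missed": dict(stages_missed),
    }


if __name__ == "__main__":
    for key, value in kill_chain_report(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the sample, delivery and exploitation are each missed twice while the first catch lands at installation or later in two of three incidents: the kind of finding that points investment at the mail gateway and the exploitation layer rather than at another endpoint tool. Run over a real incident register, the same counters give the “what worked, what did not” answer the paragraph asks for.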
Work as a team and never blame others
But people are even more important than process. “You need talent, team-work and technology, but the most important is team-work,” says Harrington. “Of course, institutions have to invest in technology, and the talent that you have in your organization is going to be key to your success. But that success is built on team-work, not individuals – you all have to be playing for the same team. Too often, people have it in reverse. They want to buy the technology somebody is selling them. They fail to invest in the people who understand how to use it in their systems and strategy. And they do not get the organizational silos in their company to work as a team, so that every time a cyber-threat emerges there is more finger-pointing than prioritization.”
The risk of shifting the blame for an incident to others can be mitigated by establishing one or more groups that bring together separate parts of the organization to work jointly on assessing and managing cyber-threats – every day. These “cyber-fusion” centres, as Harrington calls them, ensure that each element of the organization takes full responsibility for implementing their share of the solutions devised. “Try in everything you do to reinforce the message that information security is everybody’s responsibility, from the boardroom to the branches,” says Harrington.
Harrington is nevertheless conscious of the thanklessness of the role of CISO – if nothing happens, no one thanks you, but if something does happen, everyone blames you. “The bad guy only has to get lucky once,” he muses. “But the CISO has to have a perfect record. Whoever gets the job does not sleep too well.”
But there is one common nightmare that never woke Tom Harrington up in the night: lack of preparation for the test. When presenting on cyber-security, he always used to ask which members of the audience were girl-guides or boy-scouts. “The motto of those organizations was, ‘Be prepared,’” he says. “Cyber-security is that simple. Are you prepared to meet this particular set of challenges?”