The Federal Reserve Bank, like all other financial institutions and most businesses, worries about cyber attacks. Arthur Lindo is the Fed’s senior associate director of supervision and regulation. Some see more regulation as the answer, but Lindo says the Fed’s own research finds otherwise.
“I don’t think the solution to the cybersecurity problem rests in regulation. We’re going to try a more flexible approach,” he said. Lindo did not say what the flexible approach entails.
Here’s how the Fed’s decision came about. Republican Mike Crapo, who heads the Senate Banking Committee, responded to the Fed’s request to consider more regulations. The Fed and other government agencies issued a notice of intent to add rules on cyber risk management standards for financial institutions.
Cybersecurity experts, industry groups and individual businesses looked over the proposed rules and said no. Their contention is that banks and other financial institutions already have plenty of rules to follow.
In fact, it’s a mess, says JPMorgan Chase’s Kevin Gronberg. His company put together a spreadsheet of the requirements it already faces, and it runs to 2,000 lines. That shows, if anything, that the existing rules overlap and that adding more may create more problems than it solves. “We tried to put it all into a common language, so we can reply with the same answer when we get the same questions from different regulators,” Gronberg said.
Thus, the idea was dropped.
With cyber attacks increasing at alarming rates, if more rules and regulations are not the answer, then what is? Republican Rep. Tom Graves of Georgia and Arizona Democrat Rep. Kyrsten Sinema think businesses and individuals ought to have the right to hit back.
Even though security and legal experts are opposed, their bill is gaining traction. It amends the Computer Fraud and Abuse Act, a federal law passed in 1986 that prohibits accessing someone else’s computer without authorization.
If passed, and it’s a long way from getting there, here’s what their bill would allow businesses to do in retaliation. The defensive measures would be limited, but victims would be able to:
• Leave their own networks to attribute an attack
• Disrupt an attack
• Retrieve or destroy stolen data
• Track the behavior of the attacker
• Use beacon technology to find the physical location of the attacker
Proponents, including the bill’s two sponsors, like the idea because it would give companies the power to monitor, identify and stop attackers targeting their systems. “The status quo is not acceptable anymore,” Graves said.
Their bill has now picked up seven bipartisan cosponsors, including House Oversight and Government Reform Committee Chairman Rep. Trey Gowdy.
National Security Agency (NSA) Director Mike Rogers hates the idea. “My concern is, be leery of putting more gunfighters out on the street in the Wild West. As an individual tasked with protecting our networks, I’m thinking to myself, we’ve got enough cyber actors out there already,” he said.
One of his predecessors, Keith Alexander, agrees. He thinks companies could end up starting wars against each other, which would just add to the problem.
Not so, says Graves. He notes that he and Sinema have put plenty of controls in the bill to prevent vigilantism and other unintended consequences. Companies could not destroy or damage data that doesn’t belong to them or that is stored on another person’s or entity’s computers.
But that doesn’t really work, said Josephine Wolff, a professor at Rochester Institute of Technology and a fellow at the New America Cybersecurity Initiative. She said, “You’re talking about this idea that private actors, say mostly companies, are going to be able to know who is attacking them and know with enough certainty to be able to retaliate effectively.”
The problem is that most hacks come from foreign actors who route them through intermediaries, often compromised machines belonging to uninvolved third parties, so the apparent source of an attack is rarely its origin. “You’re not necessarily going after the people who initiated the attack. You could be going after somebody who is caught in the middle,” Wolff said.
And that, says Washington, D.C. lawyer and cyber expert Doug Henkin, is the crux of the dilemma. “You’ve got to wonder whether it would be in the best interests of a company to do something like this, particularly if they had just been hacked and their systems were thus possibly vulnerable in ways they might not yet know that could actually be further exploited were they to go digging in presumably hostile systems,” he said.
Graves said critics aren’t really reading the bill. He said controls are in place to limit damage, and a company engaging in “active defense” has to notify the FBI’s cyber crime unit of what it is doing before it can proceed.
“We’re trying to give them more additional tools to defend themselves,” Graves said.
That could be a positive, says Heritage Foundation policy analyst David Inserra. “It turns a victim — a company that has been attacked — into a witness. That’s more information that our authorities can use to find and catch the offender,” Inserra said.
While the bill has a long way to go before seeing the light of day, Graves said the White House and the Department of Justice are reviewing it. “Cyber is one of the priorities of the administration, and they are very interested in what we are proposing here and the thought that has gone into this,” Graves added.
Source links: Insurance Journal, The Hill