Expect the unexpected: cyber security in 2017 and beyond

Speaker: Nausicaa Delfas, Executive Director, FCA
Location: Financial Information Security Network, Luton
Delivered on: 24 April 2017

Key points:

• The threat landscape is ever evolving - including the emergence of the “internet of things” being exploited to conduct DDOS attacks through SMART TVs and fridges.
• Rather than treading over old ground, it’s time to step forward to address the ever widening gap between criminal capability and intent, and our capability to defend ourselves.
• To manage these threats we need to move the dialogue on:
  
  • getting the basics right could prevent 85% of breaches
  • moving to a secure culture – take staff on a journey to change their mindsets
  • measuring that culture
  • use other drivers beyond the boardroom, such as institutional investors
  • sharing information
  • building capability

Note: this is the text of the speech as delivered.

Thank you to The Network Group for inviting me to speak today. I am Nausicaa Delfas, Executive Director at the FCA, and currently acting COO. Having for a long time been focused purely on the regulatory, supervision side, I am finding I am stepping more into your shoes, with now having oversight of internal information security and cyber resilience. 

I want to cover a few key areas from the FCA’s perspective, and I invite questions at the end:

Firstly, I want to look at the threat landscape from our perspective. The FCA operates in a unique position in the Financial Services spectrum; we have visibility of over 56,000 firms and we are well positioned to observe the myriad of threats and issues that these firms experience on a daily basis in the cyber world. 

Secondly, what can we do about those threats? How should we manage these risks? There are strategies that range from patching and information risk management, to people strategies, to security cultures, to information sharing, to what we can do to collectively improve our understanding of the threats and best practices to mitigate against them.

I think we need to move the dialogue on. Some of you may be thinking that you have heard some of this before – you may have done. Rather than treading over old ground, now it’s time to step forward to address the ever widening gap between criminal capability and intent, and our capability to defend ourselves.

Threat landscape

So, the threat landscape…

We have witnessed some interesting changes over the last 12 months, with the re-emergence of some old foes (such as ransomware) and the development of some innovative and dangerous criminal networks. 

Perhaps the widest coverage of these has been given to the emergence of the “internet of things” and the associated leverage of this enormous network to facilitate the largest DDoS attacks we have ever seen. 

We need to move the dialogue on.

Attacks exceeding 1.5 Tb per second are now entirely feasible and the scale is expected to grow. We are seeing SMART televisions, fridges, routers and cameras being exploited to form botnets (a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam), without the owner of the device ever becoming aware. As fibre optic broadband becomes the norm and bandwidth grows exponentially, these devices become capable of being compromised, aggregated and directed at financial institutions resulting in detriment to consumers and, potentially, impact upon the markets through the loss of service availability.

As a regulator, we are not immune either. In February 2017 the internal systems of Polish Financial Supervision Authority (KNF) were compromised in an attempt to infiltrate Polish banks with malware. At the FCA, we have seen attempts to use the FCA brand in phishing campaigns against the UK financial sector. Such attacks are yet another example of creative cybercriminals leveraging diverse technologies to seed and propagate attacks across multiple financial institutions.

Ransomware continues to be a focus for criminal groups, offering an off-the-shelf capability to monetise malware whether distributed in a ‘scattergun’ approach (DDOS) or specifically directed at firms. Both models have benefits, and both yield results. We have seen criminal groups infiltrate networks, carry out reconnaissance and plant ransomware directly onto pre-determined network assets to cause the maximum damage, and in some rare cases, backups have also been destroyed by the same attacker. By removing all possible recovery elements, the organisation is left with a fairly binary choice: pay or lose the data … that’s a pretty effective business model if you are the criminal… 

Attacks exceeding 1.5 Tb per second are now entirely feasible.

This demonstrates the criticality of a good backup strategy. We expect firms to maintain online and offline backups to ensure that data can be restored without the need to pay a ransom - I have heard of some institutions having bitcoin accounts to pay ransoms - but this will simply encourage more criminality and carries no guarantee that the attacker will actually release the data.

We have also seen a rise in the risk of targeted network attacks being carried out against firms. Whilst we have not yet seen significant market impacts or consumer detriment occur as a result, we know from our work with firms that there is no shortage of criminal networks continuing to attempt to compromise the corporate networks of our financial institutions. An interesting example is ATM attacks, where criminals have been observed trying to both compromise banks’ ATM machines to reach the corporate network, whilst equally trying to compromise the corporate network to reach ATM’s. This is a clear demonstration of the need for holistic detective, protective and responsive capabilities.

These are some examples of the major threats we see on a regular basis through our supervisory channels. These threats very much align to our reporting which continues to increase rapidly. Over the course of 2014 we had 5 reports of cyber Attack from the firms we regulate, in 2015 this rose to 27 and in 2016 we had 89 reports. Whilst this significant increase indicates more attacks are occurring, this may also suggest better detection and greater reporting to us on the part of firms, which we very much encourage.

In terms of threats, I have been asked: what do we focus on? State sponsored attacks on large institutions or criminal other attacks on smaller institutions? The answer is not all that simple – whatever the motivation – whether “CHEW” - for criminal, hactivist, espionage or war reasons – attacks can serve to disrupt financial institutions, whether by compromising the integrity of a market (eg data stolen), or causing consumers loss (cyber fraud), or by the knock on, or ripple effect of an attack on one business (whether a financial institution or not) on another - as the Talk Talk incident demonstrated.

And the reality is, that the stronger the defences of some institutions, the more likely it is that attackers will go for the firms with weaker defences. This can be seen from recent attacks on Asian banks in Vietnam, Bangladesh, and Bangkok, which then served to have an impact in Europe. For example, the compromise of the Bank of Bangladesh highlighted the risks that one bank can introduce to other members of core payment systems such as SWIFT.

So, really this is an issue that affects us all. And, as we all know, it is an ever changing threat – sometimes it feels like learning a new language, with an ever expanding vocabulary!

So what can we do?

The reality is that all businesses present different levels of risk to their customers and markets, and have varying budgets to spend on cyber security. But as cases have shown, even the largest budgets cannot guarantee to prevent all attacks. 

We know that it is not enough just to defend ourselves (an attacker can scale your wall and get inside) – we need to also have good detective capabilities (can you see that they are there?), and to be able to recover and respond, getting back to business as usual, with tested back up strategies.

So this is where we need to move the dialogue on. We all need to be able to prevent, detect, recover and respond – but how can we make this really effective?

a) Get the basics right

Many organisations believe that they are getting the basics right, but the reality is often not the case. The 2016 Verizon Data Breach Investigations Report provides an excellent sanity check, providing an analysis of 2,260 data breaches and 64,199 security incidents from 61 countries. It found that ten vulnerabilities accounted for 85% of successful breaches. The vast majority of vulnerabilities used in these attacks were well known and had fixes available at the time of attack. Furthermore, some of these attacks used vulnerabilities for which a fix had been available for over a decade. Being rigorous about patch management is key. Tools to enable effective management of vulnerabilities are well established, and yet organisations either don’t use them, or don’t use them effectively.

If we cannot get the basics right, then what chance is there that we can repel the sophisticated attacker?

Our work in the financial sector has shown us that firms continue to struggle to get the basics right. Schemes such as Cyber Essentials or the 10 steps to cyber security articulate what is considered by UK Government, and the UK Financial Authorities, as the basics of what we term ‘good cyber hygiene’. It’s a common statistic that the 10 steps to cyber security, properly implemented, would eliminate around 80% of the cyber threat firms are struggling to manage. I think this is true: effective risk management, complemented with good basic controls such as malware prevention, user education and awareness and incident management arrangements are examples of what we consider critical capabilities to be.

We also want firms to consider specific cyber risks. Whilst we cannot do much about DDoS attacks being launched against us as individual institutions, we can take steps to make sure we are protected from their impacts. We urge financial institutions to carry out robust and comprehensive risk assessments focussed on the impact of a DDoS attack on their systems. 

Mitigation solutions are available and we support their use. We do ask that you consider concentration risk when subscribing to a given service, to avoid contamination in the event of widespread sector attacks.

I should add here that some concentration may be inevitable (with iCloud for example) but due diligence of third party suppliers should include a review of their cyber resilience. You should also ensure that you have controls in place to swiftly recognise when an attack has happened in a third party supplier and have plans in place to correct or reduce undesirable outcomes.

b) Move to a "secure culture"

Where we can arguably do more to protect ourselves is aligned to the proliferation of malware. Beyond endpoint protection and the basic cyber hygiene components that can be found in many good practice standards, we need to consider how we manage our staff, to help to stop the spread of malware within a firm, or system.

We need to stop telling people what to do and help them reach a realisation themselves about why security is so important to them, professionally and personally.

How do we create secure cultures, how do we manage those and how to we ensure our efforts are impactful and meaningful within our staff population? We need to stop trying to educate our staff and, instead, take them on a journey. We need to stop telling people what to do and help them reach a realisation themselves about why security is so important to them, professionally and personally. We can do this in a number of ways.

We need to stop using a staff “policy” as the sole baseline for security training. Policy is important - it is the articulation of what you as a business will be doing - but for staff it’s a corporate piece of paper that is easily forgotten. 

We need to empower staff to make secure decisions themselves.

Numerous behavioural change methodologies have been considered over a long period of time across a wide range of subjects, but perhaps for security we might consider the ‘health belief’ model which emerged in the 1950’s. Within this model, it is proposed that an individual will take action if the perceived benefit outweighs the cost of taking action. Turning this model to information security, by articulating the requirements, the rationale, and critically the impact of non-conformance, we may be able to start changing mind sets and engendering a secure mentality. By taking staff on a journey and working with them to help them become security focused individuals, we may find that we reap better rewards and improve our collective capabilities. 

Examples of this include: introducing fake phishing scams, educating staff who click on them, reward those who avoid/spot attacks, take further action on those who persistently do not.

We have been impressed with the number of firms who have started to adopt such approaches.

Some firms have found ways to harness enthusiasm within their firms by finding that many of their staff code in their spare time, or are aspiring ethical hackers, and have subsequently moved into a more information security focussed role and flourished. I encourage you to seek to achieve similar results.

An interesting area of study within the FCA is the potential measurement of security culture. It is too early to say if we will reach meaningful conclusions about how such a qualitative and intangible concept is measured, but perhaps by setting key performance indicators and success criteria, we can begin to start looking at measuring security culture and setting the baseline for improvement in a more quantitative way. For example, by aggregating the outcomes of ethical phishing exercises, red team tests, senior leadership exercises, staff awareness events and information security training, we can begin to gather baseline metrics against which to track improvement. By tracking improvement, we can begin to make tangible steps to improve our cultural attitude towards security and start to tackle the more difficult challenges emanating from within our organisations.

Measurement can consist of both positive and negative behaviours. For example, simulated phishing tests allow measurement of the percentage of the population that would fall for a phishing scam. However, on the positive side, you can also measure the number of reports from your staff of emails that they are suspicious of.

Then there is also the role of the Non Executive Directors (NEDs) – using them to help to share experiences from other businesses, and to ask challenging questions of their board colleagues, and of the senior leaders within an organisation. In 2014 the UK Government released guidance for NEDs on the types of questions that should be asked, and we very much support this advice. NEDs should be able to satisfy themselves that an organisation is managing cyber risk effectively; the Institute of Directors specifically calls for NEDs to satisfy themselves “that systems of risk management are robust and defensible”. 

Another development we are seeing is security being taken beyond the boardroom, and becoming an investor led conversation. We are seeing the emergence of a number of institutional investors now questioning boards as to how they effectively manage this risk, which in turn is driving increased focus in the Board room. We would encourage investors to ask questions about cyber defences, to use a firm’s cyber maturity as a key indicator of resilience, and to push firms to improve in this space. We have seen how cyber can have an impact on a firm beyond the operational disruption caused, extending into equities pricing, and harming the balance sheet. It’s a key consideration and we will be considering how investors can be better equipped to ask the right questions.

By approaching cultural change in this way, we may be able to move away from the narratives we have heard before, over the past few years – “cyber is an asymmetric threat, it’s bad, etc”. If these messages have not landed at board level, then we need to re-examine our approach - as Einstein said “The definition of insanity is doing the same thing over and over again, but expecting different results”.

c) Share information

We can also seek to share our learnings and threat information amongst each other better. Through our work at the FCA, we have noticed a lack of information sharing outside of the critical, systemically important institutions and have taken action to address this. We have established a number of Cyber Coordination Groups, or CCG’s, to achieve a better collective cyber capability.

Security is being taken beyond the boardroom.

We are collecting, anonymising and aggregating actual risk data across around 175 firms in each area of the financial sector. This will provide us – and firms - with a much better picture about how cyber risk crystallises. Are we seeing unique threats in specific parts, such as retail banking, compared to other parts, such as insurance? Or are we seeing the same generic cyber threats threaten all firms? We will be seeking to carry this work out over the coming year and will look to share our findings.

Perhaps critically, within each CCG we are sharing threat information amongst the attendees. We are looking to share how attacks are being carried out and what unique and innovative solutions are being invented by some of the brilliant minds that work within our institutions. By sharing such actionable information, we hope to improve the collective resilience of the sector. Again, we will be seeking to investigate how we can share the findings of these groups in a secure and trusted fashion with a wider audience.

And for critical national infrastructure providers, and dual regulated firms – we work closely with the Bank of England and are party to its Co-ordination groups, both with other government bodies, HMT and NCSC, and with you.

The CCG’s are one example of how the FCA is seeking to help – we are also seeking to use our resource for maximum benefit, but we can only go so far. The CCG’s are limited attendance and not open sessions, and so I encourage industry to seek to implement creative and useful solutions collectively which is why events such as today’s session are so important. Speak to your peers, build your networks, and impart knowledge, share ideas and try to innovate. Cyber criminals are not constrained by a lack of sharing and neither should we be. Create your own secure and trusted networks and leverage them as far as you can.

This extends also in our case to international information sharing. At the FCA we have been active in creating the international frameworks with other countries that will serve to form a common language and understanding on cyber – the G7 cyber principles are one example, as is the CMPI/IOSCO guidance. We conduct exercises with other countries – the latest was US Resilient Shield in early 2016. This needs to continue, as actors do not recognise geographical boundaries.

d) Building the capability

Additionally, the UK financial sector requires more talented and qualified cyber security professionals.

The UK’s National Cyber Security Strategy recognises the need for the UK to tackle the systemic issues at the heart of the cyber skills shortage:

• the lack of young people entering the profession
• the shortage of current cyber security specialists
• insufficient exposure to cyber and information security concepts in computing courses
• a shortage of suitably qualified teachers
• the absence of established career and training pathways into the profession 

As an example of this, the government is establishing 13 Academic Centres of Excellence that specialise in developing cyber security research and innovation, attracting students and investment in to the UK.

As a financial sector, we too need to play our part, and seek innovative ways to develop additional talent. It is no longer sustainable to rely on experienced hires attracted by ever larger compensation packages – we need to grow the talent pool.

Furthermore, as the demand for resources continues to grow, we need to ensure that professional standards are maintained. The FCA fully supports the UK government’s intent to develop a cyber security profession, including through achieving Royal Chartered status by 2020, reinforcing the recognised body of cyber security excellence within the industry and providing a focal point which can advise, shape and inform national policy.

Conclusion

So, to conclude, the threat from cyber crime continues to rise, and with the asymmetric nature of this battle favouring the criminal.

Even those mature organisations that have recognised the threat, are well funded and have mature security capability, cannot fully counter the threat in isolation.

As a sector we need better collaboration amongst ourselves and with government to share intelligence and grow the necessary talent to keep us safe and secure in the future.

We have to expect the unexpected.

Thank you.