FFIEC on DDoS: What Are Expectations?
TOM FIELD: Why do you believe that the FFIEC has suddenly issued this new bulletin on banks and DDOS attacks?
RODNEY JOFFE: A really interesting question, and it's a really interesting situation. I can't remember a time when a federal regulator has actually come out with a statement around cybersecurity like this, with what are very clear directions. I think the reason that it's happening now is actually pretty fast from a government point of view. It obviously comes about as a result of the attacks that we saw two and a half years ago, but it has nothing to do with those attacks per se; it has to do with the fact that the federal government really got a wakeup call, as did the private sector, during those DDOS attacks. They've now decided that the sector that is most likely to be sympathetic and responsive to this, and also the most easily described, is the financial sector. I think they chose the FFIEC to go ahead and be the body that now recommends to the smaller financial institutions how they should behave.
It's also a little bit more than that I think. I think it's also a matter of saying, 'We're going to spell out for you what the challenges are and what the threats are. We're going to point you to a series of steps that we believe you should be taking. We've ultimately given you fair notice that this is an issue, so that in the future, if there are any issues, you can't throw your hands up in the air as a small branch institution and say we didn't know, we didn't expect it, we're not in that business; we're a bank.'
DDoS Activity
FIELD: What current DDOS activity against banks do you see now, and how have attacks evolved?
JOFFE: We've seen the regular group of attacks over the last couple of years, so there's been no major change in the numbers. I'd say that the attacks we're seeing are more focused [for a] shorter duration, which will probably lend credence to the fact that more of these attacks have actually been launched as diversion incidents rather than as direct attacks to disable the banks. But the reason I think that it's happening now is, it just took that period of time for the government to work [it out] with the banks themselves. Obviously no private organization likes to be subject to new regulations, but I think that it took this amount of time to work out a series of ground rules and to get some agreement. I think it's being announced now because this is a span the government could actually put together.
Number one, all of the systems out there need to be able to issue a public announcement like this, that lays out step by step what banks and financial institutions are expected to do. And number two, to be able to deal with all of the backroom discussions, knowing that this is going to have fallout. I can guarantee that at this moment a large percentage of the smaller financial institutions that were just vaguely aware of the attacks two years ago are suddenly having meetings to say, 'What do we need to do that we're not already doing, how do we convert the plan, how do we cover ourselves, and how do we make sure that if there is an incident that we're involved in, we don't find ourselves being personally liable for not having followed the guidance of the council?'
Rapid Response
FIELD: So you're saying that this is the government's version of a rapid response to what we saw a year ago?
JOFFE: I think it's more than just a rapid response. I think what we did see during the attacks was response from various parts of the US government, from the operational side to give whatever advice they could, to give input, to provide data. What we're seeing now is a rapid response to the regulatory or policy side. And if you think in terms of the way that the government really works, this is lightning fast. I mean, this is probably 12 or 15 months. I'm almost prepared to bet that this wasn't just developed within the financial sector of the government, but I'll bet you that you'll find that the White House, as well as the congressional committees that are involved with banking, were all involved in working together to craft this response. I think this is really fast given the fact that this policy is operational.
Substance of the Message
FIELD: What would you say is the substance of what the FFIEC is saying to the financial institutions?
JOFFE: What they've basically said is, and it's interesting because this is focused mostly around DDOS, that DDoS [attacks] are now something to be recognized as being a major threat. These are the indicators, here are ways that you can actually recognize it. What we expect you to do is to now begin to put in process, number one: a series of plans that take into account that you have to recognize attacks. Number two, you have to mitigate them. Number three, that you have some process in place that looks for continuing improvement. So in other words, if you look at the very first part of the recommendations, it really says that you want to have an ongoing process of evaluation, standards [and] procedures in place, and then continue to improve them over time. This isn't a one-time thing, this is really saying to banks ultimately that cyber-attacks are a reality for you, and we now expect you to take as much care with protecting your infrastructure against cyber-attacks as you do in the physical world. Which is putting bars up, having locks on the doors and having cameras and alarms; we expect you to take the same care and the same effort in the cyber domain.
FIELD: In your estimation, how are they currently meeting these expectations?
JOFFE: I think what they're doing is meeting them by saying, "Bob downstairs takes care of it, and it's really not an issue for us if we don't talk about it, and we haven't really been attacked directly. That's something we'll worry about some other time." I think that smaller banks have been dealing with it that way.
Improving Mitigation
FIELD: Where specifically must financial institutions improve how they are assessing their risks and mitigating them?
JOFFE: I think the first thing they have to do is -- and this is something that may not seem obvious -- look to outside third parties to give them some form of defense immediately. Two things are going to happen; number one, this is going to create a fair bit of public awareness, and number two, the bad guys are going to see this recommendation come out and may as well get in [their] licks as soon as [they] can because it's going to get more difficult over time. I think that we're probably going to see attacks from the people who are genuinely in the business of attacking banks, and from people who just want to make a point to just see how easy is it to actually attack banks.
What banks need to do as a first step is probably look to outside vendors or advisors to help put mitigation in place immediately. Then, they need to go through the recommendations that are provided by the FFIEC in their publication they report it through; they have a number of links, all with best practices. Banks now need to start looking at those best practices and seeing what they already [had], and how close they come to fulfilling them already. They probably want to get some specialists in that will help them develop a plan of action [to] go through these initial steps and also begin to build a long-term program. I think they have to also now deal with the reality of the costs that are going to be involved in this; this is obviously going to be a cost. I think that they are also at some level going to reach a point where they make a decision that, from a long-term point of view, it seems better to outsource this service in the same way as they outsource, for example, the carrying of money between customers and the bank. In order to do it, they use third-party companies. They're going to probably come to the realization that in smaller banks it's useful to engage your ISPs and the security service providers as DDOS mitigation providers and bring them in from a long-term point of view and make them part of a trend.
Teeth in the Report
FIELD: Where do you see the teeth in what the FFIEC is saying?
JOFFE: I think it's going to occur in a couple of ways. If you look at what they've said, they actually talk about risk mitigation. The document says the members expect each financial institution to address DDoS readiness as part of an ongoing security response plan in accordance with regulatory requirements, and they point out a number of regulatory requirements that cover the whole spectrum of financial institutions. But they say in accordance with those, they're interpreting quite literally, that they expect institutions to take the buying steps as appropriate. And they spell out very specific DDoS mitigation steps. So I think the teeth are going to come into effect as we start to look at the audits that are performed as part of the FFIEC members' process. Number two, a number of these organizations provide the insurance for deposit, for example, the FDIC. If there ends up being any claims around a DDOS event, you might find that some of the teeth are going to be in the back of the insurance policies no longer paying out, that the FDIC is no longer prepared to guarantee [this] for institutions that don't follow these recommendations and guidelines. So I think it's going to come in two different ways. I have no idea about whether this is going to actually be codified into any of the regulations that govern the banking industry. That's obviously something that no one likes to have, but this would seem to be a first step along that path.
FIELD: As you have traveled around the world, have you seen a regulated entity penalized for having been a DDOS victim?
JOFFE: I find this quite remarkable, not just that it's happening, but that it's happening now in a regulated industry. I think that what this is, is the first step in a number of other regulators within the U.S. putting forward their own recommendations. I think that this is the opening of the flood gates from the regulatory point of view. It's absolutely the first time I've seen a regulator incorporate cyber in this kind of way, and very specifically DDOS. This is not talking about cyber in general; it's talking about DDOS. Two years ago you would probably hard pressed to find anyone who worked in a bank other than the IT department who even knew what DDoS was.
Current DDoS Vulnerabilities
FIELD: How should organizations best assess their current DDOS vulnerabilities and mitigation capabilities so they know what gaps they must fill?
JOFFE: The first thing is to obviously go through the information that's available to them through the FFIEC and the FS-ISAC, and certainly they have to bring in outside professionals that do this for a living. They really have to find a way of taking from the enormous repository of knowledge that already exists. For example, a company like Neustar, we've been doing this for many years and do it for a large group of customers. So this is not new to us. There are other companies obviously that do the same kind of thing, but we've been through this. We went through this with the banks two and a half years ago, and some of them were customers of ours and we were able to successfully help them mitigate the effects of the DDoS [attacks]. So we've been there already, there is experience. The smaller banks need to go ahead and make use of that experience so that they're not starting out fresh.
