Congress Hears of Fresh Cyberthreats to US Financial FirmsExperts Describe Increasing Security Concerns During COVID-19 Crisis
U.S. financial institutions are vulnerable to a new array of attacks from cybercriminals and nation-state hackers as a result of the COVID-19 pandemic, experts told a Congressional panel this week at a virtual hearing.
The Tuesday testimony before the House Financial Services' Committee's National Security, International Development and Monetary Policy subcommittee came as Democratic and Republican lawmakers introduced a series of legislative proposals to deal with the challenges facing financial institutions.
In their testimony, experts warned that banks and other financial institutions are not equipped to mitigate the latest cyberthreats - including sophisticated hacking campaigns, ransomware attacks, cryptojacking, intellectual property theft and business email compromise schemes - that have surged during the COVID-19 crisis.
The shift to a remote workforce has led many firms to change their approach to cybersecurity at a time when attacks are increasing, experts testified (see: Rethinking Risk for the Remote Workforce).
"America is grappling with a cyber insurgency, and our financial sector is the number one target," said Tom Kellermann, the head of cybersecurity strategy at VMware who served as a cybersecurity adviser to former President Barack Obama.
Also testifying were Kelvin Coleman, executive director of the National Cyber Security Alliance; Amanda Senn, chief deputy director of the Alabama Securities Commission; and Jamil Jaffer, the founder and executive director of the National Security Institute and an assistant professor at Antonin Scalia Law School at George Mason University.
“With virtual currencies, dark web marketplaces, and illicit technologies expanding to threaten citizens’ safety and hard-earned savings, it is imperative that our federal agencies evolve to meet and conquer these new challenges,” said subcommitte chairman, Rep. Emanuel Cleaver, D-Mo., in an opening statement.
The U.S. financial sector now faces numerous cybersecurity threats - including attacks orchestrated by elite hackers working for nation-states or organized crime syndicates, Kellermann testified. A few rogue nations, including North Korea, are offsetting economic sanctions by attacking payment systems in the U.S (see: Modern Bank Heists 3.0: 'A Hostage Situation').
Jaffer testified about the importance of the U.S. having a unified approach to threat actors, instead of leaving companies of all sizes to protect themselves from the challenges presented by skilled hackers.
Jaffer pointed to the dramatic increase in financial sector threats since the COVID-19 pandemic began. He also noted that the U.S. government has repeatedly warned of North Korea's capabilities to conduct disruptive or destructive cyber activities that can affect America's critical infrastructure, including the financial sector. This includes money laundering, extortion campaigns and cryptojacking attacks (see: US Offers $5 Million Reward for N. Korea Hacker Information).
Jaffer also warned about the threats to U.S. financial firms from Russia, Iran and China.
"China doesn't operate only through their government agents, although they have a tremendous number of military and intelligence resources devoted to focusing on the U.S.," he told members of Congress.
Jaffer backs legislation introduced earlier this month by Reps. Roger Williams, R-Texas, and Denny Heck, D-Wash., that proposes moving the U.S. Secret Service from within the Department of Homeland Security back to its original position under the Treasury Department to help better investigate cyber incidents.
In the first five months of 2020, cyberattacks against the American financial sector have increased by a staggering 238%, Kellermann said. Ransomware attacks have surged at an even greater rate, he added.
In recent months, security experts have seen an increasing level of coordination among cybercriminals to maintain persistence within vulnerable networks and to counter incident response efforts, Kellermann told the Congressional subcommittee (see: Microsoft Warns of COVID-19 Phishing Emails Spreading RAT).
"Because of telework, the major security provisions that have been put in place by banks are no longer effective because the network security paradigm can be bypassed by the VPN tunnels that allow access to the systems,” Kellermann testified. “So I think better forms of authentication and just-in-time administration should be granted within those ecosystems.”
Kellermann tells Information Security Media Group that members of both political parties appear to be open to the idea of creating new cybersecurity standards. "They seemed very receptive,” he says. “I believe in my heart that these lawmakers appreciate that cyber is not a partisan issue but rather a patriotic imperative."
Lawmakers have introduced four legislative proposals to address financial sector challenges:
- The Internet Fraud Prevention Act: This bill calls for studying business email compromise scams as well as updating examination and investigative procedures related to such schemes. It would create a Real Estate Fraud Advisory Group.
- COVID-19 Restitution Assistance Fund for Victims of Securities Violations Act: This bill would establish a fund to help ensure restitution is paid to victims of securities violations related to the COVID–19 pandemic.
- Senior Investor Pandemic and Fraud Protection Act: This bill would amend the Consumer Financial Protection Act of 2010 to provide states with the funds to protect seniors from misleading and fraudulent marketing or sales practices related to COVID–19.
- A yet-to-be named bill would require federal financial regulators to issue guidance to encourage depository institutions to establish programs to educate customers at risk of unwittingly becoming money mules.