Financial Sector Cybersecurity is National Security

OPINION — The world stands at an existential crossroads, torn between dueling visions for tomorrow. On the one hand, the United States, allies, and partners fundamentally agree on the rules and the norms of the international system. Choosing to build more security and resilience in this robust system is the only way to protect the interests of the free world. On the other hand, the authoritarian governments, such as Russia and the People’s Republic of China (PRC), are striving for a grim alternative. These governments are taking steps to bring about a “post-West” global order to further their regimes’ survival, territorial expansion, or quest for power and status.

U.S. adversaries are also vying to control the destiny of the 4th industrial revolution, which is merging the physical, digital, and biological worlds in ways that create both opportunities and risks. How authoritarian governments employ technologies like artificial intelligence (AI) and quantum computing could have profound long-term implications for U.S. national and economic security.

To advance their agendas, Russia, the PRC, and other adversaries are increasingly looking to wield cyber capabilities as instruments of power. Further, they are developing the technical means to harm the American economy through a range of malicious activities such as data theft and disruptive attacks, which fall under the umbrella of cyber-enabled economic warfare. Geopolitical tensions, meanwhile, are rising across the globe. Examples of this include the Russia-Ukraine war and the PRC’s stated desire for reunification with Taiwan.

Now more than ever, critical infrastructure owners and operators must proactively prepare for disruptive threats to digital systems and supply chains, including the potential for significant risks that cascade across sectors. Such threats may fall below the threshold of kinetic war but can still be consequential. No wonder most Americans are concerned about cyberattacks, particularly those targeting financial institutions and those emanating from the PRC and Russia.

9 in 10 Americans are concerned about cyberattacks on U.S. financial institutions	7 in 10 Americans say the PRC and Russia are the biggest threat to U.S. cybersecurity	6 in 10 Financial services firms  are only in the early or intermediate stages of implementing the NIST Cybersecurity Framework
Source: The Pearson Institute and The Associated Press-NORC Center for Public Affairs Research		Source: Cybersecurity Solutions for a Riskier World, ThoughtLab

Key Steps to Take Now

Protect cloud deployments from today’s common problems and tomorrow’s challenges.

Fix misconfigurations, excessive privileges, a lack of visibility and compliance, and an overreliance on click-ops (manual activities) that can lead to widespread data spills and exposure of PII and financial data.

Use a threefold approach:

• Build security into the deployment process by default. Small mistakes in the cloud pose big risks because cloud network, data, and access services are seamlessly integrated and automated. Use automated deployment processes to avoid human errors and misconfigurations that can jeopardize sensitive data and systems.

• Adopt and enable continuous integration / continuous delivery (CI/CD) pipelines that enforce security, end-to-end automation, and compliance from day one for all cloud infrastructure as code (IaC) deployments. Provisioning cloud infrastructure with code leads to better documentation and auditability of configurations, improves the quality and speed of the development and testing lifecycles, and reduces the level of effort for ongoing operations and maintenance.

• Enforce least privilege, separation of duties, and role-based access controls for cloud-based person entities and non-person entities to limit the blast radius in the event of compromise. Cloud identity and access management systems are extremely granular and complex because so many services are constructed using application programming interfaces (APIs)—a legacy on-premises strategy for least privilege is not sufficient for secure cloud operations.
  

---

Looking for a way to get ahead of the week in cyber and tech?  Sign up for the Cyber Initiatives Group Sunday newsletter to quickly get up to speed on the biggest cyber and tech headlines and be ready for the week ahead. Sign up today.

---

Implement steps to securing your data with Zero Trust

Moving to a zero trust architecture (ZTA) can be overwhelming. Organizations often need greater perspective to assess their current cybersecurity posture—and to determine where and when to modernize the infrastructure and capabilities within their current environment to best secure their critical data. Here is a four-step approach to identifying and deploying new cybersecurity solutions when moving to a ZTA:

• Diagnose – Identify current IT capabilities and roadmaps covering the zero trust (ZT) focus areas outlined in guidance issued by the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Department of Defense (DOD). Conduct a ZT maturity assessment to attain objective insights into your organization’s ZT strengths and improvement areas.

• Design – Create an overarching ZT strategy, identifying solutions to close critical gaps identified during the diagnose phase. The overarching strategy spans the ZT pillars, provides a unified ZT target state and a multiyear roadmap blueprint, and prioritizes the development of strong governance policies that drive enforcement of conditional access. It’s a comprehensive strategy to enable secure anytime, anywhere access to resources that utilizes risk-based access controls while continually inspecting, monitoring, and alerting on key events. 

• Develop – Test new configurations, integrations, and solutions. Conduct proof of concept trials of new technologies with a limited user set and develop migration and implementation plans.

• Deploy – Reconfigure existing systems using validated implementation plans. Integrate new solutions to support capability gaps. Migrate users to new solutions. Provide continuous visibility by adopting a data-driven cybersecurity approach to unlock the benefits of security analytics at scale in real time and enable the use of predictive analytics to turn threat intelligence into actionable insights.

Zero trust is not a security product for sale in the marketplace. It’s a journey propelled by a change in mindset that brings people, processes, and technologies together to deliver better cybersecurity outcomes.

Treat the anticipated cracking of public-key encryption by quantum computers as a current threat.

While most of quantum computing’s potential is more than a decade away, it is important to start investing in risk management now:

Identify critical assets that will be vulnerable to quantum attack and create a post-quantum cryptography (PQC) transition strategy sensitive to the risk that an adversary may capture inadequately encrypted information today for later decryption using a quantum computer (a “hold now, decrypt later” attack).

Develop comprehensive PQC testbed facilities to inform PQC algorithm selection in different use cases and anticipate network and infrastructure impacts, including latency and interoperability challenges.

Use the PQC migration as an opportunity to improve cryptographic agility. Develop network infrastructure and policies that enable rapid updates to cryptographic protocols in the event new quantum or conventional vulnerabilities are discovered.

By proactively anticipating and preparing for these future challenges, financial sector organizations can outpace emerging threats, build resiliency, and deliver continued reliability in support of national and economic security.

Sign up for the Cyber Initiatives Group Sunday newsletter to quickly get up to speed on the biggest cyber and tech headlines and be ready for the week ahead.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. 

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field?  Send it to [email protected] for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief