In Wake of Revelations about Corruption and Coercion, OCC Wails about Bank Cybersecurity

Over 3 months ago, the Guardian revealed that the President reserved the right to declare “inherent right of self defense” to access private networks deemed part of our critical infrastructure in the name of cybersecurity.

2 weeks ago, the Guardian, ProPublica, and NYT reported that, to make it easier to spy on others, the NSA had “deliberately weakened the international encryption standards adopted by developers.”

Also 2 weeks ago, FP reported that “many corporate participants” in an NSA initiative to protect US critical infrastructure “say Alexander’s primary motive” in that initiative “has not been to share what the NSA knows about hackers. It’s to get intelligence from the companies.”

And just this week, Spiegel provided details of how NSA conducts Man-in-the-Middle attacks — hacks — on financial giants like VISA and SWIFT.

Yet none of those revelations prevented Comptroller of the Currency Thomas Curry from giving a fairly breathtaking speech yesterday about financial cybersecurity.

In it, a member of the Executive Branch that has made everyone less secure by corrupting encryption said,

The growing sophistication and frequency of cyberattacks is a cause for concern, not only because of the potential for disruption, but also because of the potential for destruction of the systems and information that support our banks. These risks, if unchecked, could threaten the reputation of our financial institutions as well as public confidence in the system.

A member of a regime that is routinely hacking financial entities said,

The global nature of the Internet means they can conduct their activity from almost anywhere, including in countries with regimes that, at worst, sponsor attacks and, at a minimum, act as criminal havens by turning a blind eye toward criminal behavior.

And a member of the government that has hacked key third party providers like SWIFT and cooperated with third party telecoms to just steal data said,

Banks not only operate their own networks, they also rely on third parties to support their systems and business activities. Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system.

I recognize the cybersecurity threat to banks is real. I’d like to be protected against criminals trying to steal my money online and I endorse OCC including IT security among things bank inspectors review. I grant that Curry may well be operating in good faith when he says all these things. But when he talks about partnerships like this, he simply loses credibility.

Clearly, much of the responsibility for assessing cyber threats is housed in other agencies, from the Department of Homeland Security to the FBI to the National Security Agency. They are on the front lines, and they are the ones that are doing the most within government to identify, evaluate, and respond to threats in this area. However, we – the OCC, the FFIEC, and the other regulatory agencies individually – are working closely with them to strengthen the coordination and overall effectiveness of government’s approach to cybersecurity of critical infrastructure.

[snip]

But this is not a problem that can be addressed by one agency alone or by any one institution acting on its own. It is a threat that we can deal with only if we work together in a collegial and collaborative way for the good of our country.

The banks’ regulator may believe he is in a position to lecture about collegiality in the face of threats. But since the government is one of the biggest of those threats, it doesn’t strike me as all that convincing.

11 replies
  1. Big Bob W says:

    EDIT: (just trying to be helpful)!

    In it, a member of the Executive Branch that has made everyone less security by corrupting encryption said,

    –change to—

    In it, a member of the Executive Branch that has made everyone less secure by corrupting encryption said,

  2. Frank33 says:

    Do not worry. The Linux operating system has Cyber Security and Cyber Torvalds. Linus Torvalds who developed open source Linux, denied the NSA tried to put a “Back door” in his “Kernel”. But I think, that NSA is not amused. They never forgive or forget.

    Torvalds was also asked if he had ever been approached by the U.S. government to insert a backdoor into Linux.

    Torvalds responded “no” while shaking his head “yes,” as the audience broke into spontaneous laughter.

  3. Peterr says:

    From the speech:

    Banks not only operate their own networks, they also rely on third parties to support their systems and business activities. Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system.

    Kind of like when robosigners forge signatures on documents and homes are illegally foreclosed upon based on these lies?

    Kind of like when banks make representations in court that the chain of title is clear, even when MERS cannot document their transactions?

    Yep, weaknesses in the banking system are a terrible thing. If only there were a governmental regulator who could deal with these situations . . .

  4. C says:

    @Frank33: Considering the amount of effort the NSA spent on Secure Linux which handles access rights and sits on top of the Kernel but runs in kernel space the sanctity of the kernel may be immaterial.

  5. C says:

    I grant that Curry may well be operating in good faith when he says all these things. But when he talks about partnerships like this, he simply loses credibility.

    Perhaps he doesn’t know or doesn’t really know.

    Remember when the DOD essentially ordered all of its personnel to avoid reading anything from or about Wikileaks? While that order sounds silly I have encountered people in government who really are that walled off. I used to think it was just acting but I have since realized that in places like DC the groupthink is really so strong and self-imposed that they are out of touch.

    Think of McCain’s screed in Pravda today or anything Obama has said about the PCLOB, Guantanamo Bay, or Syria. To anyone outside of DC it all sounds like insulting guano. Inside the beltway and the self-insulated corridors of power where rocking the boat is not welcome it’s easier to pretend to believe what you don’t.

    Matt Taibbi did a great piece on what he calls “Groupthink City” here:
    http://www.rollingstone.com/politics/blogs/taibblog/bailout-neil-barofskys-adventures-in-groupthink-city-20130206

    This includes the point where Neil Barofsky the former Inspector General for TARP is told, quite seriously, that in DC an IG doesn’t want to be seen as “too much of an attack dog, you don’t want to be seen as promoting yourself.”

    But I must admit that at times it reminds me of that part in 1984 where Orwell says (paraphrasing):

    Occasionally it was necessary for a member of the party to know that this piece of news or that fact was false. But he must at all times believe in the whole official story.

  6. orionATL says:

    three questions:

    1) step back from his specific words and ask yourself “what is the office of the controller of the currency/curry trying to sell us citizens?”

    answer: fear

    2) ask yourself who else in the government has been trying to peddle fear to us citizens?

    answer: the nsa, the whitehouse, the director of national intelligence, and the doj/fbi, plus allied media commentariat.

    3) is it possible that the coc is participating in a public relations scheme designed for the use of whitehouse/dni to protect nsa spying “authority” by reiterating versions of “terra,teera,terra” in multiple realms of american life?

    answer: read this article by a former dept of treasury employee about the pr scheme treasury had cooked up to deal with any news release about treasury’s taking of SWIFT data –

    http://www.salon.com/2013/09/07/new_york_times_and_terrorism_when_lapdogs_roar/

    the article is intended as a putdown of nytimes. its value, however, is as a road map for government schemes to have a pr strategy available to control what news stories might say about a government program and to deflect any criticism, legitimate or not.

  7. Greg Bean (@GregLBean) says:

    And yet another condemnation from those outside bubble city.

    Will Obama be arrested as a war criminal next time he sets foot outside the US?

    http://rt.com/news/morales-obama-humanity-crimes-109/

    It won’t be long until the whole of South and Central America become part of BRICS foregoing any relationship with what we like to think of as the exceptional, indispensable west.

    I’ve marveled at a lot of the outrage about the NSA spying on Americans. Why? Mostly because there is rarely a whisper about the deep disgust of citizens in the entire rest of the world.

    And yet that is where the true damage has been done, damage that will not be undone in our lifetime. So very sad.

    I wonder if citizens of Rome, or France, or England felt like this as their elite squandered their empire?

  8. Peterr says:

    @orionATL: There’s fear in this speech alright, but the fear is that folks will notice the failures of the OCC in regulating the megabanks who have chosen OCC to be their regulator specifically because they are so bad at that regulatory job.

    Since taking office as Comptroller of the Currency, a lot of my time has been spent addressing issues stemming from the financial crisis. That’s as it should be. Ensuring that our banks have sufficient capital to absorb losses in times of stress, curbing excesses in the securitization market, and restricting bank investment in hedge funds and private equity companies are all important steps that will protect not just banks and thrifts in times of future turbulence, but the financial system as a whole.

    However, as important as it is to look back and deal with issues arising from the financial crisis, it is equally urgent that we look ahead and stay on top of emerging threats – some of which have the potential to be as destructive of the financial system as the excesses of the mortgage and securitization markets. The particular issue I have in mind, and the one I want to spend the rest of my time on today, involves the operational risk posed by cyberattacks.

    Shorter OCC: Don’t look back at what we’ve done. I have, and it’s not a pretty picture.

  9. orionATL says:

    @Peterr:

    that’s what makes a good speech – something for everybody.

    we’ll be able to make a better guess if curry’s speech is part of a whitehouse orchestrated “boo!”

    if the food and drug folks start claiming cyberwar will give us more salmonella cases,

    if dept of labor blames cyberwar for intractable joblessness,

    if dept of education claims cyberwar is messing up school test scores,

    if dept of treasury starts claiming it was cyberwar that brought about the depression of 2007-2027.
