Speaking of the Economy
May 8, 2024

Measuring Cyber Risks in the Financial Sector

Audiences: Finance and Cybersecurity Experts, Business Leaders, Regulators, Bankers, General Public

Daniel Weitzner, an information security expert at MIT, discusses the cyber threats to the financial services industry and the challenges of measuring and modeling those risks. He also shares learnings from a recent conference co-hosted by MIT, the Federal Reserve Bank of Richmond, and the Federal Reserve System Board of Governors.

Transcript


Tim Sablik: My guest today is Daniel Weitzner. Danny is the founding director of the MIT Internet Policy Research Initiative, and the 3Com Founders Senior Research Scientist at the MIT Computer Science and Artificial Intelligence Research Lab. Earlier this year, he helped lead a conference hosted by MIT, the Richmond Fed, and the Federal Reserve Board of Governors on measuring and modeling cyber risk in the financial system, which is the topic of our conversation today.

Danny, welcome to the show.

Daniel Weitzner: Thanks, Tim. Great to be with you.

Sablik: You've had a very long and influential career as a researcher in the fields of internet policy and cybersecurity. So, I'm delighted to have you on the show to share your perspective on the important topic of cyber risk in the financial system.

To start, could you give us some sense of how you got involved in this space?

Weitzner: When I was in government, I was the deputy chief technology officer in the Obama White House from about 2010 to 2012. We spent a lot of time on cybersecurity because it was a growing threat. It was clear that there was going to be an increasing amount of society's value at risk, even then. Now, that's certainly come true.

One of the things that I observed was that we really didn't have very much science or data to guide us in making policy in this area. It led me, when I left government, to spend some time with some colleagues looking at cyber risk in the critical infrastructure sectors, including financial services.

Somewhat to my surprise, I learned that even the firms that I would consider to be the most prepared [and] the most well-resourced in this area really had trouble answering some basic questions about whether they were spending the right amount of money on cybersecurity — were they spending enough, were they spending too much, how they would prioritize their cybersecurity investments. I figured that if individual firms that should really have a very clear view of their own risk were having trouble making those decisions, then certainly all the small and medium-sized firms that we know are struggling with these kinds of issues must be having those problems even more so.

It also raised real questions in our mind about whether regulatory and enforcement efforts are being targeted properly. I think in the cybersecurity arena, certainly we've been learning and learning a lot more. But I think most of that learning, frankly, has been anecdotal and not empirical. That worried us and led us to try to understand what we could do to develop more rigorous models that could predict cyber risk and guide our actions.

Sablik: I think that was part of the motivation that led you to develop this conference, which I mentioned at the beginning. This conference that was held in January was the second joint MIT-Federal Reserve conference on this topic. How did this collaboration between you and your colleagues at MIT and researchers at the Richmond Fed come about?

Weitzner: We discovered that we were all working on the same questions. Of course, the economists and others at the Fed wanted to be able to answer questions about what kinds of impact cybersecurity risk was having on the overall systemic risk picture that, of course, the Fed works so hard to understand. One of the things that we've done is to host these annual conferences.

At this year's conference, we learned a lot that was quite encouraging. We saw that there's evolving sophistication in how financial services firms are looking at their cybersecurity risks. They're looking at it, I would say, from a more systemic risk view through the eyes of chief risk officers who tend to have a view of a whole range of risks — financial and credit risk, operational risk — and now they're adding cyber risk to their portfolio. They're working alongside the chief information security officers.

The chief information security officers, or so-called CISOs, used to be the main figures in cybersecurity. They have operational responsibility to make sure systems are properly designed, all the security measures are taken, vulnerabilities are patched and all that kind of stuff. What we're seeing now is an increasing partnership between the operational side, as represented by the CISO, and the more comprehensive risk view from the chief risk officer.

Part of this, we learned at the conference, comes from the fact that boards of directors are trying to get an increasingly strategic view of the cybersecurity risks that their firms are facing. Both boards of directors and regulators are able to look, in pretty quantitative ways, at things like credit risk — what's the overall risk in a firm's loan portfolio? These same boards are now asking the similar kinds of questions about cyber risk. They want to know whether they're putting enough resources against the risks that they're facing.

The Fed, in turn, I think, is asking similar questions when looking across the whole financial services sector. Do we have ways of characterizing resilience as to cybersecurity risk? Is the sector as a whole investing enough capital against that kind of risk?

Sablik: That was definitely a major theme that emerged from the conference — there is this ongoing challenge to measure and quantify cyber risk. What are some of the things that make that so difficult?

Weitzner: There was a view, initially, among people in cybersecurity that cyber risk was something that was not quantifiable. It was an inherently dynamic set of threats. You had all these bad threat actors out there who are constantly looking for clever ways to attack, and the initial view was that this was just essentially a war where you had to do your best to keep up against the attackers. There wasn't really a way to quantify that risk or predict where the risks were going to come from in the future.

We've taken a somewhat different view. When you look at cyberattacks that happen, whether in financial services or other sectors, you do see very similar attacks happening over and over and over again. The attackers will use an attack strategy as long as it works because if they could do the same thing to a new victim, that's cheaper than having to come up with a new attack pattern. What that suggested to us is that it might be possible to understand where the biggest sources of attacks were coming from, particularly as measured by who was losing the most money against what kinds of failures.

Let me just say what you need in order to develop a risk model. Risk is really a very simple equation. Risk is the product of the frequency that a harmful event occurs and how much you lose when that event happens. So, you basically need to know event frequency and loss magnitude — how much money did you lose and why did you lose it? If you can collect enough of that data about any kind of risk — whether it's the risk of thunderstorms or the risk of your favorite football team losing — you can eventually start to predict what's likely to happen in the future.

What is challenging about cybersecurity risks is that it requires collecting very sensitive data. If you ask any given firm, "Who are your worst attackers and how much did you lose to them?" that's not a question they're that eager to answer. Many smaller and medium-sized firms, and even some larger firms, are not even keeping that data. They pay attention to when they're attacked, and they try to fix whatever went wrong. But they're not necessarily keeping track of how much they actually lost from particular kinds of failures.

Sablik: How are you and your colleagues working to improve the collection and sharing of cyber risk metrics?

Weitzner: What we've done is we've used some relatively complex cryptographic technology that has enabled us to build what is called a secure computing platform.

What this means, in a nutshell, is that we can collect data from firms in encrypted form — the event frequency data and the loss data. We ask firms to gather that data internally [and] before they give it to us, they encrypt it. Through the encryption mechanisms that we have, we're able to do computation on the encrypted data. All anyone ever sees, including us, is the aggregate result, which we think has been somewhat of a breakthrough in being able to build these kinds of cyber risk models. Firms have the ability to share this data and get useful insights from it without having to risk the possibility that that data will be disclosed to anyone else.

Sablik: What would you say are the biggest cyber threats facing financial institutions today?

Weitzner: Hackers use the same techniques until they don't work. So, for the purpose of our research, we're a little bit less interested in the kinds of attacks that firms face and a little bit more interested in what kinds of defenses work against any set of attacks.

We did a study with a large number of municipal governments in one particular state. We expected to find a relatively low level of technical readiness because we know they have low budgets for IT generally and even lower budgets for cybersecurity. We also know they're particular targets for ransomware attacks.

What we found was that their technical readiness was actually better than we thought, but that their institutional readiness was pretty poor and that most of the money that they lost in the attacks they're facing had to do with lack of institutional preparedness. That meant things like can you recover quickly from an attack, not can you protect yourself against an attack because you're always going to get attacked. The question is can you recover? Most firms have backups of most of their data, but can you use those backups? That is, can you get them installed and get your whole system back up and running?

What we're seeing is that for firms to be well prepared, they have to look beyond just technical measures. Have you encrypted your data? Do you have multi-factor authentication? All those things are certainly important. But do you have an overall institutional capacity to respond when you're attacked, to keep going when your systems are under threat?

Sablik: That's super interesting. As someone who is looking at this from the outside, you sometimes get the impression that the threats are evolving so quickly and the defenses are not so good. But from what you're saying, it sounds like the cyber defenses have matured pretty well, but there are other things that maybe need to be done.

Weitzner: To be clear, firms have to keep investing in up-to-date technology. There are a lot of firms that are stuck with very, very old systems that have really terrible abilities in them. It's important for vendors to invest on the technical side. It's important for firms that are customers of software solutions to really look hard at how their vendors are doing.

Sablik: Are there emerging threats on the horizon that you've got your eye on? I know a lot of people now are talking about AI and what that might mean for cyber threats and cyber trends.

Weitzner: There's always emerging technical threats.

One of the things that we heard quite a bit at the conference that we did with the Fed was the focus on what people would call third-party and Nth-party risks. If you're a bank, for example, and you depend on some third party to print your credit cards or to handle some of your customer service or do some of the risk scoring for your loan portfolio, those third parties that provide service to you and that also probably have access to a lot of your data are a clear emerging source of risk question marks.

We think that larger banks are doing a better and better job of managing their own internal risk. Now the challenge is for all the firms that they contract with, all the firms that they partner with, how do you assess the risk that those firms pose? You still have to be responsible for your customers' data. But how you exactly go about assessing whether that third party is taking all the necessary steps, how do you make sure that they assume liability in the event of harm, are some of the emerging threats.

This is important because, as the financial world becomes more and more fluid from a data perspective — you have more and more fintechs, you have a lot of these new open banking services that enable customers to move their personal data from one place to another — all of a sudden the threat model that you have to consider goes way beyond just the walls of your bank and includes all those other parties.

Sablik: Are there particular things that regulators can do to help ensure that the financial system remains resilient to these emerging cyber threats?

Weitzner: Regulators, of course, do quite a bit of institution-by-institution examination and supervision of banks. This happens at the federal level with the various supervisory authorities. It happens at the state level with some of the larger state regulators like the New York State Department of Financial Services. They are looking more and more at cyber risk, which is great.

We think that more attention on quantitative cyber risk models can help guide that examination process, at whatever level it happens, to make sure that the examiners are asking the right questions. One of our big motivations, and what we hope will be a contribution to the work that the Fed is doing, is to refine these models so that enforcers and supervision authorities have them to guide their work.

The second thing that's happening in the regulatory environment is there is more and more emphasis on reporting of cyber losses. The Department of Homeland Security has recently put out some proposed rules on reporting various kinds of attacks. The New York State Department of Financial Services has what were really groundbreaking rules on cyber event reporting. We're interested in making sure that the data that's collected comes in a form that's most useful to drive the risk models that we're working on developing.

Having the data on an individual basis is useful. It provides direction for individual investigations. But we think that the big value in that data is going to come when we can get a more comprehensive view of risk across the entire financial services sector.

The final thing I'll say that's happening in the regulatory environment is there is a lot of discussion about who should hold liability in the event of losses. The White House has kicked off a very important discussion on whether software and service providers should have increased liability for cybersecurity losses resulting from negligent security design practices. Up until now, for the most part, the providers of off-the-shelf software — like Windows and name your favorite Oracle software or whatever else, Quicken, Intuit, whatever else — are all sold with the legal proviso that if there's a flaw in that software, the software vendor is not responsible. That has led to probably inadequate investment on the part of software developers.

Sablik: Danny, thank you so much for joining me today.

Weitzner: Tim, it's been a pleasure talking with you.
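Editor's note: the interview describes two ideas in words only: risk as the product of event frequency and loss magnitude, and a "secure computing platform" on which firms' encrypted loss data is combined so that only the aggregate is ever visible. The block below is an added, constructed illustration of both, not the platform built at MIT or any code from the interview. It uses textbook additive secret sharing (each firm splits each number into random shares that sum to the true value; independent servers each sum the shares they hold and publish only their partial sum) rather than whatever cryptography the real platform uses, and the firm figures in `SAMPLE_REPORTS` are invented.

```python
"""Constructed example: secure aggregation of cyber-loss data with additive secret sharing.

Not the MIT platform's protocol. Shows how a sector-wide frequency and loss magnitude
can be computed without any single party seeing an individual firm's numbers.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# All arithmetic is in the field of integers modulo a 61-bit Mersenne prime.
# Values must be non-negative integers smaller than P (here whole dollars and counts).
P = 2**61 - 1


@dataclass(frozen=True)
class FirmReport:
    """One firm's private inputs for one year: incident count and total loss."""
    incidents: int
    loss_dollars: int


def share(value: int, n_servers: int) -> list[int]:
    """Split `value` into n additive shares that sum to `value` mod P.

    Any n-1 of the shares are uniformly random, so a server holding fewer
    than all n shares learns nothing about the firm's value.
    """
    if not 0 <= value < P:
        raise ValueError("value out of field range")
    if n_servers < 2:
        raise ValueError("need at least two servers for the sharing to hide anything")
    shares = [secrets.randbelow(P) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recombine shares (or partial sums of shares) into the underlying value mod P."""
    return sum(shares) % P


def aggregate(reports: list[FirmReport], n_servers: int = 3) -> dict:
    """Run the protocol end to end and return only sector-level aggregates.

    Each firm shares its two numbers; server s receives share s from every firm.
    Servers publish the sum of the shares they hold, and those partial sums are
    recombined. Individual firm values never leave the firm in the clear.
    """
    inc_by_server: list[list[int]] = [[] for _ in range(n_servers)]
    loss_by_server: list[list[int]] = [[] for _ in range(n_servers)]
    for report in reports:
        for s, sh in enumerate(share(report.incidents, n_servers)):
            inc_by_server[s].append(sh)
        for s, sh in enumerate(share(report.loss_dollars, n_servers)):
            loss_by_server[s].append(sh)

    # Each server's only output is a partial sum; this is all anyone else sees.
    inc_partials = [sum(col) % P for col in inc_by_server]
    loss_partials = [sum(col) % P for col in loss_by_server]

    total_incidents = reconstruct(inc_partials)
    total_loss = reconstruct(loss_partials)
    firm_years = len(reports)  # one report per firm per year in this example

    # Risk = frequency x loss magnitude, as stated in the interview.
    frequency = total_incidents / firm_years  # incidents per firm-year
    magnitude = total_loss / total_incidents if total_incidents else 0.0  # dollars per incident
    return {
        "total_incidents": total_incidents,
        "total_loss": total_loss,
        "frequency": frequency,
        "magnitude": magnitude,
        "expected_annual_loss": frequency * magnitude,  # expected loss per firm per year
    }


# Constructed sample input (made-up firms and figures).
SAMPLE_REPORTS = [
    FirmReport(incidents=2, loss_dollars=150_000),
    FirmReport(incidents=0, loss_dollars=0),
    FirmReport(incidents=5, loss_dollars=1_200_000),
    FirmReport(incidents=1, loss_dollars=40_000),
]

if __name__ == "__main__":
    for key, val in aggregate(SAMPLE_REPORTS).items():
        print(f"{key}: {val}")
```

The point a practitioner should take from this is in `aggregate`: the servers operate only on shares, and the only values that are ever decrypted are the two totals. Anything derived from the totals (frequency, average loss, expected annual loss) is therefore computable without any firm disclosing who attacked it or what it lost. The scheme assumes the servers do not collude; a real deployment would also add input validation so a firm cannot submit out-of-range or malformed shares, which this illustration does not attempt.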
