tv [untitled] June 7, 2012 11:00pm-11:30pm EDT
reported that their computers were compromised and industry positions were accessed and the financial services are a big target, because where the money is, and that is where they are trying to armor their networks and deal with breaches as quickly as possible. the cost to business consumers are difficult to quantify, but we have to ensure that we have the proper safeguards to stop or minimize other attacks and protect the privacy of all the citizens. so consumer confidence is playing a significant role in any financial transaction or investment, be it by an individual or small business. just as there were numerous instances of identity theft, there's a significant rise of corporate takeovers as well.
the threats come in all different shapes and sizes. according to a strategy and research study, identity theft cost americans $37 billion in 2010 alone. today, i cannot think of a less appetizing scenario having someone other than myself accessing my personal banking information for their personal benefit. additionally there have been significant corporate account takeovers and that is identity theft of a company instead of a business -- or an individual. which leaves small businesses seeking solutions to safeguard their information and their finances. our financial markets and clearing houses have spared the high profile attacks that were happening with banks because of their hard work and partially because of the way they are constructed but they are still vulnerable to service attacks on public websites or on utilities that serve them.
fortunately what we saw in the attacks in new york city, our markets are resilient and they have become more so ever since. but it's important for them to tell their story today in their own words. so we are here to hear and discuss how we together can better be prepared against future such attacks. now, we must remember that we must remain vigilant when protecting personal and financial information, much of our economy is relying on the internet today and that we must not be complacent in all this, our economy has been a contributor to our strength, we must protect it from threats. and i thank you for your testimony that will follow and i yield back and yield to the gentlelady from new york for -- >> thank you, i'll just be very,
very brief. certainly the security of our financial markets our government, it's incredibly important to our national and personal security and today's hearing is part of a continuing oversight and dialog we are having in congress about the threats to our markets and the impact these attacks could have on our economy, on our individuals and on our government. and with the rapid pace of technology, and the growing number of threats across a wide range of businesses, both large and small it is truly a huge, huge challenge and one that needs the absolute total commitment and coordination between the public and private sector to protect our markets to protect individuals, to protect our government. i do want to note this recent report by symantec, it's the
internet security report. it states that half of our businesses which is truly a wakeup call, both big and small, half of the businesses in america are targeted by cyber attacks and over 232 million identities were stolen in 2011 including my own. there's a carolyn maloney running around. there's many of us that have that inconvenient situation happen to us. they say 5.5 billion attacks were blocked in 2011. so, not only do we have to look at ways to continue to block this, but we need to continue to look at ways to protect our capital markets and our industries, both public and private. the information that we have. i look forward to hearing from the witnesses today and i yield back. thank you. >> thank you, and the gentle
lady yields back to the gentleman of arizona. >> i'll try to be fairly quick. what i'm hoping to actually hear from the panel and actually, should i be worried that there's another one of you running around maryland. >> there is. the fbi is looking for them. >> it is a combination of a handful of things. first of all, how we allocate liability, are we creating incentives or disincentives for folks in the financial food chain to invest and others to not invest? that is sort of a side concern. second of all, i would like to hear and understand how throughout the industry you coordinate best practices and
knowledge. i'm one of the members of congress who has a great concern that a growing governmental role in the whole issue of cyber attacks and data protection, that government so often becom s s so slowly, will they make reaction time worse and therefore raise our exposure? that is a concern and i would like some definition back in, are we making it more difficult to react in an instant. mr. chairman, i yield back. >> i thank you for holding this hearing. and thank you for joining us today. i believe our critical markets are a critical driver of our economy and technology is the
most advanced in the world. today we are facing constant threat of cyber crime. it's costing us billions of dollars each and every year and threatening our power grids and our national security. that is why it's critical to focus on this issue and protect ourselves from cyber threats. hundreds of thousands of cyber threats hit the financial institutions every day. in that regard, i'm confident that my colleagues and i share several bipartisan goals, first we must maintain and improve our cybersecurity infrastructure and share information to have a fast and effective response. and do it in a way that does not
infringe on privacy rights, consumer rights or the integrity of business contracts. third, the private sector and the public sector must work together in leveraging existing institutions to deal with the cyber attack complexity. and the businesses must be able to work with enforcement officials to make sure information is used appropriately. to maintain the public trust, the financial sectors and government agencies must stay committed to protecting personal data and intellectual property. i thank you for your testimony today. i yield back. >> the gentleman yields back and i echo the remaining comments to the panel, and seeing no other opening statements i turn to our panel for your opening statements. and as always, for those of you who have not been here before,
you will be recognized for five minutes and your complete testimony will be made part of the record and you can summarize what you have in front of you. first to ms. cantley, and you are recognized. >> thank you. members of the subcommittee. i'm the chief information security officer for regions bank and i am appearing for the financial services information center. i want to thank you for this opportunity to address the subcommittee on the important issue of corporate account takeover. i have been head of information security at the bank since 2004, regions is the 12th largest bank by deposits and loans, it's a member of the fs-isac, an organization formed in 1999 by presidential order with a mission of protecting the financial services sector against cyber and physical
threats and risk. today, the organization has more than 4400 member organizations that represent the majority of the u.s. financial services industry. it's important to note that industry has spent much time and effort and has worked closely with the regulators and other interested parties to provide safe systems to its customers. it's aware through the information sharing contracts that criminal actors are targeting our sector, corporate account takeover is one method of attack, corporate account takeover is the taking of information that affects computers and workers work stations. they attack by phishing. through advertisements and by
fraudulent messages on social media sites. they attempt to trick their victims to click on a bogus link that redirects the victim to a server that downloads malware on their program. it captures the banking credentials and allows the criminal to steal the identity. losses experienced by financial institutions and their customers as a result of cyber related fraud has declined even as the number of attacks has increased. the organization and its members recognize the threat both to the affected institutions and the consumer confidence. as part of our active efforts to counteract the threat of corporate account takeover, the organization formed the act takeover task force. it consists of 120 individuals.
it has completed a report and it recommends three main areas of focus. prevention, detection, and response in order to ensure an improved and effective defense against account takeover. the membership has taken steps to limit cyber crime and corporate account takeover, nonetheless, corporate account takeover attempts cannot be stopped solely by the financial institutions, all participants in the internet have roles to play. banks for instance have no direct control over the end-customer's computers nor can banks control what e-mails the customers open or websites they visit prior to accessing the online banking systems. still, to increase the security of our customers accounts, we must educate the customers on the risk, monitor for fraudulent transactions. customers have a role to play in
learning about the threats and practice safe internet habits. providers can monitor for much of the malware and alert the customers to the threats. the private sector and government are continuing to work together to improve government security. one area that i would highlight is that law enforcement should continue to move aggressively against cyber criminals and that more work on international, legal and diplomatic levels so that all countries can recognize this type of cyber crime. i look forward to any questions that you may have and thank you for the opportunity to appear before the subcommittee today. >> and we thank you as well. mr. clancy. you are recognized for 5 minutes, and you are welcome. you want to pull them closer to you. yeah, they do not pick up that well.
>> my name is mark clancy. i'm the corporate information security officer. dtcc is a participant owned and government owned cooperative. our operations and processes are to ensure the safe operation of the financial system. cyber crime is a significant threat to markets globally. a study showed that cyber crime accounts for more revenue than drug cartel income running into the hundreds of billions of dollars annually. the first attack is theft of confidential data, cyber criminals take over the accounts of a victim and directly steal the funds or use pump and dump scams. they move the market and bid
against themselves and anyone else they can lure into the scam. in recent years, they have witnessed data theft in the industry. attempt to give foreign entities an advantage in -- the second type of attack involves compromising the integrity of the financial system. the goal of the cyber crimes is to grind the financial system to a halt and disrupt national economies, there are no public reports of them being affected today, the change on the hong kong threat reinforced the threat. the other attack that is the potential to be the worst. the european market for carbon credit trading was the target. when they changed the ownership
of carbon credits. this resulted in the theft of 30 million euros and the closing of the trading system for more than a week. while robust programs are in place, they are not foolproof. a critical resource that the industry relies on to safeguard the system is information sharing between institutions, most notably through the information sharing center. i want to talk about a successful but defunct program. under the program, advance threat and attack data information was given. the program provided the sector with access to actionable searches and to better understand threats.
the ability to use information that was previously unavailable to identify threat. and the need to develop standards to consuming and sharing data. it helped reshape the sector's approach to assessing risk. and it provided best practices. unfortunately the program was terminated for reasons that were unclear, since then, more than five financial experiences have experienced threats. the threats will continue to increase in the future. dtcc strongly supports restarting the program and removing its pilot status and expanding its reach. as a means of the cyber
criminals increases, they need to move to a risk based protection system. the public and private sectors have taken important steps in recent years to enhance collaboration, all resources need to work in concert to defend the financial sector from cyber attack. dtcc stands ready to work in partnership to harden the differences against cyber crimes. thank you for your time. >> and i thank you as well. mr. graff is recognized for five minutes. welcome. >> thank you, chairman garrett, and the ranking member, waters, my name is mark graff, i'm the vice president and chief security officer, i'm new to the company having arrived this
april, i'm not a newcomer with information security, with about 25 years serving the industry and government. most recently i was head of security in one of the crown jewels of research in the country but the repository of the country's most important secrets. i moved to omx to help protect another part of america's infrastructure, its financial markets. i changed industries, but most of the challenges and many of the adversaries remain the same. it's committed to a vigorous defense of the infrastructure and with the methods that are used to protect the systems from attack, i can tell you that many of the same techniques and technologies are used to defend omx, one key method at both institutions is the isolation of critical systems from the internet at large, while many of
the services that we deliver are housed on internet facing web servers, our trading and market services are safely tucked away behind several layers of firewalls and network isolation zones. this is an important distinction to remember and we should keep it in mind when we hear about denial of attacks against one institution or another. any troublemaker can run up to the house and ring a doorbell over and over again, and that is what denial of service amounts to. if they are unable to reach an outward facing page for a few minutes, it does not mean that someone broke in the house, the market system is secure. we do not rely on isolation alone, we have a security program that has a multi-layered approach. for example, in developing software, we treat information
security as a critical element from the design and implementation and in everyday use. these controls that i've talked about span our entire network, our trading systems are further protected by the overall resilient architecture. each trading platform is isolated from the rest of the network and the internet. but the system restricts the information that is allowed to be submitted to it through a fixed set of protocols that control inputs to the trading platform. it also is refreshed at the end of the trading day, every information trading system and no data is maintained in the trading platform beyond the trading day. this helps secure the trading markets which are so important to us. for all those steps we have serious concerns on the worldwide attacks that are being led not by just rogue hackers or organized crime but by
governments. it's not reasonable to expect individual companies no matter how large, to independently stave off attacks that are coordinated from a foreign government. that is one of the reasons we are pleased that both houses of congress are looking at ways to protect our infrastructure through improved sharing. we support the house passage. although there are concerns about data privacy that needs to be addressed. we feel it's a good move forward in the area. nasdaq omx is and continues to be a willing partner with industry peers at every level, cooperating to protect the critical infrastructure. and it's my pleasure to continue and expand such contacts and relationships. thank you again for inviting me to testify.
>> and thank you. mr. smocer is recognized for 5 minutes and thank you from the panel. >> thank you, my name is paul smocer and i'm part of the financial services round table. as the recent passage of key legislation during cyber week indicates the house clearly understands the importance of cybersecurity, likewise the financial services industry recognizes the serious and constantly evolving nature of cyber threats to its customers and u.s. institutions and the broader economy. we try to identify institutional and customer threats and eliminate them from the key service providers. this includes providers of service such as clearings, settlements and accounting within the capital markets environment. these assessments help assure that the institutions and financial infrastructure such as capital markets remains secure.
in the battle, no one institution can fight alone. at the sector level, several collaborative efforts exist. through associations such as bits, institutions band together to collectively identify cyber risks and reduce fraud. the largest of the collaboration is the financial services sector, consisting of the largest u.s. based financial institutions. the council works closely with the public sector partner, the banking infrastructure committee. chaired by the treasury department, it includes 16 government agencies. working together, council and committee members focus on key cybersecurity issues including the ability to recover vital --
they have exercises, the latest had a focus of the resiliency of the equities clearing trading and processes. bits and other associations have formed relationships with various law enforcement agencies to prevent and prosecute crime. they conduct outreach efforts to sectors, one recent example is the participation in the botnik group, they are acting collaboratively to mitigate the problem of device takeovers by cyber criminals. these types of efforts are consistent with the financial services industry recognition that today's cyber world is highly integrated. the industry recognizes the importance of cybersecurity education. consumers and businesses play a key role in cybersecurity and have a responsibility to protect
themselves though the industry and others have recognized that they often lack the skills and awareness to do so. as a result, institutions and associations have made significant institutional investments. a key collaborative area of particular note is threat information sharing. financial institutions share information, broader and public/private share opportunities remain. because of the key infrastructures such as capital markets, it's needed to improve the responsiveness and response of all sectors. protecting confidently is a concern. organizations are concerned that revelations of information will impact the reputation and their customer's confidence. that is why the financial services industry was supportive of the passage of hr 3523 which
if enacted offers additional protection. we recognize that as hr 3523 was debated, legitimate concerns about protecting individuals' information and privacy was raised by several members of the house, as you consider future legislation however, we do urge you to consider solutions to allow sharing of this type of information under certain circumstances in a manner that protects individuals' privacy rights but also facilitates their financial protection as well. there are legitimate reasons to share the information that benefits citizens. sharing deals about breached customer information and sharing it quickly would allow institutions to take action to prevent fraud against their commercial and retail customers. in closing, again, accept my thanks for the opportunity to testify today. cybersecurity is a vitally important issue for the private and public sectors, protecting companies, customers is crucial.
we commend the subcommittee for your attention in strengthening the nation's cybersecurity. >> thank you. >> good morning. my name is mr. weiss and i'm the director of the citi's intelligence center. we protect citi's customers, our brand, global business information against threats worldwide. i'm testifying on behalf of the securities industry and i -- on how to safeguard emerging markets. i'll be focusing my testimony on cybersecurity in the financial services sector and what we are currently doing to protect our infrastructure and more importantly our customers from cyber attacks. we support the goals of the administration and congress to limit cybersecurity threats
against the american people, businesses and government through a more integrated approach. the increase in cyber intrusions and cyber crimes in the past decade is cause for great concern. the members and firms are on the front lines defending -- defending against cyber threats in the markets and we take our role seriously. sifma members comply with laws including the fair credit reporting act and the right to financial privacy act, these laws and regulations are reinforced by regular proactive review and audited by highly specialized regulators that are supported by the ffiec, an agency that issues data privacy and cybersecurity guidance and monitoring procedures. in addition if services sector found do information anal